« The Still Sad and Deplorable State of Internet Security | Main | Lending Clarity to Security Risk Definitions - for ICANN Community and Beyond »

Thursday, 11 February 2016

Identifying Cybercriminals: Is An IP Address Sufficient?

DigI'm often asked, “I’ve found the IP address of a criminal, where do I find information about the criminal associated with this address?

I’ve begun using the following explanation to help investigators so that they appreciate context and relationships between Internet identifiers – domain names, IP addresses, or Autonomous System Numbers (ASNs) – and criminal acts and actors.

People and networks use Internet identifiers to name or number individual computers (hosts) so that these can communicate. These identify location, for example, in the most basic interpretation:

  • IP addresses identify Internet’s streets and house numbers
  • Autonomous System Numbers identify the Internet’s “neighborhoods”
  • Domain Names provide user-friendly ways to remember addresses, e.g., “My friend Matt’s house”.

Let’s imagine that you are investigating a complaint about illegal content (counterfeit goods, child abuse material, etc.). The complaining party gives you a domain name or URL. You use the DNS to identify an IP address that is associated with that domain name. This is the location where the content is being hosted or published, or perhaps the location where a spam or phishing email originated.

Some investigators are tempted to associate this IP address with the person whose published the illegal content in the same definitive manner as one might associate a fingerprint collected at a crime scene with an alleged perpetrator (or person of interest). Both of these are presumptive conclusions; for example, even in cases where a single fingerprint is collected at a crime scene, more evidence is necessary to prove without reasonable doubt that the person whose fingerprint matches the one found at the crime scene committed the crime. In many crime scenes, multiple fingerprints may be collected. This increases the list of persons of interest, and investigators must gather additional evidence to place a particular person of interest not only at the scene, but also at the scene at the time of the crime.

This is also true for an IP address. Different individuals can use an IP address at different times (at a public library or Internet cafe). Often, many individuals using a public or private network that uses network address translation (NAT) may share a public IP address. Thus, IP addresses pose additional hurdles for investigators:

  • They can be spoofed, i.e., a criminal actor can forge an IP address and thus “leave some other person’s fingerprints”
  • A criminal actor can relocate his illegal content from one IP address to another, or host that content from multiple IP addresses and thus leave lots of fingerprints over time.

Even if your person of interest uses a public IP address and the illegal content remains at this address as you pursue your investigation, you are in most cases confronted with – and about to be confounded by – the problem of associating this “fingerprint” with an actual individual. The situation an investigator most often encounters is similar to taking a fingerprint from a crime scene and finding no match among all the available crime databases:

  • The provider of the service where the content is hosted (or where the content is originating from) has inaccurate or fraudulent contact data, or the contact data is accurate but further investigation reveals that the criminal forged, hijacked or impersonated an innocent party or exploited an innocent party’s resources (e.g., a web site).
  • The IP or Domain registration data (Whois) has inaccurate data or fraudulent contact data, or (again), the registration data are accurate, but further investigation reveals that the criminal forged, hijacked or impersonated an innocent party’s identifiers (e.g., a domain name).
  • The contact data in any of the above scenarios is “privacy” protected and the party that provides this confidentiality service won’t cooperate with the investigator (without a court order).
  • You can’t serve a court order because any of the above party’s do not recognize your jurisdiction.

Book-depository-jfkAll these hurdles reinforce the following: gathering the addresses or names allegedly associated with a criminal activity is necessary but not sufficient evidence collection to “identify the criminal”. A law enforcement colleague I contacted agrees, noting that, “Knowing the shot that killed John F. Kennedy came from Book Directory wasn’t enough to prove Lee Harvey Oswald was the shooter.”

What do you do next?

My law enforcement and private sector colleagues all give me the same answer:

Police work.

Revisit the crime scene. In a real world investigation, you’d look for camera footage, shell casings, and fiber remnants. Are there any data that you haven’t yet used but might use to find evidence by flexing your google-fu? Your person of interest may be no different than any other Internet user. He may use social media and perhaps may brag about or unwittingly share his “accomplishment”. Have you searched Facebook, Twitter, or other social media using digital trace evidence you found?  Have you canvased the digital neighborhood? You may find and associate other addresses or domain names with the crime, and registration or other data associated with these may reveal more about your person of interest or his conspirators. Can you single out individuals who associate with your person of interest and among these, can you identify potential informants, or turn a co-conspirator? Was malware associated with the crime? Bomb makers have unique signatures and often, so do malware authors.  And the obvious: can you question the person of interest and obtain a confession?

Many crimes today have both real world and online components, and no small part online investigations involve the same police work and investigative methods as real world investigations.

It’s tempting to imagine that there’s a silver bullet of evidence among the identifier data you collect but it just isn’t so.

Criminals haven’t adopted online crime to make finding them easier.

 

A special thanks to my colleague Mert Saka for inspiring this post.

Posted at 03:08 AM in Anti-Malware and Anti-phishing, Domain names and DNS, Malware |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • Interisle Study Reveals Alarming Rise in Online Abuse and Identifies Exploitable Links in Cybercriminal Supply Chains
    My Interisle colleagues and I today published our 2024 Cybercrime Suppy Chain study. We analyzed 16 million cybercrime events to expose a dramatic rise in criminal exploitation of name, address, hosting, and financial supply chains. Our year-over-year findings show that cybercriminals exploit lax policies to easily and cheaply obtain resources for phishing, malware, and spam campaigns. In our report, we provide actionable insights for those aiming to curb cybercrime. Among the major findings in the study, Interisle reports that: The total number of malware, phishing, and spam attacks grew year-over-year by nearly 54%, to nearly 16.3 million attacks. Spam doubled,...
  • Malware quarterly reports for July-September
    Malware quarterly reports for July-September 2024 is now posted at the Cybercrime Information Center. For the period... Malware identified as targeting endpoint devices increased 277% over the prior period. WordPress blog sites used for malware accounted for nearly all the malicious documents reported for this period. We continue to see an uptick in malicious scripts. IPv4 addresses reported for exhibiting characteristics of attackware and traffic injectors increased 38% to just under 1 million. ASNs in China and India again have the most IPv4 addresses reported for hosting malware. More malware trends for the period at https://www.cybercrimeinfocenter.org/malware-trends-july-september-2024. For historical reporting of...
  • Interisle's Phishing Landscape 2024 is here
    Our Interisle team today announced the publication of an industry report, Phishing Landscape 2024, A Study of the Scope and Distribution of Phishing. Interisle’s fourth annual study examines nearly four million phishing reports collected from May 2023 to April 2024 and provides historical measurements using over 15 million phishing reports collected at the Cybercrime Information Center over a four year period. Findings from the study: • The total number of phishing attacks grew to ~1.9 million incidents worldwide. • Phishing attacks hosted at subdomain providers increased by 450,000+ reported names, representing 24% of all phishing attacks. • The use of...
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....
  • Malware Trends, January - March, 2024 posted at the Cybercrime Information Center
    2024 began with a rise in domain names reported for hosting malware unlike any we have seen since we began measuring malware attacks in 2021. The 1Q2024 Top 20 TLDs included 10 new gTLDs, 6 ccTLDs, and 4 legacy gTLDs. Only three TLDs remained in the top 5 TLDs (COM, NET, INFO) from the prior quarter. The ORG and BR TLDs were replaced by SHOP (over 3,000% increase) and TOP (over 700% increase). All but one registrar in 1Q2024’s Top 20 registrar ranking showed increases of 100% or more. Several registrars had 4- and 5-figure percentage increases in domains reported....

Search

My Photo

Categories