{"id":15054,"date":"2015-02-27T14:00:40","date_gmt":"2015-02-27T14:00:40","guid":{"rendered":"http:\/\/kasperskydaily.com\/b2b\/?p=3670"},"modified":"2020-02-26T11:00:24","modified_gmt":"2020-02-26T16:00:24","slug":"non-impervious-cybercriminals-make-mistakes-too","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/non-impervious-cybercriminals-make-mistakes-too\/15054\/","title":{"rendered":"Non-Impervious: cybercriminals make mistakes too"},"content":{"rendered":"<p>APT campaigns, cryptolocker pandemics, and banking Trojans running wild \u2013 they all generate a lot of trouble for businesses and end-users alike, especially when the \u201cfull picture\u201d is seen \u2013 the number of infections and the level of activity of different malware and\/or APT campaigns. There is one important detail in this picture: however sophisticated, thoughtful, and resourceful malware authors can be, they still make mistakes. Sometimes even comedic ones.<\/p>\n<div class=\"pullquote\">Non-Impervious: cybercriminals make mistakes too. #security<\/div>\n<p><strong>No perfect crime<\/strong><\/p>\n<p>In mid-February, during the Kaspersky Security Analyst Summit in Cancun, Kris McConkey of PricewaterhouseCoopers <a href=\"https:\/\/threatpost.com\/hackers-op-sec-failures-important-clues-to-uncover-apt-gangs\/111088\" target=\"_blank\" rel=\"noopener nofollow\">spoke<\/a> specifically on the mistakes that cybercriminals make. 
They go to great lengths to throw researchers off their scent, but just like in the \u201coffline\u201d crime world they make errors and leave peculiar traces behind, making them look a bit silly, which makes the cyberforensic experts happy.<\/p>\n<p><strong>Free Internet; why not use it?<\/strong><\/p>\n<p>For instance, members of the notorious Comment Crew (APT1), one of the better-documented APT groups, tied to Unit 61398 of the People\u2019s Republic of China\u2019s People\u2019s Liberation Army, worked at the highest level of professionalism, and still got uncovered. Researchers at Mandiant were able to identify the location of its operational headquarters, its malware resources, and the victims it was targeting. How? One of the major pitfalls was the use of victims\u2019 infrastructure to access the attackers\u2019 personal social media platforms.<\/p>\n<p>Yes, they used the victims\u2019 internet access to log in to their own social network accounts.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/02\/06020303\/quadruple-1.png\" alt=\"quadruple\" width=\"492\" height=\"414\" class=\"aligncenter size-full wp-image-3673\"><\/p>\n<p>\u201cThis was a big giveaway, and it\u2019s likely a result of their government policy,\u201d McConkey said. \u201cTheir restricted Internet access made unfettered Internet even more tempting.\u201d<\/p>\n<p><strong>I love my nickname<\/strong><\/p>\n<p>APT1 operators appear to have been \u2018married\u2019 to their online aliases. For instance, one of the group members, going under the handle UglyGorilla, left this moniker stamped all over malware, injection commands in websites, etc.<\/p>\n<p>A similar story was told when CrowdStrike exposed the PutterPanda gang in 2014. They used personal addresses to register early command and control domains, and one handle in particular, cpyy, was used throughout the campaign. 
Researchers were able to eventually link that handle to a Picasa account that was loaded with photos of the hacker behind the handle, photos of the Unit 61398 office, and other data pertinent to the investigation. Thank you, cpyy!<\/p>\n<p><strong>We are Wet Bandits!<\/strong><\/p>\n<p>Remember <em>Home Alone<\/em>, the 1990 classic? While getting arrested, two burglars proclaim themselves to be the Wet Bandits, since they flood every house they have robbed. A police officer delightedly answers that now they know every single place they have burglarized.<\/p>\n<p>Something similar took place here, though these APT groups learned a lesson and removed these giveaways from sight.<\/p>\n<p>The recently revealed Equation APT group also proved to be vulnerable to such mistakes. According to Kaspersky Lab\u2019s Costin Raiu, one member of the Equation group accidentally left the username used on their computer in the code of one of the modules. This proved to be quite helpful.<\/p>\n<p><strong>Cryptoerrors<\/strong><\/p>\n<p>One of the major cybersecurity headaches today \u2013 encrypting ransomware, which often goes under the common name \u2018cryptolockers\u2019 \u2013 <a href=\"https:\/\/www.kaspersky.com\/blog\/ransomware-outbreak\/\" target=\"_blank\" rel=\"noopener nofollow\">is prone to mistakes as well.<\/a><\/p>\n<p>While they may use extremely strong encryption, mistakes and imperfections in the code make it likely that third-party antimalware utilities can decrypt the files. However, without these errors, breaking the encryption is next to impossible: a 2048-bit RSA key used by the later strains of cryptolockers effectively rules out any kind of brute-forcing. The only way is to get hold of their infrastructure, which is what happened with the Gameover ZeuS botnet. 
But now criminals behind such ransomware increasingly use Tor to stay anonymous and conceal their C&amp;C servers.<\/p>\n<p>More on ransomware is available <a href=\"https:\/\/business.kaspersky.com\/ten-facts-about-ransomware\/3400\" target=\"_blank\" rel=\"noopener nofollow\">here<\/a>.<\/p>\n<p><strong>Errare humanum est<\/strong><\/p>\n<p>The ancient Latin proverb remains true for any kind of software. It\u2019s <a href=\"https:\/\/business.kaspersky.com\/can-we-beat-software-vulnerabilities\/2425\" target=\"_blank\" rel=\"noopener nofollow\">errors in legitimate software\u2019s code<\/a> that allow a large part of malware to be effective, but the mistakes humans make \u2013 such as opening malicious e-mail attachments \u2013 contribute a lot to it. Ironically, it is coding mistakes and human behavioral errors that make the malware and APT gangs pervious to the efforts of antimalware researchers and fighters.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybercriminals go to great lengths to throw researchers off their scent, but just like in the &#8220;offline&#8221; crime world they make errors and leave peculiar traces behind, making them look a bit silly, while the cyber-forensic experts get
happy.<\/p>\n","protected":false},"author":209,"featured_media":15733,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1999,3052],"tags":[499,2292,648,2288,36,4209],"class_list":{"0":"post-15054","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"tag-apt","10":"tag-apt1","11":"tag-cryptolocker","12":"tag-equationapt","13":"tag-malware-2","14":"tag-sas-2015"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/non-impervious-cybercriminals-make-mistakes-too\/15054\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/non-impervious-cybercriminals-make-mistakes-too\/15054\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/non-impervious-cybercriminals-make-mistakes-too\/15054\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/apt\/","name":"APT"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15054","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/209"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=15054"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15054\/revisions"}],"predecessor-version":[{"id":33472,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/15054\/revisions\/33472"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/15733"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?
parent=15054"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=15054"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=15054"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}