Desi: So, welcome back to the Forensic Focus Podcast. I’m Desi, and this week Si and I are talking to Alex Tilley. He’s currently part of the counter threat unit at Secureworks, and I recently saw Alex do a presentation on the history of financial cybercrime and wanted to bring him on to bring his presentation to you all. So, welcome Alex, and thanks for joining us this evening.
Alex: Thanks for having me.
Desi: So, I guess we generally see that people take non-traditional pathways, by today’s standard at least, like with all the degrees and everything out there with cyber security. So, I wanted to start with maybe just a little bit of background about yourself and kind of how you ended up in the role that you’re in with Secureworks.
Alex: Yeah, I mean, I’m a philosophy degree dropout! I think I did about a year and a half of philosophy degree and been out of school and wasn’t…didn’t quite gel with me, the university thing.
So, then my dad is a…was an old telecom engineer and an old satellite engineer. So, he knew a guy who was starting up the Cisco CCNA course, the very first time they ran in Australia. And he was like, “do you want to do that?” And I was like, “yea, actually that could be a bit of fun.”
So yeah, so I did that and then managed to jag a job at online casino on the Gold Coast. So it was…yeah, it was interesting. It was back when it was still legal to do online casinos. And I was a young kid about 18 years old doing shift work, driving an hour each way at six in the morning. It was…looking back, it was a bit of a crazy time!
But then, yeah, so then they…so that was doing sort of just standard desktop support, but also security stuff, and I really enjoyed the security bit. That was back when ISS Realsecure was a thing. (I’m not sure if it’s still a thing now).
But yeah, so monitoring that. And then the government in their wisdom decided that it was too easy to gamble online and shut them down. So yeah.
I’ll give you the quick version: I went with my girlfriend at the time to Ireland, lived in Dublin for a year doing similar things, running internet cafes. Came back and started working in banks.
And then yeah, just sort of worked my way up from the service desk to the network security team. (I’ve always been a bit of a network nerd.) So yeah, then started doing network security, and then basically when phishing started, I was sort of in the security function, so we started responding to phishing attacks, which then, as per the presentation, phishing attacks turned into malware attacks.
And then I was working a lot with the AFP, the old high tech crime center. And they basically said, “Hey, do you want to move to Melbourne, and we’ll set up a team around you and we’ll do, you know, financial crime stuff online?” And I said, “Yeah.”
And then that was it, basically. Went to Melbourne and basically we did all the big breaches: we did Bottle Domains, we did Distribute.IT, we did a bunch of other large scale breaches in Australia back in the last 10-15 years.
And then, yeah, after a little while, you sort of, as most people do in government, you realize, “okay, this is great, and I love it, I love my team and I love the work, but this is what I’m going to be doing now until I decide to leave.”
So, you know, I had worked with the Secureworks CTU for a long time, and I knew that they did a lot of work with government law enforcement, and they offered me a role and I was like, “All right, cool, I’ll take it!” So here I am, you know.
It’s…I often get asked, you know, sort of to talk about career paths and stuff, and mine’s been a bit of a funny one, a bit of a weird one. But I seem to have sort of keep backing myself into niches. And I still, I find more and more tight corners to back myself into! But so far it’s working out for me.
Desi: Let’s hope you never realize…you’re just like, “Wait, I don’t really want to do this.” And then you’re just like…
Si: “There’s no way out anymore. I only know how to do one thing!”
Alex: Well, that genuinely is a thing that I’ve said to people, I’m sort of like, “If I don’t do this, this is all I can do. I don’t have any other skills.” So looking around going, “Okay, maybe I’ll dabble in woodworking or I’ll dabble in this or that or something, because this is all I know!”
Desi: I mean, it might be a little bit tough, but maybe you could get some credits for that philosophy degree and just finish…push that off.
Alex: Yeah, I did some work with the university back when I was with AFP and they sort of offered me a…not honorary, but that they offered me a spot to do a master’s degree or a PhD with them as well. And I sort of said, “Oh, well, can I get RPL?” And they were like, “Oh, you know, 15 year old, a third completed philosophy degree doesn’t really sit with what we’re trying to do here!”
Desi: That’s fair. So I’m interested when you…so when you started with the banks, did you see the same kind of thing that happened with the IT industry? Is that they kind of, right at the beginning they didn’t really have security functions, or did you kind of see that from the…when you joined the banks had kind of IT security built in from the start?
Alex: They had security functions, but back in those days security was largely a policy sort of function. And it was sort of giving advice to projects and stuff like that and dealing with regulatory requirements around, you know, scheduling pen tests and that sort of stuff. But largely it was, yeah, it was sort of more of a policy function.
Obviously we, you know…someone had to drive the AV consoles and someone had to drive the spam consoles and that sort of stuff. But yeah, most of the work was around sort of project work, until phishing started happening. Then it was like, “Oh, okay, we need to specialize pretty quick.” So yeah, this is right man at the right time.
Desi: Yeah. So, I suppose that’s the really good point to dive into, I guess, the presentation that I saw you do, which is…I guess you kind of structured your talk around loss per event and how that was structured. So, maybe you could just start us off with, I guess, the low end of the loss per event and then go from there.
Alex: Yeah, definitely. So yeah, I structured it that way because I was trying to figure out how to structure it, if that makes sense. So, I was sort of like, “Okay, so I’ve got this big story to tell, how do I actually tell this story in a way that’s cohesive and makes sense, and people can sort of…?” I sort of want people to understand how we got to where we are now.
And so the way that I sort of did that was I started with, “okay, well the initial phishing attacks were maybe 300-500 bucks that you would lose as a bank per phishing attack,” because the current really modern (we’ll get to) the modern sort of money laundering pipeline simply didn’t exist.
And I sort of wanted to sort of, yeah, get people to understand that we didn’t have the technology that we have today, even though it was only 20-25 years ago.
We were still dealing with spreadsheets and notepad. You know what I mean? We weren’t dealing with these lovely analytical systems and SIEMs and Splunks and that sort of stuff. It was very much a manual process. Even fraud detection at some banks was still very much a manual process.
So, when the bad guy started attacking with phishing and then moving into malware, it was a real arms race to try and skill up, a) you know, how do you do a phishing site takedown?
No one knew because no one had done it before. You know, how do you actually do this? Who do you talk to to get a domain, NX domain? Who do you talk to to get content from a phishing site? This is stuff that we learnt literally day to day.
Now it seems like it’s so simple and basic, but for us it was just like, “Okay, what are we going to do here you guys, let’s figure this out?”
And the Australian Banking Industry, we all worked together, you know, people like myself at the banks were, like, sharing notes and on how we were doing things and that sort of stuff, and which vendors we could talk to to try and help us out, because even that stuff didn’t really exist at the time. There wasn’t really…phishing takedown as a service didn’t really exist. You’re sort of on your own.
Desi: Yeah. So, I remember you talking in your presentation. So the takedowns, like at the beginning timing was pretty critical in getting stuff down. So, I think you said, like, if you couldn’t get it down within a certain time, you were just like not bothering because there was kind of like a peak of activity from the attackers and then they’d tail off and if you missed that peak, then there wasn’t a point.
Alex: Yeah, 100%. It was…it’s sort of a lot of the…when people started to finally realize that this is a big problem not going away, and people started to research it and understand how it worked, it’s sort of centered around the four-hour mark from start of business.
So you had about four hours from about 7:30am before basically there’s a big peak in the number of users logging into it and sharing their credentials, and then it tails off to almost nothing after about lunchtime.
So yeah, you’re right, once you get to about lunchtime, you haven’t got it taken down, move on to the next one and sort of, you still burble along on it, try and get it taken down, but its damage hasn’t really…has really been done already by that stage.
Si: Is that just human nature for people coming in and logging in first thing in the morning to do their banking and therefore you are seeing the same peak on the phishing site as you see on your own internal sites?
Alex: It seems to be the way, yeah. That was the prevailing understanding was that people were logging in, sitting down, checking their emails and then they’d log into the phishing sites. That was the prevailing theory at the time.
And I think it stands up. I think now with the benefit of hindsight, we can sort of see that, yeah, it’s a pretty quick from login to click email to, you know, move on with your day. I think it still fits.
But I think that even as the bad guys that sort of tailed off as they sort of realized they could do a whole lot more if they didn’t just rely on that four-hour window.
Desi: And did you see, so, we…I guess like later on we’ll talk about kind of the big players in the game that you were kind of tracking, but did you see kind of any criminal activity that you think was coming from Australia and New Zealand at the time, kind of targeting Australian banks?
Or was it more kind of just foreign criminal or foreign cyber criminals that were just having a broad net and Australia was just kind of hit in that attack as well?
Alex: Yeah, it’s a really good question and it’s something that sort of comes up time and time again and it’s…I don’t have any hard numbers on it. But more and more when I look at the latest and greatest attacks there is, there does seem to be a real bent to target Australia first.
Now, my theory on that is that we’re a relatively wealthy nation, we’ve got relatively advanced fraud detection and, you know, anti-crime sort of infrastructure, and we do have a really well set up way to move money out of the country.
And I think that’s why we…it appears to me that we’re a bit of a test bed, and other people seem to seem to agree that you sort of…you see the new stuff and it’s like, “Well, why is that targeting Australia?” And it’s like, “Well, I guess we’re as good as anyone!”
And you want to sort of practice it here and get good at it here and then you move on to the UK and Europe and the US, is the sort of theory that I have.
Desi: Yeah. And I suppose like how, from what you’ve seen, are they still targeting us and using us as a sort of test bed potentially because, like, the information sharing and communication channels weren’t always good and we were smaller.
Alex: Yeah, I think we’re small enough that they can hit a bunch of our brands at once easily. We don’t have to worry about, you know…like the US has got thousands and thousands and thousands of different banks and financial institutions. Australia’s got a relatively small community of them, and the UK is obviously tied in really tightly with Europe, so it sort of gets a bit interesting there as well.
So, I think we’re relatively siloed in that respect. So if you can try it here…and also our banks have very advanced fraud detection, as I said, and malware detection systems, but also really fully functional internet banking and phone banking, which means that if you can work it here, it’s going to work anywhere, is basically the idea.
Desi: Cool. So I suppose, like, right at the beginning you said that kind of banks were buying into security quite heavily and the work that your team was doing and taking all this stuff down, like still in that $500 mark was because they were really pushing the confidence in the channel is what you called it. So I was wondering maybe you could just explain that and touch on that a little bit just for the listeners.
Alex: Yeah, no problem at all. It’s an interesting one that people don’t seem to consider a lot, is that, you know, everyone likes to sit there and bash the banks. Obviously that’s that sort of a sport for Australians!
But the banks actually spend an awful lot of money and resources trying to protect your money, which is also their money, if that makes sense. So, at the time it was really, “Okay, we need to up this game, because we are bringing in this brand new thing at the time called internet banking and we want people to use internet banking because it’s, you know, more convenient and they want…how to use it and it’s, you know, ultimately going to be cheaper if they use it.” That sort of stuff.
So the level of panic around people losing confidence in what was a burgeoning the channel…like internet banking was brand new, so people were still a bit leery about it.
So yeah, it was about, “Listen, we’re investing heavily in security to secure ourselves and your money, but if you want the convenience, there is going to be some risks. We’ll do our very, very best to help, you know, subvert those risks and mitigate those risks,” but that does exist, but you don’t really want to talk about it.
Desi: Yeah. I think I remember in your presentation it was just like sense compared to like…I forget what it was. But it seemed like a big difference between going into a branch and doing your transactions and online banking, which is, kind of, seemed why they were pushing that.
Alex: Yeah. And that’s a little bit of inside knowledge that I don’t think the banks like me talking about. But yeah, it’s like, it’s ultimately cheaper if you use internet banking than it is if you walk into a bank branch and demand to have a teller in front of you giving you some sort of service.
So yeah, there’s ultimately that. So that was why…and plus people wanted it. That was the other thing. Like, we were doing these surveys and we’re talking to our customers, you know, “know your customer” became, the watchword around that time was like: understand your customers’ wants and needs and that sort of stuff.
So it became that, that watchword and it was about, “Well, what do you want?” “Well, I want, you know, fast transactions, I want access to it wherever I go and I want to have to go into a branch.” We say, “Okay, we’ll build you this platform, which means that you can use that, which ultimately will save a bit of money (It’s going to cost us money to implement it), but we also now need to understand how to secure this damn thing.”
And then, you know, we move through into like, you know, instant payments and then offshore transactions and as it evolves and as people, what they want to do evolves, the banking industry has to keep up with that and try and balance security with functionality, right? That’s the whole thing.
Si: It’s somewhat self-evident, isn’t it? You know, you’ve got a large building that costs money in the middle of a town center and…I mean it’s contentious in the UK because, you know, there are people who like going into a bank and talking to people still and the fact they’re getting shut down is a contentious point.
But yeah, it is obviously logical: we shop online, we bank online, we do pretty much everything online except for going to the supermarket to poke a tomato before we buy it. And that’s about it. I mean, there are people who do that too, you know, online. Not the poking part, the buying part!
Alex: You go into bank branches even here in Melbourne now, and it’s a very different experience. They’re almost like, “What, what are you doing here? What’s going on?”
Si: Well I found, I found that if I turn onto a branch in the UK, they quite often point me to the ATM, and say, “You can do everything on that.” It’s like, “Well, if I came in here, it’s obviously something I can’t do on that,” but, you know…yeah.
Alex: I had a bank…I was talking to a bank, I was moving my mortgage over and you know, the guy was like, “Oh, you know, you can’t, you don’t want to go with that lender because they haven’t got any bricks and mortar banks and they’re not a full-time bank and they haven’t got facilities.”
And I said, “Okay, cool, but also while I got you, I want to cancel this credit card. Can I go into the branch and cancel this credit card?” And he said, “No, you do that online.” And I was like, what am I actually missing out on here, you know?
Desi: Alright. So I guess moving on from the, the initial wave of attacks and phishing that you were seeing with the banks, you kind of then dove into the 5000 per transaction limit that you were seeing. So I guess you saw a bit of an evolution there. So, maybe you could just talk about some of the technical details around that and what you were seeing.
Alex: Yeah, 100%. So that was so…so around that time, which is about maybe 2003, 2004, 2005-ish, let’s say, we saw a real shift because I think we were getting quite successful at getting things taken down. It was whackamole and you had, you know, it was a constant, constant thing, but we were not bad at it.
And we sort of had our… by that stage we’d built some systems, we had some scripts and, you know, things would help. But then what happened was this, this thing called Rockfish emerged. You know, Rockfish really changed the game as far as phishing was concerned.
So Rockfish was what you would call like the first automated large scale multi victim phishing apparatus. It was probably one of the first real crime apparatuses that we saw being developed for online cybercrime, financial based cybercrime.
And it was really basically…the idea of it was they were using reverse proxies and had things at arms’ length. And then they started to use this stuff that we called…and you’d see like (pardon me) you’d see like, you know, 20 bank brands with 400 phishing sites popping up all at once.
So then everyone would have to scramble to try and get it taken down. And because it was hosted on reverse proxies in maybe even Bulletproof hosting, it was hard to get things taken down. It was a real interesting, sort of, pivot.
And, and you’d see these domains come up, which initially had whatever domain /rock/bank, and then they went to /r1/bank and then /r/bank. And you’d see that and as an analyst you’d sort of panic because it was like, “Okay, now we’ve got a big attack on our hands.”
Si: Can I just ask: is it the people who are doing the low-level phishing who have evolved and learned? Or is it just some more organized people realizing that there’s an opportunity here and coming in with a different skill set? Is it…do you know which it is?
Alex: I think it’s a bit of both. I think it’s a bit of both. Actually if I can do a quick plug, I wrote a paper about this that’s on our website that sort of goes into a bit of the historical aspects of who was involved with Rockfish and that sort of stuff. It’s called the business club. But so it’s worth a look, if I do say something myself!
Si: Yeah, no. We’ll link to it in the show notes. Definitely.
Alex: Yeah. So, that whole stuff seemed to come out because people realize, “Hey, we can make some money out of this.” And as that evolved, you started getting things like, you know, not yet commercial mule infrastructure.
So a mule (for your audience) a mule is like, if you think about, like, a drug mule, the mule’s drugs…a person who takes drugs from one country to another country, the same thing is true with money. You have what’s called money mules who will move money from one country to another country.
Initially they sort of started out being, you know, applying for job ads, for work from home, that sort of stuff. That was pretty evident through my entire career, was that stuff. But that sort of moved off now. It’s much more professional these days with people who know what they’re doing involved.
But the idea being that, “Okay, we’ve got these decent sized criminal pits of infrastructure like RockKit and that sort of stuff, we need to move serious amounts of money.” Because five grand, funnily enough, back in 2004, is pretty hard to move five grand around the world, genuinely speaking.
Like, you could do various things to credit cards and foreign exchange offices and Western Union and that sort of stuff. But it really at scale was kind of hard to move that sort of money then.
Now it’s a whole different story! It’s got crazy. But the idea being back in the day, “Yea, like let’s hit multiple banks around the world all at once really hard and get as much money as we can.”
So sort of that sort of ratcheted up a bit to that $5000 using these reverse proxies and things like, you know (your audience can…I won’t go into too much detail), but you can sort of Google things like Fast flux or RoundRobinDNS, which helps with hosting things around the world and moving things around, so it’s harder to take them down by IP address means.
That was all coming up as being brand new sort of stuff because the business, if you will, of cybercrime was starting to understand, “Hey, there’s money here and we can do this.”
Desi: Yeah. So I suppose that, like talking about the, the Fast flux. So you saw that towards the end of 2005, that kind of, when it was kicking in?
Alex: Yeah, it’s a really simple trick. And these days, I suppose we’d call it load balancing or the cloud, I suppose these days! At the time it was…the idea being that you resolve one domain now and you get five IP addresses that are all over the world. You resolve it in a minute, you get five new IP addresses that are all over the world.
And so it just bounces through this network of thousands of basically reverse proxies. So, it makes IP based takedowns pretty much impossible, or actually impossible.
And then you have the problem of thinking about, “Okay, well from a fraud point of view, how do I tell which IP is a bad IP when I’ve got thousands of IPs all logging into accounts at once?” It makes things more difficult. So that was the sort of evolution going forward.
Desi: Yeah. How…and at this point in time, how did you see the, I guess, the blue side or the defender side evolving? Because it seems like initially it was very manual, go contact the provider, take it down, like in that time when it was $500 per transaction. But were you seeing some more like defensive automation in the banks at this stage?
Alex: Yeah, rapidly. Rapidly. Definitely around things like, you know, what we call simple things now, like things like automated querying of WHOIS, and automated, you know, domain scraping and IP scraping and building databases of that sort of stuff.
Like, you know, like, we sort of think about them today as being bread and butter, but a list of known bad IP addresses at that stage didn’t really exist yet.
Like, we were building them as we went, you know, as you’re monitoring these botnets with these Fast fluxes, you were adding those IPs to lists to try and build this picture. These days you’ve automated systems that, you know, emulate botnets and scrape this and that sort of stuff like that.
But back in those days we didn’t really have that, but they were coming along rapidly because we had to, because you know, that’s the old adage of: “if you do something twice, script it; if you do it three times, make a program for it!”
Alex: And we were doing this stuff daily. So yeah. Various banks had their own different approaches to it. But yeah, definitely we were rapidly increasing our understanding and our tooling around this stuff.
Desi: Yeah. I know from like other industries, so for example, like the OT industry and even some of the government indu…like you think about state governments and that kind of thing, like information sharing’s always hard.
Like, how did you kind of see, like back in 2006, were the banks really picking up amongst each other to kind of help everyone out? Because they would’ve all been facing the same problem, right?
Alex: Yeah. And this is a little bit of inside baseball, but it’s…there was an adage that we had at the time, which was: “There’s no competitive advantage in security.” As in we would help each other out to help to understand the new stuff.
And so even back then, when people used to bash the banks, I used to sort of sit there and smile and say, “You have no idea. We’re working so hard to try and help people here. And we’re…everyone’s working together and we’re all sharing things and trying to help.”
Obviously you’d never share customer data or anything like that, but either be around, you know, “What we’re trying to do here and how we’re trying to do that there,” and “We tried to use this and it didn’t quite work, so we pivoted that way.”
That sort of stuff was…there was a real (it still is, I imagine, but I’m out of banking now), but there was a really good community there of like-minded people who just wanted to help protect customers. And the banks saw the value in that work, obviously, and helped facilitate that sort of sharing, or at least that sort of building of a community, which I was quite proud to be part of for a very long time.
Desi: Yeah. Because I can imagine, like, the cyber industry still seems small in Australia, so I imagine that that security like group would’ve been tiny.
Alex: It felt like at some points there was about 12 of us, honestly! I think, I feel like there’s probably a lot more now, but at the time it did feel like there was…I had about 12 people that I would contact daily or whatever, that I knew I could get to help. So yeah, at that stage it felt quite small.
Desi: Yeah. Wow. Cool. So I guess like moving on from that then you…the next part of your presentation was I guess moving into the $50,000 range?
Alex: Yeah. I took a bit of a bit of a jump there, but it was sort of, to sort of explain that we had this shift from, even now the automated live scale Rockfish type phishing attacks to malware.
So, malware became a thing. And Banker Trojans now are a dime dozen. You talk about Zeus and Citadel and, you know, Sherlock and Net Hill and SpyEye, and these sort of names that people sort of seem to understand.
But at the time it was like, “What is this thing? Holy crap. It’s hooking the web browser. Oh my God. It’s harvesting credentials out of the web browser directly. Crickey, what are we going to do?”
Like we’re still just getting used to dealing with large scale phishing right now. All of a sudden our customers’ web browsers are getting owned and owned at a really large scale.
And it was like, that was an evolution. Like that was a massive evolution in detection for the banks, but also for the bad guys in their activities. So that jumped from just phishing to “Now I’m going to install someone on the computer.” That was a really bad time in trying to figure that out.
Desi: So how, I guess, like, from your viewpoint, how did…how do they go about that? Because I guess that’s moving it from kind of almost attacking the bank directly to attacking the individual, like installing on individual workstations.
Alex: Yeah, it’s…and like to go back to the previous discussion we had around the timing: what it does is, one of the big things is it takes that four hours out of the loop, right? Now I can get you no matter when you log into your bank, because I own your web browser.
So it was a massive pivot and it made sense, looking back historically, it totally makes sense because that was the next place you’d go. You didn’t, because…and also at the same time, things like spam filtering were getting better, right?
Like you had, you know, all these companies now were starting to exist that did spam filtering. And I remember my boss back at a bank saying to me, you know, we were looking at outsourcing to a spam filtering company. And I was like, “Oh, do we really want to do that?”
And he said, “Tilley, are we a bank or are we a spam filtering company?” I was like, “Well, we’re a bank.” He’s like, “Well, then we’ll get rid of the spam filtering.” And as a network geek, you know, my old thing was let the router route, let the firewall firewall, right? Let the switch switch!
It’s the same thing in this sort of technology as well. It’s like, get something that does the job as its purpose and let it do it properly.
Desi: Yeah. So I guess back then, when this was happening, when it was more browser based? Because it, it’s probably security features that I take for granted.
So if I, like, jumped on a plane and went to another country and then tried to transfer money out of my Commbank account, like Commbank would probably go, “This is suspicious. You are not meant to be in this country normally.” And it kind of flags that and may stop transactions over a certain amount.
But I guess…did you see that kind of drive those kind of innovations in online banking security?
Alex: Yeah, it was definitely…this was the sort of the start of the era of “know your customer.” And “know your customer” is a very broad term, but it also encompasses “Know your customer’s workstation, know your customer’s browser, know your customer’s habits,” that sort of stuff.
So understanding…because now you understand that okay, that whole, I can log in from Australia, but then if I log in from the UK within 20 minutes, that’s impossible. Like, that’s sort of analytics are starting to be done, which is now bread and butter.
But at the time it was, “okay, we need to figure this out.” So yeah, definitely it was forcing that evolution to try and understand what our customers are doing and where they’re going and what looks strange.
Now the other thing that came in at the same time, and I’m not going to, you know, go too much into detail about it, was the anti-money laundering legislation. All of a sudden, you know, there was sanctions and you had to understand your customer and you had to do all these things.
So, that really forced an evolution in detection was around, “Okay, well now legislatively, I have to understand my customers and where they are, and I have to make sure that I can’t transfer money to certain sanctioned countries.”
So all these things are happening at once, which helped that big evolution from, you know, spreadsheets and notepad to behavioral analytics systems and, you know, all this new cool funky stuff.
Desi: Yeah. And I guess that…so pushing past…I guess, that starting to do the automation you push then from 50 into the 500K range and you’ve got, like, Gameover ZeuS and Daya in this stage. So maybe you could talk, like, not too technical, but I guess just a little bit about that whole criminal campaign and what it meant to the banking industry.
Alex: For sure. I think at this…so what happened around then is…so, up till now, as you said, we’ve been talking about attacks on the customer, attacks on, you know, what you call retail banking: individual accounts, my account, your account, that sort of stuff, and ways to get money out of that.
Which does sort of have a bit of a ceiling, right? Because none of us got that much money! We sort of got a ceiling there.
What happened after that was there was this thing…so ZeuS, which is the first and the biggest and baddest of the banking Trojans, that morphed into this thing called Gameover ZeuS, which was basically ZeuS on steroids.
They basically (again, not to go too much into technical detail), but they’d rejigged the command and control and they’d rejigged some of the backends and they’d move things even further to obfuscate the true sources of data and where, you know, where the infrastructure was.
But that and this new thing called Daya basically started targeting almost entirely (at least in my experience, there’s always some crusty malware analyst who’s like, “Well, that’s not entirely true Tilley, there was a variant that did this.” I was like, “That’s fine, but in my experience…”), they started targeting almost entirely business banking and sort of wealth management and sort of different types of financial institutions and financial…
So they sort of…the banks were doing such a good job at detecting and shutting down these retail banking attacks that the bad guys again pivoted and said, “Okay, well if we do 10 transactions of 50 grand and 9 get blocked, we don’t make that much money, but if we can find a way to do 4 transactions of 500 grand and 2 get through, we’re doing real good.” You know what I mean? That was sort of thinking, in my experience, that was the thinking.
So they sort of pivoted that away from retail banking and mom and dad accounts towards much more robust, well-funded types of accounts, which genuinely made them an awful lot of money. Like it was…there was no messing around anymore. It was quite bad.
And again, that was because the banks did such a good job at shutting down a lot of that retail making stuff that, that bad guys just had to pivot. And that sort of makes a lot of sense, right? You look where there’s money.
And then at the same time you had this evolution of money laundering and cash out pipelines and that sort of stuff happening. So, now you can transfer out of the country 500 grand, because you’ve got these mature money laundering networks set up.
So, everything sort of had matured at the same time to make these attacks not only possible, but really successful. And it all sort of built on the same basic, you know, basic foundation of hooking web browsers and reverse proxies, and all this sort of stuff. It was the same basic foundation, they just made it a bit more robust and then fired it through this massive cannon of money
Desi: From there, like, you talk about how they pivoted to, from the customer base where they were making kind of small-time money, probably constant into businesses. And then you spoke about a couple of operations that I think you were a part of, or there’s like the AFP with the Russian crime gangs attacks and stuff.
So, I think the one in the slides you had was “Operation Tovar: contributing efforts to pull down Gameover ZeuS in CryptoLocker.” So I think that was really interesting because that is kind of like a theory that you had with modern day criminals…
Alex: Yeah, so Operation Tovar was…that was actually Secureworks and the USDOJ, that was the former department of Secureworks, but that was the dismantling (well it’s Secureworks and some other companies as well), but it was the dismantling of Gameover ZeuS.
People worked very long and hard to understand how it worked, to understand where there could be weak points in it, and then just pressed on the weak points and managed to luckily take it down, and largely keep it down.
Like it…these things always have a bit of a resurgence where they try and come back. But so far it looks like, you know, taking it down and keeping it down was successful. It was a tremendous piece of work from lots and lots of people.
Yeah, Operation Tovar is one to definitely look into, for your audience to have a look into. I think we’ve got a blog at Secureworks for our part of it (sorry, not my part, I wasn’t involved, but you know, the part that we did at the time). And I think there’s also some US indictments and that sort of stuff floating around that you can read.
But it’s sort of…it was a brilliant piece of technical work from a lot of people to stop this thing and its tracks ‘cause it was so big and so bad. I think it was quite one of the most successful botnet takedowns that was done really.
Desi: Listeners will get to read up about it, we’ll link that in the show notes. But I guess CryptoLocker was also found, so…
Alex: Oh, yeah, sorry.
Desi: I think at this point like ransomware wasn’t really a big thing back when Operation Tovar was going on. Isn’t that right?
Alex: That’s correct. So at the time, ransomware wasn’t really a thing. And my understanding, and from some of the USS DOJ indictments that you can read, they found the source code for this thing called CryptoLocker on one of the servers.
And at this time, no one really knew what CryptoLocker was, like, ransomware didn’t really exist. It wasn’t a thing. But it genuinely, now, if you look back and historically now, it shows that even at that stage, those crooks were getting an idea that, “Okay, well hey, how about if we take the banks and the financial institutions out of the equation entirely? Let’s take all these protections that these people have built out of the equation entirely and let’s deal one on one with our victims.”
And it’s a much, much more lucrative approach for the bad guys because the victims’ organizations aren’t really set up to protect themselves, or at least haven’t been. They’re getting better as we’re getting more and more knowledge of these things.
But yeah, it definitely one of those things that sort of takes time. And to me it shows that there was that forward thinking by the crooks to, sort of, understand where to move to next.
Desi: Yeah. And it’s so clever as well because, like, they were honing their skills against banks this entire time who were sinking, like, so much money into security, and it’s just like you…it’s like having a pro player that spends all their time getting to pro and then they come back and play junior leagues against just someone who’s never played against a pro player before. And they’re just like, “What is this? Why am I getting hosed so easily?”
Alex: Yeah, oh, 100%. And it, it came out of left field and this at the same time was the sort of explosion of cryptocurrency, right? Which sort of facilitated a lot of this stuff. So, now I don’t even really need these large money mule networks, I can just get the money directly from the victim.
So it takes a lot more of the detection avenues out of the equation. And it was definitely, it’s crooks…so I’ve got a thing I always talk about, which is that, you know, you do a job for long enough, you get pretty good at it, right?
The same thing is true with criminals. You do crime long enough, you learn how to be a better crook. You learn, you know, your bag of tricks or your bag of tools gets bigger and bigger and bigger because you now have this experience.
And that’s one thing that I think a lot of people don’t give credit to crooks about, is that “Yeah, you know, if you stayed out of jail for long enough and you’ve done enough crimes, you’re a pretty good crook, you know, you’ve learned!”
And now when something comes along that, like if you are doing a scam, say, and you get involved with a, I don’t know, let’s say a piece of detection software that you haven’t seen before, you’ve got enough in that bag of tools to pivot and try something different to then still get to your aim. You’re not going to stop dead because you’ve got this whole big bag of experience to deal with. And I think we don’t give them enough credit from that respect.
Desi: Yeah, yeah. That’s very true.
Alex: Not them saying it’s good, but I’m just saying from a criminal point of view.
Si: It’s the nature argument, isn’t it? Is that, you know as soon as you invent a mouse trap, that nature will invent a better mouse. You know, it is a constant game that’s being played is, you know, evolution. You know, we evolve, they evolve, we evolve, they evolve. It’s nonstop.
And we’re seeing interesting and innovative innovation. (Of course it’s innovative innovation, he says! Tautology!) Innovative solutions to come up against this and crypto, like you say, you know, when we’re protecting the endpoints when…or not protecting the endpoints, but protecting the banking infrastructure, taking it to the endpoint becomes the logical thing. You are evolving to do something that deals with your current problems there.
Alex: Yeah. Which is why it makes such sense, and which is why I’m comfortable talking about it, even though I am mindful that I don’t want to tick off the banks, but I’m comfortable talking about it because it, to me, it shows that they did a really good job.
And that’s…it’s sort of perverted to think of it that way, but it’s like, I don’t think we’d be where we are now if the banks hadn’t done such a good job in putting so much effort and resources over the last 20 years.
And that’s, I think the whole crux of what I’m trying to get across, is not to say, you know, “Oh, banks screwed everything up and everything went bad,” which is not the case at all. It just means that the bad guys learnt as we learned and as we got better, they got better. And that’s just, as you’re saying, that’s just the nature of things.
Si: But ultimately taking it to the desktop shows that the banks have, you know, kind of succeeded in protecting their assets. You know, if it’s not worth going at the bank anymore, you’ve done your job, you know, well done!
Alex: Yeah. And it’s become a point now where unfortunately with ransomware it’s everyone’s problem. We did have it nice and sort of, I suppose “contained” is one word for it. We had it nice and contained to the financial sector.
And we’re like, “Okay, these bad guys that want to steal money, where do you steal the money from?” “Steal money from the financial sector.” So it was contained there and it was the bank’s problem. It was the, you know, wealth manager’s problem and the superannuation funds problem to secure the money.
Now it’s like, well no…now it’s, you know, that widget factory, it’s their problem now. Or it’s, you know, that pharmacy, it’s their problem now. And that’s where we’re at now and it’s got quite scary because a lot of those places are nowhere near ready to defend themselves.
And they just…you have one bad day and your help desk melts down because all your staff can’t log into their machines. “I’ve got this funny message on my machine.” And then it becomes really real. And it’s all of a sudden directly your problem. And that’s an interesting world to be in.
Si: Yeah. And it’s not a…and that lack of targeting. Again, you know, has caused serious problems in healthcare where, you know, the NHS here got hit, some hospitals in Germany got hit, resulting actually in the death, I believe that, you know, you’re talking about serious consequences now.
I mean losing money is not an insignificant problem, you know, I haven’t got any to spare, but, you know, death is kind of a level above, and that push out…
Alex: Oh, it’s absolutely brutal.
Si: …is causing that to be true.
Alex: Yeah. And it’s brutal. And you know, I speak a fair bit these days. I tend to go through waves of what I speak about a lot, but one thing that I haven’t stopped talking about in about the last seven years is ransomware, funnily enough, because everyone’s interested in it.
But it is one of those things where sort of, I will talk about it and I do a lot of work on business preparedness for response. So, I sort of talk about, “Let’s not talk about technical means, let’s talk about how the business is going to respond when this bad day happens.”
You know, and there’s a lot of different aspects to that. But when…invariably when I talk about it, a bunch of hands go up of people who have either lost a business or know someone who’s lost the job or whatever to a ransomware attack. It’s brutal.
And it’s, you know, it’s by its nature, it’s brutal, right? And I think that’s what we’ve got now is that the walls that the banks put up around your transactions and your savings were so well constructed. And over time, because it had to be. All of a sudden now, you know, all these companies just leaving the front door open and they’re getting punched in the head by it, and it’s terrible.
Desi: Yeah. And especially I guess with the shift of, like, even ransomware over maybe the last decade (even less) has shifted from not just encrypting the data, but exfiltrating and then extorting.
Which, like, in Australia is a very hot topic at the moment with the current Optus breach, like, being millions of Australians data out there and then having to clean that up and potentially at risk for further scams that way.
So, that’s I guess another revolution that was a small leap between encrypting to, “Oh, we can take data as well and then try and extort companies for it,” so…
Alex: And I think as a bad guy, if you’ve got enough access to encrypt the workstations, they just realize, “Wait a minute, we can steal this stuff as well. This is great. You know, we’re already here. I may as well just take it.”
And I think what it does is it, you know, like a ransomware attack if you’re a victim is…it’s a pain-based attack, right? It hurts a lot. It really, really hurts, that attack. But what we’ve seen now with this name and shame stuff and the exfiltration is there’s now pressure.
So, you’re bundling up this extreme pain of a business being, you know, existentially threatened, basically, with now the pressure of potentially your dirty laundry getting aired or your, you know, your mail spill getting dumped.
And it’s all designed to put to that pressure on either the board or, you know, the C-levels or whoever’s, you know, whoever’s making the decisions to pay. Because the pain wasn’t enough. And they’re like, “Well, okay, now we can really screw on.”
Si: That’s it though. It’s actually you going around and telling people how to prepare so that they’ve got good backups, and they’ve got disaster recovery plans, and they’ve got off– you know, offsite systems that aren’t connected that they can bring online to deal with stuff, has mitigated the ransomware as ransomware.
So they’ve had to evolve to the next level to do it. So again, you know, you have successfully caused them to evolve. So, you know, credit where credit’s due, you’ve done your job, well done!
Alex: Forced an evolution yet again!
Si: And this is it. And that’s, that’s the evolution now. I don’t think there’s much further they can go. I hope there’s not much further they can go. I mean after that…
Desi: Yeah, we’ll see.
Alex: I think there’s potential for…to take the ransomware out of the equation entirely, just use the name and shame, just use the exfiltration and data and the blackmail around the data.
You know, I think sometimes the actual identification of the entire network and deploying of the tool and running the tool and managing the keys is the hardest part of any compromise for ransomware.
I think getting the data out and now having the infrastructure set up to name and shame and do the money transfers, and all these sort of things, you might not even bother with the encryption anymore. You, let’s go, “Well, hey, I’ve got your crown jewels mate, what are you going to do about it?”
You know? You might ask for less per event, but it’s the same basic attack except for the end bit.
Desi: Yeah. And that’s definitely true of incidents that I’ve seen before when companies do have quite good backup solutions, is that it seems like a half-assed effort to encrypt the data. Like, they’ll just hit one file server maybe, but they’ve stolen data from three or four file servers.
And then it…the ransomware is almost just like, “Hey, we are here and look what we did.” And then with the communications, you’re like, “Oh, okay. They’ve actually taken (and the investigation, of course), they’ve taken quite a lot more than just the server that they’ve encrypted.”
Alex: Yeah. And you’re seeing, you know, the event of, you know, DDoS being chucked into the thing as well. You know, it’s like “Either pay off or, you know…we’ve ransomwared you, we stole your data and now we’re going to DDoS what’s left.” So, well, what are you going to do, right?
Desi: Kick them while they’re down is the…
Alex: Yeah, right? It’s all about pain and pressure. All about pain and pressure.
Desi: Awesome. Well it was really great talking to you this afternoon about your presentation. We’ve got a few more questions just to…a bit more lighthearted to finish off with, and then we’ll wrap it up. First one is: what is something that you’re excited that you are, like, got on next? Like maybe it’s a presentation or something that you’re working on, but what’s something that’s exciting you coming up?
Alex: Genuinely, I think I’m going back to New Zealand in a few weeks. I haven’t been there since Covid. I normally go to New Zealand every year for KiwiCon and some other stuff that’s on over there. And I think I’m going to be going back there. So, I’m really excited to see my friends in New Zealand again.
Desi: Are you going to be talking at Kiwi Con or a conference over there at all?
Alex: Yeah, but it’s a closed-door thing. But no, so yeah, I’ll be looking forward to that. And I’m doing…while I’m there, I’m running another session here in Australia, so I’m going to be…I’m trying to figure out time zones and stuff, so it’s doing my head in a little bit now. But I’m, yeah, I’m looking forward to seeing my friends in New Zealand for the first time in three years.
Desi: Nice, nice.
Si: Excellent. Good stuff.
Desi: That’s Si and I every time we try and organize a podcast, is just working out time zones between…
Si: Yeah. Which time zone are we in today? Yeah.
Alex: Yeah. And I had it organized and then we went and chucked daylight savings into the mix and I’m like, “wait, did that go forward or backwards? I don’t actually know what time…”
Si: Yeah. So you guys are well ahead of us on daylight savings. We haven’t got asked till, I don’t know, two, three weeks hence now.
Alex: There’s this weird period where it’s completely out of whack with the UK. And, like, then sort of gets back to a somewhat normal, but yeah, there’s this weird period where it’s way out.
Alex: Makes you get up early!
Desi: Yeah. What do you do to unwind? What’s your kind of downtime, whether that’s family or hobby, Netflix, reading…?
Alex: I used to love to read, but now all I do is read, you know what I mean? Like, you find, you read for a living pretty much. I honestly, I just, I play with my cats. And that’s so, that’s so boring and so stereotypical, but I just got a couple of cats and we play with them and sort of just fuss over them and try and sort of do that.
So yeah, that’s what I’m doing and I’m sort of looking at maybe in the future moving back up to Queensland and I’ll be looking forward to having a pool to bob around in, or the beach or something like that. Melbourne’s a bit…I love Melbourne, but it’s a bit gray and after 15 years, I’m sort of, I think I’m looking forward to getting back to the blue skies and the heat of Queensland.
Desi: Nice. That’s…coincidence…I’m off to Queensland next year, so I’m currently in South Australia, but yeah, looking forward to getting away. I’ve been here for seven years myself, so I’m looking forward to a bit of a change, which will be cool.
Alex: Watch after February. February’s a killer.
Desi: Yeah, I’ve heard
Alex: Especially in southeast Queensland. February’s a killer.
Desi: I guess, last one: so where…do you have any upcoming, I guess, public engagements that people can kind of catch you at if they’re out at any conferences or anything?
Alex: Yes. I’m just looking at my big whiteboard here. I’m doing…there’s a group that I’ve been involved with since I was back at AFP. It’s called SMBITPro, which is “small-medium business IT professionals”. And they’re a group of people that I adore that run businesses that help provide services for small-medium business.
So their national conference is on the Gold Coast at the end of October. And then if anyone’s in Canberra, I’m speaking at ISACA in Canberra on 4th of November. So, if you want to come along and say hi, that’d be great. But yeah, that’s sort of the public stuff I’ve got going on. It’s going to be a big last part of the year as it always is.
Desi: Yeah. Depending when we release this, we’ll chuck those down in the show notes as well if people want to get along and see Alex do a talk.
Alex: That SMBITPro group, I think they’re great. They’re just…it started out really small, started going, there must have been 10 years ago now, speaking there. And it’s just grown and grown and grown as people try and help out small and meeting businesses, and they’ve got a really good network together that sort of help each other. So I’m all about the sharing.
Desi: That’s awesome.
Si: It sounds really good, yeah.
Desi: Alright, so before we sign off, I guess, Si, do you kind of have any last minute questions for Alex?
Si: I think, I did have one, but I think we’ve answered it already. I was just like, where do you see it going? What’s the next evolution or what should we be looking out for next?
Alex: That’s a really great question and genuinely, it’s a great question because it’s so hard because I…all of the pieces have existed for a long time for a really, really well featured and functional mobile malware piece, right?
(And I’m speaking about Androids because, you know, the whole walled garden thing, but that will eventually will get popped, so we’re not going to separate the two of them, we’ll just assume that it’s going to happen.)
But all the pieces have existed for many years to make that a really bad threat to business and personal information. Yet there hasn’t been…apart from FluBot, which FluBot did its damage, don’t get me wrong. FluBot did do a lot of damage which was a piece of mobile…basically mobile banking malware recently taken down. So that seemed to be where they were getting it together.
But we talk about going back to, you know, names like Marcher and ExoBot and Anubis, all these mobile pieces of malware that targeted banking platforms that never really got, you know, got going. FluBot seemed to do a bit of damage.
The bit that I’m sort of thinking about next is: we all use these fleet management softwares to push out software updates to our company’s fleets and workstations, and now more and more mobile handsets, it’s entirely possible that you can push out a piece of ransomware to your entire fleet of handsets.
You know what I mean? Like, all of the pieces exist for that to happen and have had for a long time. It just hasn’t been done yet. But, you know, if you pop someone’s fleet management software and push it out, you can all of a sudden lock up, you know, 20,000 mobile phones. That’s pretty damaging to a business.
I suppose, you don’t need to now because you can lock up 20,000 workstations. But I just think that…I don’t know, it’s just the fact that that threat hasn’t been realized on a large scale is very interesting to me.
And I think maybe it’s only a matter of time. I think we put a lot of trust in our handset manufacturers and our, you know, software platforms to do it right. But we’ve seen that most things can be subverted on a workstation basis, so it would make sense that maybe on a handset basis. But yeah, here we are, right?
Desi: Yeah. I mean even that’s evident, and there’s stories about even law enforcement going the other way when there’s secure phones that are used by criminals and then they’re getting in and making back doors to perform surveillance and that kind of thing, which is all sanctioned and good for catch the criminals.
But I mean, that’s a small-scale thing. Like you’re saying, the criminals could get in and do that to mobile platforms.
Alex: Software’s very rarely perfect as we know! You know? It just has…it’s a question of having a will, I suppose to do it. So I hope it doesn’t happen, don’t get me wrong, but it just seems like it’s an interesting target for something like that.
Desi: Yeah. Well, hopefully we didn’t give them any ideas that they did…But that’s a really good point to finish on, I think. So, I just want to say thanks so much for joining us today on the podcast. It was a pleasure talking to you and diving deep into that presentation I saw you do at Adelaide Sack.
Alex: Awesome. It was an absolute pleasure to be here. Thank you very much for your time.
Desi: Thank you. And thanks also to our listeners. You’ll be able to find this recording and transcript along with more articles, information, and forums on forensicfocus.com.