The life story of an IPT - Inept Persistent Threat actor

Thursday 5 October 09:00 - 09:30, Red room

Adam Haertlé (BadCyber.com)



This presentation will follow a Polish threat actor, known as 'Thomas', in his career as a wannabe cybercriminal from late 2011 until today. We will watch his first steps on HackForums, where friendly vendors and free tools helped him to build his first botnet. We will follow his phishing and spam campaigns visible in the media and correlate them with tool purchases on HF. We will see how his tools evolved and his botnets grew despite his total lack of technical and language skills, and how he even managed to perform targeted attacks against state institutions. We will celebrate with him as he bragged about successes and commiserate with him over his failures, as he attempted to pivot into banking fraud and got scammed by others on multiple occasions. We will look at his business strategies and monetization vectors, including a botnet-as-a-service offering, while contemplating his pricing strategies and ad design skills. We will watch him try to defraud competitors with a deceptive video demonstration of his own hacking tools, using the opportunity to get a glimpse of his desktop, and we'll look at an unsolicited interview he gave to a malware analyst while the latter reverse engineered one of his malware samples. Finally, we will discover his identity through multiple uncensored screenshots and end by trying to explain the legal hurdles that mean that, despite being well known to the law enforcement community, he remains at large. Every step of our journey through the timeline of his criminal career will be illustrated with relevant screenshots or videos, documenting his operations from both the victims' and the perpetrator's points of view.