Friday 5 October 10:00 - 10:30, Green room
Dhia Mahjoub (Cisco Umbrella (OpenDNS))
Jason Passwaters (Intel471)
Through the 2000s ICQ was the 'go-to' chat application amongst cybercriminals, but over time trust in ICQ degraded because it was owned by US-based AOL. By early 2009, XMPP, commonly referred to as Jabber, started to gain traction as a more secure and trusted means of communication: it offered GPG/PGP-encrypted chats, Off-The-Record (OTR) client-to-client encryption, and other functionality that was ideal for communicating with geographically dispersed cybercriminals across an array of criminal services, products and goods.
XMPP is currently the preferred method of communication amongst cybercriminals. Two fundamental aspects of XMPP drive its popularity: client-to-client encryption (OTR) and the ease with which you can run your own server. A unique opportunity presents itself any time threat actors and groups isolate themselves in a single location or on a single server. While a number of aspects of XMPP offer opportunities for researching the cybercriminals behind the client, the way XMPP uses DNS is particularly interesting when researching cybercriminal groups that opt to run their own servers. In this talk, we introduce unconventional techniques to analyse Jabber DNS traffic at global scale and uncover trends for both popular and more obscure Jabber servers. In particular, we show how we separate client-to-server from server-to-server communications. We also analyse the client and hosting IP space of Jabber servers tied to cybercrime forums and credit card dump shops, and link that to bulletproof hosting providers. Overall, we provide a unique new view into the private communications ecosystem of cybercriminals.
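To make the DNS angle concrete: XMPP discovers servers through SRV records, and RFC 6120 gives the two sides different names (`_xmpp-client._tcp.<domain>` for client-to-server, `_xmpp-server._tcp.<domain>` for server-to-server; XEP-0368 adds `_xmpps-client` and `_xmpps-server` for direct TLS). The label of the query therefore tells you which side is looking, which is the basis for splitting the two kinds of traffic. The following is an added example and not the authors' tooling; it assumes a constructed passive-DNS style log format of `<timestamp> <source_ip> <qtype> <qname>` and the constructed sample lines embedded below.

```python
"""Separate XMPP client-to-server (c2s) from server-to-server (s2s) DNS lookups.

Added example, not the talk authors' code. The log format below is an
assumption (constructed); only the SRV labels come from RFC 6120 / XEP-0368.
"""
import re
from collections import defaultdict

# Constructed sample of passive-DNS style query lines (not real data).
SAMPLE_LOG = """\
2018-10-05T09:00:01Z 203.0.113.10 SRV _xmpp-client._tcp.example-jabber.test.
2018-10-05T09:00:02Z 203.0.113.11 SRV _xmpp-client._tcp.example-jabber.test.
2018-10-05T09:00:03Z 198.51.100.5 SRV _xmpp-server._tcp.example-jabber.test.
2018-10-05T09:00:04Z 203.0.113.12 SRV _xmpp-client._tcp.other-jabber.test.
2018-10-05T09:00:05Z 198.51.100.6 SRV _xmpp-server._tcp.other-jabber.test.
2018-10-05T09:00:06Z 198.51.100.7 SRV _xmpp-server._tcp.example-jabber.test.
2018-10-05T09:00:07Z 203.0.113.13 A example-jabber.test.
2018-10-05T09:00:08Z 203.0.113.14 SRV _xmpps-client._tcp.example-jabber.test.
"""

# SRV service labels XMPP uses for discovery, mapped to the side that asks:
# a client resolving its home server (c2s) or a peer server federating (s2s).
SRV_ROLE = {
    "_xmpp-client": "c2s",
    "_xmpps-client": "c2s",   # XEP-0368 direct-TLS variant
    "_xmpp-server": "s2s",
    "_xmpps-server": "s2s",   # XEP-0368 direct-TLS variant
}

SRV_RE = re.compile(
    r"^(?P<service>_xmpps?-(?:client|server))\._tcp\.(?P<domain>\S+?)\.?$"
)


def classify_qname(qname):
    """Return (role, jabber_domain) for an XMPP SRV name, or None otherwise."""
    m = SRV_RE.match(qname.lower())
    if not m:
        return None
    return SRV_ROLE[m.group("service")], m.group("domain")


def parse_line(line):
    """Parse one assumed-format log line; keep only XMPP SRV lookups."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, qtype, qname = parts
    if qtype.upper() != "SRV":
        return None
    cls = classify_qname(qname)
    if cls is None:
        return None
    role, domain = cls
    return {"ts": ts, "src": src, "role": role, "domain": domain}


def summarize(log_text):
    """Per Jabber domain, the distinct source IPs seen doing c2s vs s2s lookups.

    The c2s set approximates where a server's users sit; the s2s set
    approximates which peer servers federate with it. Each is a different
    slice of IP space to enrich (ASN, hosting provider) afterwards.
    """
    out = defaultdict(lambda: {"c2s": set(), "s2s": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            out[rec["domain"]][rec["role"]].add(rec["src"])
    return {d: {r: sorted(v) for r, v in roles.items()} for d, roles in out.items()}


def rank_by_clients(summary):
    """Order domains by distinct c2s resolvers: a rough popularity measure
    that separates widely used servers from obscure, self-hosted ones."""
    return sorted(
        ((d, len(r["c2s"])) for d, r in summary.items()),
        key=lambda item: (-item[1], item[0]),
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for domain, roles in summary.items():
        print(domain, "c2s:", roles["c2s"], "s2s:", roles["s2s"])
    print("ranked:", rank_by_clients(summary))
```

Run against real resolver data the same split applies unchanged: the `_xmpp-server` lookups come from the hosting space of federating servers, the `_xmpp-client` lookups from wherever the users are, and each set can be joined against ASN and hosting data separately.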
This talk will be very useful to threat intel researchers and law enforcement tracking these aspects of cybercrime as they relate to global internet traffic.