Tech-Tube


Thursday, January 3, 2008

Phishing with Botnets



Phishing is the act of tricking someone, via the computer, into giving you confidential information such as SSNs, DOB, credit card numbers, etc. for malicious purposes. Phishing messages are generally received via email. Botnets are a collection of software or computers that run autonomously. When these two are combined, a criminal enterprise may very well exist. Millions of dollars are generated by these illicit businesses, resulting in nearly 15 million Americans being victims of identity theft. Enter Fast Flux, a rapid way to randomly use computers to do this with changing IP addresses.

One tool we as investigators can use to begin an investigation into these types of crimes is DNSStuff Tools. This begins the mapping process to better understand the origins of phishing emails. Working through this and comparing the IP addresses and TTLs gives you a better understanding of the life of each IP and of whether you are dealing with a round-robin scenario. If targets expire, try pinging again; if the address is constantly shifting, you may have what is known as fast flux. Use the Whois tool to identify the owner of the IP. If you are getting what appears to be a legitimate organization, then you may not need to be concerned. If you are getting a bunch of ISPs associated with consumers, then you may have a bot-infected host. It is recommended that the ISP be contacted to alert them of your discovery.
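The comparison described above, as an added example that is not part of the original post: given the answers from repeated lookups of one hostname (IP, TTL and the Whois owner of each IP), it separates a stable round-robin pool from a constantly shifting one. The sample data, the owner labels and the `low_ttl` and `min_owners` thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Answer:
    ip: str     # address returned for the hostname
    ttl: int    # record TTL in seconds
    owner: str  # network owner reported by Whois

def classify(rounds, low_ttl=300, min_owners=3):
    """rounds: one list of Answer per lookup, each lookup made after the
    previous TTL expired. low_ttl and min_owners are assumed thresholds."""
    answers = [a for r in rounds for a in r]
    if not answers or len(rounds) < 2:
        return {"verdict": "need more lookups"}  # one lookup cannot show change
    seen, churn = set(), 0
    for i, r in enumerate(rounds):
        ips = {a.ip for a in r}
        if i > 0 and ips - seen:
            churn += 1  # this lookup returned addresses never seen before
        seen |= ips
    owners = {a.owner for a in answers}
    max_ttl = max(a.ttl for a in answers)
    if len(seen) == 1:
        verdict = "single host"
    elif churn == 0:
        verdict = "round robin"  # same pool every time, order may rotate
    elif churn == len(rounds) - 1 and max_ttl <= low_ttl and len(owners) >= min_owners:
        verdict = "possible fast flux"  # short-lived IPs spread over many networks
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "ips": len(seen), "owners": len(owners),
            "max_ttl": max_ttl, "rounds_with_new_ips": churn}

# Constructed sample data (documentation address ranges, made-up owners).
pool = [Answer(f"192.0.2.{n}", 3600, "Example Hosting Co") for n in (10, 11, 12)]
ROUND_ROBIN = [pool, pool[1:] + pool[:1], pool[2:] + pool[:2]]
FAST_FLUX = [
    [Answer("198.51.100.7", 180, "Consumer ISP A"), Answer("203.0.113.21", 180, "Consumer ISP B")],
    [Answer("203.0.113.88", 180, "Consumer ISP C"), Answer("198.51.100.140", 180, "Consumer ISP A")],
    [Answer("192.0.2.201", 180, "Consumer ISP D"), Answer("203.0.113.5", 180, "Consumer ISP B")],
]

if __name__ == "__main__":
    for name, data in (("round robin sample", ROUND_ROBIN), ("fast flux sample", FAST_FLUX)):
        print(name, classify(data))
```

A "possible fast flux" verdict is a lead for the Whois and ISP follow-up described above, not proof on its own.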

For us as professionals, technology not only plays an important role in our investigations; we also often find ourselves looking into those who abuse it for criminal purposes. The continuously evolving field of cyber-security and cyber-investigations is where our industry is headed.
