Hacking the Hackers

In a recent blog, we wrote about Alexander Hall, an ex-fraudster turned security consultant.

In his criminal past, Alex was involved in a wide variety of scams, including the use of stolen identity information that enabled him to access and take-over user accounts.

While making money by taking over accounts is ultimately the end use of the majority of stolen credentials, this information is typically obtained from the servers of online businesses by hackers whose primary goal is making a profit by either selling it on the dark web, using it to demand a ransom from account holders or the companies that were hacked, or to hack into even more servers.

At the forefront of the fight against malicious hackers is cybersecurity expert Vinny Troia, CEO of Night Lion Security. Troia’s approach to cybersecurity is unique. While a significant portion of his time is spent performing “white hat” hacking services for online companies, looking for vulnerabilities that could be exploited by bad actors, he takes the game a step further, seeking to find the identities of those who have stolen credentials and other personally identifying information.

This is no easy task.

Hackers have a multitude of techniques for throwing law enforcement – and private investigators – of their trails, hiding behind multiple usernames on dark-web forums, assuming the usernames of other hackers, posting misleading blogs designed to lead investigators down rabbit holes, and carefully covering their tracks at every move.

The process of identifying bad actors is a matter of investigating every lead and keeping a massive spreadsheet of signs that fragments of identity information belong to the same person, connecting the dots and looking for corroborating information. It’s an exhausting, time- consuming and labor-intensive process, but Troia has a few tricks up his sleeve.

One creative technique used by Troia involves using the “Forgot password?” function that can be found on email and other types of online accounts. By entering in an email address that’s believed to be associated with a bad actor, the email account provider will provide a prompt to send password reset information to a choice of a recovery email account or phone number. The address of the recovery email – or the phone number – will be partially obscured, but the specific digits or letters obscured will vary by platform, making it possible to assemble a complete email address or phone number, and providing another data point to add to his spreadsheet.

Another tactic employed by Troia is posing as a fellow hacker on dark web forums, nurturing relationships with bad actors and teasing information out of them.

Troia also takes liberal advantage of the fact that 100% of hackers are vain people who seek the validation of others in their community – or at least they were when they were young. Young hackers often display a shocking disregard for OPSEC, or operational security, when bragging about their exploits on forums or social media. Though they may become wiser when they’ve grown up a bit and delete the incriminating information they’ve left behind, that’s not always good enough. Using tools like The Wayback Machine, a service that’s been archiving the internet since its launch in 1996, it’s possible for Troia to find clues as to the identity of bad actors. The internet is forever, as they say.

According to Troia, the importance of historical data cannot be overstated, and free tools like The Wayback Machine are the exception rather than the rule. There are paid tools that offer historical data on everything from open-source content found on websites and forums to the ownership of IP addresses, but typically, he says, you get what you pay for.

Another essential for serious investigators, according to Troia, is access to a massive number of data sources and a tool that makes it easy to analyze them – tools like Data Viper, a tool that he created to analyze breached data collections available for sale on the dark web; Maltego – a collection of tools designed for open-source forensics, link analysis, and data mining; Pipl – the
online identity company; and many others.

Above all, Troia cautions investigators to save every single clue they come across. The road to finding cyber criminals is long and winding, and new clues can suddenly shine a new light on information that may have been considered irrelevant earlier in the investigation.
‍

Vinny Troia, Ph.D., is the CEO and co-founder of Night Lion Security, white hat hacker and cybercrime investigator. With over 20 years’ experience in IT security consulting, threat hunting, and penetration testing, Troia launched Night Lion Security in 2014 to put his passion into practice and take an unconventional approach to an oversaturated market.

In addition to running a security consulting firm dedicated to providing top-tier ethical hacking and risk management services, Troia spends most of his free time hunting for data breaches and infiltrating private criminal circles on the dark web. He is a member of the McAfee Global Technologies (MGT) prestigious Hacker Advisory Board.

Troia published his first book, “Hunting Cyber Criminals” in January 2020, detailing the beginning of the years-long ongoing cybercriminal investigation about the cybercrime group TheDarkOverlord. This project and its findings will also serve as inspiration for his next piece about digital investigations and intelligence gathering.