Breaking Badness

142. The Pheast of the Seven Phishes

Coming up this week on Breaking Badness. Today we discuss: Seize The Domains and Sam OpenAI Am.

Here are a few highlights from each article we discussed:

Seize The Domains

  • The US Department of Justice has seized 48 Internet domains and charged six suspects for their involvement in running ‘Booter’ or ‘Stresser’ platforms that allow anyone to easily conduct distributed denial of service attacks.
  • These terms (booter and stresser) feel right out of Prohibition times, but what do they mean?
    • You can call them booters, stressers, or “website reliability test tools,” but they’re services that represent themselves, in a way that everyone knows is BS, as tools to stress-test a site to see if it will hold up under high traffic volumes. But their real purpose is, as you alluded to, running DDoS for bucks
    • As we understand it, at least part of this actually has its origins in the online gaming world, where rivals would try to take down each other’s servers. But of course there are a lot of markets for DDoS.
  • There are warnings on these sites asking people to not use them to conduct attacks, but could there ever exist a situation where they’re used for legitimate testing and not end up on a hacker forum?
    • As we’re all probably aware, you could come up with the most intrinsically benign thing in the world and it would probably end up in some hacker forum somewhere
    • But as suggested above, those notices to users not to use them for DDoS are posted with a huge wink and nod, in an effort to keep the sites up and as a defense against prosecution
    • Tim looked at some of these sites many years ago as part of an illustration of how to use a pivoting methodology to find out more about malicious infrastructure and the actors who operate it
      • This was in the days before the near-universal Whois privacy that we see in the post-GDPR world, when you had to opt in and pay extra for privacy, and guess what—the sites were cloaked in various forms of privacy, from regular privacy proxies to obviously fake registrant identities
      • Now, ask yourself this: if these were aboveboard businesses, selling a nice QA type of service for website owners, why would they go to such lengths to obscure their identities? So yeah…not innocent
  • In this particular case, do we know if the suspects running their booter/stresser sites were actively on the hacker forums or is there a process they neglected to go through to ensure their services weren’t being used to conduct attacks?
    • We think if any of the individuals charged here try to make the case that they were not actively on these forums, it will have just as much credibility as those “don’t use this for DDoS” warnings
    • There were promotions and coupons and such on these forums to try to sell these things all over the cybercrime underworld
    • Now, they did have affiliate programs in place to help multiply their efforts to promote these things, so some of the promotion was by proxy, but yeah, no, it’s very clear that these owners/operators were 100% involved
    • Of course, we as podcasters don’t have the same burden of proof as the FBI, but take it from us, this is rock-solid
  • What’s the process of the FBI seizing domains?
    • Everyone say it with us now: it’s…..always…..DNS!
    • When law enforcement has the go-ahead to take down domains, they work with the domain registrars to transfer control of the domains’ DNS records to the law enforcement agency
    • So when anyone goes to the domains after that, they see whatever the law enforcement agency wants them to see, which can range from nothing at all (the page never loads) to the very bright, bold notices that the FBI put up on these domains describing how and why they’ve been taken down, telling folks that by the way they should not be using booter services, and there’s a link to their blog/press release about the operation

Sam OpenAI Am

  • OpenAI Chat has grown in popularity recently. Users can chat with it as if it were a real person and it answers questions, writes code, and it even remembers context. But could its potential expand to phishing campaigns?
  • OpenAI reminds us of a more advanced version of SmarterChild from the AOL Instant Messenger days, but what is it and what’s its intention?
    • What we’ve been seeing in the news is something called Chat GPT, which is owned by OpenAI. It is a simulated chat bot, and its language model was trained on the Internet up until 2021 (because at a certain point, you have to stop feeding it and let it do something)
    • You can interact with it, you can ask it any question and it will provide answers, but because it was trained by the Internet and GitHub, you can ask it to code basic things. It’s not always right, but it’s very confident 
    • That hubris is part of its personality 
    • It’s free for use
  • Rick Osgood wrote a blog post around using OpenAI chat to generate phishing campaigns
    • It was more than happy to oblige 
    • The prompt he gave it was “write an email offering the recipient a $50 Amazon gift card if they click a link to complete a survey, put the link in the middle of the email, and make it come from Human Resources.” and it was able to do it
    • He then asked it to rewrite the email with grammatical mistakes and more urgency
    • It’s kind of a call and response scenario
    • He was able to not only create the email with the clickable link, but also the accompanying landing page using this technology
  • There are some topics that Chat GPT handles well, and others it kind of stumbles over
    • Taylor asked it to create a cybersecurity-related pun, and it was unable to do so 
    • But again, it’s very confident in its answers 
  • Can it be used for good and evil? Can we fight phishing with this technology?
    • Rick doesn’t delve into this topic in his current blog post
    • He’s coming at it from a Red Team perspective 
    • Taylor supposes we could churn out fake targets and flood the zone from the other direction
  • Will we see an actual phishing campaign using Chat GPT soon? Will we be able to trace it back to that technology?
    • It definitely will be used for these purposes
    • We’re in the early stages, and it’s hosted on the OpenAI servers right now, but we’re certainly not far from it

This Week’s Hoodie/Goodie Scale

Seize The Domains

[Tim]: 3/10 Gingerbread Goodies
[Taylor]: 1.73/10 Gingerbread Goodies

Sam OpenAI Am

[Tim]: 8/10 Hoodies
[Taylor]: 7.5/10 Hoodies

That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

*A special thanks to John Roderick for our incredible podcast music!