Two U.S. men charged in 2022 hacking of DEA portal (krebsonsecurity.com)
131 points by todsacerdoti on March 15, 2023 | hide | past | favorite | 60 comments


> The government alleges the defendants and other members of ViLE use various methods to obtain victims’ personal information, including:

- tricking customer service employees;

- submitting fraudulent legal process to social media companies to elicit users’ registration information;

- co-opting and corrupting corporate insiders;

- searching public and private online databases;

- accessing a nonpublic United States government database without authorization;

- unlawfully using official email accounts belonging to other countries.

>Prosecutors say they tied Singh to the government portal hack because he connected to it from an Internet address that he’d previously used to access a social media account registered in his name. When they raided Singh’s residence on Sept. 8, 2022 and seized his devices, investigators with Homeland Security found a cellular phone and laptop that allegedly “contained extensive evidence of access to the Portal.”

>The complaint alleges that between February 2022 and May 2022, Ceraolo used an official email account belonging to a Bangladeshi police official to pose as a police officer in communication with U.S.-based social media platforms.


> because he connected to it from an Internet address that he’d previously used to access a social media account registered in his name.

Is the implication here that the US gov has broad access to account IDs->IP address which access social media accounts? Or can the FBI/three-letter agencies go to Twitter/FB/etc. (or some NSA db) and ask which accounts logged in via x IP address? Or, less conspiratorial, the investigators had some leads on x group of accounts -> got warrants for account IP addresses -> confirmed hypothesis.


The US government requires that all ISPs install wiretapping devices as a precondition for doing business.

Failure to install and maintain wiretapping devices incurs a penalty of $130,000 per day, with a maximum of $1,325,000 per violation (unlimited violations).

Assume every ISP is compromised and that every government agency can see everything.

https://en.wikipedia.org/wiki/Communications_Assistance_for_...


Due to HTTPS, an ISP will not see which social media account someone is logging in unless it's somehow leaked in unencrypted form (unlikely).


They don't need to leak it. ISPs, web hosts, social media companies, etc. give up the information willingly, and the feds take care of all the correlation work as needed.

Remember "SSL added and removed here :^)"?

https://archive.is/W3PDG


"SSL added and removed here :^)" was over a decade ago now? HTTPS and encryption since became commonplace.

Not to mention, there's really no reason for the feds to try and break/work around HTTPS in this case when they have more than enough to subpoena the provider and they'll happily surrender the logs.


>"SSL added and removed here :^)" was over a decade ago now?

Yes, and surveillance has become even more entrenched since then.

>HTTPS and encryption since became commonplace.

HTTPS only protects the information in transit. It can't protect you from a backdoored load balancer or other endpoint, which is what that infamous slide was about.

The NSA wasn't breaking encryption, but rather compromising the devices that were communicating via HTTPS with you. The little padlock icon in your browser says nothing about the trustworthiness of the server on the other end. It's like talking on a secure line with someone who is actually a spy.


I think you are looking too closely. They were being investigated for Instagram extortion. They had an IP. Therefore subpoena Instagram for that IP. Not exactly rocket science.


That's probably most likely


FBI asks Twitter, Facebook etc. who used this IP address. They will probably tell them. If they don't, it gets a subpoena, and then they get the accounts. It's regular everyday police work. No secret spy programs required.


This. For the feds they're called 2703d orders to request for information. It's a pretty common thing.


It definitely implies one of these, and at face value, they're both terrible. A single IP being used somewhere makes sense to go to the ISP and ask "hey who was this IP assigned to at this time?".

It does not make sense that the police should be able to get a warrant for data from every single website in the western world based only on a single IP. But Snowden already proved that PRISM is a thing.

Also why stop at Facebook/Twitter/Discord? Should police also get warrants for AshleyMadison.com, Tryst.link, UnitedNuclear.com, DonateToPoliticalParty.org, INeedAnAbortion.org, etc etc? "Hey did anyone with this IP perform a transaction on your site and can you give us their name?"


> It does not make sense that the police should be able to get a warrant for data from every single website in the western world based only on a single IP.

Why not?

The police can go around every single business in town, and ask if a man matching some particular description patronized it.

This isn't a fishing expedition, this is the police asking for particular information about a particular person, who they are investigating for a particular crime. This is... Normal police work.


They can go around to every business in town and ask, they can’t get a warrant though.


It's quite likely that the police came to Facebook et al with warrants.


Yes, and some people think the issuance of those presumed warrants is inappropriate. However, it’s been proven that the government doesn’t necessarily need warrants, as they’ve had unlimited access to the firehose of data directly through the PRISM program.


PRISM was a web portal for serving warrants and NSLs, but if we repeat the original misreporting enough times, I guess it'll stick.

If what you're saying is true, these guys will walk because they'll challenge the lack of warrant in court. I have strong doubts that they are going to be walking anytime soon.


Well, I don’t think they’ll walk if there’s no warrant because the third party doctrine allows Facebook to share whatever they want to with the police. A warrant would actually be “worse” … if it’s based solely on a single one-time IP.


I don't see where you're getting "conspiratorial". It's no doubt just that, y'know, warrants shall issue upon probable cause. If you give information about yourself to someone else, and the cops reasonably suspect you of a crime and can convince a court to that effect, then they can get the info. There's absolutely no new or weird law enforcement powers needed.


I said less conspiratorial in context of the third option because the other two were obviously much more sketchy options? Obviously if the investigators had a lead on particular social media usernames they could get warrants for them.

Unless you mean you think it's "normal" for police to ask Google/Twitter/etc for data dumps of every single account that ever connected from x IP address?


> Unless you mean you think it's "normal" for police to ask Google/Twitter/etc for data dumps of every account that ever connected from x IP address?

I don't see where "data dumps of every account" is substantiated anywhere, you're introducing that as a prior. They no doubt had a suspect[1], got something incriminating, took it to a judge and that was enough to get Meta or whoever to cough up the logs. If you're genuinely curious just wait for the court case and follow it. The defense will be presented with all the warrants and will challenge things if they don't look legal.

[1] No doubt because someone got sloppy with opsec and posted something from the wrong account. It's always something like that. Crime is actually really hard to do anonymously.


> They no doubt had a suspect[1], got something incriminating, took it to a judge and that was enough to get Meta or whoever to cough up the logs.

So literally what I said in my original comment:

>> Or, less conspiratorial, the investigators had some leads on x group of accounts -> got warrants for account IP addresses -> confirmed hypothesis.


Didn't Snowden give us some insight into how these things happen? What would lead us to believe they do not currently happen?


I wouldn't be surprised, but parallel construction is also likely in these cases. E.g. they have some god-mode global network analytics to link most VPNs to real IPs, and simply make up some alternative plausible but bs story about how they tracked them.


> parallel construction is also likely in these cases

Source? Why is this likely?


I kind of thought even the second option here was pretty much a given these days.. Is it even more conspiratorial than the third?


It sounds like "parallel construction".


These investigations take a ton of time and involve lots of subpoenas.


Doesn't have to be a govt conspiracy; Facebook will sell you IDs->IP address. It's literally their business model, answering the question "Who bought stuff where, or when do people want to buy stuff?". "Where" and "when" can be derived from a time series of IPs, for example to know if you observed something on your phone over wifi (implying you live with others, so network-based ads would be most effective) or cellular (implying you're alone rn + targeted ads are better).


If he had kept the phone and laptop encrypted would he have gotten away with it? IP address is something, but not a smoking gun.
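The thread above keeps circling the same investigative question: given one IP address, which accounts used it, and how much does that actually prove? The following is an added example (not from the article or any commenter) showing the defender-side log correlation an incident responder or a provider's legal-response team would run over authentication logs. The login records are constructed sample data, and the function names are my own.

```python
"""Pivot on a source IP in authentication logs and weigh how strong the link is.

Added example with constructed data; not from the article or the discussion.
"""
from datetime import datetime

# Constructed sample auth log: (timestamp, account, source_ip). Not real data.
LOGINS = [
    ("2022-03-01T09:00:00", "alice", "203.0.113.10"),
    ("2022-03-01T09:05:00", "bob",   "203.0.113.10"),
    ("2022-03-02T21:00:00", "alice", "203.0.113.10"),
    ("2022-03-05T08:30:00", "carol", "203.0.113.10"),
    ("2022-03-05T10:00:00", "alice", "203.0.113.10"),
    ("2022-03-06T12:00:00", "dave",  "198.51.100.7"),
    ("2022-03-07T23:30:00", "alice", "198.51.100.7"),
]


def parse(ts: str) -> datetime:
    """Timestamps in the sample are ISO 8601 without a zone; treat them as UTC."""
    return datetime.fromisoformat(ts)


def accounts_from_ip(records, ip, start, end):
    """The subpoena-style question: which accounts logged in from `ip` in [start, end]?

    Bounding the window matters because residential and mobile IPs are reassigned;
    an unbounded query sweeps in unrelated users (the 'data dump' worry above).
    """
    lo, hi = parse(start), parse(end)
    return sorted({acct for ts, acct, src in records
                   if src == ip and lo <= parse(ts) <= hi})


def link_strength(records, ip, account):
    """Distinct days the account was seen from the IP.

    One hit is weak evidence: CGNAT, VPN egress nodes and shared household
    connections put many users behind one address. Repeated use across days
    is the kind of corroboration that turns an IP into a lead worth pursuing.
    """
    return len({parse(ts).date() for ts, acct, src in records
                if src == ip and acct == account})


def shared_ip_candidates(records, ip, min_days=2):
    """Rank accounts by repeated use of the IP; single-day sightings are dropped."""
    seen = {acct for _, acct, src in records if src == ip}
    ranked = {acct: link_strength(records, ip, acct) for acct in seen}
    return {acct: days for acct, days in ranked.items() if days >= min_days}


if __name__ == "__main__":
    ip = "203.0.113.10"
    print("accounts on", ip, "on 2022-03-01:",
          accounts_from_ip(LOGINS, ip, "2022-03-01T00:00:00", "2022-03-01T23:59:59"))
    print("repeat users of", ip, ":", shared_ip_candidates(LOGINS, ip))
```

On the sample data, "alice" is the only account seen from 203.0.113.10 on several distinct days; "bob" and "carol" each appear once and would be treated as incidental co-tenants of that address rather than suspects. That is the distinction the "not a smoking gun" comment is getting at: the IP narrows the search, and repetition plus the device evidence is what carries the case.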


> On or about May 9, 2022, the government says, Singh sent a friend screenshots of text messages between himself and someone he had doxed … and was trying to extort for their Instagram handle. The data included the victim’s Social Security number, driver’s license number, cellphone number, and home address.

“Look familiar?” Singh allegedly wrote the victim. “You’re gonna comply to me if you don’t want anything negative to happen to your parents. . . I have every detail involving your parents . . . allowing me to do whatever I desire to them in malicious ways.”

I struggle to understand what could be so important about an Instagram account that you threaten someone’s family.


Premium Instagram handles can go for tens of thousands of dollars on the grey market, similar to how premium domain names can be very expensive. This particular situation with extortion for Instagram handles is pretty common.


Money? Some people will do very bad things for money.


> I struggle to understand what could be so important about an Instagram account that you threaten someone’s family.

I struggle to understand how having random personal information of that sort would be considered a threat.

Oh noes, not my address! You're threatening me with the same information that T-Mobile already pissed all over the web a year or two ago...


Honestly, faced with such a PM I would most likely threaten the crook back and mock them when they inevitably fail to show up.

I guess I could use some excitement in my life.


> allowing me to do whatever I desire to them in malicious ways.

Really? You really struggle to see the threat? Really?


If you don't think someone knowing your home address is a threat, post yours here.


178 Concord St Brooklyn NY

Google your own name and the first hit you'll get is your address.


I’ll preface that none of this is meant as an actual threat.

Psychologically, to someone not IT savvy, the Instagram hack might seem like someone means business. If I made the same threat and showed someone photos of their children, they’d surely feel similar, despite the fact that all that proves is that I know where they live and I own a camera.


Are you suggesting the threat was a bluff? How can you know that?


A whopping number of online scams begin with bluffs; the scammer only needs 1% of people to believe them. The Instagram account takeover is for emotional leverage to get a person further away from their friends. A second story will be concocted to get money from them.


Aren't most armed robberies a bluff too? "Give me your wallet or I will kill you."

Even if the robber has no intention of actually killing the victim and just wants their money, this is still very much a threat, and whether it was a bluff or not, it still causes distress and possibly trauma.


I’m not suggesting either direction. I’m saying that some people may take an Instagram hack+threat more seriously than others, but that all threats could be bluffs, the objective of any data provided by the blackmailer is to increase plausibility, and the victim’s literacy in the topic is relevant to their response.


> In March 2022, KrebsOnSecurity warned that multiple cybercrime groups were finding success with fraudulent Emergency Data Requests (EDRs), wherein the hackers use compromised police and government email accounts to file warrantless data requests with social media firms and mobile telephony providers, attesting that the information being requested can’t wait for a warrant because it relates to an urgent matter of life and death.

The problem here is definitely the hackers that broke into this portal and not the fact that these databases can be accessed by police without a warrant at any time just by lying.


>-submitting fraudulent legal process to social media companies to elicit users’ registration information;

Weakest link for a while; far easier than SIM swapping the AT&T/Verizon duopoly.

Any social media site can be used as horizontal stepping ladder with a little leverage from an ignorant CSR at a smaller social media site.


Wait, you're saying people still have CSRs? Haven't they all been replaced with chatbots?


Yep, they're f**d. Flew too close to the sun, and got caught. Should have kept the white hat game, gathering bounties there and there.


They weren’t hackers, just social engineers. Last I checked, social engineering isn’t covered by publicly posted bug bounties.


You haven't read the article.


It really should be, as social engineering is still, and probably always will be, the most vulnerable attack vector.


White hats will become millionaires overnight


Given how low quality most reports are for bug bounties, putting social engineering in scope publicly would be dreadful for any employees. Basically just authorized mass spam. Social engineering in a private pentest, though, sure.


I don’t think you read the whole article. One of them earned quite a few bug bounties.


19 and 25, eh?

I suspect they will be doing some serious rolling-over on their buddies. The cops really don't like it, when you hack them.


They can't narc even if they want to.

These online crime communities and other groups are lousy with feds; everyone suspects everyone else is a fed and engages in opsec to protect themselves accordingly. Anything they "know" about the people they talk to and work with is going to be mostly stuff the glowies have reported long ago.


If you're referring to the guys on RaidForums etc.: I used to hang around there a bit to see who was getting breached, and most, including some that leaked some serious stuff for payment, have really poor opsec. They all use Discord installed on their PC, which they use to brag about their crimes; you can tell they aren't using it anonymously because the app is installed on their PC and they all have their gamer tags/Spotify accounts connected. They were all using BTC as well last time I checked, not even Monero, oh and their site got seized with all that transaction history. I don't doubt that some are serious, but most of them are NGMI and many have already been arrested.


Then they are well and truly intercoursed.


I like this turn of phrase. Will employ in future.



They must have really wanted that Instagram handle.
