Tracking a Russian hacker

I had just arrived at work, and in my email inbox I saw that I had received an email from Mighty Ape (an online store) saying that I had a $100 voucher on order. That's odd, I thought. No, I'm sure that I didn't order it by mistake at 3am. I then thought it may have been a free gift. I had bought a number of gifts for Christmas from Mighty Ape, so maybe I had won something. I searched around on the net and checked to see if there were any competitions or freebies going on, but I couldn't see any hits.

So I logged onto the Mighty Ape website and looked up “my” order. It showed my credit card had not yet been charged. I contacted the Mighty Ape support team to get to the bottom of this. They came back to me saying that someone had accessed my account and ordered the voucher. The voucher was due to be sent to the email address lbindcwv@10mail.org. Mighty Ape were good enough to cancel the order.

I quickly changed my password. I was surprised that I had been hacked; my Gmail account hadn't been touched, as the service would have warned me, but I double-checked the logs on Google Accounts (accounts.google.com) just in case. I'm pretty sure my password is not one that could be dictionary-attacked (this works by trying, as the password, every string in a pre-prepared list, typically derived from a list of words such as a dictionary), but with enough time it could be brute-forced (this method works by calculating and trying every possible character combination that could make up a password).

I asked Mighty Ape for more details about their security. They said:

“Our security system is set to automatically pick up on suspicious transactions such as this, and it looks to have correctly done so in this instance, preventing the transaction from going through and placing it on a list of orders that would need manual review and approval…. Rest assured we are actively monitoring this to ensure that there is no issue on our end.”

I also suggested that they should raise their minimum password length to 8 characters, which they said they were going to look into when they review their password policies.

The email lbindcwv@10mail.org seemed to be valid, so I did a whois lookup (a publicly available search service that provides information about a domain name) on the 10mail.org domain name. The server was located in Russia, and so were the owner's contact details. The domain has no public website, and it looks likely to be a spam/scam service; there were plenty of examples online showing this. I found it odd that someone from Russia would be trying to steal a voucher from a New Zealand company.

I also considered contacting the police (http://www.police.govt.nz/contact-us/how-report-crime) and their webpage suggested I contact NetSafe.

They gave advice that was pointless to me (change password, virus scan, etc.) and thanked me, as reports like mine help them to identify emerging patterns. I was a little disappointed by the reply, so I asked them to contact Mighty Ape, get the IP of the hacker and track their ISP down.

They replied:

“Unfortunately, Netsafe's role around scams/security is more around educating and providing advice. So, unfortunately, we do not have forensic investigatory powers to be able to follow this up in the manner that you have asked.” Another dead end. I asked who I should report this crime to. They came back with: “You do have the option to report this to the police, if you want, however, the Police might not be able to take action. I understand how frustrating this can be, but unfortunately there is no agency yet that specializes in tracking down cases like this, due to the global nature of the platform.

This is predominantly because of difficulties associated with tracking the person responsible down as they might be based overseas, which would lead to judicial problems. Further, in terms of IP addresses, the one used might not reflect the actual IP address (e.g. dynamic IP versus static IP https://support.google.com/fiber/answer/3547208) and the person who owns the computer might not be the one who attempted compromising an account, etc.”

I was shocked. There is currently nothing in place to help New Zealanders against cybercrime.

For all the problems that NetSafe listed with tracking IPs, we still do it under the Copyright (Infringing File Sharing) Amendment Act 2011.

Disappointed with the results, I felt I could try the police, but I would probably need an IP that belonged to a New Zealander for any kind of action. Trying my luck, I contacted Mighty Ape again, told them what had happened and that I was going to contact the police, and asked for the hacker's IP.

They gave me the IP, “173.254.216.66”, but there was more bad news. It was a proxy, so there is no way to get the location of the hacker. This person was a professional alright.

Mighty Ape support also said they are building a real-time alert system that would notify customers if there is an unusual login on their account, which is great.

They sent over an awesome website too (https://haveibeenpwned.com) that helps to identify if your email and connected data may have been leaked online. It looks like 8 websites (Adobe, Dropbox, gPotato, Last.fm, Nexus Mods, Tumblr, Xat and LinkedIn) have leaked my account data over the years. One of those websites was responsible for helping this hacker gain access to my Mighty Ape account.
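Have I Been Pwned also lets you check whether a password itself has appeared in a breach, without ever sending the password to the site: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and compares the returned suffixes locally (the "k-anonymity" range scheme). The following is an added illustration of that scheme, not code from this post, from Mighty Ape or from Have I Been Pwned. The breach corpus and its counts are constructed inline so the example runs offline; the real service is queried over HTTPS and returns the same `SUFFIX:COUNT` lines for a given prefix.

```python
"""
Added example: k-anonymity password breach check in the style of Have I Been
Pwned's Pwned Passwords range API.  The server side (range index) and the client
side (prefix query + local suffix comparison) are both shown so the privacy
property is visible: only the 5-character hash prefix leaves the client.
"""
import hashlib
from collections import Counter
from typing import Dict, List

# Constructed stand-in for a breach corpus: password -> times seen in dumps.
# The counts are made up for this example; real counts come from the service.
CONSTRUCTED_BREACH_CORPUS = Counter({
    "password": 3_861_493,
    "123456": 23_597_311,
    "qwerty": 3_946_737,
    "letmein": 224_150,
})


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Counter) -> Dict[str, List[str]]:
    """Server side: group hashes by their 5-char prefix into 'SUFFIX:COUNT' lines."""
    index: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


BREACH_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_query(prefix: str, index: Dict[str, List[str]] = BREACH_INDEX) -> str:
    """Simulates GET /range/{prefix}: newline-separated 'SUFFIX:COUNT' lines."""
    return "\n".join(index.get(prefix.upper(), []))


def query_sent(password: str) -> str:
    """What the client actually transmits for a password: the 5-char hash prefix only."""
    return sha1_hex(password)[:5]


def pwned_count(password: str, index: Dict[str, List[str]] = BREACH_INDEX) -> int:
    """Client side: send the prefix, then compare the 35-char suffix locally.

    Returns the number of times the password was seen in breaches (0 = not found).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(prefix, index).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: prefix sent = {query_sent(pw)}, seen {pwned_count(pw)} times")
```

A password that comes back with a non-zero count is exactly the kind of reused, already-leaked credential that let the attacker into the account described above; a sign-up or password-change form can run this check and refuse such passwords.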

This is partially my own fault for using an old password, lesson learned. So yeah, it is probably pointless going any further. I guess I could always send a fake voucher to the hacker's email and waste their time… until next time.

P.S.: Two-factor authentication saves lives; it helps against such attacks.