Best Infosec-Related Long Reads for the Weeks of 8/21/23 and 8/28/23

Inside Coffee Co.'s computer intrusion, Unmasking Trickbot, Criminal use of credit headers, Brazil's Instagram stolen account retrieval boom, Chinese sextortionists exploit X's blue check policy, more


Metacurity is pleased to offer our free and paid subscribers this weekly digest of the best long-form infosec-related pieces we couldn’t properly fit into our daily crush of news. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com. We’ll gladly credit you with a hat tip. Happy reading!

What the Heck Happened in Coffee County, Georgia?

Anna Bower, Lawfare’s Legal Fellow and Courts Correspondent, delivers this opus on the computer intrusion in Coffee County, GA, which figures prominently in Fulton County District Attorney Fani Willis’s election interference indictment. She outlines in detail how Cathy Latham, a public school teacher and chairwoman of the Coffee County GOP, and local election officials, aided by shady cybersecurity characters, worked to “unlawfully access secure voting equipment and voter data” and “stole data, including ballot images, voting equipment software and personal voter information” in a bid to help Trump attorney Sidney Powell advance Trump’s fraud claims about the 2020 election.

The next day, on Jan. 8, Maggio again emailed Powell. “Everything went smoothly yesterday with the Coffee County collection,” he wrote. “Everyone involved was extremely helpful. We are consolidating all of the data collected and will be uploading it to our secure site for access by your team. Hopefully we can take care of payment today.”

Later that month, video surveillance shows that Hampton again permitted outside access to election equipment. Shortly before 5 p.m. on Jan. 18, Hampton arrived at the elections office alongside Logan, the CEO of the Cyber Ninjas security firm, and Jeff Lenberg, a forensic consultant. At the time, the office was closed to the public in observance of Martin Luther King, Jr. Day. But the surveillance footage shows that the trio spent more than four hours inside the office, according to court filings.

The next day, according to court documents, the surveillance video shows that Logan and Lenberg returned and spent most of the day in the elections office. At one point while Logan and Lenberg were allegedly in the building, Hampton texted Chaney: “The guys measuring my desk are still here,” she wrote.

Over the course of the month, Lenberg made additional visits to the elections office, where the footage shows that he spent time in the room that holds the election management system server.

In respective depositions, both Lenberg and Logan claimed that they were invited to assist Hampton with tests on the voting equipment after she complained of “anomalies” during the Senate runoff held in January. They believed Hampton had authority to authorize the assistance they provided, the men said. And according to Lenberg, neither he nor Logan touched any of the voting equipment; instead, they “directed” Hampton to conduct certain tests.

Unmasking Trickbot, One of the World’s Top Cybercrime Gangs

Wired’s Matt Burgess and Lily Hay Newman present an in-depth investigation into the notorious Russian cybercrime syndicate Trickbot, shedding light on the inner workings of the group and unmasking Maksim Sergeevich Galochkin, a key member of the gang whom his fellow members know as Bentley and Manuel.

Through Russian phone industry information, leaked data breach troves, and other intelligence reviewed by Nisos, the Gmail account was linked to a phone number for Galochkin. The connection helped unravel Galochkin’s offline identity. Records seen by Nisos connect Galochkin’s phone number to an address in the southern Russian city of Abakan. Further research by the company reveals that he was born in May 1982, and his tax identification number shows he previously had the legal name of Maksim Sergeevich Sipkin. Galochkin and Sipkin are linked by the same date of birth and Russian passport number, Nisos found.

Other cybersecurity researchers who have followed and monitored Trickbot agree that Galochkin is behind the Bentley handle. Alex Holden, president and chief information security officer of Hold Security and a researcher who has focused on Trickbot for years, says the data around Bentley’s identity is “extremely consistent” with his previous findings.

Similarly, Radoje Vasovic, the CEO of security firm Cybernite Intelligence, who has analyzed the Trickleaks data and conducted open source research, is confident that Galochkin is Bentley. In December 2022, German newspaper Die Zeit also published an investigation into Conti, which included identifying Bentley as “Maxim G.”

Unmasking Galochkin is significant. Bentley is one of the “key personas” operating Trickbot, Holden says, thanks in part to his experience and connections in the cybercrime world. And while there are multiple Russia-based cybercrime gangs that pose a significant global threat, Trickbot has garnered particular attention and reprisals for the severity of its crimes. In the lead-up to the 2020 United States elections, for example, US Cyber Command carried out an unusually public offensive operation meant to disrupt the Trickbot botnet. In the ensuing weeks, companies including Microsoft took legal and technical action to disrupt Trickbot’s networks as part of efforts to safeguard voting and other critical infrastructure.

The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15

In the just-launched 404 Media, Joseph Cox reveals that “credit headers” compiled by the credit bureaus Experian, Equifax, and TransUnion, which the bureaus sell to third parties, are giving criminals access to sensitive data on nearly anyone, including high-profile targets, for malicious purposes such as breaking into their online accounts, targeting their homes, or even engaging in physical violence.

404 Media accessed around 10 Telegram groups where members discuss and advertise bots that offer personally identifiable data for sale. Prices fluctuate between around $15 and $40 depending on what type of data a customer wishes to buy, and as availability ebbs and flows. One person told a group that their tool finds anybody.

404 Media has seen criminals using the bots specifically for doxing people, meaning publishing their personal information online. In multiple instances, personal information with the same data types as the bot 404 Media used was uploaded to a website popular with cybercriminals and harassers to preserve dox on victims. Members have indicated in their chats and shared dox that they are targeting YouTubers and seemingly ordinary people, as well as high-profile celebrities and politicians.

Some of those bot-generated dox have been uploaded by users that deal specifically in physical violence. These include groups whose members offer services for a price such as shooting up a house, armed robberies, stabbings, and assault. The cybercrime underground has seen a dramatic rise in violence and harassment over the last few years, with innocent neighbors sometimes being swept up in online fights turned physical. In those violence-as-a-service groups, some members explicitly ask for or offer this type of data.

Instagram account hacked? “Ethical hackers” will get it back

Daniela Dib and Marília Marasciulo in Rest of World delve into how the ranks of “good hackers,” who are not hackers at all but merely skilled at navigating Instagram’s vague, impersonal, and difficult account recovery process, have grown across Brazil as scams run through hacked Instagram accounts multiply.

The problem is particularly widespread in Brazil. According to the Public Ministry of Minas Gerais, the second most-populous state in the country, Instagram account hacks were among the most common online crimes during early 2022. Data from Reclameaqui, the country’s most popular site for customer complaint intermediation, shows that about 11% of the over 290,000 complaints made about Instagram in the past three years involved hacked accounts.

Dilson Souza, a hacker ético from São Paulo, told Rest of World he’s helped recover over 10,000 accounts in the past year. Although he runs a team of six people, Souza said he needs to hire more because business is booming. He’s amassed over 67,000 followers on Instagram and charges anywhere from 200 to 5,000 reais (between $40 and $1,040), depending on the case. The price varies based on the number of followers an account had prior to the hacking. Victims also need to pay more if they were hacked with a more sophisticated technique — like one that uses an SMS code — as opposed to simpler phishing scams, since this affects the complexity of Instagram’s account recovery process.

Chinese sextortion scammers are flooding Twitter

In Rest of World, Caiwei Chen examines how since X, formerly Twitter, launched its blue check policy that allows anyone to purchase verified badges, Chinese sextortionists are flooding the social media platform to prey on Chinese users, particularly political dissidents and opinion leaders.

The scammers’ tactics are effective because Chinese users on X are particularly susceptible to online sexual manipulation, according to Runze Ding, assistant professor at Beijing Normal University-Hong Kong Baptist University United International College. “Adult content is highly regulated and difficult to access within the Great Firewall,” Ding, who studies Chinese sexuality and media, told Rest of World. “As a result, many Chinese users lack social media literacy when it comes to sexual content, which makes them susceptible to sextortion.”

Liu Chong, a researcher at University of Leeds studying how media impacts Chinese sexuality, believes X’s new blue-check policy enabled the sextortion scammers. “The verified mark gives a new account easily attainable credibility and visibility, things scammers can now afford with only $8 per month,” Liu said.

Murong Xuecun, a famous Chinese writer with 138,000 followers on X, was also targeted by sextortion scammers. He told Rest of World nearly all of his tweets contain sex-related spam in their replies, severely disrupting his use of the platform. “Chinese-language Twitter feels like a bus full of political dissidents pulled up to a red-light district,” he said.

The AI Power Paradox

Ian Bremmer, President and Founder of Eurasia Group and GZERO Media, and Mustafa Suleyman, CEO and Co-Founder of Inflection AI and co-founder of DeepMind, in Foreign Affairs, dig deep into how nation-states should begin to think about governing artificial intelligence’s promises and perils now before the technology fully takes hold.

All this plays out on a global field: once released, AI models can and will be everywhere. And it will take just one malign or “breakout” model to wreak havoc. For that reason, regulating AI cannot be done in a patchwork manner. There is little use in regulating AI in some countries if it remains unregulated in others. Because AI can proliferate so easily, its governance can have no gaps.

What is more, the damage AI might do has no obvious cap, even as the incentives to build it (and the benefits of doing so) continue to grow. AI could be used to generate and spread toxic misinformation, eroding social trust and democracy; to surveil, manipulate, and subdue citizens, undermining individual and collective freedom; or to create powerful digital or physical weapons that threaten human lives. AI could also destroy millions of jobs, worsening existing inequalities and creating new ones; entrench discriminatory patterns and distort decision-making by amplifying bad information feedback loops; or spark unintended and uncontrollable military escalations that lead to war.

Nor is the time frame clear for the biggest risks. Online misinformation is an obvious short-term threat, just as autonomous warfare seems plausible in the medium term. Farther out on the horizon lurks the promise of artificial general intelligence, the still uncertain point where AI exceeds human performance at any given task, and the (admittedly speculative) peril that AGI could become self-directed, self-replicating, and self-improving beyond human control. All these dangers need to be factored into governance architecture from the outset.
