How "hidden code" helped Dutch cops identify drug dealers and child predators online

This here was written a while ago (Aug 26th), but I did not see it posted here.

How hidden code helps cops identify drug dealers and child predators online

Dutch police may have used a modified Excel spreadsheet to reveal the IP address of dark web criminals: report

By Matthew Braga, CBC News Posted: Aug 26, 2017 5:00 AM ET Last Updated: Aug 26, 2017 5:00 AM ET

When Dutch police took the notorious Hansa marketplace offline last month, they had a message for the underground site's pseudonymous drug dealers: we know who you are. The question, of course, was how.

Hansa existed on the dark web, and required a special web browser called Tor to access. Tor is designed to protect its users' privacy by keeping the true location of their computers anonymous. And yet, police said they would be able to unmask some of Hansa's users all the same.

On Friday, The Daily Beast appeared to have figured out why. It reported that Dutch police may have uploaded a specially crafted Microsoft Excel spreadsheet to Hansa's site, with hidden code inside designed to phone home to police.

When a user opened the spreadsheet, it would silently connect to a server controlled by police. Investigators would receive their real IP address, and not the anonymous IP address they would otherwise be assigned by Tor. Number in hand, there's a good chance they could get that user's real name and address from their internet service provider.

In many cases, police don't have to go to such lengths. Some criminals unwittingly give up their IP addresses. But the technique likely used against Hansa's users is becoming increasingly necessary as criminals get better at covering their tracks.

'Designed to avoid suspicion'

There are myriad ways for authorities to get the IP addresses of their targets during criminal investigations. Some, such as the approach used by Calgary Police in a 2012 investigation, are relatively simple.

In that case, Detective Sean Joseph Chartrand of the Calgary Police Service entered a Yahoo chat room posing as an underage girl, court filings show. A man named Michael J. Graff, using a pseudonym, started chatting with Chartrand. Graff sent a series of sexually explicit messages and photos, along with an email address, and invited Chartrand -- whom he believed was named Ashley -- to contact him there.

That was Chartrand's in. He used a now-defunct service called SpyPig to hide a tiny invisible image in an email, and sent it to Graff. When Graff opened the email, his computer retrieved the image from SpyPig's server -- and in the process, revealed the IP address of his computer to SpyPig and Calgary Police.

"Det. Chartrand's email using the SpyPig code was specifically designed to avoid suspicion and conceal the SpyPig tracking function," reads a filing from the case.

Kent Teskey, the criminal defence lawyer in the case, was unaware of other cases where similar techniques have been used, as were other privacy lawyers and researchers contacted by CBC News.

Network investigative techniques

The service used by Calgary Police isn't very sophisticated, nor is it exclusively used by police. Internet marketers, for example, have embedded tiny invisible images inside emails for years to track who opens their emails, at what time, and from where.

But in cases where a carefully crafted email or link may be suspicious or impractical, police have turned to more advanced and covert techniques.

In the Hansa drug market investigation, the tracking code was reportedly hidden inside an Excel file listing recent transactions. Similar code was hidden inside a video that contacted an FBI server when played.
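The article describes two phone-home mechanisms at a high level: a remote tracking image in an email (the SpyPig case) and hidden code in a spreadsheet, without saying how that spreadsheet beaconed. The Python below is an added example, not code from the article or from any of the police operations it describes. It screens both kinds of file from the defender's side: it lists remote `<img>` sources in an HTML email body (flagging 1x1 pixels) and lists every relationship in an Office Open XML package whose `TargetMode` is `External`, which is the package-level way a document references something outside itself. The sample email, the minimal `.xlsx` package, and the hostnames `tracker.example.invalid` and `beacon.example.invalid` are constructed for the example; that an external image relationship was the Hansa mechanism is an assumption, not a fact the article states.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample e-mail body: one remote 1x1 image (the tracking-pixel
# shape the article describes) and one inline attachment that stays local.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Hi Ashley, here are the pictures.</p>
<img src="http://tracker.example.invalid/pixel.gif?id=123" width="1" height="1">
<img src="cid:photo1@local" width="400" height="300">
</body></html>
"""

# Namespace of the package-relationship parts (*.rels) in any OOXML file.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def _is_remote(url):
    """True for http(s) URLs; cid:, data: and relative paths are not beacons."""
    return urlparse(url).scheme in ("http", "https")


class _ImgCollector(HTMLParser):
    """Collects the attribute dict of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":  # HTMLParser lower-cases tag and attribute names
            self.imgs.append(dict(attrs))


def find_tracking_pixels(html):
    """Return remote <img> sources in an HTML body, marking 1x1/0x0 ones as tiny."""
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.imgs:
        src = attrs.get("src") or ""
        if not _is_remote(src):
            continue
        w, h = attrs.get("width"), attrs.get("height")
        tiny = (w is not None and h is not None
                and w.strip() in ("0", "1") and h.strip() in ("0", "1"))
        findings.append({"src": src, "tiny": tiny})
    return findings


def build_sample_xlsx():
    """Constructed stand-in for an .xlsx: only the parts the scanner reads.

    Sheet 1 carries one image relationship pointing outside the package
    (hypothetical beacon host) and one ordinary internal relationship.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr(
            "xl/worksheets/_rels/sheet1.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            'Target="http://beacon.example.invalid/logo.png" TargetMode="External"/>'
            '<Relationship Id="rId2" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" '
            'Target="../styles.xml"/>'
            '</Relationships>')
    return buf.getvalue()


def find_external_relationships(ooxml_bytes):
    """List every relationship in an OOXML package whose target is outside it."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                findings.append({
                    "part": name,
                    "id": rel.get("Id"),
                    # Keep only the last path segment of the type URI, e.g. "image".
                    "type": (rel.get("Type") or "").rsplit("/", 1)[-1],
                    "target": rel.get("Target"),
                })
    return findings


if __name__ == "__main__":
    for f in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print("email: remote image", f["src"], "(1x1 pixel)" if f["tiny"] else "")
    for f in find_external_relationships(build_sample_xlsx()):
        print("xlsx:", f["part"], f["id"], f["type"], "->", f["target"])
```

External hyperlinks are common in benign spreadsheets and only fire when clicked, so the relationship type matters: an `image` or similar part that the application fetches while rendering is the one to treat as a possible beacon, and the safe handling is the same either way, open untrusted documents only on a host whose network path is fully routed through Tor or blocked, as one commenter below also notes.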

But nothing compares in scope or scale to an FBI investigation in 2015, where the agency installed spyware on over 1,000 computers that accessed a child porn site called Playpen. The FBI refers to its hacking tools as network investigative techniques (NIT).

It's unclear whether police in Canada -- who typically decline to comment on operational matters -- have deployed similar software here.


Comments


[12 Points] None:

[deleted]


[8 Points] taimapanda:

Yes it was realised after the bust and posted here at the time.


[5 Points] PommesPizza:

Do these phoning-home files work when using Tails?


[3 Points] Throwawayyyy63638484:

Definitely posted here before but good read nonetheless


[2 Points] stabBarbie:

How is the media just now reporting on this when it's been common knowledge around here for a while?


[2 Points] None:

FUCKING DUTCH! TAKING MY DRUGS AND SHIT MAN! WAT DA FUCK YO! IM TELLING MY MOM!


[1 Points] bfsco:

As long as an OS that funneled all traffic through Tor was used there is nothing to worry about with those files. Furthermore, any exploits for Office I have seen work only on certain versions of Office and only on Windows machines. Even Mac should have been safe. Haven't had a chance to analyze a locktime file that was infected, but Office exploits existed 2 years ago and are well known now to anyone who knows black hat operations. Word/Excel can be made to execute arbitrary data without approval from the user but only certain versions are susceptible. Honestly they used the lowest form of an exploit for this... a good hacker knowing how to use proper steganography exploits could have done a better job. Rather than phone home on execution, download a payload that infects BIOS like a bootkit and when the user pulls the USB to use an OS like Windows, Mac or standard Linux not tunnelled, you would get their legit IP. Any dumb hacker can make a malicious Office document; using BIOS to guarantee a location is something I'd expect of the feds... but apparently their cyber crime squad is a bunch of skids.


[1 Points] Thx002:

WAIT a video that has malware? How the fuck?