Tracking Hackers Down - Then Striking Back

user-pic

Last year, a virus infiltrated my PC and tried to force it to call out to a hacker's server somewhere in the Republic of Moldova. If my Norton software and Windows firewall hadn't blocked the virus's incessant attempts to "call home," my PC would have pulled in still more malware, including keyboard trackers to capture my user IDs, passwords and financial account numbers. Since the attack came from a supposedly "safe" Web site that I had visited, the same could have happened to any PC or server under an IT manager's care.

Then last week, I received four official-looking phishing emails supposedly from Norton/Symantec offering steep discounts on my next subscription renewal. But while the good folks at Norton are HQ'd in California, the bogus emails (using official graphics probably snatched from Norton's own site) came from China, Russia, Africa and Eastern Europe.

SecurityTN-July-6-ART1.jpgAnd how do I know this?

Because I trace attacks and phishing messages. You can too and you should strike back by alerting interested authorities. I especially encourage this for all virus attacks and for emails that pretend to come from organizations with which you do business, such as:

  • Banks
  • Apple
  • Microsoft
  • Amazon
  • Ebay/PayPal
  • The IRS
  • Security vendors (like Norton/Symantec, McAfee and Malwarebytes)

These firms want to know when someone is trying to violate your (and their) security by "spoofing" them. And many of their own Web sites offer dedicated pages for reporting attacks. But you can also report the violations to interested agencies for further investigation. This applies to both individuals who experience attacks at home and IT managers who struggle to maintain their organizations' defenses.

Track the Bastards Down

SecurityTN-July-6-ART2.jpgWhen a computer is attacked, it's often possible to obtain an IP address that's close to the attacker's location. Intrusion alerts from programs like Norton, McAfee and Malwarebytes often provide the best address they can. And you can find similar information in the "full tracking headers" or "message sources" of email messages. These headers have different names in different email systems and are viewed in different ways. But once you determine how to open a full header in your email system, search it for a "from" or "source" IP and trace that address.

To do so, slip the address into a few of the many Web services that map IP locations. My current favorites (in this order) are:


They'll probably map the address to slightly different locations. That's because each service uses a different geolocation database and tries to find the Internet router that's closest to the target IP. The accuracy of the result depends on the database used and the number of known routers in the target IP area.

For example, I just traced my own PC's IP address, and these services mapped it to Medford, Mass.; downtown Boston, and, yes, just down the road in my own hometown. But all locations were within 6 miles of my PC, so the results were pretty darned accurate. Your traces may get equally close to the attackers' locations (and might also tell you the ISPs they are using).

Then Report 'Em

With this information in hand, you can (and should) nail the e-criminals by reporting them to interested authorities. These men in black have tools and powers we don't, such as the ability to obtain court orders for detailed ISP records. In addition to the organizations mentioned earlier, you should report hackers' IP addresses, IP map locations and ISPs to:

  • The FBI. Mouse over the SCAMS & SAFETY tab at the top of the page, and select Report Internet Crime. This opens their Internet Crime Complaint Center (IC3). Click the big red "File a Complaint " link at the bottom of the IC3 page, provide all requested information, and tell them everything you've learned about the hackers and their attack.
  • The US-CERT Incident Reporting System. As with the FBI, tell CERT everything you know abut the intrusion.
  • BroadbandDSLReports.com. They offer great security info for IP managers here and collect attack reports (and even Zipped malware files) here.
  • The Federal Trade Commission, which offers a ton of infosecurity information here and collects identity-theft complaints here.
  • Your own anti-virus/malware and firewall vendors, so they can research and respond to any new intrusions that you see.

By alerting experts like these, you'll help shield other PCs and networks (including your own) from the same and similar attacks because they'll make their way into the malware signature identification capabilities of the scanners we all use. If you don't report attacks you'll only be allowing them to continue.

And Now, I'm Taking a Little Trip


The world has seen a strong up-tick in distributed-denial-of-service attacks. IP managers across the globe are probably losing sleep over them. So ol' Dirkie is slipping undercover for a few months to investigate DDOS perpetrators, solutions and even potential counter-attacks. It may be a harrowing trip, but I hope to return here--propped up against my favorite lamppost-- very soon. Wish me luck!

Email and Social Media Links: Share securely via email |  |






Join the Webtorials Community
Subscription Maintenance


Featured Sponsors























Webtorials TechNotes

Featured Analysts

Gary Audin, Delphi, Inc.

Michael Finneran, dBrn Associates

William A. Flanagan, Flanagan Consulting

Douglas Jarrett, Keller and Heckman LLP

Jim Metzler, Ashton, Metzler & Associates

Lisa Phifer, Core Competence

Dave Powell, Independent Technical Writer

David Rohde, TechCaliber Consulting LLC

Steven Taylor, Distributed Networking Associates, Inc.

Joanie Wexler, Technology Analyst/Editor


Publisher

Steven Taylor

TechNotes is a special program of Webtorials and Distributed Networking Associates, Inc.

Notices

Please note: By downloading this information, you acknowledge that the sponsor(s) of this information may contact you, providing that they give you the option of opting out of further communications from them concerning this information.  Also, by your downloading this information, you agree that the information is for your personal use only and that this information may not be retransmitted to others or reposted on another web site.  Please encourage colleagues to download their own copy after registering at http://www.webtorials.com/reg/.  Continuing past this point indicates your acceptance of our terms of use as specified at Terms of Use.

Webtorial® is a registered servicemark of Distributed Networking Associates. The Webtorial logo is a servicemark of Distributed Networking Associates. Copyright 1999-2013, Distributed Networking Associates, Inc.