Watermarks in the Internet Underground (and eschatology footnotes)

Security researchers getting onto one Internet crime forum and publicly posting screenshots of various members advertising criminality started getting on the nerves of that forum’s members… so the admin devised a clever watermarking system.

As long as the screenshots contained the “author” column (generally needed to show the username of the person posting), the admin was able to tell the UID of the account used to take the screenshot. How? It gets encoded in the “Rep” field.

As it happens, white hat hackers figured this out and the admin had to move to more advanced “mole” hunting methods. It didn’t help for long… the white hats eventually hacked the admin accounts and just started reading private messages.

(I would have done the whole thing a little differently: the more you change the greater the risk. Instead of altering the “Rep” field, I’d just look at the “post count” field. After all, given database access, you can tell precisely when a given user had the listed number of forum posts. If multiple users are depicted in a thread screenshot, the temporal resolution goes up further.

Now correlate that to logs of which users were looking at the thread at that time, and look for overlap between correlations across multiple screenshots. Chances are no more than one user account will be present at the end of the analysis, perhaps zero — in which case the screenshots were taken from separate accounts and more data is needed.

Not fun to do by hand, but probably trivial to script. Either way, the “white hats” have started wiping those fields from their screenshots so there isn’t much point.)
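The correlation sketched above is indeed simple to script. The following is an added example, not code from the original post or from any forum software: it takes a constructed post history and a constructed thread-view log, works out the time window during which every post count visible in a screenshot was simultaneously true, and intersects the accounts that viewed the thread in that window across several screenshots. All usernames, UIDs, thread ids and timestamps are constructed.

```python
"""Correlating visible post counts with thread-view logs.

Added example modelling the correlation described in the post.  Every
record below is constructed; nothing is taken from a real forum.
"""
from typing import Dict, List, Optional, Set, Tuple

INF = float("inf")

# Constructed post history: one (timestamp, username) entry per post made,
# i.e. the database view that tells you when a user reached a given count.
POST_LOG: List[Tuple[int, str]] = [
    (100, "alice"), (120, "bob"), (150, "alice"), (170, "alice"),
    (200, "bob"), (260, "carol"), (300, "alice"), (340, "bob"),
]

# Constructed thread-view log: (timestamp, viewer uid, thread id).
VIEW_LOG: List[Tuple[int, int, str]] = [
    (160, 7, "t1"), (165, 9, "t1"), (210, 9, "t1"), (215, 11, "t1"),
    (250, 7, "t2"), (310, 9, "t2"), (320, 4, "t2"),
]

Window = Tuple[float, float]  # half-open interval [start, end)


def post_count_windows(post_log: List[Tuple[int, str]]) -> Dict[Tuple[str, int], Window]:
    """Map (user, count) to the interval during which that user's visible
    post count was exactly `count`: from their count-th post until the next."""
    by_user: Dict[str, List[int]] = {}
    for ts, user in sorted(post_log):
        by_user.setdefault(user, []).append(ts)
    windows: Dict[Tuple[str, int], Window] = {}
    for user, times in by_user.items():
        for i, ts in enumerate(times):
            end = times[i + 1] if i + 1 < len(times) else INF
            windows[(user, i + 1)] = (ts, end)
    return windows


def capture_window(windows: Dict[Tuple[str, int], Window],
                   visible: List[Tuple[str, int]]) -> Optional[Window]:
    """Intersect the windows of every (user, count) pair visible in one
    screenshot.  More visible users means a narrower window.  Returns None
    if the counts were never simultaneously true (not a single capture)."""
    start, end = 0.0, INF
    for key in visible:
        if key not in windows:
            return None  # a count that never existed: bogus or edited image
        s, e = windows[key]
        start, end = max(start, s), min(end, e)
    return (start, end) if start < end else None


def viewers_in_window(view_log: List[Tuple[int, int, str]], thread: str,
                      window: Window) -> Set[int]:
    """UIDs that loaded `thread` while the screenshot's window was open."""
    start, end = window
    return {uid for ts, uid, t in view_log if t == thread and start <= ts < end}


def candidate_accounts(post_log: List[Tuple[int, str]],
                       view_log: List[Tuple[int, int, str]],
                       screenshots: List[Tuple[str, List[Tuple[str, int]]]]) -> Set[int]:
    """Accounts consistent with having taken *all* the given screenshots.
    Each screenshot is (thread id, [(username, visible post count), ...]).
    An empty result means no single account fits, e.g. several accounts
    were used, or the fields were wiped or falsified."""
    windows = post_count_windows(post_log)
    candidates: Optional[Set[int]] = None
    for thread, visible in screenshots:
        window = capture_window(windows, visible)
        if window is None:
            return set()
        viewers = viewers_in_window(view_log, thread, window)
        candidates = viewers if candidates is None else candidates & viewers
    return candidates or set()


if __name__ == "__main__":
    shots = [("t1", [("alice", 2), ("bob", 1)]),
             ("t2", [("alice", 4), ("carol", 1)])]
    print(candidate_accounts(POST_LOG, VIEW_LOG, shots))  # {9}
```

With the constructed data, the first screenshot alone leaves two viewers (UIDs 7 and 9); the second narrows it to UID 9. The check a researcher wants from this is the converse: once the “Rep” and post-count columns are cropped or blanked before publication, `capture_window` has nothing to intersect and the correlation collapses.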

Eschatology footnotes:
I forgot to mention the fertilizer explosion tragedy. (http://www.reuters.com/article/2013/04/19/us-usa-explosion-texas-fatalaties-idUSBRE93I0LP20130419)

Also, the massive gold price drop has seen one interesting effect. Relative to previous weeks, the “premium” on a 1 ounce gold coin went up 11.13% — that is, the price you have to pay to buy your gold as a coin instead of “on paper” in the markets. The premium gold shops were PAYING to buy a gold coin (versus the “on paper” price) went up even more, 13.98%. In other words, not only were people buying more physical gold than the “paper” variety, but the physical variety was in quite short supply. (article in German, spreadsheet in numbers: http://www.goldreporter.de/aufgeld-fur-goldmunzen-und-goldbarren-stark-angestiegen/gold/32098/ )

http://krebsonsecurity.com/2013/04/fool-me-once/

“leaked private forum messages indicate that the administration of Darkode came up with the fake Java 0day idea after determining that their clever watermarking scheme had been exposed. Forum admin Mafi devised a system for secretly tagging each Web page on the forum with unique markers that could help identify and then ban forum accounts that were being used by security researchers to take screen grabs.

Mafi’s watermarking system can extract the user ID used to take any screen grab as long as that image includes the information under the “Author” sidebar on the left edge of the forum page: As explained in the screen shot to the left, the watermarking system computes two qualities present in that area: the “rep” or reputation field, and the user’s number of posts.”
