The Hacker Factor Blog
Jump first, look later Home
Blog
Swag

About

Dr. Neal Krawetz writes The Hacker Factor Blog. Follow him on Twitter.

Popular Posts

How Not to do Image Analysis Part I and Part II
Looks Like It
Body By Victoria
Direct Deposit, Direct Withdrawl
Point-of-Sale Vulnerabilities

Tools

FotoForensics: Test your own photos.
Gender Guesser: Use your words.

Links

Security
Internet Storm Center
Krebs on Security
Bruce Schneier
Tao Security

Images
Photo Stealers
CG Society
Awkward Family Photos
Unsplash

Debunking News
iMediaEthics
Poynter
Doubtful News

Debunking Politics
FactCheck
PolitiFact

Debunking Other
Snopes
Hoax-Slayer
Math with Bad Drawings

Calendar

« March '19
S M T W T F S
          1 2
3 4 5 6 7 8 9
10 11 12 13 14 15 16
17 18 19 20 21 22 23
24 25 26 27 28 29 30
31            

Archives

Feeds

Categories


All categories

Just Say No To Drugs

Saturday, 7 July 2018

Over a month ago, I wrote a blog entry about travel companies, bitcoin bankers, and others that use the public FotoForensics site for commercial purposes. Since this is against the terms of service, I've been showing them a notice and blocking their ability to upload content. Most of them have moved their commercial use off of the public site. Some have moved to the private FotoForensics Lab service. (I did have one person write in, asking how he could use the public service to evaluate pictures containing very personal information. When I explained that the public site was public and that other people could see his pictures, he responded with "oh.")

Be Smart, Don't Start

I have a couple of profiling techniques that can identify patterns associated with commercial use. So far, these patterns have been spot on. I don't know the false-negative rate, but there have been zero false positives.

I really only have one group right now that is being a problem child. I had briefly mentioned them in an earlier blog entry. I call them the "Russian circle group" (RCG). But that's my name for them; I don't know what they call themselves. "Russian" because their text is in Russian and their GPS locations are either in Russia or one of the old Russian states (Belarus, Ukraine, etc.). "Circle" because they initially annotated their pictures with big red circles, and "group" because it's more than one person.

RCG uploads pictures of locations with annotations. Many of the pictures contain GPS coordinates. I used to think that it could be a geo-caching group, or maybe spycraft. But more recently they began uploading pictures of drugs. I believe they are a drug group and they are uploading pictures of their drop locations. (That's definitely a commercial use, and should not be on the public site.) Since they started in November 2017, they have uploaded over 400 pictures to the public service. But most of the pictures have been uploaded in the last 3 months; they are increasing their upload rate.

Some of their pictures include GPS locations, annotations, directions, or drugs. For example: (Click on each picture to view it at FotoForensics.)
The red circle annotation identifies the corner of a building and a large rock. In other pictures, there are instructions describing items stashed under large rocks.
The annotations identify the base of a tree. It also highlights a plastic bottle that they left in the tree as a marker.
Nothing special here -- just a photo of some marijuana plants.
There are no annotations, just a photo of a bag containing white powder. However, the metadata contains GPS coordinates that identifies a building in Saratov, Russia,
The metadata does not contain GPS information, but the screenshot does. The GPS coordinates identify a location in/near Penza, Russia. Using Google Translate, the text roughly translates as:
"20-30 centimeters from the corner of the house there is a blue tile underneath gray slate under it in foil"
The GPS identifies a location in/near Zhdanovichy, Belarus. The text roughly translates as:
"Pickup, from the camera angle but in the middle of the tree at the bottom. Two bundles separately."
(If you can read Russian and provide a better translation, I'll be happy to update this text.)

This is your brain on drugs

What I know about RCG:
  • They have multiple members. It's not just one person, it's a group that all use the same basic approach. However, each member has their own slightly different behavioral patterns. There's at least a dozen people.

  • They annotate pictures with arrows, dots, or circles to mark locations. However, they also appear to leave empty soda bottles or large rocks as physical markers.

  • They practice good operational security (or "OPSEC" as they say in the government). When they see the ban notice that tells them to stop using the public site, they immediately stop for the rest of the day. During that time, they would switch IP addresses and sometimes even switch mobile devices.

  • They learn (kind of). They used to upload a bunch of pictures and then get banned. But now that they know they will be banned, each member typically uploads 1-3 pictures before changing devices or IP addresses. They know it is a public site, they know they will be banned, so they jump before they are banned. For me, this becomes a game of whack-a-mole. But it also tells me that they don't care if other people see their content, and they don't care if they get banned.

  • Financially, they have deep pockets. They use a variety of network addresses. None appear to be open proxies or part of any popular commercial VPN service. Instead, they are burning through IP addresses -- in a wide range of countries -- that have not been used by other people. That kind of usage costs money, and they don't mind spending it.

  • They are a layered organization. One set of people take the photos. A different set annotate the pictures. (The same annotation method is not consistently used on the same kind of pictures.) These annotated pictures are usually uploaded to file sharing sites, like image.ibb.co, s7.uploads.ru, and imagizer.imageshack.us. (I say "usually", because sometimes they use file uploads.) A different person (at least 4 people) retrieves the pictures and upload them to FotoForensics.
In my opinion, there are a few ways they may be using FotoForensics:
  1. They may be using FotoForensics as a second blind drop location for anonymously transferring their pictures to other group members. However, most of their pictures have only been accessed by the person who has uploaded it. Since other people do not access the pictures, I doubt that this is the case.

  2. They could be using FotoForensics to double-check their pictures, making sure they are clean before continuing on. They may be checking for personal information (other than GPS coordinates).

  3. This could be a double-check to make sure the picture hasn't been altered. This would be something like checking that the picture is valid before providing payment to a middleman. There have been a few cases where the same picture (visually the same but different bits) has been uploaded multiple times. They may be looking for fraud. For example, are their own people trying to scam them? (If this is the case, then the answer is a resounding "yes". Especially from the person who uses the Xiaomi Redmi Note 4 device. He's sent some pictures to a person with an iPhone, and I doubt the iPhone user has noticed the content reuse.)
However, these may not be the only options.

Become a positive example

As I understand it, there is not much I can do to stop this violation of my terms of service. For example, US law enforcement has no jurisdiction to investigate drug-related activities in foreign countries when it doesn't impact US citizens.

My primary option is to detect and block. For the last 4 months, this group has been seeing a personal notice: I have been telling them to stop using my public site. Rather than stopping, they have spent time and effort to avoid the simple blocks that I've put in place. I could spend time developing more sophisticated methods to automatically detect and ban their usage. However, that's not worth my effort.

Instead... They know that it is a public site and they know that other people can see their pictures. So, I've just created a dedicated web page for their content and turned them into a training example. Anyone can visit and see RCG's most recent content. Some pictures contain instructions, some contain GPS, and some are just interesting. So far, it includes about 400 pictures -- I'm not including the ones that show people, receipts, and financial statements.

From the public site, to the public: have fun!
Read more about Forensics, FotoForensics, Image Analysis, Privacy | Comments (9) | Direct Link

Comments

#1 Careful There on 2018-07-13 09:16 (Reply)

Careful there! You surely don't want to piss off Scandinavian drug dealers lol

By the way I sent a tip to tips.fbi.gov as I suspect this may be related to a drug onion darkmarket, I will send it later on to Russian authorities so that they catch this criminal network.
#1.1 Dr. Neal Krawetz (Homepage) on 2018-07-13 09:23 (Reply)

Thanks for the notice. However, I'm not too concerned. (Famous last words?) I gave them 4 months notice BEFORE doing exactly what I told them I would be doing.

Personally, I'm surprised that nobody is going to those spots and collecting the drugs before them.

Since I'm not blocking their uploads anymore, I'm also seeing them re-use old IP addresses. I have a list of over 80 IP addresses that appear to be explicitly used by this group.
#1.1.1 Dr. Neal Krawetz (Homepage) on 2018-07-14 06:29 (Reply)

Found an article from last year that contains the same sort of picture used by the RCG: https://theoutline.com/post/857/russian-drug-dealers-are-sending-their-buyers-on-wild-treasure-hunts

TL;DR: Online drug dealers call these "treasure hunts". They use these dead-drops because mailing drugs has too high of a risk for getting caught.
#2 Russians using VPN on 2018-07-13 09:21 (Reply)

Yeah they seem to be using a VPN, look at this example at the top near "YOTA LTE":
https://fotoforensics.com/analysis.php?p=russiancircle&id=a174b584183ac5b3682e0406eecf49cb13743d22.89813

The FBI and Russian authorities will send a couple subpoenas to a bunch of VPNs lol
#2.1 Dr. Neal Krawetz (Homepage) on 2018-07-13 09:25 (Reply)

Cool! I hadn't noticed that. I had been profiling the TCP signatures and saw that they consistently use VPN technologies.

However: they do not appear to be shared VPN services. All traffic from these addresses has been strictly associated with them.
#3 Hey on 2018-07-14 13:22 (Reply)

So why do you think they're using the service exactly? I didn't understand exactly what you meant by people getting ripped off or whatever. How does checking whether the image was altered possibly help them I wonder. And have you checked any of their IPs with a port scanner or something? I'd be curious to know how their VPNs are set up and who is hosting them.
#4 Yuri (Homepage) on 2018-08-10 12:54 (Reply)

It's obviously a drug drop-of service, they are a real epidemic in Russia.

Even though the data is publicly accessible, uploads are hashed from what I can tell. So nobody can access them from your service unless they know the hash or you implement a public browser. I could not find a public browser on your site .

It maybe a person(s) if the gps locations are close, may also be a bot running in the cloud behind vpn(s) that simply uploads the pictures and then scrapes the result checking for any gps identifiers, then it alerts the actual uploader if the image is secure. If not, the user must re-upload the image thats why you see multiple uploads on some of the photos without the GPS metadata.

they probably did not bother to find a tool (or couldn't) such as https://github.com/Ghirensics/ghiro that does it for them on the client side or on their own server or it costs money so they are using your tool as an API because its free and the uploads are (apparently) hashed and nonbrowserable. :-)
#4.1 Dr. Neal Krawetz (Homepage) on 2018-08-10 12:59 (Reply)

Hi Yuri,

If you go to the FotoForensics' tutorials, you'll see a link to the Russian Circle Group. From there, you can see all of their pictures. :-)

RCG sees a personal message that tells them about the tutorial. Initially, I only posted the GPS pictures + drugs. That didn't faze them. When I started also putting their personal photos, receipts (with names), and other pictures from them into the tutorial, they dropped off sharply.

I used to receive up to 20 pics per day from them. Now there are some days with zero pictures, and most days have 1-2. (Days with 3+ right now are usually one person uploading a lot of pictures at once.)

That tutorial also has a lot of interest from Russian gov/law enforcement. Go figure...
#4.1.1 Yuri on 2018-08-10 13:27 (Reply)

Oh yea okay I see it now, thats good that they are accessible. now those guys who posted the receipts might be in trouble, it's clear why you got govt traffic.

I guess then it must have been just dealers (uploading their pictures to an open public site) who want to be more secure and double check for gps/metadata before uploading to the app.

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

Copyright 2002-2019 Hacker Factor. All rights reserved.