Owen Miller
Podcast Appearances
I worked on AOL's CERT team from 2011 to 2016.
I received a report of abuse on my network from a specific IP at a specific time and was told it was related to potential Bayrob activity.
I went ahead and started taking a look at that and started pivoting around.
We were able to connect specific domains that they were using and accessing with various accounts, various AOL accounts that were being used in order to tunnel traffic through us.
AOL allowed anyone to sign up for a free account and then tunnel network traffic through our dial-up IP allocation space.
And basically we built a full packet capture indexing system.
At the time it was called Moloch and is now called Arkime.
And so us and others as well that offer those same types of services were heavily being leveraged by this group in order to, you know, create new accounts, chat with people, all that good stuff.
And so we just started digging around and seeing when they would connect in, where they would connect from, start going through all of the network traffic that they had presented to us.
So one of the members of the group was typing in his email address to log in on like gmx.de or 1&1 Internet.
They did not use SSL at the time for the login form.
So when he typed in his email address, he typed in his personal email address and then went, oops, and then logged in with his, you know, quote unquote work email address.
And so we have the same IP address at the same, within like, you know, 10 seconds, like typing in someone's email address and then this actor's email address.
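The pivot described at the end of this account, two different login identities submitted from the same source IP a few seconds apart, is a simple correlation to automate once login events have been pulled out of a capture index. The following is an added example and is not code from the interview, from AOL, or from Arkime: the `LOGIN_EVENTS` records are constructed sample data (timestamps assumed to be in one time zone), and `correlate_logins` is a hypothetical helper that flags consecutive logins from one IP with differing identities inside a configurable window.

```python
from datetime import datetime

# Constructed sample data, not real traffic: the kind of per-request fields a
# capture index lets an analyst export for plaintext HTTP login POSTs.
# Each record is (ISO timestamp, source IP, login identity submitted in the form).
LOGIN_EVENTS = [
    ("2014-03-02T10:15:01", "10.0.0.5", "alice.personal@example.net"),  # slip: personal address
    ("2014-03-02T10:15:08", "10.0.0.5", "ops-account@example.org"),     # seconds later: "work" address
    ("2014-03-02T10:20:00", "10.0.0.9", "bob@example.net"),
    ("2014-03-02T10:21:00", "10.0.0.7", "dave@example.net"),
    ("2014-03-02T10:21:03", "10.0.0.7", "dave@example.net"),            # retry with the same identity
    ("2014-03-02T11:00:00", "10.0.0.9", "carol@example.net"),           # 40 minutes after bob: too far apart
]


def correlate_logins(events, window_seconds=10):
    """Find identity pivots: two different logins from the same source IP
    within `window_seconds` of each other.

    Returns a list of (ip, earlier_login, later_login, gap_seconds), ordered by
    the first appearance of each IP in time, then by time within that IP.
    Only consecutive events per IP are compared, which is enough to catch the
    "typed the wrong address, then the right one" pattern.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), ip, login) for ts, ip, login in events
    )

    # Group the time-ordered events by source IP (dict preserves first-seen order).
    by_ip = {}
    for ts, ip, login in parsed:
        by_ip.setdefault(ip, []).append((ts, login))

    hits = []
    for ip, seq in by_ip.items():
        for (t1, login1), (t2, login2) in zip(seq, seq[1:]):
            gap = (t2 - t1).total_seconds()
            # Same identity twice (a retry) is not a pivot; a large gap is not either.
            if login1 != login2 and gap <= window_seconds:
                hits.append((ip, login1, login2, gap))
    return hits


if __name__ == "__main__":
    for ip, first, second, gap in correlate_logins(LOGIN_EVENTS):
        print(f"{ip}: {first!r} then {second!r} after {gap:.0f}s")
```

In practice the interesting part is the data source rather than the loop: the identities are only visible here because the login form was submitted over plaintext HTTP at the time, so an analyst working from today's captures would be correlating on metadata (destination, timing, account used to tunnel) rather than on form contents. Widening `window_seconds` trades precision for recall; the default of ten seconds matches the near-immediate correction described in the account.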