Cyber Security

Anonymous Cybercrime: Before Tor

TL;DR

Before tools like Tor became common, cybercriminals used a combination of techniques to hide their identities and locations: compromised machines (botnets) as launch points and relays, open public Wi-Fi networks, email spoofing, chains of proxy servers, frequently reconnected dial-up sessions, physical distance and human relays, and steganography to hide the communication itself.

How Cybercriminals Stayed Anonymous Before Tor

  1. Compromised Machines (Botnets)
    • Cybercriminals would infect thousands of computers with malware to create a botnet.
    • They then used these bots to launch attacks or relay traffic, making it difficult to trace the origin back to them directly.
    • The attacker controlled the bots remotely, often through an IRC (Internet Relay Chat) channel: every bot joined the channel and parsed messages from the botmaster as commands, so a single line reached the whole botnet at once.
      # Example raw IRC protocol line sent by the botmaster (channel name and target are placeholders):
      PRIVMSG #control :!attack target_ip
    • The control channel was also the botnet's weak point: anyone who joined it could watch the commands, and taking down or seizing the IRC server cut the attacker off from every bot.
  2. Public Wi-Fi Networks
    • Connecting from an open, unsecured public Wi-Fi hotspot hid the attacker's own subscriber address.
    • The victim's logs showed the hotspot's public (NAT) IP address instead of the attacker's home or work IP.
    • This was a simple but effective method for basic anonymity, though it hid only the IP address: the hotspot could still log the attacker's hardware (MAC) address, and the venue could establish who was on the premises at the time.
  3. Email Spoofing
    • Attackers could forge message headers, above all From:, so that an email appeared to come from a legitimate sender; SMTP itself does not check that the From: header matches the host that is actually delivering the message.
    • Tools like sendmail and small Perl scripts were used to set an arbitrary 'From:' address.
      # Example (simplified) email spoofing using sendmail: -t reads the recipients from the
      # To:/Cc:/Bcc: headers of the file, and the forged From: header comes from the file too.
      /usr/sbin/sendmail -t < /path/to/spoofed_email.txt
    • This was often used in phishing attacks and to spread malware. The receiving mail server still prepended a Received: header recording the real connecting host, which is where investigators looked; SPF, DKIM and DMARC later automated exactly that comparison.
  4. Proxy Chains
    • Attackers would route their traffic through multiple proxy servers located in different countries.
    • Each proxy server only saw the IP address of the previous hop, so no single server knew both the attacker's original IP and the final target.
    • Tools like Proxychains allowed easy chaining of proxies.
      # Example Proxychains configuration file (/etc/proxychains.conf); the addresses are placeholders:
      strict_chain
      proxy_dns
      [ProxyList]
      http   203.0.113.10   8080
      socks5 198.51.100.20  1080
    • The more proxies used, and the more jurisdictions they spanned, the harder it was to trace the connection: an investigator needed logs from every hop, in order, and a single hop that kept no logs (or refused to hand them over) ended the trace. The cost for the attacker was reliability, since in strict_chain mode the whole chain failed if any one proxy was down.
  5. Dial-up Connections
    • In the early days of the internet, dial-up connections were common and ISPs assigned a dynamic IP address from a shared pool for each call.
    • Attackers could disconnect and reconnect frequently to get a new IP address, making tracking more difficult: an IP address alone identified nobody without the exact time it was in use.
    • Tracing then depended on the ISP's accounting records (typically RADIUS start/stop logs) that mapped an address and time window to an account and the calling phone number; many ISPs kept those records only briefly, if at all, so the link between an address and a subscriber was often gone by the time anyone asked.
  6. Physical Distance & Relays
    • Some criminals would physically travel to different locations and use internet cafes or public computers.
    • They might also enlist accomplices in other countries to act as relays, forwarding traffic through their connections.
    • This added a layer of complexity for law enforcement investigations.
  7. Steganography
    • Hiding messages within images or audio files made it difficult to detect malicious communication: the carrier file looked and played normally, so the traffic itself raised no alarm.
    • Tools like Steghide were used to embed data; steghide encrypts the payload with a passphrase before hiding it in the carrier.
      # Example using Steghide: embed message.txt into image.jpg (steghide prompts for a passphrase),
      # then recover it from the stego file on the receiving side:
      steghide embed -cf image.jpg -ef message.txt
      steghide extract -sf image.jpg
    • The weakness is statistical: embedding alters the carrier in ways steganalysis tools can measure, and once found, the carrier file is itself evidence.
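The From: forgery in item 3 works because the sender writes that header, while the envelope sender (Return-Path) and the topmost Received: header are written by the receiving mail server from what it observed on the SMTP connection. The check below, an added example that is not code from the original post, compares the three on two constructed messages (all addresses use the reserved .example domain and RFC 5737 address ranges):

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages (no real senders). The Return-Path and topmost
# Received: headers are what the receiving MX itself recorded; the From: header
# is whatever the sender chose to write.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@attacker.example>
Received: from mail.attacker.example ([203.0.113.7]) by mx.victim.example with SMTP; Mon, 1 Jan 2001 10:00:00 +0000
From: "IT Helpdesk" <helpdesk@bank.example>
To: user@victim.example
Subject: Password reset required

Please reset your password using the attached form.
"""

GENUINE_MESSAGE = """\
Return-Path: <helpdesk@bank.example>
Received: from mail.bank.example ([198.51.100.9]) by mx.victim.example with SMTP; Mon, 1 Jan 2001 10:05:00 +0000
From: "IT Helpdesk" <helpdesk@bank.example>
To: user@victim.example
Subject: Scheduled maintenance

No action is required.
"""


def domain_of(address_header):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    if not address_header:
        return ""
    addr = parseaddr(address_header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_from_alignment(raw_message):
    """Compare the forgeable From: header with the two facts the MX observed itself:
    the SMTP envelope sender (Return-Path) and the host that handed the message over
    (topmost Received: header). Returns a list of findings; empty means consistent."""
    msg = message_from_string(raw_message)
    findings = []
    header_from = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    if envelope and envelope != header_from:
        findings.append(f"From: domain {header_from} differs from envelope sender domain {envelope}")
    received = msg.get_all("Received") or []
    if received:
        # The topmost Received: header is the one our own MX prepended on arrival.
        match = re.search(r"from\s+([\w.-]+)", received[0])
        relay = match.group(1).lower() if match else ""
        if relay and not (relay == header_from or relay.endswith("." + header_from)):
            findings.append(f"From: domain {header_from} but message was handed over by {relay}")
    return findings


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("genuine", GENUINE_MESSAGE)):
        print(name, check_from_alignment(raw) or "consistent")
```

The spoofed message produces two findings (envelope domain and handing-over host both disagree with From:), the genuine one none. This is the manual form of the comparison that SPF and DMARC alignment later standardised; in the pre-Tor era few receivers performed it, which is why the forgery was effective.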
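Items 4 and 6 (proxy chains and accomplices acting as relays) rely on the same property: every hop records only the hop before it, so a trace has to be walked backwards one log at a time. The model below is an added example, not code from the original post, with placeholder addresses from the RFC 5737 documentation ranges; it forwards one connection through a three-hop chain and then attempts the trace-back, once with every hop logging and once with the middle hop keeping no logs.

```python
from dataclasses import dataclass, field


@dataclass
class Proxy:
    """A relay that, if it logs at all, records (inbound source IP, outbound destination IP)."""
    ip: str
    keeps_logs: bool = True
    log: list = field(default_factory=list)


def send_through_chain(origin_ip, chain, victim_ip):
    """Forward one connection hop by hop; return the source address the victim sees."""
    previous = origin_ip
    for index, hop in enumerate(chain):
        next_ip = chain[index + 1].ip if index + 1 < len(chain) else victim_ip
        if hop.keeps_logs:
            hop.log.append((previous, next_ip))
        previous = hop.ip          # each hop only ever sees the hop before it
    return previous


def trace_back(victim_seen_ip, victim_ip, proxies_by_ip):
    """Investigator's view: start from the victim's log and ask each hop who connected
    to the next address in the path. Returns (path found so far, reached_origin)."""
    path, current_ip, target = [victim_seen_ip], victim_seen_ip, victim_ip
    while current_ip in proxies_by_ip:
        hop = proxies_by_ip[current_ip]
        sources = [src for (src, dst) in hop.log if dst == target]
        if not sources:
            return path, False     # no log at this hop: the trail ends here
        target, current_ip = current_ip, sources[0]
        path.append(current_ip)
    return path, True              # reached an address that is not a known proxy


def run_scenario(middle_hop_logs=True):
    """Constructed scenario: attacker 192.0.2.10 -> three proxies -> victim 198.51.100.5."""
    origin, victim = "192.0.2.10", "198.51.100.5"
    chain = [Proxy("203.0.113.1"),
             Proxy("203.0.113.2", keeps_logs=middle_hop_logs),
             Proxy("203.0.113.3")]
    seen = send_through_chain(origin, chain, victim)
    path, found = trace_back(seen, victim, {p.ip: p for p in chain})
    return seen, path, found


if __name__ == "__main__":
    print("all hops log:     ", run_scenario(True))
    print("middle hop silent:", run_scenario(False))
```

The victim sees only the exit proxy in both runs. With every hop logging, the walk reaches the origin; when the middle hop keeps nothing, the trace stops one hop in, which is exactly why attackers favoured relays in jurisdictions where logs were unlikely to exist or to be handed over.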
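For item 5, the investigator's side of a dial-up trace is a lookup in the ISP's accounting records: which account held a pool address at a given instant. The following is an added example, not code from the original post; the records are constructed in a simplified RADIUS accounting layout (standard attribute names, placeholder users, phone numbers and a 192.0.2.0/24 address) and deliberately reuse the same address for a second subscriber 29 seconds after the first call ends.

```python
from datetime import datetime

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed accounting records: one Start and one Stop per call.
ACCOUNTING_LOG = """\
2001-03-04T01:12:05Z Acct-Status-Type=Start User-Name=jdoe Framed-IP-Address=192.0.2.44 Calling-Station-Id=5551230001
2001-03-04T01:40:51Z Acct-Status-Type=Stop User-Name=jdoe Framed-IP-Address=192.0.2.44 Calling-Station-Id=5551230001
2001-03-04T01:41:20Z Acct-Status-Type=Start User-Name=asmith Framed-IP-Address=192.0.2.44 Calling-Station-Id=5551230099
2001-03-04T02:30:00Z Acct-Status-Type=Stop User-Name=asmith Framed-IP-Address=192.0.2.44 Calling-Station-Id=5551230099
"""


def parse_accounting(text):
    """Pair Start/Stop records into sessions keyed by (account, assigned address)."""
    sessions, open_sessions = [], {}
    for line in text.strip().splitlines():
        timestamp, *fields = line.split()
        attrs = dict(item.split("=", 1) for item in fields)
        when = datetime.strptime(timestamp, TIME_FORMAT)
        key = (attrs["User-Name"], attrs["Framed-IP-Address"])
        if attrs["Acct-Status-Type"] == "Start":
            open_sessions[key] = {"user": key[0], "ip": key[1],
                                  "calling_station": attrs.get("Calling-Station-Id"),
                                  "start": when, "stop": None}
        elif attrs["Acct-Status-Type"] == "Stop" and key in open_sessions:
            session = open_sessions.pop(key)
            session["stop"] = when
            sessions.append(session)
    sessions.extend(open_sessions.values())   # calls still in progress
    return sessions


def resolve(ip, when_str, sessions):
    """Map (address, UTC time) to (account, calling number), or None when no session
    covers that instant: the address was unassigned, or the time lies outside
    what the surviving records can answer."""
    when = datetime.strptime(when_str, TIME_FORMAT)
    for s in sessions:
        if s["ip"] == ip and s["start"] <= when and (s["stop"] is None or when <= s["stop"]):
            return s["user"], s["calling_station"]
    return None


if __name__ == "__main__":
    sessions = parse_accounting(ACCOUNTING_LOG)
    for t in ("2001-03-04T01:30:00Z", "2001-03-04T01:41:00Z", "2001-03-04T02:00:00Z"):
        print(t, resolve("192.0.2.44", t, sessions))
```

Two lessons fall out of the reuse gap: the victim's timestamp must be correct to the second and converted to the ISP's clock (a one-minute skew here points at the wrong subscriber, and a one-hour timezone error at nobody), and once the ISP has purged its accounting records there is no table left to query, which is what "limited logging" meant in practice.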
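Item 7 names steghide but does not show what embedding does to the carrier. The following added example, which is not code from the original post and not steghide's own algorithm (steghide works on JPEG coefficients and encrypts the payload; this is the plainer least-significant-bit method on raw 8-bit samples), embeds a message with a length header, recovers it, checks the capacity limit, and measures how little each sample moved. The cover is constructed deterministic noise standing in for image or audio sample data.

```python
import random

HEADER_BYTES = 4   # payload length is stored in the first 32 samples


def make_cover(n_samples=4096, seed=1):
    """Constructed stand-in for raw 8-bit image/audio samples (deterministic noise)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n_samples))


def capacity_bytes(cover):
    """One payload bit per sample, minus the length header."""
    return len(cover) // 8 - HEADER_BYTES


def embed(cover, payload):
    """Overwrite the least-significant bit of successive samples with the payload
    bits (length prefix first, MSB-first within each byte)."""
    if len(payload) > capacity_bytes(cover):
        raise ValueError(f"payload of {len(payload)} bytes exceeds capacity of {capacity_bytes(cover)}")
    data = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    stego = bytearray(cover)
    bits = ((byte >> (7 - i)) & 1 for byte in data for i in range(8))
    for index, bit in enumerate(bits):
        stego[index] = (stego[index] & 0xFE) | bit
    return bytes(stego)


def _read_bytes(stego, first_bit, count):
    """Reassemble `count` bytes from the LSBs starting at sample `first_bit`."""
    out = bytearray()
    for b in range(count):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[first_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego):
    """Recover the payload; refuse if the length header cannot be right."""
    length = int.from_bytes(_read_bytes(stego, 0, HEADER_BYTES), "big")
    if length > capacity_bytes(stego):
        raise ValueError("no embedded payload (length header out of range)")
    return _read_bytes(stego, HEADER_BYTES * 8, length)


def max_sample_change(cover, stego):
    """Largest change to any sample: LSB embedding moves each by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


if __name__ == "__main__":
    cover = make_cover()
    stego = embed(cover, b"meet at the usual place")
    print(extract(stego), "max change per sample:", max_sample_change(cover, stego))
```

A change of at most one unit per sample is invisible to the eye or ear, which is the whole point; it is also why detection is statistical rather than visual, since flattening the LSB plane leaves measurable traces that steganalysis tools look for.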