Fulfills Step 3 of GSUSA Senior Cybersecurity Investigator badge requirements.
Items Needed
- VTK JGL Traceroutes by GSUSA, one set for each group of 4–6 scouts
Instructions
- Investigate a fictional cybercrime affecting JGL Closet. Share these key details:
  - The malicious activity has been narrowed down to four suspects located in Amsterdam, Germany, Singapore, and Canada.
  - Each traceroute represents a different page of JGL Closet’s website, and scouts will analyze them to find clues about what’s happening.
- Divide scouts into groups of 4–6. Provide each group with a copy of the JGL Closet Traceroutes. Groups review their traceroutes, looking for anything unusual, and circle suspicious details.
- If groups need help, ask guiding questions:
  - How many hops does each traceroute have?
  - Are any traceroutes longer or shorter than the rest?
  - Do you notice errors in the URLs?
  - Are the locations traveled by the data the same or different across the traceroutes?
  - Does each traceroute end at the same destination?
- Support scouts in identifying these key traceroute clues:
  - URL Error: The store page URL contains a typo.
  - Length of the Traceroute: The store page traceroute is significantly longer than the others.
  - Hop Differences: The store page traceroute includes different hops compared to the others.
  - Final IP Address: The store page ends at a different IP address (hop #25).
- After 10 minutes, bring scouts back together to discuss their findings. Questions to ask:
  - Did you find anything unusual?
  - Where did the data travel in the store page traceroute?
  - What do you think happened to the store page?
Leader Answers:
- Scouts should conclude that the suspect in Frankfurt has hacked the store page to steal customer credit card information. The findings should be:
  - The store page URL has a typo, causing it to redirect.
  - Its traceroute is longer, with additional hops crossing into Europe.
  - The final IP address indicates the page is hosted by a suspect in Frankfurt, Germany.