Like an iceberg, the vast majority of the Internet is obscured from view. This unindexed section of the Internet is dubbed “the Deep Web.” The recent evolution of the Deep Web has allowed fraud to become increasingly commoditized as new methods continue to emerge to monetize the fraud process. As it continues to mature, we expect to see increasingly sophisticated fraud based on the ability to mine the Deep Web for a variety of information.
In this webinar, we will discuss the current state of fraud evolution and provide an understanding of how the business of fraud is structured, including an exclusive view of stolen credit card black markets.
Attendees will learn:
-- How the “Deep Web” is utilized as an enabler of fraud that targets corporations
-- Emerging fraud trends in 2015 and beyond
-- Best practices for how to tackle fraud from beginning to end
Watch the replay here: http://www.easysol.net/resources-the-deep-web
The Deep Web - What's Lurking in the Deep End of the Internet
1. What’s lurking in the deep end of the Internet?
The Deep Web
Joshua Schleicher
Anti-Fraud Solutions Consultant
info@easysol.net
2. 95% of the ocean remains unexplored, unseen by human eyes
http://oceanservice.noaa.gov/facts/exploration.html
3. Just like an iceberg, the majority of the Deep Web remains obscured from view
4. Google has only indexed 200TB of the Internet's data...an estimated .004% of the total Internet
Source: https://hewilson.wordpress.com/what-is-the-deep-web/statistics/
10. The recent evolution of the Deep Web has allowed fraud to become increasingly commoditized, simply because there are many ways to monetize the fraud process itself.
21. How much is a card worth?
Factors affecting price:
• Validity Rate
• Supply and Demand
• Issuing Region
Source: http://krebsonsecurity.com/2014/02/fire-sale-on-cards-stolen-in-target-breach/
22. How much is Healthcare data worth?
In 2015 – the cost of just one Medicare number: $470
Source: http://www.npr.org/sections/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data
23. Cashing In
Image Source: http://www.tripwire.com/state-of-security/vulnerability-management/how-stolen-target-credit-cards-are-used-on-the-black-market/
24. Silk Road
The most famous online drug market, shut down in 2013 by the FBI
31. My Two Cents
• Tackle the problem from beginning to end
• Look for constant innovation
• Speed and flexibility are critical when fighting back fraud
• Ask for references – especially when something bad happens
• There is no silver bullet
Throughout history, the ocean has been a vital source of sustenance, transport, commerce, growth, and inspiration.
Yet for all of our reliance on the ocean, 95 percent of this realm remains unexplored, unseen by human eyes.
http://oceanservice.noaa.gov/facts/exploration.html
The Deep Web is a collection of different web sites, academic databases, corporate intranets and also criminal databases, marketplaces and forums. The owners of each site have different incentives, from guarding intellectual property to hiding criminal activity from law enforcement.
Read more: http://www.cheatsheet.com/business/a-look-inside-the-deep-web.html/?a=viewall#ixzz3cmJhoOmN
Exactly how large is the Deep Web? If the glacier analogy did not make a big enough impact on the imagination, the following statistics (source below) should help put the immensity of the Deep Web into perspective.
– The Deep Web has between 400 and 550 times more public information than the Surface Web.
– Together, the 60 largest Deep Web sites contain around 750 terabytes of data, surpassing the size of the entire Surface Web 40 times.
– 550 billion individual documents can be found on the Deep Web compared to the Surface Web’s 1 billion individual documents.
Source: https://hewilson.wordpress.com/what-is-the-deep-web/statistics/
Search engines like Google and Bing crawl the web and index linkable sites. This allows casual Internet users to find the majority of the content that people use on a daily basis.
These search engines capture less than 1% of all web content.
Things like databases and private academic journals are often not indexed by these search engines, and they make up a considerable amount of the data on the Internet. This content is available via targeted browsing or, in the case of academic resources, behind paywalls.
The main topic of discussion today is the deepest part of the Internet, known as the deep web or dark web, among other names.
The deep web is only accessible using specific, anonymizing technologies and is the portion of the Internet that houses its most sinister functions, such as forums for the distribution of illegal drugs, pornography, and stolen goods.
The deep web is truly anonymous: you can't even get on it unless you yourself are anonymous.
Your location and browsing habits cannot be picked up.
It can only be accessed through a deep web browser, not a normal browser such as Firefox.
The most popular such browser is called Tor.
http://www.sickchirpse.com/deep-web-guide/
The Deep Web is filled with illegal things: drugs, hitmen for hire, weapons, credit card information.
You can get access to business credit card accounts and infinite credit card accounts.
Most things on the deep web are paid for with Bitcoin, which works somewhat like PayPal:
– it uses cryptography, the practice of hiding information, to oversee the transfer of money;
– transactions are irreversible and are verified within anywhere from 10 minutes to an hour;
– the Bitcoin network is decentralized, making these transactions solely peer-to-peer;
– the exchange rate changes from day to day;
– it encourages illegal behavior because the authorities cannot track where the money goes.
Downloads of deep web browsers soared in August by almost 100% as the general population became more concerned about privacy amid talk of US intelligence agencies monitoring web traffic.
http://www.sickchirpse.com/deep-web-guide/2/
In order for credentials to be sold on the Deep Web, credentials must first be harvested and there are a variety of means for this to be accomplished. We are seeing increased complexity in the methods used by fraudsters to harvest credentials, from routine “mass” phishing schemes to more targeted blended malware attacks.
Here are some examples of advanced malware that can be used to compromise accounts and harvest credentials.
Theft of information is done in a wide variety of ways, but large-scale data breaches form the foundation of the black market economy that has formed around payment card fraud. Recent breaches have been the result of malware placed on Point of Sale systems, often in situations where the breached organizations had been certified by third parties as having the appropriate security controls in place.
These generally occur on secured and segmented internal networks, which require the fraudsters to perform multiple levels of infiltration to reach the POS systems: access the internal network, map it and identify the secured payments segment, then infect the POS terminal devices. This is a sophisticated attack.
Recent breaches have also employed RAM-scraping malware for collection of unencrypted, plain-text CC data as it passes through the POS machine memory.
Data Exfiltration
In order to collect the data, it must then be extracted from the internal network. This requires the fraudsters to bypass additional security controls such as Data Loss Prevention tools and outbound firewall rules.
Bypassing these security controls can involve an additional piece or pieces of malware designed with the intent of storing and moving data from the internal networks through the firewall.
Once the data leaves the internal network it is transferred to a drop site, which is frequently a simple FTP server controlled by the fraudster.
The Target breach, for example, employed 3 pieces of malware, a mix of known and previously unknown. Several of these installations were detected by an existing Intrusion Detection System, but the alerts were ignored. 11 GB of data was ultimately extracted in this manner during the course of the Target breach.
As mobile devices increase in popularity, we are seeing them targeted more as a means to harvest credentials. Crimeware platforms can be used to find second factors of authentication, such as SMS, to infiltrate accounts.
A user is infected through a drive-by attack or by other malware, and a malicious PAC file is installed onto their computer. When the victim visits a targeted website, their browser is redirected to a fake website that records their login details. The infection is silent; the user is not notified of the change in configuration. The web site will look almost completely legitimate.
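The firewall-log check a defender would run for the exfiltration path just described (payment segment to an external drop site, with FTP as the named carrier), added here as an example in JavaScript that is not part of the original webinar; the log format, the POS segment range 10.20.0.0/16 and every address are constructed assumptions:

```javascript
// Added example (not from the original webinar): flag allowed outbound flows from
// the payment (POS) network segment to external hosts in firewall logs. Log format,
// CIDR ranges and addresses are constructed; real logs and segments will differ.

// Convert dotted-quad IPv4 to an unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// True when ip falls inside cidr such as "10.20.0.0/16".
function inCidr(ip, cidr) {
  const [base, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (0xffffffff << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(base) & mask);
}

const PRIVATE_RANGES = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'];
const POS_SEGMENT = '10.20.0.0/16'; // assumed: the segmented payment network

// Parse a constructed key=value firewall line, e.g.
// "2015-06-10T02:14:07Z action=allow src=10.20.4.15 dst=198.51.100.7 dport=21 proto=tcp"
function parseLine(line) {
  const fields = {};
  for (const tok of line.trim().split(/\s+/)) {
    const eq = tok.indexOf('=');
    if (eq > 0) fields[tok.slice(0, eq)] = tok.slice(eq + 1);
  }
  return fields;
}

// Return findings for allowed flows from the POS segment to non-private hosts.
// FTP (dport 21) is rated higher because the text names FTP drop sites specifically.
function detectPosEgress(lines) {
  const findings = [];
  for (const line of lines) {
    const f = parseLine(line);
    if (f.action !== 'allow' || !f.src || !f.dst) continue;
    if (!inCidr(f.src, POS_SEGMENT)) continue;
    if (PRIVATE_RANGES.some((r) => inCidr(f.dst, r))) continue;
    const severity = f.dport === '21' ? 'high' : 'medium';
    findings.push({ src: f.src, dst: f.dst, dport: f.dport, severity });
  }
  return findings;
}

// Constructed sample: one internal flow, one external FTP, one external HTTPS, one denied.
const sampleLogs = [
  '2015-06-10T02:13:55Z action=allow src=10.20.4.15 dst=10.20.1.2 dport=443 proto=tcp',
  '2015-06-10T02:14:07Z action=allow src=10.20.4.15 dst=198.51.100.7 dport=21 proto=tcp',
  '2015-06-10T02:15:30Z action=allow src=10.20.4.16 dst=198.51.100.9 dport=443 proto=tcp',
  '2015-06-10T02:16:02Z action=deny src=10.20.4.17 dst=198.51.100.7 dport=21 proto=tcp',
];
console.log(detectPosEgress(sampleLogs));
```

Only the two allowed external flows are reported; the denied FTP attempt is still worth alerting on in a real deployment, but this check is scoped to traffic that got through.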
http://blogs.technet.com/b/mmpc/archive/2014/02/28/malicious-proxy-auto-config-redirection.aspx
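A way to audit a PAC file for the selective redirection described above, added here as an example in JavaScript and not taken from the original webinar or the linked Microsoft post; the helper stubs, the PAC text and the hostnames are constructed assumptions:

```javascript
// Added example (not from the original webinar): audit a proxy auto-config (PAC)
// file by evaluating its FindProxyForURL() against a list of sensitive hosts and
// flagging any host that is routed to a proxy while ordinary traffic goes DIRECT.
// The PAC text and hostnames below are constructed for illustration.

// Minimal stand-ins for helper functions a browser exposes to PAC scripts.
const pacHelpers = {
  dnsDomainIs: (host, domain) => host === domain || host.endsWith(domain),
  shExpMatch: (str, pattern) => {
    const body = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*')
      .replace(/\?/g, '.');
    return new RegExp('^' + body + '$', 'i').test(str);
  },
  isPlainHostName: (host) => !host.includes('.'),
};

// Wrap the PAC source so FindProxyForURL can be called with the helpers in scope.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + '\nreturn FindProxyForURL;');
  return factory(...names.map((n) => pacHelpers[n]));
}

// Evaluate the PAC for each host and report the ones that are not sent DIRECT.
function auditPac(source, hosts) {
  const findProxy = loadPac(source);
  const findings = [];
  for (const host of hosts) {
    const decision = String(findProxy('https://' + host + '/', host)).trim();
    if (!/^DIRECT$/i.test(decision)) {
      findings.push({ host, decision });
    }
  }
  return findings;
}

// Constructed sample: everything goes DIRECT except one banking hostname,
// which is the selective-redirect pattern described in the text.
const samplePac = `
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.bank.example")) { return "PROXY 203.0.113.10:8080"; }
  return "DIRECT";
}`;

const sensitiveHosts = ['online.bank.example', 'www.example.org', 'mail.example.net'];

// Usage: any finding here is a host that the PAC file silently diverts.
console.log(auditPac(samplePac, sensitiveHosts));
```

Run the same audit against the PAC URL configured in the browser or system proxy settings; a non-empty result for a financial hostname is the signal the text describes.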
After several years of a relatively low-and-slow assault on retail point-of-sale systems, fraudsters have succeeded at breaching several big-name merchants. As a result, their crimes are now considered mainstream news. People who never considered payments security before are now talking about POS, PCI and EMV.
Finding information on the Deep Web is easy: many sites are equipped much like legitimate sites with customer service, easy checkout, technical support and even money-back guarantees!
The first thing a credit card buyer would focus on is finding a place to purchase from. This is relatively easy, as there are resources such as the Hidden Wiki to help:
The Hidden Wiki
– Comparable to Wikipedia
– Can be used to find links to hacking databases
– Also a way to find credit card sale sites and forums, which are a major problem for financial institutions around the globe.
Let's expand on the market for stolen credit card data.
The sale of credit card information is done in various ways, but recent years have seen the rise of online card shops that are designed to provide a forum for sellers and buyers to meet and exchange these numbers in a secure manner.
Previously the more common way was to contact sellers via ICQ or Jabber clients, but this seems to have given way to even more anonymized carding sites.
These shops also leverage cryptocurrencies such as Bitcoin to further anonymize the financial transactions on the site.
These shops provide detailed information on each card or group of cards being purchased, including information on the issuing bank, the cardholder, and the BIN.
These shops also use names for large-scale influxes of cards as a sort of marketing tool to entice buyers to purchase the most effective card dumps, with names like Barbarossa, Tortuga, and Tripoli.
Recently these forums have been found to be employing tactics that are really only seen in the large retailers they steal from, such as one-click buying, easy checkout, robust customer service, and instant refunds for customers that purchase a card number that has been cancelled by the issuer.
In summary, the markets and forums in which stolen payment card data is sold are becoming increasingly sophisticated, and this trend will only continue as large-scale data breaches become more prevalent.
Factors that affect the price of a stolen card:
Validity Rate – the older a breach is, the more likely the card is to have been cancelled. The above graphic illustrates the rapid decline in validity rates for the Target breach over time, which correlates directly to the average prices for the cards being sold.
Supply and Demand – As in any economy, the main forces driving the price of the commodity are supply and demand. In the case of large breaches like Target, the cards were placed on carding sites and forums over time in several batches to increase salability.
Region – While this variance is also explained by supply and demand, the fact of the matter is that
Based on this information, cards can be worth anywhere from $1 to $120, with European cards from new breaches fetching the highest prices per card. The large variance in the aforementioned factors accounts for the large range of prices.
22 Bitcoins at the exchange rate at the time of sale. Valid seller with 5-star rating!!
There are any number of methods of cashing in on stolen credit card information, from the very simple to the very complex.
The simplest would be an ATM transaction using a debit card that was stolen and sold with its PIN information.
The Credit to Gift Card Shell Game – Find the Fraud!
One lucrative method of “carding” involves a shell game, where stolen credit cards are used to charge pre-paid cards. These cards are then used to purchase store specific gift cards, such as from Amazon for example.
Shopping & Reshipping
The carder then uses that gift card to purchase high-value goods, usually electronics such as cell phones, computers and game consoles. This process makes the purchases difficult for companies to trace. By the time it is figured out and the cards blocked, the criminal is already in possession of the purchased goods.
These packages are usually then shipped via a re-shipping scam. Unsuspecting individuals are recruited as Mules (re-shippers) usually through legitimate channels such as Craigslist job listings promising “easy work-from-home jobs” and usually in the United States as it raises fewer red flags.
The re-shipper then assembles multiple packages and ships them usually outside the country, or directly to someone who purchases the goods from an auction site the fraudster has posted the goods to.
Reselling Goods for Profit
The carder may then sell the electronics through legitimate channels such as through eBay, or to avoid risk can sell the goods through a hidden underground “deep web” site. Most people know the “deep web” from the Silk Road, which was recently shut down by the FBI, reappeared and then vanished again.
The Silk Road was an online marketplace for illegal products such as drugs. However, the Silk Road had somewhat of a code of ethics, as certain products were restricted from sale, such as pornography, weapons, personal data (stolen credit cards, passwords etc.), and poisons.
There are many hidden services available that do not have such scruples. There are numerous places on the deep web that sell stolen credit cards and goods acquired through carding.
On these hidden illegal websites the goods are usually sold at deep discounts on the black market, usually around 50% of retail and reshipped or sent to a secure drop (vacant house etc) a purchaser has setup for this purpose.
Silk Road was the most famous online drug market until the FBI shut it down in 2013:
– 97% success rate, meaning 97% of all transactions were completed successfully
– Set up like eBay or Amazon, with a heavy focus on user feedback for buyers and sellers
– Open since 2011
– Buy virtually any kind of drug in any quantity you desire
Accessing the Deep Web is relatively simple through use of a TOR Browser, short for “The Onion Router”. The TOR network effectively anonymizes users and services by moving their traffic across numerous TOR network servers and by encrypting the traffic data so that it cannot be traced. Anyone attempting to view or analyze the traffic simply sees traffic coming from random nodes on the TOR network as opposed to the traceable IP information that would identify users browsing the common internet.
The deep web is also the place to encounter professional hackers and fraudsters for hire, who can perform a wide variety of attacks to compromise a target of your choice. All transactions are conducted with cryptocurrencies, and the services available may include:
– Account takeover for social media or banking sites
– Tracking of mobile devices for surveillance
– Web server hacking or DDoS attacks
– Even tracking of someone who committed fraud against you – FIND YOUR SCAMMER
The availability of these services has created a world in which you do not need “blackhat” hacking skills to run attack campaigns but instead only the ability to pay for a phishing or malware kit. This has been an important aspect in the proliferation of cyber attacks against corporations and financial institutions around the world.
If we are viewing the deep web as a sort of illegal goods superstore, then one of the more common goods to find there would be firearms. Prohibition or restriction on the purchase of firearms varies worldwide, and as a result black markets are created to illegally bypass those restrictions. Dark web operators sanitize the firearms by removing serial numbers and then sell to anyone with the cash to pay for the weaponry. Items sold on the dark web range from firearms that are restricted from being sold to the public, such as fully automatic or high-caliber weaponry, to more common weapons sold to criminals or other individuals who are restricted from purchasing firearms in their country.
Fake documents are also widely available on the deep web, and many of these vendors claim to be able to furnish fully functional passports, driver's licenses and Social Security numbers for people looking to falsify citizenship or enter a country under false pretenses. This is clearly a significant concern for governments fighting problems like terrorism and large-scale drug trade, as they often use border checkpoints to monitor the movement of key individuals around the globe.
Often the generation of these documents can lead back to breaches of government or healthcare sites that contain Social Security numbers that can then be used to generate fake documents.
While corporate breaches often grab the most significant headlines, governmental organizations are also vulnerable to attacks that lead to information being sold on the deep web black markets.
Earlier this year, the IRS encountered over 200,000 attempts to file falsified tax returns, and found that over one hundred thousand accounts had been compromised, including personal information such as SS#, DOB and street address. In these instances, the criminals were able to get around the multi-step authentication with personal information about the taxpayer.
And just recently the federal Office of Personnel Management was breached, potentially exposing the private data of over 4.1 million federal government employees (spanning over 2 decades). This includes extremely sensitive data and personal information, and it has already been discovered being actively traded on the darknet.
Criminals will parse out the most valuable data and sell to interested parties; much as they do with CCs that are sold in batches.