Bad actors (cyber criminals, terrorists, foreign spies) and their Tactics, Techniques, and Procedures (TTPs).
How is the criminal underground evolving in the Dark Web?
The response of law enforcement.
3. Current scenario: Deep Web vs Dark Web
• Deep Web
  ✓ The part of the web that has not yet been indexed by common search engines.
• Dark Web
  ✓ Set of publicly accessible content hosted on websites whose IP address is hidden, but which anyone can access as long as they know the address.
  ✓ Set of private content exchanged in a closed network of computers for file sharing.
[Figure: nested diagram of the Bright (or Clear) Web, the Deep Web and the Dark Web]
4. Current scenario: Dark Web
• The Onion Router (Tor)
  ✓ Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than six thousand relays to conceal a user's location and usage from anyone conducting network surveillance or traffic analysis.
• I2P - The Invisible Internet Project
  ✓ Peer-to-Peer (P2P) network
  ✓ I2P is an anonymous overlay network, a network within a network; ordinary services run on top of a secure network.
• Freenet - A Distributed Anonymous Information Storage and Retrieval System.
• anoNet is a decentralized friend-to-friend network built using VPNs and software BGP routers.
5. Current scenario: Why is Tor so popular in the criminal ecosystem?
• Anonymity
• Tor provides "hidden services" that could be used for several illegal activities.
• Law enforcement faces difficulties in de-anonymizing Tor users.
• Impossible to conduct monitoring on a large scale.
• Excellent aggregator: it hosts the principal underground communities.
• Tor allows bypassing Internet filtering (i.e. censorship).
7. Cybercrime: Dark Net as a facilitator for cybercrime
"Cybercrime is a fast-growing area of crime. More and more criminals are exploiting the speed, convenience and anonymity of the Internet to commit a diverse range of criminal activities that know no borders, either physical or virtual." (INTERPOL)
Cyber crimes can be grouped in the following categories:
• Attacks against computer hardware and software
• Financial crimes
• Abuse (i.e. child pornography)
Darknets are the right place to search for anything related to the above crimes.
8. Malware and DarkNets: The offer of Darknets
• Darknets are a privileged environment for malware authors and botmasters.
• Hiding C&C infrastructure
• Availability of authenticated hidden services
• Availability of black markets to buy and sell their products.
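The "Hiding C&C infrastructure" point is where a defender gets a foothold: malware that reaches its controller over Tor still has to name a .onion address, and hosts without a Tor client often do so through a clearnet Tor2Web gateway. The following Python is an added example, not code from this presentation or from its author. It parses constructed proxy-log lines, flags hostnames that are well-formed v2 onion names (16 base32 characters, the format of the market addresses listed later in the deck) or v3 names (56 characters), and flags onion names reached through a short, assumed list of gateway suffixes. The log format and the gateway list are assumptions made for the example.

```python
import re
from typing import Dict, List, Set

# Tor hidden-service names: v2 addresses are 16 base32 characters (a-z, 2-7)
# before ".onion"; v3 addresses are 56 base32 characters.
ONION_NAME_RE = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion$")

# Clearnet Tor2Web-style gateway suffixes that proxy hidden services to
# ordinary browsers. Assumed, partial list for this example: extend it
# with the gateways you actually observe in your environment.
TOR2WEB_SUFFIXES = (".tor2web.org", ".onion.to", ".onion.cab")

# Constructed sample proxy log: "<timestamp> <client ip> <destination host> <bytes>".
SAMPLE_LOG = """\
2015-09-01T10:00:01Z 10.0.0.12 www.example.com 5120
2015-09-01T10:00:07Z 10.0.0.45 abraxasdegupusel.onion 840
2015-09-01T10:01:13Z 10.0.0.45 abraxasdegupusel.onion.to 1200
2015-09-01T10:02:22Z 10.0.0.77 not-an-onion.onion 300
2015-09-01T10:03:09Z 10.0.0.12 cdn.example.net 90210
"""


def classify_host(host: str) -> str:
    """Return 'onion' for a direct hidden-service name, 'tor2web' for a
    hidden-service name reached through a clearnet gateway, else 'other'."""
    h = host.lower().rstrip(".")
    if ONION_NAME_RE.match(h):
        return "onion"
    for suffix in TOR2WEB_SUFFIXES:
        if h.endswith(suffix):
            # The label in front of the gateway suffix must itself be a
            # well-formed onion name for this to count as Tor2Web use.
            inner = h[: -len(suffix)] + ".onion"
            if ONION_NAME_RE.match(inner):
                return "tor2web"
    return "other"


def scan_log(text: str) -> List[Dict[str, str]]:
    """Parse the log lines and return only the Tor-related records."""
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        ts, client, host, _size = parts[:4]
        kind = classify_host(host)
        if kind != "other":
            hits.append({"time": ts, "client": client, "host": host, "kind": kind})
    return hits


def clients_by_kind(hits: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group the internal clients that produced hits by access kind;
    this is the short list an analyst would triage first."""
    summary: Dict[str, Set[str]] = {}
    for hit in hits:
        summary.setdefault(hit["kind"], set()).add(hit["client"])
    return summary


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for hit in found:
        print(f"{hit['time']} {hit['client']} -> {hit['host']} [{hit['kind']}]")
    print(clients_by_kind(found))
```

On the constructed sample the scan reports two hits, both from client 10.0.0.45: one direct .onion destination and one reached via a gateway. The malformed "not-an-onion.onion" line is ignored, which keeps the check from firing on every string that merely ends in ".onion". A real deployment would feed the same classifier from DNS query logs as well as the proxy, since a host running its own Tor client never resolves the onion name through the corporate resolver at all.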
9. Cybercrime: The offer of Darknets
10. Malware and DarkNets: The offer of Darknets
• 2012: one C&C server for data exfiltration (Skynet)
• 2013: 3 C&C servers controlled a botnet of a million machines
• 2014: OnionDuke campaign - 3 C&C servers, cyber espionage
• 2015: 2 C&C servers in Tor and 2 on I2P (ransomware)
11. Malware and DarkNets: What about 2015
• A new variant of the popular Zeus banking trojan, dubbed Sphinx, appeared for sale on the black market; it operates entirely through the Tor network.
• Security experts at Sensecy have uncovered ORX-Locker, a Darknet Ransomware-as-a-Service platform that could allow anyone to become a cyber criminal.
12. Tor network abuse in financial crimes: Tor Anonymity and Financial Frauds
• Dec. 2014 - a non-public report prepared by the US Treasury Department found that a majority of bank account takeovers exploit the anonymizing Tor network.
• 6,048 suspicious activity reports (SARs) filed by financial organizations between August 2001 and July 2014, focusing on those involving one of more than 6,000 known Tor network nodes.
• 975 hits corresponding to reports totaling nearly $24 million in likely fraudulent activity.
• "From October 2007 to March 2013, filings increased by 50 percent," the report observed. "During the most recent period, March 1, 2013 to July 11, 2014, filings rose 100 percent."
13. Tor network abuse in financial crimes: Tor Anonymity and Financial Frauds
14. Black Markets: What about 2015
• Black markets are places on the web where it is possible to acquire or rent "malicious" services and products.
• Anonymity and virtual currencies.
• Efficient facilitators of criminal activities.
• The most commercialized products are drugs, users' PII, stolen card data and hacking services.
• The feedback mechanism and escrow services increase mutual trust between buyers and sellers.
• Competition (Mr Nice Guy hired a blackmailer to hit TheRealDeal and its competitors. TheRealDeal hacked back.)
15. Black Markets: Dark markets are crowded places
16. Black Markets: Tor Black Markets
Black market               Onion address
Abraxas                    abraxasdegupusel.onion
Agora                      agorahooawayyfoe.onion
AlphaBay                   pwoah7foa6au2pul.onion
Nucleus                    nucleuspf3izq7o6.onion
Outlaw                     ouIor6jwcztwbpd.onion
Italian DarkNet Community  2qrdpvonwwqnic7j.onion
Dream Market               ltxocqh4nvwkoďŹl.onion
Haven                      havenpghmfqhivfn.onion
Middle Earth               mango7u3rivtwxy7.onion
17. Black Markets: Product Pricing List Sample
• PII record for $1. (Trend Micro)
• PayPal and eBay accounts go up to $300 each. (Trend Micro)
• Bank account offered for a price ranging between $200 and $500 per account (balance, history).
• Document scans from $10 to $35 per document. (Trend Micro)
• Credit card fraud: CVVs ($3-$25), Dumps ($20-$60), Fullz ($25-$125) [Data Preview - Annual Card Fraud Report, IT Ministry of Treasury and Finance]
• Counterfeit documents, including non-US passports, from $200 to $1000. Fake US driver's licenses run for $100-$150, while counterfeit Social Security cards run between $250 and $400 on average.
18. Black Markets: Services - Pricing List
• Hacking services
  ✓ Social media account hacking $50-$100 (FB, Twitter, etc.)
  ✓ Remote Access Trojan $150-$400 (FB, Twitter, etc.)
  ✓ Banking malware customization (i.e. Zeus source code) $900-$1500
  ✓ Rent a botnet for a DDoS attack (24 hours) $900-$1500
• Carding
• Money laundering services
• Assassination services
• Training and tutorials
19. Black Markets: A successful Business Model
2012:
• Silk Road realized $22 million in annual sales related to the drug market alone. (Carnegie Mellon 2012)
• USD 1.9 million per month total revenue for sellers
• Silk Road operators earned about USD 143,000 per month in commissions.
2015:
• The principal 35 dark marketplaces raked in from $300,000 to $500,000 a day.
• About 70% of all sellers never managed to sell more than $1,000 worth of products. Another 18% of sellers were observed to sell between $1,000 and $10,000, but only about 2% of vendors managed to sell more than $100,000.
20. Pedophilia: Pedos in the dark
• A study conducted by the University of Portsmouth revealed that over 80% of Tor network visits are related to pedo sites.
• The portion of Tor users who search for child abuse materials is greater than the portion that uses it to buy drugs or leak sensitive documents to a journalist.
• "Unstable sites that frequently go offline might generate more visit counts. And sites visited through the tool Tor2Web, which is designed to make Tor hidden services more accessible to non-anonymous users, would be underrepresented. All those factors might artificially inflate the number of visits to child abuse sites measured by the University of Portsmouth researchers," said Tor executive director Roger Dingledine.
21. Pedophilia: Pedophilia in the dark
• Trend Micro Research identified 8,707 "suspicious" pages. The analysis of the "Surface Web" sites that those pages linked to revealed that the majority of them fall into the following categories:
  ✓ Disease vector (drive-by download) sites (33.7%).
  ✓ Proxy avoidance sites (31.7%).
  ✓ Child exploitation (26%).
• The diffusion of pedo material in the Deep Web is in any case a serious phenomenon.
22. Terrorism: Terrorists in the Dark Web
• Propaganda videos and images
• The Dark Web is difficult to monitor for intelligence agencies and it is not so easy to de-anonymize members of terrorist organizations.
• Hidden services used as repositories of mobile apps used by the jihadists to communicate securely.
23. Terrorism: Terrorists in the Dark Web
• Donations to fund cells by using virtual currencies (i.e. Bitcoin)
• Law enforcement fears possible abuses of crypto currencies that could facilitate bad actors, including terrorists.
• "Bitcoin wa Sadaqat al-Jihad", which translates to "Bitcoin and the Charity of Violent Physical Struggle", explains how it is possible to buy weapons for the Mujahideen.
• ISIS released a manual for its militants titled "How to Tweet Safely Without Giving out Your Location to NSA."
24. We are going in the dark: The response of law enforcement
• "We're past going dark in certain instances. We are dark," said Michael Steinbach, assistant director of the FBI's counter-terrorism division.
• The FBI warned lawmakers there was no way to monitor encrypted online communications exploited by Islamic State militants and sympathizers. (June 2015)
• Michael McCaul, chairman of the committee, confirmed that the inability to monitor communications among members of ISIS in the dark web represents a "tremendous threat to our homeland."
• A DoJ proposal is trying to legitimize FBI hacking operations against Internet users that make use of any kind of anonymizing technology. (Sept. 2014)
25. We are going in the dark: The response of law enforcement
• (Dec. 22nd, 2014) In a court case it emerged that investigators had used an FBI "Network Investigative Technique" (NIT) to deanonymize suspects using the Tor network. The NIT allowed them to identify the IP address of Tor users.
• Law enforcement relied on the popular Metasploit framework to first de-anonymize operators of child porn websites in the Tor network.
• The operation was codenamed Operation Tornado and the FBI relied upon an abandoned Metasploit project dubbed the "Decloaking Engine" to de-anonymize users in 2012.
• "The NIT was a Flash based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings," states the forensic report.
26. Operation Onymous: The response of law enforcement
"The action aimed to stop the sale, distribution and promotion of illegal and harmful items, including weapons and drugs, which were being sold on online 'dark' marketplaces. Operation Onymous, coordinated by Europol's European Cybercrime Centre (EC3), the FBI, the U.S. Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI) and Eurojust, resulted in 17 arrests of vendors and administrators running these online marketplaces and more than 410 hidden services being taken down. In addition, bitcoins worth approximately USD 1 million, EUR 180 000 in cash, drugs, gold and silver were seized," reports Europol.
27. Operation Onymous: The response of law enforcement
• Operation Onymous (on 5 and 6 November 2014): law enforcement and judicial agencies around the globe conducted a joint action against dark markets on Tor networks.
• Over 400 websites were shut down, including black markets on the Tor network (Silk Road 2.0, Cloud 9 and Hydra).
• The 26-year-old software developer "Defcon" was arrested in San Francisco and accused of running Silk Road 2.0.
• $1 million in Bitcoin was seized, along with €180,000 in cash, gold, silver and drugs.
• The list of dark markets seized by law enforcement includes Alpaca, Black Market, Blue Sky, Bungee 54, CannabisUK, Cloud Nine, Dedope, Fake Real Plastic, FakeID, Farmer1, Fast Cash!, Flugsvamp, Golden Nugget, Hydra, Pablo Escobar Drugstore, Pandora, Pay Pal Center, Real Cards, Silk Road 2.0, Smokeables, Sol's Unified USD Counterfeit's, Super Note Counter, Tor Bazaar, Topix, The Green Machine, The Hidden Market and Zero Squad.
28. Operation Onymous: De-anonymizing cyber crime on Tor
• Security experts hypothesized that law enforcement exploited one of the following scenarios:
  ✓ Lack of operational security of hidden services.
  ✓ Exploitation of bugs in the web application.
  ✓ Bitcoin de-anonymization.
  ✓ Attacks on the Tor network (i.e. traffic analysis / correlation attacks).
• The number of black markets seized by law enforcement led to speculation that a weakness in the Tor network had been exploited.
• Andrew Lewman, a representative of the not-for-profit Tor Project, excluded it, suggesting that traditional police work such as following Bitcoins was more likely.
29. Intelligence & Deep Web: Snowden Revelation
The top-secret presentation "Tor Stinks" leaked by Snowden shows the techniques implemented by the NSA to overwhelm Tor anonymity with manual analysis.
"We will never be able to de-anonymize all Tor users all the time, but with manual analysis we can de-anonymize a very small fraction of Tor users."
30. New dedicated cyber units: Law enforcement
Dec. 2014 - Prime Minister Cameron announced that a newborn cyber unit composed of officials from GCHQ and NCA will fight online pedophiles even in the Deep Web.
Interpol's Cyber Research Lab completed its first training program; as part of the course the participants built their own private "Darknet" network simulating the management of an underground marketplace.
31. About me
About Pierluigi Paganini:
Pierluigi Paganini is Chief Information Security Officer at Bit4Id, a leading firm in identity management, member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, and a member of the advisory council for The European Centre for Information Policy and Security (ECIPS), Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker at EC-Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", named a Top National Security Resource for the US.
Pierluigi is a member of the Dark Reading editorial team and a regular contributor to some major publications in the cyber security field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin"; coming soon is the new book "Spy attack: come aziende, servizi segreti e hacker possono violare la nostra privacy".
Ing. Pierluigi Paganini
Chief Information Security Officer, Bit4id
ppa@bit4id.com
www.bit4id.com
Founder, Security Affairs
http://securityaffairs.co/wordpress
pierluigi.paganini@securityaffairs.co