This document discusses cybercrime and attacks on the dark web. It describes the dark web ecosystem including Tor, I2P, Freenet and custom DNS services. The dark web provides an anonymous platform for cybercrime like selling guns, identities, credit cards, and malware. The author describes experiments running a simulated cybercriminal operation on the dark web including black markets, hosting providers and forums. This exposed the site to manual and automated attacks. Lessons learned show the dark web is an active underground market with motivated attackers using modern threats, not just a corner case of the internet.

1. Cybercrime and Attacks in the
Dark Side of the Web
Dr. Marco Balduzzi*
Senior Researcher at Trend Micro
http://www.madlab.it @embyte
*With the cooperation of Mayra
Rosario and Vincenzo Ciancaglini

3. The Dark Ecosystem
Dark Nets
• TOR
• I2P
• Freenet
Custom DNS
• Namecoin
• Emercoin
Rogue TLDs
• Cesidian Root
• OpenNIC
• NewNations
• …

4. A perfect platform for Cybercrime

5. Our Investigative System: DEMO
timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace

6. Our Gateway to the Dark Internet
Privoxy +
TOR
anonymizer
Squid transparent proxy
Polipo +
TOR 64
instances
I2P Freenet Custom DNS resolver (DNSMASQ)
Namecoin
DNS
rogueTLD DNS
Cesidian
root
Opennic NameSpace …

7. Data Exploration
Headless
browser
HAR Log
Page
DOM
Screen
Shot
Title
Text
Metadata
Raw
HTML
Links
Email
Bitcoin
Wallets

8. Headless Browser
Scrapinghub's Splash
• QTWebkit browser, Dockerized, LUA scriptable
• Full HTTP traces
Crawler based on Python's Scrapy +
multiprocess + Splash access
• Headers rewrite
• Shared queue support
• Har log -> HTTP redirection chain
Extract links, emails, bitcoin wallets

9. Data Analysis
Embedded links
classification (WRS)
• Surface Web links
• Classification and
categorization
Page translation
•Language detection
•Non-English to English
Significant wordcloud
• Semantic clustering
• Custom algorithm

10. Significant Wordcloud
Page text
Tokenization
Filtering
Semantic
distance matrix
Hierarchical
clustering
Cluster label
and popularity
Word cloud
Scrap text from HTML, clean up, strip spaces, etc
Create list of (word, frequency) pairs
Keep only substantives
How “far” are words from one another?
Group similar words
Label clusters, sum frequencies
Draw using summed frequencies
lxml
NLTK.wordnet
Wordcloud
(pillow)

11. The Dark Portal

12. Examples

13. Guns

14. Identities and Passports

15. Credit Cards

16. Accounts, e.g. Israeli Paypal

17. Cashout services

18. Bulletproof Hosting Providers

19. Impact on organizations
Dark Web traffic is difficult to be detected by
traditional systems (IDS)
Resilient and stealth malware
Persistence and monitoring (APT)

20. TorrentLocker, i.e. variant of CryptoLocker
Payment page hosted in TOR
◎wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019
◎wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775
Cashout via BITCOINS
Ransomware

21. Keylogger

22. Organized Attacks

23. We simulated a
cybercriminal
installation in the
Dark Web

24. Honeypot
I. Black Market
II. Hosting Provider
III. Underground Forum
IV. Misconfigured Server
(FTP/SSH/IRC)
Technology
I. Wordpress + Shells
II. OsCommerce
III. Custom Web App
IV. Custom OS (Linux)

26. Registration-Only Forum

27. Exposes a Local File Inclusion

28. A 7-months experiment
Month 1: Different advertisement strategies to honeypot #1
#DailyPOSTRequests
Average of 1.4 malicious
uploads per day

29. Manual VS Automated Attacks
Pre-installed web shells attracted the most of “visitors”
CMS #1-2 reached via Google Dorks (on Tor2Web), CMS #3 no because custom
CMS #2 reached via TOR’s search engine’s query “Index of /files/images/”
(http://hss3uro2hsxfogfq.onion)
# Attacks
# Days with Attacks

30. Traditional Web Attacks

31. Password-protected Shells

32. Smart use of Obfuscation

33. Abuse of Tor for Anonymized Attacks

34. (Anonymized) Phishing Campaign

35. Rival Gangs
• Cyber-criminal gangs
compromising opponents
• Self-promoting their
“business”

36. (TOR Keys)
Used to compute the hidden service descriptor
Instruction
Points
Public
Key
Private Key
Instruction
Points
Public
Key
XYZ.onion
Signing
Keypair
Generation

37. HS’ Private Key theft
400+ attacks
MiTM, hijack and decryption

38. Dark Web as “corner case” of the Internet… NO!
Active and Dynamic Underground Market
Motivated and Knowledgeable Attackers
Manual and Targeted Attacks
Modern and Sophisticated Threats
Lessons Learned

39. Thank You!
Dr. Marco Balduzzi*
Senior Researcher at Trend Micro
http://www.madlab.it @embyte
*With the cooperation of Mayra
Rosario and Vincenzo Ciancaglini