Cybercrime and Attacks in the Dark Side of the Web, Dr. Marco Balduzzi (PowerPoint PPT Presentation)




Slide 1

Cybercrime and Attacks in the Dark Side of the Web

  • Dr. Marco Balduzzi*

Senior Researcher at Trend Micro http://www.madlab.it @embyte

*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini

Slide 2

Slide 3

The Dark Ecosystem

Dark Nets

  • TOR
  • I2P
  • Freenet

Custom DNS

  • Namecoin
  • Emercoin

Rogue TLDs

  • Cesidian Root
  • OpenNIC
  • NewNations
Slide 4

A perfect platform for Cybercrime

Slide 5

Our Investigative System: DEMO

timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace

Slide 6

Our Gateway to the Dark Internet

  • Privoxy + TOR anonymizer
  • Squid transparent proxy
  • Polipo + TOR (64 instances)
  • I2P
  • Freenet
  • Custom DNS resolver (DNSMASQ): Namecoin
  • Rogue TLD DNS: Cesidian Root, OpenNIC, NameSpace …

Slide 7

Data Exploration

Headless browser

  • HAR log
  • Page DOM
  • Screenshot
  • Title
  • Text

Metadata

  • Raw HTML
  • Links
  • Email
  • Bitcoin wallets

Slide 8

Headless Browser

Scrapinghub's Splash

  • QtWebKit browser, Dockerized, Lua scriptable
  • Full HTTP traces

Crawler based on Python's Scrapy + multiprocess + Splash access

  • Headers rewrite
  • Shared queue support
  • HAR log -> HTTP redirection chain

Extract links, emails, bitcoin wallets
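As an added illustration of this extraction step (not code from the talk's crawler): a stdlib-only Python extractor that pulls links and e-mail addresses from raw HTML and keeps only Bitcoin addresses whose Base58Check checksum verifies, so look-alike strings that a bare regex would accept are dropped. The HTML sample, the `.onion` hostname and the mistyped address are constructed; the valid address is the well-known Bitcoin genesis-block address.

```python
import hashlib
import re
from html.parser import HTMLParser

# Constructed sample page (hostname and content are made up for the demo).
SAMPLE_HTML = """<html><body>
<a href="http://example.onion/shop">Shop</a> <a href="/contact">Contact</a>
Contact: vendor@example.onion Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
or 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb (constructed typo, bad checksum).
</body></html>"""

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_ADDR_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # P2PKH/P2SH shape
_EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

class _LinkParser(HTMLParser):
    """Collects href values and visible text from the raw HTML."""
    def __init__(self):
        super().__init__()
        self.links, self._chunks = [], []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)
    def handle_data(self, data):
        self._chunks.append(data)
    @property
    def text(self):
        return " ".join(self._chunks)

def is_valid_base58check(addr: str) -> bool:
    """Decode Base58; payload = version(1) + hash160(20) + checksum(4) = 25 bytes."""
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            return False
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    zeros = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    payload = b"\x00" * zeros + body
    if len(payload) != 25:
        return False
    digest = hashlib.sha256(hashlib.sha256(payload[:21]).digest()).digest()
    return digest[:4] == payload[21:]

def extract_metadata(html: str) -> dict:
    """Links, e-mails and checksum-valid Bitcoin wallets found in one page."""
    p = _LinkParser()
    p.feed(html)
    wallets = [a for a in _ADDR_RE.findall(p.text) if is_valid_base58check(a)]
    return {"links": p.links, "emails": _EMAIL_RE.findall(p.text), "wallets": wallets}
```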

Slide 9

Data Analysis

Embedded links classification (WRS)

  • Surface Web links
  • Classification and categorization

Page translation

  • Language detection
  • Non-English to English

Significant wordcloud

  • Semantic clustering
  • Custom algorithm
Slide 10

Significant Wordcloud

  • Page text: scrape text from HTML, clean up, strip spaces, etc.
  • Tokenization: create list of (word, frequency) pairs
  • Filtering: keep only substantives
  • Semantic distance matrix: how “far” are words from one another?
  • Hierarchical clustering: group similar words
  • Cluster label and popularity: label clusters, sum frequencies
  • Word cloud: draw using summed frequencies

Tools: lxml, NLTK.wordnet, Wordcloud (pillow)
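Added example, not the authors' implementation: the tokenization, clustering and labelling stages of the pipeline above in plain Python. The sample text, the stop list standing in for the substantive filter, and the lookup table standing in for the WordNet semantic distance are all constructed; the clustering is single-linkage agglomerative with a distance threshold, which is one common form of hierarchical clustering and an assumption here.

```python
import re
from collections import Counter

# Constructed sample of scraped page text (not data from the talk).
SAMPLE_TEXT = ("Buy a cloned card or a dumped card. Passport and ID scans. "
               "Weapon, gun and rifle listings. Credit card dumps, gun parts.")

# Constructed stand-in for the "keep only substantives" filter (no POS tagging here).
STOPWORDS = {"a", "an", "and", "or", "the", "buy", "of", "to"}

# Constructed stand-in for the WordNet semantic distance matrix:
# 0.0 = same word, 0.2 = related, 1.0 = unrelated.
RELATED = {frozenset(p) for p in [("card", "dumps"), ("gun", "weapon"),
                                   ("gun", "rifle"), ("passport", "id")]}

def semantic_distance(a: str, b: str) -> float:
    if a == b:
        return 0.0
    return 0.2 if frozenset((a, b)) in RELATED else 1.0

def tokenize(text: str) -> Counter:
    """Tokenization + filtering: (word, frequency) pairs without stopwords."""
    words = re.findall(r"[a-z]+", text.lower())
    return Counter(w for w in words if w not in STOPWORDS)

def cluster_words(words, distance, threshold=0.5):
    """Single-linkage agglomerative clustering; merge the closest pair until none is under threshold."""
    clusters = [[w] for w in words]
    while True:
        best = None
        for i in range(len(clusters)):
            for j in range(i + 1, len(clusters)):
                d = min(distance(a, b) for a in clusters[i] for b in clusters[j])
                if d <= threshold and (best is None or d < best[0]):
                    best = (d, i, j)
        if best is None:
            return clusters
        _, i, j = best
        clusters[i].extend(clusters[j])
        del clusters[j]

def significant_wordcloud(text: str) -> dict:
    """Cluster label = most frequent member; popularity = summed member frequencies."""
    freqs = tokenize(text)
    result = {}
    for cluster in cluster_words(list(freqs), semantic_distance):
        label = max(cluster, key=lambda w: freqs[w])
        result[label] = sum(freqs[w] for w in cluster)
    return result
```

The returned dict is the (label, summed frequency) input the word-cloud drawing step consumes.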

Slide 11

The Dark Portal

Slide 12

Examples

Slide 13

Guns

Slide 14

Identities and Passports

Slide 15

Credit Cards

Slide 16

Accounts, e.g. Israeli Paypal

Slide 17

Cashout services

Slide 18

Bulletproof Hosting Providers

Slide 19

Impact on organizations

  • Dark Web traffic is difficult to detect with traditional systems (IDS)
  • Resilient and stealthy malware
  • Persistence and monitoring (APT)

Slide 20

Ransomware

TorrentLocker, i.e. a variant of CryptoLocker

Payment page hosted in TOR:

  • wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019
  • wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775

Cashout via Bitcoins

Slide 21

Keylogger

Slide 22

Organized Attacks

Slide 23

We simulated a cybercriminal installation in the Dark Web

Slide 24

Honeypot

  • I. Black Market
  • II. Hosting Provider
  • III. Underground Forum
  • IV. Misconfigured Server (FTP/SSH/IRC)

Technology

  • I. Wordpress + Shells
  • II. OsCommerce
  • III. Custom Web App
  • IV. Custom OS (Linux)
Slide 25

Slide 26

Registration-Only Forum

Slide 27

Exposes a Local File Inclusion

Slide 28

A 7-month experiment

Month 1: different advertisement strategies for honeypot #1

(Chart: daily POST requests)

Average of 1.4 malicious uploads per day

Slide 29

Manual VS Automated Attacks

  • Pre-installed web shells attracted the most “visitors”
  • CMS #1-2 were reached via Google Dorks (on Tor2Web); CMS #3 was not, because it is custom
  • CMS #2 was also reached via TOR’s search engine query “Index of /files/images/” (http://hss3uro2hsxfogfq.onion)

(Chart: # attacks, # days with attacks)

Slide 30

Traditional Web Attacks

Slide 31

Password-protected Shells

Slide 32

Smart use of Obfuscation

Slide 33

Abuse of Tor for Anonymized Attacks

Slide 34

(Anonymized) Phishing Campaign

Slide 35

Rival Gangs

  • Cyber-criminal gangs compromising opponents
  • Self-promoting their “business”

Slide 36

TOR Keys

Used to compute the hidden service descriptor

(Diagram: signing keypair generation → private key and public key; public key + introduction points → hidden service descriptor → XYZ.onion)

Slide 37

HS private key theft

400+ attacks: MitM, hijack and decryption

Slide 38

Lessons Learned

Dark Web as a “corner case” of the Internet… NO!

  • Active and dynamic underground market
  • Motivated and knowledgeable attackers
  • Manual and targeted attacks
  • Modern and sophisticated threats

Slide 39

Thank You!

  • Dr. Marco Balduzzi*

Senior Researcher at Trend Micro http://www.madlab.it @embyte

*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini