#RSAC

SESSION ID:SESSION ID: CCT-W04

Cybercrime and Attacks in the Dark Side of the Web

Dr. Marco Balduzzi*Senior Researcher at Trend Microhttp://www.madlab.it @embyte

*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini

#RSAC

A perfect platform for Cybercrime

#RSAC

Our Investigative System: DEMOtimestamp:[2015\-01\-01 TO 2015\-12\-31] AND title:marketplace

#RSAC

A Russian Marketplace

#RSAC

Data Exploration

Headless browser

HAR LogPage DOM

ScreenShot

Title

Text

Metadata

Raw HTML

Links

Email

BitcoinWallets

#RSAC

Data Analysis

Embedded links classification (WRS)• Surface Web links• Classification and

categorization

Page translation• Language detection• Non-English to English

Significant wordcloud• Semantic clustering• Custom algorithm

#RSAC

Results

#RSAC

Guns

#RSAC

Identities and Passports

#RSAC

Credit Cards

#RSAC

Accounts, e.g. Israeli Paypal

HacktivismCampaigns

#RSAC

Cashout services

#RSAC

Bulletproof Hosting Providers

#RSAC

Selling of WannaCry Ransomware

#RSAC

Impact on organizations

Dark Web traffic is difficult to be detected by traditional systems (IDS)

Resilient and stealth malware

Persistence and monitoring (APT)

#RSAC

Courtesy Ionut Ilascu, Softpedia

Bankers

#RSAC

Keylogger

#RSAC

TorrentLocker, i.e. variant of CryptoLocker

Payment page hosted in TOR◎wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019◎wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775

Cashout via BITCOINS

Ransomware

#RSAC

Organized Attacks

#RSAC

We simulated a cybercriminal

installation in the Dark Web

#RSAC

Honeypot

I. Black MarketII. Hosting ProviderIII. Underground ForumIV. Misconfigured Server

(FTP/SSH/IRC)

Technology

I. Wordpress + ShellsII. OsCommerceIII. Custom Web AppIV. Custom OS (Linux)

#RSAC

Registration-Only Forum

#RSAC

Exposes a Local File Inclusion

#RSAC

A 7-months experiment

Month 1: Different advertisement strategies to honeypot #1#

Daily

PO

ST R

eque

sts

Average of 1.4 malicious uploads per day

#RSAC

Attacks

Pre-installed web shells attracted the most of “visitors”

CMS #1-2 reached via Google Dorks (on Tor2Web), CMS #3 no because custom

CMS #2 reached via TOR’s search engine’s query “Index of /files/images/”(http://hss3uro2hsxfogfq.onion)

# Attacks

# Days with Attacks

#RSAC

Traditional Web Attacks

#RSAC

Password-protected Shells

#RSAC

Smart use of Obfuscation

Abuse of Tor’s Anonymity for Attacks

#RSAC

(Anonymized) Phishing Campaign

#RSAC

Rival Gangs

• Cyber-criminal gangs compromising opponents

• Self-promoting their “business”

#RSAC

(TOR Keys)

Used to compute the hidden service descriptorInstruction

Points

Public Key

Private Key

Instruction Points

Public Key

XYZ.onion

Signing

KeypairGeneration

#RSAC

HS’ Private Key theft

400+ attacks

MiTM, hijack and decryption

#RSAC

Dark Web as “corner case” of the Internet… NO!

Active & Dynamic Offerings in the Middle East

“Far-west looking” ecosystem with gangs attacking each other

Modern threats pose significant challenges for organizations

Lessons Learned

#RSAC

Improve on both endpoint and network security, e.g. X-Gen IDS

Understand the “Tor2Web effect” (makes the Dark Web not as dark as someone would think)

Protect your asset and do not assume TOR does it for you

Apply

#RSAC

Thank You!

Dr. Marco Balduzzi*Senior Researcher at Trend Microhttp://www.madlab.it @embyte

*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini