#RSAC
SESSION ID: CCT-W04
Cybercrime and Attacks in the Dark Side of the Web
Dr. Marco Balduzzi*
Senior Researcher at Trend Micro
http://www.madlab.it
@embyte
*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini
A perfect platform for Cybercrime
Our Investigative System: DEMO
Query: timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace
A Russian Marketplace
Data Exploration
Headless browser, collecting per page:
• HAR log
• Page DOM
• Screenshot
• Title
• Text
• Metadata
• Raw HTML
• Links
• Bitcoin wallets
Data Analysis
Embedded links classification (WRS)
• Surface Web links
• Classification and categorization
Page translation
• Language detection
• Non-English to English
Significant word cloud
• Semantic clustering
• Custom algorithm
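The two data-analysis steps that can be shown in code are the classification of embedded links (hidden-service vs. surface-web targets) and the extraction of Bitcoin wallets from page text. The following is an added example, not code from the talk or from Trend Micro's system; it runs over a constructed HTML snippet (the onion hostnames reuse the ones shown later in the deck, the clearnet host is a placeholder) and validates wallet candidates with the Base58Check checksum so that typo'd or fabricated addresses do not pollute the index. The first address is the well-known Bitcoin genesis-block address; the second is the same string with its last character changed.

```python
"""Classify embedded links and extract checksum-valid Bitcoin wallets
from the raw HTML of a crawled page (added example, stdlib only)."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample page (not a real crawl): two onion links, one
# surface-web link, one relative link, one valid and one corrupted address.
SAMPLE_HTML = """
<html><body>
<a href="http://wzaxcyqroduouk5n.onion/axdf84v.php">pay here</a>
<a href="http://hss3uro2hsxfogfq.onion/?q=marketplace">search</a>
<a href="https://www.example.com/escrow">escrow (clearnet)</a>
<a href="/local/page.html">relative</a>
Send BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
Backup wallet: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb
</body></html>
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.IGNORECASE)
# Legacy P2PKH/P2SH addresses: version char 1 or 3, then Base58 alphabet.
BTC_RE = re.compile(r'\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b')
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def classify_links(html):
    """Split href targets into .onion links, surface-web links and
    relative links (the page's own link-classification step)."""
    out = {"onion": [], "surface": [], "relative": []}
    for href in HREF_RE.findall(html):
        host = urlparse(href).hostname
        if host is None:
            out["relative"].append(href)
        elif host.endswith(".onion"):
            out["onion"].append(href)
        else:
            out["surface"].append(href)
    return out


def b58decode(s):
    """Decode Base58 to bytes; each leading '1' encodes one zero byte."""
    n = 0
    for ch in s:
        n = n * 58 + B58.index(ch)          # ValueError on a bad character
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def is_valid_btc_address(addr):
    """Base58Check: last 4 bytes must equal the first 4 bytes of
    SHA256(SHA256(version || hash160)) over the 21-byte payload."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


def extract_wallets(text):
    """Return only the candidate addresses whose checksum verifies."""
    return [a for a in BTC_RE.findall(text) if is_valid_btc_address(a)]


if __name__ == "__main__":
    print(classify_links(SAMPLE_HTML))
    print(extract_wallets(SAMPLE_HTML))
```

The checksum step matters for the wallet graph: a regex alone accepts any 26-35 character Base58-looking token, and a single wrong character (as in the second sample address) is exactly what a scraped, OCR'd or deliberately mangled page produces.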
Results
Guns
Identities and Passports
Credit Cards
Accounts, e.g. Israeli Paypal
Hacktivism Campaigns
Cashout services
Bulletproof Hosting Providers
Selling of WannaCry Ransomware
Impact on organizations
Dark Web traffic is hard for traditional detection systems (e.g. IDS) to spot
Resilient and stealthy malware
Persistence and monitoring (APT)
Courtesy Ionut Ilascu, Softpedia
Bankers
Keylogger
TorrentLocker, i.e. a variant of CryptoLocker
Payment page hosted on Tor:
◎ wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019
◎ wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775
Cashout via Bitcoin
Ransomware
Organized Attacks
We simulated a cybercriminal installation in the Dark Web
Honeypot
I. Black Market
II. Hosting Provider
III. Underground Forum
IV. Misconfigured Server (FTP/SSH/IRC)
Technology
I. Wordpress + Shells
II. OsCommerce
III. Custom Web App
IV. Custom OS (Linux)
Registration-Only Forum
Exposes a Local File Inclusion
A 7-month experiment
Month 1: different advertisement strategies for honeypot #1
[Chart: daily POST requests over the experiment]
Average of 1.4 malicious uploads per day
Attacks
Pre-installed web shells attracted most of the “visitors”
CMS #1 and #2 were reached via Google dorks (through Tor2Web); CMS #3 was not, because it is custom
CMS #2 was reached via the Tor search engine query “Index of /files/images/” (http://hss3uro2hsxfogfq.onion)
[Chart: # Attacks vs. # Days with Attacks]
Traditional Web Attacks
Password-protected Shells
Smart use of Obfuscation
Abuse of Tor’s Anonymity for Attacks
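The attack classes the honeypots recorded above (traversal/LFI probes against the forum, uploads and use of PHP shells, and dork-style requests for open directory listings such as “Index of /files/images/”) can be triaged from ordinary web-server access logs. The following is an added example, not tooling from the talk: it parses a handful of constructed Apache combined-format lines (placeholder client addresses, invented paths) and tags each request with the pattern it matches, URL-decoding the path first so that `%2e%2e%2f` does not slip past the traversal rule. The shell filename list is an illustrative assumption, not a list from the deck.

```python
"""Tag LFI/traversal probes, PHP-wrapper abuse, hits on web shells and
directory-listing (dork) requests in access logs (added example)."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format lines; client IPs are placeholders.
SAMPLE_LOG = r'''
10.0.0.1 - - [03/Mar/2017:10:12:01 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.2 - - [03/Mar/2017:10:12:07 +0000] "GET /files/images/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.3 - - [03/Mar/2017:10:13:44 +0000] "POST /wp-content/uploads/c99.php HTTP/1.1" 200 310 "-" "curl/7.52"
10.0.0.4 - - [03/Mar/2017:10:14:02 +0000] "GET /index.php?page=php://filter/convert.base64-encode/resource=config HTTP/1.1" 200 900 "-" "python-requests/2.13"
10.0.0.5 - - [03/Mar/2017:10:15:30 +0000] "GET /catalog/product_info.php?products_id=3 HTTP/1.1" 200 7800 "-" "Mozilla/5.0"
10.0.0.6 - - [03/Mar/2017:10:16:11 +0000] "POST /forum/upload.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
'''.strip().splitlines()

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Hypothetical shell filenames used for the POST rule (assumption).
SHELL_RE = re.compile(r"/(c99|r57|wso|shell|cmd)[^/]*\.php$")
WRAPPER_RE = re.compile(r"(?i)(php|data|expect|zip|phar)://")

# Each rule: (label, predicate over (method, decoded path)).
RULES = [
    ("lfi_traversal", lambda m, p: "../" in p or "..\\" in p),
    ("lfi_wrapper",   lambda m, p: WRAPPER_RE.search(p) is not None),
    ("shell_post",    lambda m, p: m == "POST"
                                    and SHELL_RE.search(p.split("?")[0]) is not None),
    ("dork_index",    lambda m, p: p.split("?")[0].endswith("/")
                                    and "/files/images" in p),
]


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = unquote(rec["path"])  # decode %2e%2e%2f etc. before matching
    return rec


def classify(line):
    """Labels of every rule the request matches (empty list if benign)."""
    rec = parse_line(line)
    if rec is None:
        return []
    return [label for label, pred in RULES if pred(rec["method"], rec["path"])]


def scan(lines):
    """Return (list of (client_ip, labels) for flagged lines, Counter per label)."""
    findings, counts = [], Counter()
    for line in lines:
        labels = classify(line)
        if labels:
            findings.append((parse_line(line)["ip"], labels))
            counts.update(labels)
    return findings, counts


if __name__ == "__main__":
    for ip, labels in scan(SAMPLE_LOG)[0]:
        print(ip, labels)
```

The last sample line, a plain POST to an upload endpoint, is deliberately not flagged: without inspecting the uploaded body (or the files that appear on disk afterwards, as the honeypot's "malicious uploads per day" metric did) a log-only rule cannot tell a shell upload from a legitimate one.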
(Anonymized) Phishing Campaign
Rival Gangs
• Cyber-criminal gangs compromising opponents
• Self-promoting their “business”
Tor Keys
[Figure: hidden service keypair generation. The public key, published together with the introduction points, is used to compute the hidden service descriptor and the XYZ.onion address; the private key is used for signing.]
HS Private Key Theft
400+ attacks
MiTM, hijacking and decryption
Lessons Learned
Dark Web as a “corner case” of the Internet… NO!
Active and dynamic offerings in the Middle East
“Far-West-looking” ecosystem with gangs attacking each other
Modern threats pose significant challenges for organizations
Apply
Improve both endpoint and network security, e.g. X-Gen IDS
Understand the “Tor2Web effect” (it makes the Dark Web less dark than one might think)
Protect your assets and do not assume Tor does it for you
Thank You!