Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017
1 like496 views
The document discusses the intricacies of cybercrime occurring within dark web ecosystems, specifically utilizing platforms like Tor and I2P for illegal activities. It outlines various tools and methods used by cybercriminals, including ransomware, identity theft, and affected organizations, alongside a detailed exploration of dark web traffic and its detection challenges. The research also includes insights from a simulated cybercrime operation conducted over seven months, analyzing attack strategies and the resilience of malware in these environments.
![Our Investigative System: DEMO
timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace](https://image.slidesharecdn.com/7ge92jmjszqvg9ir5x0a-signature-3f919b293039f69dbe1f313fc87d05a63a603193a986cfd6252895e9bd1c77fc-poli-171117093538/85/Marco-Balduzzi-Cyber-crime-and-attacks-in-the-dark-side-of-the-web-Codemotion-Milan-2017-5-320.jpg)
Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017
- 1. Cybercrime and Attacks in the Dark Side of the Web Dr. Marco Balduzzi* Senior Researcher at Trend Micro http://www.madlab.it @embyte *With the cooperation of Mayra Rosario and Vincenzo Ciancaglini
- 3. The Dark Ecosystem Dark Nets • TOR • I2P • Freenet Custom DNS • Namecoin • Emercoin Rogue TLDs • Cesidian Root • OpenNIC • NewNations • …
- 4. A perfect platform for Cybercrime
- 5. Our Investigative System: DEMO timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace
- 6. Our Gateway to the Dark Internet Privoxy + TOR anonymizer Squid transparent proxy Polipo + TOR 64 instances I2P Freenet Custom DNS resolver (DNSMASQ) Namecoin DNS rogueTLD DNS Cesidian root Opennic NameSpace …
- 8. Headless Browser Scrapinghub's Splash • QTWebkit browser, Dockerized, LUA scriptable • Full HTTP traces Crawler based on Python's Scrapy + multiprocess + Splash access • Headers rewrite • Shared queue support • Har log -> HTTP redirection chain Extract links, emails, bitcoin wallets
- 9. Data Analysis Embedded links classification (WRS) • Surface Web links • Classification and categorization Page translation •Language detection •Non-English to English Significant wordcloud • Semantic clustering • Custom algorithm
- 10. Significant Wordcloud Page text Tokenization Filtering Semantic distance matrix Hierarchical clustering Cluster label and popularity Word cloud Scrap text from HTML, clean up, strip spaces, etc Create list of (word, frequency) pairs Keep only substantives How “far” are words from one another? Group similar words Label clusters, sum frequencies Draw using summed frequencies lxml NLTK.wordnet Wordcloud (pillow)
- 11. The Dark Portal
- 12. Examples
- 13. Guns
- 15. Credit Cards
- 16. Accounts, e.g. Israeli Paypal
- 17. Cashout services
- 19. Impact on organizations Dark Web traffic is difficult to be detected by traditional systems (IDS) Resilient and stealth malware Persistence and monitoring (APT)
- 20. TorrentLocker, i.e. variant of CryptoLocker Payment page hosted in TOR ◎wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019 ◎wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775 Cashout via BITCOINS Ransomware
- 21. Keylogger
- 23. We simulated a cybercriminal installation in the Dark Web
- 24. Honeypot I. Black Market II. Hosting Provider III. Underground Forum IV. Misconfigured Server (FTP/SSH/IRC) Technology I. Wordpress + Shells II. OsCommerce III. Custom Web App IV. Custom OS (Linux)
- 27. Exposes a Local File Inclusion
- 28. A 7-months experiment Month 1: Different advertisement strategies to honeypot #1 #DailyPOSTRequests Average of 1.4 malicious uploads per day
- 29. Manual VS Automated Attacks Pre-installed web shells attracted the most of “visitors” CMS #1-2 reached via Google Dorks (on Tor2Web), CMS #3 no because custom CMS #2 reached via TOR’s search engine’s query “Index of /files/images/” (http://hss3uro2hsxfogfq.onion) # Attacks # Days with Attacks
- 32. Smart use of Obfuscation
- 33. Abuse of Tor for Anonymized Attacks
- 35. Rival Gangs • Cyber-criminal gangs compromising opponents • Self-promoting their “business”
- 36. (TOR Keys) Used to compute the hidden service descriptor Instruction Points Public Key Private Key Instruction Points Public Key XYZ.onion Signing Keypair Generation
- 37. HS’ Private Key theft 400+ attacks MiTM, hijack and decryption
- 38. Dark Web as “corner case” of the Internet… NO! Active and Dynamic Underground Market Motivated and Knowledgeable Attackers Manual and Targeted Attacks Modern and Sophisticated Threats Lessons Learned
- 39. Thank You! Dr. Marco Balduzzi* Senior Researcher at Trend Micro http://www.madlab.it @embyte *With the cooperation of Mayra Rosario and Vincenzo Ciancaglini