
Cybercrime and Attacks in the Dark Side of the Web Dr. Marco - PowerPoint PPT Presentation



  1. Cybercrime and Attacks in the Dark Side of the Web. Dr. Marco Balduzzi * Senior Researcher at Trend Micro http://www.madlab.it @embyte * With the cooperation of Mayra Rosario and Vincenzo Ciancaglini

  2. The Dark Ecosystem. Dark Nets: • TOR • I2P • Freenet. Rogue TLDs / Custom DNS: • Cesidian Root • Namecoin • OpenNIC • NewNations • Emercoin • …

  3. A perfect platform for Cybercrime

  4. Our Investigative System: DEMO. timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace

  5. Our Gateway to the Dark Internet: Privoxy + Squid transparent proxy; TOR anonymizer; Polipo + TOR; 64; I2P; Freenet; custom DNS resolver (DNSMASQ) instances; Namecoin rogue-TLD DNS; Cesidian root; OpenNIC; NameSpace; …

  6. Data Exploration. Headless browser output per page: HAR log, page DOM, screenshot, raw text, HTML metadata, title, links, emails, bitcoin wallets

  7. Headless Browser: Scrapinghub's Splash • QTWebkit browser, Dockerized, Lua scriptable • Full HTTP traces. Crawler based on Python's Scrapy + multiprocess + Splash access • Headers rewrite • Shared queue support • HAR log -> HTTP redirection chain • Extract links, emails, bitcoin wallets

  8. Data Analysis Embedded links Page translation Significant wordcloud classification (WRS) • Semantic clustering • Language detection • Custom algorithm • Surface Web links • Non-English to English • Classification and categorization

  9. Significant Wordcloud pipeline. Page text: lxml scrapes the text from the HTML, cleans it up, strips spaces, etc. Tokenization: create a list of (word, frequency) pairs. Filtering: keep only substantives (NLTK.wordnet). Semantic distance matrix: how "far" are words from one another? Hierarchical clustering: group similar words. Cluster label: label the clusters, sum frequencies and popularity. Word cloud: draw using the summed frequencies (pillow)
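As an added example (not code from the deck or from the Trend Micro system), here is a minimal Python version of the slide's pipeline with assumed stand-ins: a hand-written noun list replaces the NLTK.wordnet filter, a character-bigram Jaccard distance replaces the semantic distance matrix, and the final pillow drawing step is omitted; the sample page text is constructed.

```python
import re
from collections import Counter
from itertools import combinations

# Constructed sample page text (not taken from the deck's crawl).
PAGE_TEXT = """Buy passports and passport scans. Fresh credit cards, cards dumps and
card fullz. Guns, gun parts and ammo shipped worldwide. Passports verified."""
# Assumed noun list standing in for the deck's NLTK.wordnet substantive filter.
NOUNS = {"passport", "passports", "scans", "credit", "cards", "card", "dumps",
         "fullz", "guns", "gun", "parts", "ammo"}

def tokenize(text):
    """Tokenization: lower-cased words mapped to their frequency."""
    return Counter(re.findall(r"[a-z]+", text.lower()))

def keep_substantives(freqs):
    """Filtering: keep only substantives (words in the assumed noun list)."""
    return {w: c for w, c in freqs.items() if w in NOUNS}

def distance(a, b):
    """Assumed stand-in for a WordNet distance: Jaccard distance on character bigrams."""
    ba = {a[i:i + 2] for i in range(len(a) - 1)}
    bb = {b[i:i + 2] for i in range(len(b) - 1)}
    return 1.0 - len(ba & bb) / len(ba | bb) if ba | bb else 1.0

def cluster(words, threshold=0.6):
    """Hierarchical clustering: single-linkage agglomerative merging up to threshold."""
    groups = [{w} for w in words]
    while True:
        best = None
        for g1, g2 in combinations(groups, 2):
            d = min(distance(a, b) for a in g1 for b in g2)  # single linkage
            if d <= threshold and (best is None or d < best[0]):
                best = (d, g1, g2)
        if best is None:
            return groups
        _, g1, g2 = best
        groups.remove(g1)
        groups.remove(g2)
        groups.append(g1 | g2)

def significant_wordcloud(text):
    """Cluster label: most frequent (then shortest) member names the cluster; summed frequency is the weight."""
    freqs = keep_substantives(tokenize(text))
    labelled = {}
    for g in cluster(sorted(freqs)):
        label = max(g, key=lambda w: (freqs[w], -len(w)))
        labelled[label] = sum(freqs[w] for w in g)
    return dict(sorted(labelled.items(), key=lambda kv: -kv[1]))
```

On the constructed text, "passport"/"passports" and "card"/"cards" collapse into single labelled clusters whose summed weights would drive the word sizes in the drawing step.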

  10. The Dark Portal

  11. Examples

  12. Guns

  13. Identities and Passports

  14. Credit Cards

  15. Accounts, e.g. Israeli Paypal

  16. Cashout services

  17. Bulletproof Hosting Providers

  18. Impact on organizations. Dark Web traffic is difficult to detect with traditional systems (IDS). Resilient and stealthy malware. Persistence and monitoring (APT)

  19. Ransomware TorrentLocker, i.e. variant of CryptoLocker Payment page hosted in TOR ◎ wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019 ◎ wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775 Cashout via BITCOINS

  20. Keylogger

  21. Organized Attacks

  22. We simulated a cybercriminal installation in the Dark Web

  23. Honeypot Technology. I. Black Market: Wordpress + Shells. II. Hosting Provider: OsCommerce. III. Underground Forum: Custom Web App. IV. Misconfigured Server: Custom OS (Linux) (FTP/SSH/IRC)

  24. Registration-Only Forum

  25. Exposes a Local File Inclusion

  26. A 7-month experiment. Month 1: different advertisement strategies to honeypot #1. Average of 1.4 malicious uploads per day. (Chart: # daily POST requests)

  27. Manual vs Automated Attacks. Pre-installed web shells attracted the most "visitors". CMS #1-2 were reached via Google Dorks (on Tor2Web); CMS #3 was not, because it is custom. CMS #2 was reached via the TOR search engine's query "Index of /files/images/" (http://hss3uro2hsxfogfq.onion). (Chart: # attacks, # days with attacks)

  28. Traditional Web Attacks

  29. Password-protected Shells

  30. Smart use of Obfuscation

  31. Abuse of Tor for Anonymized Attacks

  32. (Anonymized) Phishing Campaign

  33. Rival Gangs • Cyber-criminal gangs compromising opponents • Self-promoting their “business”

  34. TOR Keys. Keypair generation produces a private key (signing) and a public key; the public key is used to compute the hidden service descriptor (XYZ.onion), which also carries the Introduction Points

  35. HS' Private Key theft: 400+ attacks (MiTM, hijack and decryption)

  36. Lessons Learned. Dark Web as "corner case" of the Internet… NO! Active and dynamic underground market; motivated and knowledgeable attackers; manual and targeted attacks; modern and sophisticated threats

  37. * With the cooperation of Mayra Rosario and Vincenzo Ciancaglini Thank You! Dr. Marco Balduzzi * Senior Researcher at Trend Micro http://www.madlab.it @embyte
