Post on 21-Jan-2018

Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem

Dr. Marco Balduzzi @embyte

Sr. Researcher at Trend Micro

Forward-Looking Threat Research

A perfect platform for eCrime

Courtesy Ionut Ilascu, Softpedia

What do attackers do?

What do attackers do? After…

How to Study such Attacks? (In the Dark Web)

We simulate a cyber-criminal installation in Tor

Honeypot

I. Black market

II. Hosting/service provider in Tor

III. Underground forum

IV. Misconfigured server (FTP/SSH/IRC)

Technology

I. OsCommerce

II. WordPress + Shells

III. Custom

IV. Debian Linux

Honeypot #3

Registration Only Forum

Exposes a Local File Inclusion vuln

Role of Tor2web proxies

Data Collection and Advertisement

• 7 months experiment

• Month 1: Different advertisement strategies to honeypot #1

• Month 2: Advertised ALL honeypots using ALL strategies

• Month 3-7: Restricted access by blocking incoming Tor2web traffic

Daily POST Requests

Attacks and Files Uploads

• Phase 2 onwards

• Average of 1.4 malicious uploads per day

[Canali et al. NDSS 2013]

Traditional Web Attacks

Password-protected Shells

Obfuscation

Abuse of Tor Anonymity for Attacks

• Specifically targeting underground services in Tor like marketplaces, forums

• Our honeypot!

Case of Tor-centric defacement

• Cyber-criminal gangs compromising opponents

• Self-promoting their “business”

Tor’s private key theft

• Used to compute the hidden service descriptor

[Figure: hidden service descriptor diagram. Labels: Keypair Generation, Public Key, Private Key, Introduction Points, Signing, XYZ.onion]

Tor’s private key theft

• Over 400 attempts

• MiTM, hijack, decryption
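One way an operator could flag such key-theft attempts in a web server access log, as an added example that is not from the original slides. The log lines, `index.php` and the `page` parameter are constructed; `private_key` and `hs_ed25519_secret_key` are the key file names Tor writes into a HiddenServiceDir.

```python
import re
from urllib.parse import unquote

# Files in a HiddenServiceDir that hold the service's private key
# ("private_key" for v2 RSA services, "hs_ed25519_secret_key" for v3).
KEY_FILES = re.compile(r"[/\\=](private_key|hs_ed25519_secret_key)(?![\w.])")
TRAVERSAL = re.compile(r"\.\.[/\\]")
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def decode(target, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (double-encoding evasion)."""
    for _ in range(rounds):
        nxt = unquote(target)
        if nxt == target:
            break
        target = nxt
    return target

def classify(line):
    """Return None, or (severity, decoded target) for a suspicious request."""
    m = REQUEST.search(line)
    if not m:
        return None
    target = decode(m.group("target"))
    if KEY_FILES.search(target):
        return ("key-theft", target)      # request names the key file itself
    if TRAVERSAL.search(target):
        return ("traversal", target)      # generic file-inclusion probe
    return None

def scan(lines):
    """Return (line number, severity, decoded target) for every hit."""
    return [(i, *hit) for i, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample log. Hidden-service traffic reaches the web server from
# the local Tor daemon, so the client address is 127.0.0.1 on every line.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Jan/2017:10:00:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Jan/2017:10:00:07 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024',
    '127.0.0.1 - - [10/Jan/2017:10:00:09 +0000] "GET /index.php?page=..%2f..%2f..%2fvar%2flib%2ftor%2fhidden_service%2fprivate_key HTTP/1.1" 200 887',
    '127.0.0.1 - - [10/Jan/2017:10:00:12 +0000] "GET /index.php?page=%252e%252e%252fhs_ed25519_secret_key HTTP/1.1" 404 0',
    '127.0.0.1 - - [10/Jan/2017:10:00:15 +0000] "GET /forum/private_keyring.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for lineno, severity, target in scan(SAMPLE_LOG):
        print(f"line {lineno}: {severity}: {target}")
```

A `key-theft` hit answered with status 200 means the key file may have been read, in which case the onion address should be treated as compromised.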

Discussion

• Tor2web proxies play an important role!

– Make the dark web not as private as someone would think

• Hidden services are as visible and exposed as surface services

– Receive attacks within days

Discussion

• The Dark Web is not a safe haven

– Attackers are actively conducting attacks against hidden services

– Both automated and manual

• Cyber-criminals are looking for services operated by opponent groups

– Voluntarily attack them

• This work represents a first result in the direction of understanding the attack landscape in the Dark Web.

http://www.madlab.it/papers/sac17_darknets.pdf