Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem
Dr. Marco Balduzzi @embyte
Sr. Researcher at Trend Micro
Forward-Looking Threat Research
A perfect platform for eCrime
Courtesy Ionut Ilascu, Softpedia
What do attackers do?
What do attackers do? After…
How to Study such Attacks? (In the Dark Web)
We simulate a cyber-criminal installation in Tor
Honeypot / Technology
I. Black market: OsCommerce
II. Hosting/service provider in Tor: WordPress + Shells
III. Underground forum: Custom
IV. Misconfigured server (FTP/SSH/IRC): Debian Linux
Honeypot #3
Registration-only forum
Exposes a Local File Inclusion (LFI) vulnerability
Role of Tor2web proxies
Data Collection and Advertisement
• 7-month experiment
• Month 1: different advertisement strategies for honeypot #1
• Month 2: advertised ALL honeypots using ALL strategies
• Months 3-7: restricted access by blocking incoming Tor2web traffic
Daily POST Requests
Attacks and Files Uploads
• Phase 2 onwards
• Average of 1.4 malicious uploads per day
[Canali et al. NDSS 2013]
Traditional Web Attacks
Password-protected Shells
Obfuscation
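The classification the talk reports (LFI probes, file uploads, password-protected shells, obfuscated payloads) and the month 3-7 policy of refusing Tor2web traffic can be expressed as a small triage script. The following is an added example, not code from the talk or the authors' honeypots; it assumes, as Tor2web proxies document, that forwarded requests carry an X-Tor2web header, and the sample requests are constructed, not experiment data.

```python
"""Triage of requests reaching a Tor hidden-service honeypot (added example)."""
import re

TOR2WEB_HEADER = "x-tor2web"  # assumed: Tor2web proxies add this header to relayed requests

# Traversal / inclusion patterns typical of LFI probing against a PHP application.
LFI_RE = re.compile(r"\.\./|%2e%2e%2f|/etc/passwd|php://filter|/proc/self/environ", re.I)
# Multipart upload of a file the web server would execute.
UPLOAD_RE = re.compile(rb'filename="[^"]*\.(php\d?|phtml|phar)"', re.I)
# Execution primitives a web shell hands attacker input to.
SHELL_RE = re.compile(rb"\b(eval|system|passthru|shell_exec|popen|assert)\s*\(", re.I)
# Shells that gate themselves behind a hashed password taken from the request.
PASSWORD_RE = re.compile(rb"(md5|sha1)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)", re.I)
# Common payload-hiding idioms.
OBFUSCATION_RE = re.compile(
    rb"(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(|\\x[0-9a-f]{2}", re.I)


def via_tor2web(headers):
    """True if the request was relayed by a Tor2web proxy rather than arriving over Tor."""
    return any(name.lower() == TOR2WEB_HEADER for name in headers)


def classify(req):
    """Return the set of tags describing what this request is trying to do."""
    tags = set()
    if via_tor2web(req["headers"]):
        tags.add("tor2web")
    if LFI_RE.search(req["path"]):
        tags.add("lfi")
    body = req["body"]
    if req["method"] == "POST" and UPLOAD_RE.search(body):
        tags.add("upload")
        if SHELL_RE.search(body):
            tags.add("webshell")
        if PASSWORD_RE.search(body):
            tags.add("password_protected")
        if OBFUSCATION_RE.search(body):
            tags.add("obfuscated")
    return tags


def should_block(req):
    """Months 3-7 policy: refuse anything that came through a Tor2web proxy."""
    return req["phase"] >= 3 and via_tor2web(req["headers"])


def daily_upload_average(reqs):
    """Malicious uploads per day over the requests the honeypot actually served."""
    served = [r for r in reqs if not should_block(r)]
    days = {r["day"] for r in served}
    uploads = sum(1 for r in served if "upload" in classify(r))
    return uploads / len(days) if days else 0.0


# Constructed sample traffic (not data from the experiment).
SAMPLE_REQUESTS = [
    {"day": "2016-03-01", "phase": 2, "method": "GET",
     "path": "/forum/index.php?page=../../../../etc/passwd", "headers": {}, "body": b""},
    {"day": "2016-03-01", "phase": 2, "method": "POST", "path": "/wp-admin/upload.php",
     "headers": {"X-Tor2web": "1"},
     "body": b'filename="c99.php"\r\n\r\n<?php if(md5($_POST["pass"])=="5f4dcc3b")'
             b' eval(base64_decode($_POST["c"])); ?>'},
    {"day": "2016-03-02", "phase": 2, "method": "POST", "path": "/wp-admin/upload.php",
     "headers": {}, "body": b'filename="s.php"\r\n\r\n<?php system($_GET["cmd"]); ?>'},
    {"day": "2016-03-03", "phase": 3, "method": "POST", "path": "/wp-admin/upload.php",
     "headers": {"X-Tor2web": "1"},
     "body": b'filename="x.phtml"\r\n\r\n<?php passthru($_REQUEST["c"]); ?>'},
    {"day": "2016-03-03", "phase": 3, "method": "GET",
     "path": "/forum/index.php?page=rules", "headers": {}, "body": b""},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        verdict = "BLOCKED" if should_block(r) else sorted(classify(r))
        print(r["day"], r["method"], r["path"], verdict)
    print("uploads/day:", round(daily_upload_average(SAMPLE_REQUESTS), 2))
```

The signatures are deliberately narrow: a real deployment would also hash uploaded bodies to de-duplicate shell families and keep the raw body for manual review, since obfuscated uploads routinely evade fixed patterns.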
Abuse of Tor Anonymity for Attacks
• Specifically targeting underground services in Tor like marketplaces, forums
• Our honeypot!
Case of Tor-centric defacement
• Cyber-criminal gangs compromising opponents
• Self-promoting their “business”
Tor’s private key theft
• Used to compute the hidden service descriptor
[Diagram: key pair generation yields a public key and a private key; the hidden service descriptor (introduction points + public key) is signed with the private key, and the public key determines the XYZ.onion address]
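Why the private key is worth stealing follows from how the address is derived. The following is an added example, not code from the talk or from Tor: it re-implements the v2 onion address scheme in use when the talk was given (base32 of the first 80 bits of SHA-1 over the DER-encoded PKCS#1 RSAPublicKey), so the name is bound to the key pair and whoever holds the private key can sign descriptors for that name. The sample modulus is a constructed placeholder, not a real RSA key; v3 addresses (ed25519, 56 characters) use a different derivation.

```python
"""v2 .onion address derivation from the hidden service's RSA public key (added example)."""
import base64
import hashlib


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER for a non-negative int; a leading 0x00 keeps the sign bit clear."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_public_key_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_address_v2(n, e):
    """v2 name: base32 of the first 10 bytes (80 bits) of SHA-1 over the DER public key."""
    digest = hashlib.sha1(rsa_public_key_der(n, e)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def impersonation_possible(stolen_n, stolen_e, target_address):
    """Descriptors for target_address verify only under the key pair that derives it,
    so a stolen private key is useful exactly when its public half maps to the name."""
    return onion_address_v2(stolen_n, stolen_e) == target_address


# Constructed placeholder modulus: an arbitrary 1024-bit odd number, NOT a real RSA key.
SAMPLE_N = int("c0ffee" * 42 + "f1", 16) | 1
SAMPLE_E = 65537

if __name__ == "__main__":
    addr = onion_address_v2(SAMPLE_N, SAMPLE_E)
    print("service address:", addr)
    print("same key pair can sign for it:", impersonation_possible(SAMPLE_N, SAMPLE_E, addr))
    print("unrelated key pair can sign for it:", impersonation_possible(SAMPLE_N + 2, SAMPLE_E, addr))
```

Because the name commits to the public key, an attacker cannot forge a descriptor for XYZ.onion from scratch; exfiltrating the service's private key file (the attempts counted on the next slide) is the direct route to hijacking the name.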
Tor’s private key theft
• Over 400 attempts
• MitM, hijacking, decryption
Discussion
• Tor2web proxies play an important role!
– They make the dark web less private than one would think
• Hidden services are as visible and exposed as surface-web services
– They receive attacks within days
Discussion
• The Dark Web is not a safe haven
– Attackers are actively conducting attacks against hidden services
– Both automated and manual
• Cyber-criminals are looking for services operated by opponent groups
– And deliberately attack them
• This work represents a first result in the direction of understanding the attack landscape in the Dark Web.
http://www.madlab.it/papers/sac17_darknets.pdf