HOW TO ADDRESS THE DARK WEB THREATS

Dark Web Threats with Chuck Easttom www.ChuckEasttom.com

About the Speaker

• 23 books (2 more in progress)

• Over 40 industry certifications

• 2 Master's degrees

• D.Sc. in Cybersecurity in progress

• 13 computer science related patents

• Over 25 years experience, over 15 years teaching/training

• Helped create CompTIA Security+, Linux+, Server+. Helped revise CEH v8

• Created ECES, created OSFCE

• Frequent consultant/expert witness

• Frequent speaker/presenter including: Defcon, Hakon India, Hakon Africa, SecureWorld, ISC2 Security Congress, AAFS, IAFSL, etc.

• Conducts security related training internationally www.chuckeasttom.com

Networks

TOR, https://www.torproject.org/, is an network of proxy servers. One can use the TOR network to send any sort of network traffic, including . This makes tracing the traffic back to its source extremely difficult.

Accessing a VIA TOR

[Diagram: User's Machine -> Proxy #1 -> Proxy #2 -> Proxy #3 -> Proxy #4 -> Target Server (Onion site)]

• Each proxy just sends the packet on and only knows the last and next hop.

• The path can change each route.

• The target server only knows the last hop the packet came from.

• The user only knows the first proxy in the chain.

IP address ???

What does this mean

• Searching from my home in Texas, it appears I am in Romania

How they work

Search the dark web

• https://hss3uro2hsxfogfq.onion.to/ is a good general dark web

Torch http://xmh57jrzrnw6insl.onion/

What’s for sale?

• U.S. Bank Account Information Sold on Dark Web Market Place https://verafin.com/2016/08/u-s-bank-account-information-sold-dark-web-marketplace/

• April 6, 2017 Tax information for sale on the Dark Web https://www.bloomberg.com/news/articles/2017-04-06/your-tax-refund-is-selling-cheap-on-the-dark-web

• April 24, 2017 Health Care Records for sale on the Dark Web http://www.csoonline.com/article/3189869/data-breach/healthcare-records-for-sale-on-dark-web.html

Search the dark web

• http://msydqstlz2kzerdg.onion/ is a good general dark web search engine

• Search for Chase Bank

Accounts for sale 9/18/2017

Tor Site #3

Tor Site #3 – some products as of 10 Feb 2017

Traderroute (9/17/2017)

WallStreet (9/18/2017)

EuroGuns (9/18/2017)

Valhalla (Finnish) (9/12/2017)

The Blue Moon Group

Some sites have been removed

Dark Web Realities

• February 7, 2017, the Derry Journal reports 6 people hospitalized in the last 10 days from drugs purchased on the dark web.

• February 3, 2017, a man in Seattle admits to selling heroin over the dark web.

• February 4, 2017, reports emerge that some dark web markets are paying bug bounties.

• January 31, 2017, reports emerge of dark web markets paying employees for insider information on their organizations.

• February 7, 2017, ISIS is recruiting via the dark web.

• February 8, 2017, Boko Haram is fundraising via the dark web.

Law Enforcement Techniques

Watering Holes

Deanonymizing

Fake Reviews

Monitoring

Watering Holes

• Basically a site to attract the targets of choice. Watering Holes were used in the case. The FBI agents monitored a bulletin board hidden service launched in August 2014, named Playpen. Playpen was a hidden service used in the dark web for “the advertisement and distribution of ,” and in just one year it reached over 200,000 users, with over 117,000 total posts mainly containing child pornography content. The FBI agents were able to discover nearly 1300 IP addresses belonging to the visitors.

• Servers with contraband images were used to spread a tool for deanonymizing Tor users.

NIT

• Network Investigative Technique used to deanonymize suspects using TOR.

• “The NIT was a Flash based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings.” NIT was used in the Playpen case.

• IP address through the TCP connection, operating system, CPU architecture and session identification. The researchers were able to determine that if a TOR browser accessing the FBI-controlled website had proper, up-to-date controls configured, the NIT would not be able to reveal the true IP address of the users.

Fake Reviews

• Panos Markopoulos and Dimitrios Xefteris from the University of Cyprus and Chrysanthos Dellarocas of Boston University wrote a paper advocating law enforcement using fake reviews of Dark Web drug markets to lower traffic. http://www.fox.temple.edu/conferences/cist/papers/Sesson%201A/CIST_2015_1A_2.pdf

Monitoring

Jason Koebler of Motherboard recommended Law Enforcement and Intel consider the following:

• Mapping the hidden services directory

• Looking at web connections to non standard domains.

monitoring

• Snapshot hidden services

• Marketplace profiling

http://motherboard.vice.com/read/six-ways-law-enforcement-monitors-the-dark-web

Scanning Dark Web Sites

http://ichidanv34wrx7m7.onion/search?query=SSH

Other Tor Link Lists

• linkzbg4nwodgic.onion just basic link lists

• jdpskjmg5kk4urv.onion Dark Web Links

• Note: some of these reference each other.

• The following are search engines for the Dark Web

• anon4jmy3fozlv6.onion

• xmh57jzmw6insl.onion The Torch Search Engine

OnionDir

OnionDir - http://dirnxxdraygbifgc.onion

Other Tor Link Lists

- http://thehub7dnl5nmcz5.onion

• Bugged Planet - http://6sgjmi53igmg7fm7.onion

- http://npieqpvpjhrmdchg.onion

• Torchan - http://zw3crggtadila2sg.onion

- http://grams7enufi7jmdl.onion

• Tor Search - http://kbhpodhnfxl3clb4.onion

• Tor Find - http://ndj6p3asftxboa7j.onion

Setup a TOR identity

• Setup a TOR based

• http://365u4txyqfy72nul.onion/ - Anonymous E-mail service

• http://torbox3uiot6wchz.onion/ - [TorBox] The Box

• http://notestjxctkwbk6z.onion/ - NoteBin - Create encrypted self-destructing notes

• Post in some forums

• http://2gxxzwnj52jutais.onion/phpbb/index.php - Onion Forum 2.0 renewed

• http://npdaaf3s3f2xrmlo.onion/ - clone

• http://hbjw7wjeoltskhol.onion – social network: , messaging and much more. Use a fake email to register

Dark Web Search Map

• Setup parameters

• Create identity

• Locate and profile 6 to 12 markets you like

• Search engines

• At least 2 you have identified you prefer

• Search markets

• At least 4 or 5

• Identify specific items

• Verify/profile the seller

Dark Web General Guidelines

Safe Searching

Build your identity

Profile Markets – keep dossier

Profile Sellers – keep dossier

Building the perfect identity – Basic Identity

[Diagram: Get Email -> Post in Forums -> Interact]

Building the perfect identity – Intermediate Steps

• Build your own website - make it a collection of links to articles, search engines, etc.

• Buy a few low end items. Accounts from your client, innocuous documents, etc.

• Give reviews to sellers, positive reviews

Building the perfect identity – Advanced Steps

• Have a second identity (or multiple identities), sell a few items to yourself. Give yourself good reviews (but not too good)

• The perfect identity has

• Forum posts

• Responds to emails

• Makes appropriate commentaries

• Has bought and/or sold

Further Reading

• Global law enforcement strikes deep into 'Dark Web' http://www.alternet.org/progressive-wire/global-law-enforcement-strikes-deep-dark-web-0

• The Ultimate Guide To The Dark Web for Law Enforcement Professionals http://blog.mcafeeinstitute.com/the-ultimate-guide-to-the-deep-web-for-law-enforcement-professionals/

https://www.swansea.ac.uk/media/GDPO%20SA%20Onymous.pdf

• Dark Web News https://darkwebnews.com

• The rise and challenge of the Dark Web markets https://www.swansea.ac.uk/media/The%20Rise%20and%20Challenge%20of%20Dark%20Net%20Drug%20Markets.pdf

• Dark Web - The Smart Persons Guide http://www.techrepublic.com/article/dark-web-the-smart-persons-guide/

Further Reading

• Evans and Grothoff of the University presented "Deanonymizing Tor" at Defcon 16. https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf

• Motherboard published an article in 2015, "Tor Attack Could Unmask New Hidden Sites in Under Two Weeks" https://motherboard.vice.com/en_us/article/tor-attack-could-unmask-new-hidden-sites-in-under-two-weeks

• The Inside Story of Tor, the Best Internet Tool the Government Ever Built https://www.bloomberg.com/news/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency
