Dark Web Markets
HOW TO ADDRESS THE DARK WEB THREATS
Dark Web Threats with Chuck Easttom www.ChuckEasttom.com
About the Speaker
23 books (2 more in progress)
Over 40 industry certifications
2 Masters degrees
D.Sc. in Cybersecurity in progress
13 Computer science related patents
Over 25 years experience, over 15 years teaching/training
Helped create CompTIA Security+, Linux+, Server+. Helped revise CEH v8
Created ECES, created OSFCE
Frequent consultant/expert witness
Frequent speaker/presenter including: Defcon, Hakon India, Hakon Africa, SecureWorld, ISC2 Security Congress, AAFS, IAFSL, etc.
Conducts security related training internationally www.chuckeasttom.com
Tor Networks
TOR, https://www.torproject.org/, is an anonymous network of proxy servers. One can use the TOR network to send any sort of network traffic, including emails. This makes tracing the traffic back to its source extremely difficult.
Accessing a website via TOR
Path: User's Machine -> Proxy #1 -> Proxy #2 -> Proxy #3 -> Proxy #4 -> Target Server (Onion site)
Each proxy just sends the packet on and only knows the last and next hop.
The path can change each route.
The target server only knows the last hop the packet came from.
The user only knows the first proxy in the chain.
IP address ??? What does this mean
Searching from my home in Texas, it appears I am in Romania
How they work
Search the dark web
https://hss3uro2hsxfogfq.onion.to/ is a good general dark web search engine
Torch http://xmh57jrzrnw6insl.onion/
What’s for sale?
U.S. Bank Account Information Sold on Dark Web Market Place https://verafin.com/2016/08/u-s-bank-account-information-sold-dark-web-marketplace/
April 6, 2017 Tax information for sale on the Dark Web https://www.bloomberg.com/news/articles/2017-04-06/your-tax-refund-is-selling-cheap-on-the-dark-web
April 24, 2017 Health Care Records for sale on the Dark Web http://www.csoonline.com/article/3189869/data-breach/healthcare-records-for-sale-on-dark-web.html
Search the dark web
http://msydqstlz2kzerdg.onion/ is a good general dark web search engine
Dream Market
Search for Chase Bank
Accounts for sale 9/18/2017
Tor Site #3
Tor Site #3 – some products as of 10 Feb 2017
Traderroute (9/17/2017)
WallStreet (9/18/2017)
EuroGuns (9/18/2017)
Valhalla (Finnish) (9/12/2017)
The Blue Moon Group
Some sites have been removed
Dark Web Realities
February 7, 2017 the Derry Journal reports 6 people hospitalized in the last 10 days from drugs purchased on the dark web.
February 3, 2017 a man in Seattle admits to selling heroin over the dark web.
February 4, 2017 reports emerge that some dark web markets are paying bug bounties.
January 31, 2017, reports emerge of dark web markets paying employees for insider information on their organizations.
February 7, 2017, ISIS is recruiting via the dark web.
February 8, 2017, Boko Haram is fundraising via the dark web.
Law Enforcement Techniques
Watering Holes
Deanonymizing
Fake Reviews
Monitoring
Watering Holes
Basically a site to attract the targets of choice. Watering Holes were used in the Playpen case. The FBI agents monitored a bulletin board hidden service launched in August 2014, named Playpen. Playpen was a hidden service used in the dark web for “the advertisement and distribution of child pornography”; in just one year it reached over 200,000 users, with over 117,000 total posts mainly containing child pornography content. The FBI agents were able to discover nearly 1300 IP addresses belonging to the visitors.
Servers with contraband images were used to spread a tool for deanonymizing Tor users.
NIT
Network Investigative Technique used to deanonymize suspects using TOR.
“The NIT was a Flash based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings.” NIT was used in the Playpen case.
IP address through the TCP connection, operating system, CPU architecture and session identification. The researchers were able to determine that if a TOR browser accessing the FBI controlled website had proper up-to-date controls configured the NIT would not be able to reveal the true IP address of the users.
Fake Reviews
Panos Makopoulos and Dmietri Xefteris from the University of Cyprus and Chrysanthos Dellarocas of Boston University wrote a paper advocating that law enforcement use fake reviews of Dark Web drug markets to lower traffic. http://www.fox.temple.edu/conferences/cist/papers/Sesson%201A/CIST_2015_1A_2.pdf
Monitoring
Jason Koebler of Motherboard recommended Law Enforcement and Intel consider the following:
Mapping the hidden services directory
Looking at web connections to non-standard domains
Social Media monitoring
Snapshot hidden services
Marketplace profiling
http://motherboard.vice.com/read/six-ways-law-enforcement-monitors-the-dark-web
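The second item in that list, looking at web connections to non-standard domains, is a check a network defender can run over DNS or proxy logs. The following is an added example, not part of the original presentation: the three-field log format and the sample lines are constructed, and the gateway suffix list is an assumption seeded with the onion.to form that appears earlier in this deck.

```python
import re

# Gateway suffixes that expose hidden services to ordinary browsers.
# "onion.to" is the form used in this deck; extend the tuple for your environment.
GATEWAY_SUFFIXES = ("onion.to",)

# v2 onion labels are 16 base32 characters, v3 labels are 56.
ONION_LABEL = re.compile(r"^(?:[a-z2-7]{16}|[a-z2-7]{56})$")

def classify_host(host):
    """Return 'onion-direct', 'onion-gateway', 'onion-malformed' or None."""
    host = host.strip().lower().rstrip(".")
    labels = host.split(".")
    if labels[-1] == "onion" and len(labels) >= 2:
        # A .onion name reaching normal DNS means Tor traffic is leaking
        # or something on the host is probing for hidden services.
        return "onion-direct" if ONION_LABEL.match(labels[-2]) else "onion-malformed"
    for suffix in GATEWAY_SUFFIXES:
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1].split(".")[-1]
            if ONION_LABEL.match(label):
                return "onion-gateway"
    return None

def scan(log_lines):
    """Parse 'timestamp client_ip queried_host' lines and return the hits."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the constructed format
        ts, client, host = parts
        verdict = classify_host(host)
        if verdict:
            hits.append((ts, client, host, verdict))
    return hits

# Constructed sample log; hosts and addresses are made up for this example.
SAMPLE_LOG = [
    "2017-09-18T10:01:02Z 10.0.0.15 www.example.com",
    "2017-09-18T10:01:09Z 10.0.0.22 " + "a" * 16 + ".onion",
    "2017-09-18T10:02:41Z 10.0.0.22 " + "b" * 16 + ".onion.to",
    "2017-09-18T10:03:05Z 10.0.0.31 onion.to.example.com",
    "2017-09-18T10:04:17Z 10.0.0.40 short.onion",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The lookalike host onion.to.example.com is deliberately not flagged, because the suffix match is anchored to the end of the name.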
Scanning Dark Web Sites
http://ichidanv34wrx7m7.onion/search?query=SSH
Other Tor Link Lists
linkzbg4nwodgic.onion just basic link lists
jdpskjmg5kk4urv.onion Dark Web Links
Note: some of these reference each other.
The following are search engines for the Dark Web
anon4jmy3fozlv6.onion
xmh57jzmw6insl.onion The Torch Search Engine
OnionDir
OnionDir - http://dirnxxdraygbifgc.onion
Other Tor Link Lists
The Hub - http://thehub7dnl5nmcz5.onion
Bugged Planet - http://6sgjmi53igmg7fm7.onion
Doxbin - http://npieqpvpjhrmdchg.onion
Torchan - http://zw3crggtadila2sg.onion
Grams - http://grams7enufi7jmdl.onion
Tor Search - http://kbhpodhnfxl3clb4.onion
Tor Find - http://ndj6p3asftxboa7j.onion
Set up a TOR identity
Set up a TOR based email
http://365u4txyqfy72nul.onion/ - Anonymous E-mail service
http://torbox3uiot6wchz.onion/ - [TorBox] The Tor Mail Box
http://notestjxctkwbk6z.onion/ - NoteBin - Create encrypted self-destructing notes
Post in some forums
http://2gxxzwnj52jutais.onion/phpbb/index.php - Onion Forum 2.0 renewed
http://npdaaf3s3f2xrmlo.onion/ - Twitter clone
http://hbjw7wjeoltskhol.onion – social network: File sharing, messaging and much more. Use a fake email to register
Dark Web Search Map
Setup parameters
Create identity
Locate and profile 6 to 12 markets you like
Search engines
At least 2 you have identified you prefer
Search markets
At least 4 or 5
Identify specific items
Verify/profile the seller
Dark Web General Guidelines
Safe Searching
Build your identity
Profile Markets – keep dossier
Profile Sellers – keep dossier
Building the perfect identity – Basic Identity
Get Email -> Post in Forums -> Interact
Building the perfect identity – Intermediate Steps
Build your own website - make it a collection of links to articles, search engines, etc.
Buy a few low end items. Accounts from your client, innocuous documents, etc.
Give reviews to sellers, positive reviews
Building the perfect identity – Advanced Steps
Have a second identity (or multiple identities), sell a few items to yourself. Give yourself good reviews (but not too good).
The perfect identity has
Forum posts
Responds to emails
Makes appropriate commentaries
Has bought and/or sold
Further Reading
Global law enforcement strikes deep into 'Dark Web' http://www.alternet.org/progressive-wire/global-law-enforcement-strikes-deep-dark-web-0
The Ultimate Guide To The Dark Web for Law Enforcement Professionals http://blog.mcafeeinstitute.com/the-ultimate-guide-to-the-deep-web-for-law-enforcement-professionals/
Operation Onymous https://www.swansea.ac.uk/media/GDPO%20SA%20Onymous.pdf
Dark Web News https://darkwebnews.com
The rise and challenge of the Dark Web markets https://www.swansea.ac.uk/media/The%20Rise%20and%20Challenge%20of%20Dark%20Net%20Drug%20Markets.pdf
Dark Web- The Smart Persons Guide http://www.techrepublic.com/article/dark-web-the-smart-persons-guide/
Evans and Grothoff of the University presented "Deanonymizing Tor" at Defcon 16. https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf
Motherboard published an article in 2015, "Tor Attack Could Unmask New Hidden Sites in Under Two Weeks" https://motherboard.vice.com/en_us/article/tor-attack-could-unmask-new-hidden-sites-in-under-two-weeks
The Inside Story of Tor, the Best Internet Anonymity Tool the Government Ever Built https://www.bloomberg.com/news/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency