How to Address Dark Web Markets


Dark Web Markets: HOW TO ADDRESS THE DARK WEB THREATS

Dark Web Threats with Chuck Easttom www.ChuckEasttom.com

About the Speaker

  • 23 books (2 more in progress)
  • Over 40 industry certifications
  • 2 Masters degrees
  • D.Sc. in Cybersecurity in progress
  • 13 Computer science related patents
  • Over 25 years experience, over 15 years teaching/training
  • Helped create CompTIA Security+, Linux+, Server+. Helped revise CEH v8
  • Created ECES, created OSFCE
  • Frequent consultant/expert witness
  • Frequent speaker/presenter including: Defcon, Hakon India, Hakon Africa, SecureWorld, ISC2 Security Congress, AAFS, IAFSL, etc.
  • Conducts security related training internationally
  • www.chuckeasttom.com

Tor Networks

TOR, https://www.torproject.org/, is an anonymous network of proxy servers. One can use the TOR network to send any sort of network traffic, including emails. This makes tracing the traffic back to its source extremely difficult.

Accessing a website via TOR

[Diagram: User's Machine, Proxy #1, Proxy #2, Proxy #3, Proxy #4, Target Server (onion site)]

  • Each proxy just sends the packet on and only knows the last and next hop.
  • The path can change each route.
  • The target server only knows the last hop the packet came from.
  • The user only knows the first proxy in the chain.

IP address ???

What does this mean? Searching from my home in Texas, it appears I am in Romania.

How they work

Search the dark web

https://hss3uro2hsxfogfq.onion.to/ is a good general dark web search engine.

Torch

http://xmh57jrzrnw6insl.onion/

What's for sale?

  • U.S. Bank Account Information Sold on Dark Web Market Place
    https://verafin.com/2016/08/u-s-bank-account-information-sold-dark-web-marketplace/
  • April 6, 2017: Tax information for sale on the Dark Web
    https://www.bloomberg.com/news/articles/2017-04-06/your-tax-refund-is-selling-cheap-on-the-dark-web
  • April 24, 2017: Health Care Records for sale on the Dark Web
    http://www.csoonline.com/article/3189869/data-breach/healthcare-records-for-sale-on-dark-web.html

Search the dark web

http://msydqstlz2kzerdg.onion/ is a good general dark web search engine.

Market screenshots (slide titles only; images not included)

  • Dream Market: Search for Chase Bank
  • Accounts for sale 9/18/2017
  • Tor Site #3
  • Tor Site #3 – some products as of 10 Feb 2017
  • Traderroute (9/17/2017)
  • WallStreet (9/18/2017)
  • EuroGuns (9/18/2017)
  • Valhalla (Finnish) (9/12/2017)
  • The Blue Moon Group
  • Some sites have been removed

Dark Web Realities

  • February 7, 2017: the Derry Journal reports 6 people hospitalized in the last 10 days from drugs purchased on the dark web.
  • February 3, 2017: a man in Seattle admits to selling heroin over the dark web.
  • February 4, 2017: reports emerge that some dark web markets are paying bug bounties.
  • January 31, 2017: reports emerge of dark web markets paying employees for insider information on their organizations.
  • February 7, 2017: ISIS is recruiting via the dark web.
  • February 8, 2017: Boko Haram is fund raising via the dark web.

Law Enforcement Techniques

  • Watering Holes
  • Deanonymizing
  • Fake Reviews
  • Monitoring

Watering Holes

Basically a site to attract the targets of choice. Watering holes were used in the Playpen case. FBI agents monitored a bulletin board hidden service launched in August 2014, named Playpen. Playpen was a hidden service used on the dark web for “the advertisement and distribution of child pornography”; in just one year it reached over 200,000 users, with over 117,000 total posts mainly containing child pornography content. The FBI agents were able to discover nearly 1300 IP addresses belonging to the visitors. Servers with contraband images were used to spread a tool for deanonymizing Tor users.

NIT

Network Investigative Technique, used to deanonymize suspects using TOR.

“The NIT was a Flash based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings.”

NIT was used in the Playpen case. IP address through the TCP connection, operating system, CPU architecture and session identification. The researchers were able to determine that if a TOR browser accessing the FBI-controlled website had proper up-to-date controls configured, the NIT would not be able to reveal the true IP address of the users.

Fake Reviews

Panos Makopoulos and Dmietri Xefteris from the University of Cyprus and Chrysanthos Dellarocas of Boston University wrote a paper advocating that law enforcement use fake reviews of Dark Web drug markets to lower traffic.
http://www.fox.temple.edu/conferences/cist/papers/Sesson%201A/CIST_2015_1A_2.pdf

Monitoring

Jason Koebler of Motherboard recommended that law enforcement and intel consider the following:

  • Mapping the hidden services directory
  • Looking at web connections to non-standard domains
  • Social media monitoring
  • Snapshot hidden services
  • Marketplace profiling

http://motherboard.vice.com/read/six-ways-law-enforcement-monitors-the-dark-web

Scanning Dark Web Sites

http://ichidanv34wrx7m7.onion/search?query=SSH

Other Tor Link Lists

  • linkzbg4nwodgic.onion - just basic link lists
  • jdpskjmg5kk4urv.onion - Dark Web Links

Note: some of these reference each other.

The following are search engines for the Dark Web:

  • anon4jmy3fozlv6.onion
  • xmh57jzmw6insl.onion - The Torch Search Engine

OnionDir

OnionDir - http://dirnxxdraygbifgc.onion

Other Tor Link Lists

  • The Hub - http://thehub7dnl5nmcz5.onion
  • Bugged Planet - http://6sgjmi53igmg7fm7.onion
  • Doxbin - http://npieqpvpjhrmdchg.onion
  • Torchan - http://zw3crggtadila2sg.onion
  • Grams - http://grams7enufi7jmdl.onion
  • Tor Search - http://kbhpodhnfxl3clb4.onion
  • Tor Find - http://ndj6p3asftxboa7j.onion

Set up a TOR identity

Set up a TOR based email:

  • http://365u4txyqfy72nul.onion/ - Anonymous E-mail service
  • http://torbox3uiot6wchz.onion/ - [TorBox] The Tor Mail Box
  • http://notestjxctkwbk6z.onion/ - NoteBin - Create encrypted self-destructing notes

Post in some forums:

  • http://2gxxzwnj52jutais.onion/phpbb/index.php - Onion Forum 2.0 renewed
  • http://npdaaf3s3f2xrmlo.onion/ - Twitter clone
  • http://hbjw7wjeoltskhol.onion – social network: File sharing, messaging and much more.

Use a fake email to register.

Dark Web Search Map

  • Setup parameters
  • Create identity
  • Locate and profile 6 to 12 markets you like
  • Search engines: at least 2 you have identified you prefer
  • Search markets: at least 4 or 5
  • Identify specific items
  • Verify/profile the seller

Dark Web General Guidelines

  • Safe Searching
  • Build your identity
  • Profile Markets – keep dossier
  • Profile Sellers – keep dossier

Building the perfect identity – Basic Identity

  • Get Email
  • Post in Forums
  • Interact

Building the perfect identity – Intermediate Steps

  • Build your own website: make it a collection of links to articles, search engines, etc.
  • Buy a few low end items. Accounts from your client, innocuous documents, etc.
  • Give reviews to sellers, positive reviews.

Building the perfect identity – Advanced Steps

  • Have a second identity (or multiple identities); sell a few items to yourself.
  • Give yourself good reviews (but not too good).

The perfect identity:

  • Has forum posts
  • Responds to emails
  • Makes appropriate commentaries
  • Has bought and/or sold

Further Reading

  • Global law enforcement strikes deep into 'Dark Web'
    http://www.alternet.org/progressive-wire/global-law-enforcement-strikes-deep-dark-web-0
  • The Ultimate Guide To The Dark Web for Law Enforcement Professionals
    http://blog.mcafeeinstitute.com/the-ultimate-guide-to-
