What Lurks in the Dark Web?

October 20, 2016

Organizations concerned about cyber security can effectively thwart threats only if they know a threat is lurking in the dark. An Israeli SaaS-based startup claims it can bridge this gap by offering real-time analysis of data on the Dark Web.

TechCrunch, in an article titled Sixgill claims to crawl the Dark Web to detect future cybercrime, says:

Sixgill has developed proprietary algorithms and tech to connect the Dark Web’s dots by analyzing so-called “big data” to create profiles and patterns of Dark Web users and their hidden social networks. It’s via the automatic crunching of this data that the company claims to be able to identify and track potential hackers who may be planning malicious and illegal activity.

By analyzing the data, Sixgill claims that it can identify illegal marketplaces, data leaks and also physical attacks on organizations using its proprietary algorithms. However, there are multiple weaknesses in this type of setup.

First, some Dark Web actors can easily insert red herrings across the communication channels to divert attention from real threats. Second, the Dark Web was created by individuals who wished to keep their communications cloaked. Mining data and crunching it through algorithms would not be sufficient to keep organizations safe. Moreover, AI can only process data that has been mined by algorithms, which in many cases can be false. TOR is undergoing changes to increase the safeguards in place for its users. What’s beginning is a Dark Web arms race. A pattern of compromise will be followed by hardening. Then compromise will occur again and the Hegelian cycle repeats.

Vishal Ingole, October 20, 2016
Sponsored by ArnoldIT.com, publisher of the CyberOSINT monograph

Pattern of Life Analysis to Help Decrypt Dark Web Actors

October 18, 2016

Google-funded Recorded Future plans to use technologies like natural language processing, social network analysis and temporal pattern analysis to track Dark Web actors. This, in turn, will help security professionals detect patterns and thwart security breaches well in advance.

An article titled Decrypting The Dark Web: Patterns Inside Hacker Forum Activity that appeared on DarkReading points out:

Most companies conducting threat intelligence employ experts who navigate the Dark Web and untangle threats. However, it’s possible to perform data analysis without requiring workers to analyze individual messages and posts.

Recorded Future, which deploys around 500-700 servers across the globe, monitors Dark Web forums to identify and categorize participants based on their language and geography. Using advanced algorithms, it then identifies individuals, and their aliases, who are involved in various fraudulent activities online. This is a type of automation where AI is deployed rather than relying on human intelligence.

The major flaw in this method is that bad actors do not necessarily use the same or even similar aliases or handles across different Dark Web forums. Christopher Ahlberg, CEO of Recorded Future, who is leading the project, says:

A process called mathematical clustering can address this issue. By observing handle activity over time, researchers can determine if two handles belong to the same person without running into many complications.

Again, researchers, and not AI or intelligent algorithms, will have to play a crucial role in identifying the bad actors. It is interesting to note that Google, which pretty much dominates the information on the Open Web, is trying to make inroads into the Dark Web through many of its fronts. The question is – will it succeed?

Vishal Ingole, October 18, 2016

Demand for British Passports Surge on Dark Web Post Brexit

October 17, 2016

A Freedom of Information Act request submitted by British general insurer Esure reveals that 270,000 British passports have been reported missing so far in 2016. A tiny percentage of these passports are for sale on the Dark Web at a premium.

An article by Jennifer Baker titled Dark Web awash with pricey British passports after UK vote for Brexit states:

The value of a fake British passport has increased by six percent since the vote in favor of Brexit, and is predicted to rise further if rules on European Union freedom of movement change

Each passport is being sold for around $3,360 and upwards in Bitcoin or its equivalent. Restriction of movement across borders from the European Union to the United Kingdom is considered to be the primary reason for the surge in demand for British passports.

While the asking price for the passports of smaller EU nations remains tepid on the Dark Web, experts are warning that instances of British passport theft will increase by 20 percent next year.

The offline and online black market for British passports is estimated to be around $57 million a year. According to Ms Baker:

The most common hotspots for passport theft included bars and restaurants (14 percent), the beach (14 percent), busy streets (14 percent) and hotel rooms (13 percent). However, it isn’t just overseas as one in five (19 percent) of people reported a passport being stolen from their own homes.

A stolen passport can be used without any hassle until it is reported lost or stolen, and Brexit rules come into force. Even after being reported, the passport can still be used for identity theft and other online scams. Can there be a better way to curb this practice of identity theft, Brexit or not?

Vishal Ingole, October 17, 2016

Malware with Community on the Dark Web

October 14, 2016

While Mac malware is perhaps less common than attacks designed for the PC, it is not entirely absent. The Register covers this in a recent article, EasyDoc malware adds Tor backdoor to Macs for botnet control. The malware is disguised as a software application called EasyDoc Converter, which is supposed to be a file converter but does not actually perform that function. Instead, it allows hackers to control the hacked Mac via Tor. The details of the software are explained as follows:

The malware, dubbed Backdoor.MAC.Eleanor, sets up a hidden Tor service and PHP-capable web server on the infected computer, generating a .onion domain that the attacker can use to connect to the Mac and control it. Once installed, the malware grants full access to the file system and can run scripts given to it by its masters. Eleanor’s controllers also use the open-source tool wacaw to take control of the infected computer’s camera. That would allow them to not only spy on the victim but also take photographs of them, opening up the possibility of blackmail.

A Computer World article on EasyDoc expands on an additional aspect of this enabled by the Dark Web. Namely, there is a Pastebin agent which takes the infected system’s .onion URL, encrypts it with an RSA public key and posts it on Pastebin, where attackers can find it and use it. This certainly seems to point to the strengthening of hacking culture and community, however counterintuitive a form of community it may be to those on the outside.

Megan Feil, October 14, 2016


Hacking Federal Agencies Now a Child’s Play

October 12, 2016

A potentially dangerous piece of malware called GovRat, effective for cyber-espionage, is available on the Dark Web for as little as $1,000.

IBTimes recently published an article, Malware used to target US Government and military being sold on Dark Web, in which the author states:

The evolved version of GovRat, which builds on a piece of malware first exposed in November last year, can be used by hackers to infiltrate a victim’s computer, remotely steal files, upload malware or compromised usernames and passwords.

The second version of this malware has already caused significant damage. Along with it, the seller is also willing to give away credentials for accessing US government servers and military groups.

Though the exact identity of the creator of GovRat 2.0 is unknown, the article states:

“Several of these individuals are known as professional hackers for hire,” Komarov explained. He cited one name as ROR [RG] – a notorious hacker who previously targeted Ashley Madison, AdultFriendFinder and the Turkish General Directorate of Security (EGM).

The data of large numbers of federal employees has already been compromised, and details like email, home address, login IDs and hashed passwords are available to anyone who can pay the price.

InfoArmor, a cybersecurity and identity protection firm, unearthed this information while scanning Dark Web forums and has already passed the details on to the affected parties. While the extent of the damage is unknown, the stolen information can be used to cause further damage.

Vishal Ingole, October 12, 2016

Need a Low Cost College Degree? Dark Web U Is for You

October 11, 2016

The lawless domain just got murkier. Apart from illegal firearms, passports, drugs and hitmen, you can now procure a verifiable college degree or diploma on the Dark Web.

The Next Web, in an article titled Dark Web crooks are selling fake degrees and certifications for the price of a smartphone, reports:

Cyber criminals have created a digital marketplace where unscrupulous students can purchase or gain information necessary to provide them with unfair and illegal academic credentials and advantages.

The certificates for these academic credentials are near-perfect. But what makes this cybercrime more dangerous is the fact that hackers also manipulate the institution’s records to make the fake credential appear genuine.

The article adds:

A flourishing market for hackers who would target universities in order to change grades and remove academic admonishments

This means that under-performing and completely non-performing students undertaking an educational course need not worry about low grades or absenteeism. Just pay the hackers and you have a perfectly legal degree that you can show the world. And the cost of all this? Just $500-$1000.

What makes this particular aspect of the Dark Web horrifyingly interesting is the fact that anyone who procures such an illegitimate degree can enter the mainstream job market with perfect ease and no student debt.

Vishal Ingole, October 11, 2016

New Terrorism and Technology Reports Released

October 11, 2016

Attempting to understand the level of threat a terrorist organization poses continues to be difficult. DefenseSystems.com published Report: Electronic jihad grows in sophistication, which shares the cyber-jihad survey from the Institute for Critical Infrastructure Technology. The authors of this survey present social media and other cyberspace tools as “the great equalizer” in warfare. In addition to social media, there are a few hacker groups which have launched attacks on western websites and Arab media: the Cyber Caliphate, the dedicated hacker division of the Islamic State, and the Terrorist Team for Electronic Jihad. The write-up explains:

The cyber jihad survey notes that ISIS has mostly dedicated its expanding offensive cyber capabilities to specific social media accounts, including the Twitter and YouTube accounts of U.S. Central Command. Offensive capabilities are thought to include the use of malware, insider threats and “preconfigured tools.” Malware efforts have included spear-phishing emails containing malware designed to sweep up the IP addresses and geolocation data about anti-ISIS groups in the ISIS stronghold of Raqqa, Syria. As ISIS and other cyber-jihadists become more sophisticated and aggressive, experts worry that they will eventually attempt more audacious attacks.

However, a report from the federal government suggests ISIS’ Twitter traffic dropped 45 percent in the past two years. While the terrorist group’s technology may be expanding in the arena of offensive strikes, officials believe the decline in Twitter popularity suggests recruitment may be slowing. We think there needs to be more analysis of recruitment via the Dark Web.

Megan Feil, October 11, 2016

Hundreds of Thousands of Patient Records Offered up on the Dark Web

September 19, 2016

Some of us suspected this was coming, despite many assurances to the contrary. Softpedia informs us, “Hacker Selling 651,894 Patient Records on the Dark Web.” Haughtily going by the handle TheDarkOverlord, the hacker responsible is looking to make over seven hundred grand off the data. Reporter Catalin Cimpanu writes:

The hacker is selling the data on The Real Deal marketplace, and he [or she] says he breached these companies using an RDP (Remote Desktop Protocol) bug. TheDarkOverlord has told DeepDotWeb, who first spotted the ads, that it’s ‘a very particular bug. The conditions have to be very precise for it.’ He has also provided a series of screenshots as proof, showing him accessing the hacked systems via a Remote Desktop connection. The hacker also recalls that, before putting the data on the Dark Web, he contacted the companies and informed them of their problems, offering to disclose the bug for a price, in a tactic known as bug poaching. Obviously, all three companies declined, so here we are, with their data available on the Dark Web. TheDarkOverlord says that all databases are a one-time sale, meaning only one buyer can get their hands on the stolen data.

The three databases contain information on patients in Farmington, Missouri; Atlanta, Georgia; and the Central and Midwest areas of the U.S. TheDarkOverlord asserts that the data includes details like contact information, Social Security numbers, and personal facts like gender and race. The collection does not, apparently, include medical history. I suppose that is a relief—for now.

Cynthia Murrell, September 19, 2016
There is a Louisville, Kentucky Hidden Web/Dark Web meet up on September 27, 2016.
Information is at this link: https://www.meetup.com/Louisville-Hidden-Dark-Web-Meetup/events/233599645/


Ancient History Tumblr Hack Still Beats Myspace Passwords Sale

September 19, 2016

Personal information remains a hot-ticket item on the darknet. Metro shared an article highlighting the latest breach, More than 65million Tumblr emails sold on the darknet. While the leak happened in 2013, Tumblr has only now reported the magnitude of the database that was hacked. As a call to action, the article reports Tumblr’s recommendation for users to change their passwords and look out for phishing attempts. The article reports:

The database includes email addresses and passwords. These are heavily protected by a procedure which makes it extremely difficult to reproduce the passwords. The database has turned up on the darknet marketplace The Real Deal at a price of £102, reports Motherboard.

Troy Hunt, who runs the security research site Have I Been Pwned, said the leak is an example of a ‘historical mega breach’. Users who fear their credentials were involved in the Tumblr hack can find out here.

Let’s not forget the more recent hack, potentially the largest theft of login credentials to date: Hacker offers 427 million MySpace passwords for just $2,800. Many are commenting on the low price tag for such a huge quantity of personal information as a sign of MySpace’s lack of appeal even on the Dark Web. When login information including passwords is stolen, phishing attempts on the site are not the only issue for victims to be concerned with; many individuals use the same login credentials for multiple accounts.

Megan Feil, September 19, 2016


Enterprise Technology Perspective on Preventing Security Breaches

September 16, 2016

When it comes to the Dark Web, the enterprise perspective wants solutions to prevent security breaches. Fortscale released an article, Dark Web — Tor Use is 50% Criminal Activity — How to Detect It, speaking to this audience. This write-up explains the anonymizer Tor as The Onion Router, a name explained by the multiple layers used to hide an IP address and therefore the user’s identity. How does the security software work to detect Tor users? We learned:

There are a couple of ways security software can determine if a user is connecting via the Tor network. The first way is through their IP address. The list of Tor relays is public, so you can check whether the user is coming from a known Tor relay. It’s actually a little bit trickier than that, but a quality security package should be able to alert you if user behaviors include connecting via a Tor network. The second way is by looking at various application-level characteristics. For example, a good security system can distinguish the differences between a standard browser and a Tor Browser because, among other things, Tor software won’t respond to certain history requests or JavaScript queries.

Many cybersecurity software companies offer solutions that monitor the Dark Web for sensitive data, which is more of a recovery strategy. However, this article highlights the importance of cybersecurity solutions which monitor enterprise system usage to identify users connecting through Tor. While this appears a sound strategy for understanding the frequency of Tor-based users, it will be important to know whether these data-producing software solutions facilitate action, such as removing Tor users from the network.
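As an added example, not taken from the Fortscale article or from this blog, here is the first detection method quoted above put into practice: client addresses in a web-server access log are matched against the public list of Tor exit relays. It assumes the line layout of the Tor Project's bulk exit list (ExitNode, Published, LastStatus and ExitAddress records), and both the list and the log lines are constructed samples; it also drops exit entries that have not been seen recently, which is one part of the "trickier than that" the quote alludes to, since exit relays change addresses over time.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the Tor Project's bulk exit list
# (assumed format; fingerprints are made up, addresses are RFC 5737 ranges).
SAMPLE_EXIT_LIST = """\
ExitNode 0123456789ABCDEF0123456789ABCDEF01234567
Published 2016-09-16 08:00:00
LastStatus 2016-09-16 09:00:00
ExitAddress 198.51.100.7 2016-09-16 08:30:00
ExitNode 89ABCDEF0123456789ABCDEF0123456789ABCDEF
Published 2016-09-15 20:00:00
LastStatus 2016-09-16 09:00:00
ExitAddress 203.0.113.42 2016-09-16 08:40:00
ExitAddress 203.0.113.43 2016-09-10 01:00:00
"""

# Constructed web-server access log (common log format).
SAMPLE_ACCESS_LOG = """\
198.51.100.7 - - [16/Sep/2016:08:45:12 +0000] "POST /login HTTP/1.1" 200 512
192.0.2.10 - - [16/Sep/2016:08:45:13 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.43 - - [16/Sep/2016:08:46:01 +0000] "GET /admin HTTP/1.1" 403 128
"""

NOW = datetime(2016, 9, 16, 10, 0, 0)  # fixed clock so the stale check is deterministic
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"')  # client IP and request line

def parse_exit_list(text, now, max_age=timedelta(hours=24)):
    """Map each exit IP to its relay fingerprint, keeping only ExitAddress
    records seen within max_age: relays change address, and a stale entry
    would mis-attribute ordinary traffic to Tor."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "ExitNode":
            fingerprint = fields[1]
        elif fields[0] == "ExitAddress" and len(fields) == 4:
            seen = datetime.strptime(fields[2] + " " + fields[3], "%Y-%m-%d %H:%M:%S")
            if now - seen <= max_age:
                exits[ipaddress.ip_address(fields[1])] = fingerprint
    return exits

def detect_tor_requests(log_text, exits):
    """Return (client_ip, request, relay_fingerprint) for every log line
    whose client address is a currently listed Tor exit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        ip = ipaddress.ip_address(m.group(1)) if m else None
        if ip in exits:
            hits.append((str(ip), m.group(2), exits[ip]))
    return hits
```

On the constructed data only the login request from 198.51.100.7 is flagged: 203.0.113.43 appears in the list, but its last sighting is six days old, so it is treated as no longer a Tor exit.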

Megan Feil, September 16, 2016
