Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem Dr.

In this work we explored the attack landscape in the Dark Web. While in the past FTR looked at the goods and services offered and traded, here we investigated attacks and exposure. We observed hacking groups targeting each other, for example by defacing competitors' web sites in order to promote their -- or stealing onion services' private keys, possibly to tamper with encrypted traffic in Tor.

Published in: Technology

  1. Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem. Dr. Marco Balduzzi @embyte, Sr. Researcher at Trend Micro Forward-Looking Threat Research
  2. A perfect platform for eCrime
  3. Courtesy Ionut Ilascu, Softpedia
  4. What do attackers do?
  5. What do attackers do? After…
  6. How to Study such Attacks? (In the Dark Web)
  7. We simulate a cyber-criminal installation in Tor
  8. Honeypot: I. Black market; II. Hosting/service provider in Tor; III. Underground forum; IV. Misconfigured server (FTP/SSH/IRC). Technology: I. OsCommerce; II. WordPress + Shells; III. Custom; IV. Debian Linux
  9. Honeypot #3
  10. Registration Only Forum
  11. Exposes a Local File Inclusion vuln
  12. Role of Tor2web proxies
  13. Data Collection and Advertisement • 7-month experiment • Month 1: Different advertisement strategies for honeypot #1 • Month 2: Advertised ALL honeypots using ALL strategies • Months 3-7: Restricted access by blocking incoming Tor2web traffic
  14. Daily POST Requests
  15. Attacks and File Uploads • Phase 2 onwards • Average of 1.4 malicious uploads per day
  16. [Canali et al. NDSS 2013]
  17. Traditional Web Attacks
  18. Password-protected Shells
  19. Obfuscation
  20. Abuse of Tor Anonymity for Attacks
  21. • Specifically targeting underground services in Tor like marketplaces, forums • Our honeypot! Case of Tor-centric defacement
  22. • Cyber-criminal gangs compromising opponents • Self-promoting their “business”
  23. Tor’s private key theft • Used to compute the hidden service descriptor [Diagram labels: Introduction Points, Public Key, Private Key, XYZ.onion, Signing, Keypair Generation]
  24. Tor’s private key theft • Over 400 attempts • MiTM, hijack, decryption
  25. Discussion • Tor2web proxies play an important role! – Make the dark web not as private as someone would think • Hidden services are equally visible and exposed as surface services – Receive attacks within days
  26. Discussion • Dark Web is not a safe haven – Attackers are actively conducting attacks against hidden services – Both automated and manual • Cyber-criminals are looking for services operated by opponent groups – Voluntarily attack them
  27. • This work represents a first result in the direction of understanding the attack landscape in the Dark Web. Dr. Marco Balduzzi @embyte, Sr. Researcher at Trend Micro Forward-Looking Threat Research http://www.madlab.it/papers/sac17_darknets.pdf