![Page 1: Cybercrime and Attacks in the Dark Side of the Web · Significant Wordcloud Page text Tokenization Filtering Semantic distance matrix Hierarchical clustering Cluster label and popularity](https://reader035.vdocuments.site/reader035/viewer/2022070904/5f70ce645751ef14381a522d/html5/thumbnails/1.jpg)
Cybercrime and Attacks in the Dark Side of the Web
Dr. Marco Balduzzi*
Senior Researcher at Trend Micro, http://www.madlab.it, @embyte
*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini
The Dark Ecosystem
Dark Nets
• TOR
• I2P
• Freenet
Custom DNS
• Namecoin
• Emercoin
Rogue TLDs
• Cesidian Root
• OpenNIC
• NewNations
• …
A perfect platform for Cybercrime
Our Investigative System: DEMO
Query: timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace
Our Gateway to the Dark Internet
• Squid transparent proxy
• Privoxy + TOR (anonymizer)
• Polipo + TOR (64 instances)
• I2P
• Freenet
• Custom DNS resolver (DNSMASQ)
  • Namecoin DNS
  • Rogue TLD DNS: Cesidian Root, OpenNIC, NameSpace, …
Data Exploration
Headless browser, collecting per page:
• HAR log
• Page DOM
• Screenshot
• Title
• Text
• Metadata
• Raw HTML
• Links
• Bitcoin wallets
Headless Browser
Scrapinghub's Splash
• QtWebKit browser, Dockerized, Lua scriptable
• Full HTTP traces
Crawler based on Python's Scrapy + multiprocess + Splash access
• Headers rewrite
• Shared queue support
• HAR log -> HTTP redirection chain
Extract links, emails, Bitcoin wallets
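The two crawler outputs named above, the redirection chain recovered from the HAR log and the links/e-mails/Bitcoin wallets pulled from a page, as an added Python example. This is not the talk's crawler code; the HAR fragment, the HTML page and the .onion names in it are constructed, and the Bitcoin address used is the well-known genesis-block address (plus a one-character corruption of it). The one check worth copying is that a Bitcoin regex hit is only a candidate until its Base58 checksum verifies:

```python
import hashlib
import json
import re

# Constructed HAR fragment and page (not data from the talk): a clearnet front
# that 302-redirects to a v2 .onion shop whose page carries an e-mail and two
# Bitcoin-looking strings, one of which has a broken checksum.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "http://shop.example.com/"},
     "response": {"status": 302, "headers": [
         {"name": "Location", "value": "http://abcdefghij234567.onion/index.php"}]}},
    {"request": {"url": "http://abcdefghij234567.onion/index.php"},
     "response": {"status": 200, "headers": [
         {"name": "Content-Type", "value": "text/html"}]}},
]}})

SAMPLE_HTML = """<html><body><h1>Marketplace</h1>
<a href="http://abcdefghij234567.onion/index.php">shop</a>
<a href="http://abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion/">mirror</a>
<p>Contact: vendor@example.com</p>
<p>Pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa or 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb</p>
</body></html>"""

# v2 onion names are 16 base32 chars, v3 names 56; both use the a-z2-7 alphabet.
ONION_RE = re.compile(r"https?://[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion(?:/[^\s\"'<>]*)?")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Legacy P2PKH/P2SH addresses: leading 1 or 3, Base58 alphabet (no 0, O, I, l).
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def redirect_chain(har_text):
    """Walk the HAR entries in capture order and return one hop per entry:
    the requested URL, the status, and the Location header if it redirected."""
    hops = []
    for entry in json.loads(har_text)["log"]["entries"]:
        headers = {h["name"].lower(): h["value"]
                   for h in entry["response"].get("headers", [])}
        hops.append({"url": entry["request"]["url"],
                     "status": entry["response"]["status"],
                     "location": headers.get("location")})
    return hops


def b58decode(text):
    """Base58 decode; leading '1' characters stand for leading zero bytes."""
    value = 0
    for ch in text:
        value = value * 58 + B58.index(ch)  # ValueError on a non-Base58 char
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    leading = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading + body


def valid_btc_address(addr):
    """A regex hit is only a candidate: require 25 decoded bytes and a matching
    4-byte double-SHA256 checksum, which drops typos and random Base58 noise."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return False
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def extract_indicators(html):
    """Pull .onion links, e-mail addresses and checksum-valid Bitcoin wallets out of raw HTML."""
    return {
        "onion_links": ONION_RE.findall(html),
        "emails": EMAIL_RE.findall(html),
        "bitcoin_wallets": [w for w in BTC_RE.findall(html) if valid_btc_address(w)],
    }


if __name__ == "__main__":
    for hop in redirect_chain(SAMPLE_HAR):
        print(hop["status"], hop["url"], "->", hop["location"])
    print(extract_indicators(SAMPLE_HTML))
```

Walking the HAR rather than only the final DOM is what exposes the clearnet-to-onion hop; a page that is reached through a Tor2Web front otherwise looks like an ordinary surface-web URL in the crawl queue.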
Data Analysis
Embedded links classification (WRS)
• Surface Web links
• Classification and categorization
Page translation
• Language detection
• Non-English to English
Significant wordcloud
• Semantic clustering
• Custom algorithm
Significant Wordcloud

| Step | What it does |
|---|---|
| Page text | Scrape text from HTML, clean up, strip spaces, etc. |
| Tokenization | Create list of (word, frequency) pairs |
| Filtering | Keep only substantives |
| Semantic distance matrix | How "far" are words from one another? |
| Hierarchical clustering | Group similar words |
| Cluster label and popularity | Label clusters, sum frequencies |
| Word cloud | Draw using summed frequencies |

Tools: lxml, NLTK (WordNet), wordcloud (Pillow)
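The pipeline in the table above, steps 1 to 6, as an added, self-contained Python example; it is not the talk's "custom algorithm". The noun list, lemma map and synonym sets are constructed stand-ins for the NLTK/WordNet resources the talk used, the distance function is a coarse substitute for a WordNet path distance, and the marketplace page is constructed. Step 7 (rendering) is left to a word-cloud library, which only needs the label-to-frequency dictionary this code produces:

```python
import re
from collections import Counter
from itertools import combinations

# Constructed marketplace page (not a crawled one).
SAMPLE_HTML = """<html><body><h1>Market</h1>
<p>Cheap guns for sale: gun, pistol, rifle. Guns shipped worldwide.
Fake passports, passport scans and passport templates. ID card available.
Escrow service.</p><script>var tracker = 1;</script></body></html>"""

# Constructed stand-ins for the lexical resources the talk used (NLTK / WordNet):
# a noun list, a lemma map, and synonym sets that define "closeness".
NOUNS = {"gun", "pistol", "rifle", "firearm", "passport", "id", "card",
         "market", "service"}
LEMMAS = {"guns": "gun", "pistols": "pistol", "rifles": "rifle",
          "passports": "passport", "cards": "card"}
SYNSETS = [{"gun", "pistol", "rifle", "firearm"}, {"passport", "id", "card"}]


def page_text(html):
    """Step 1: drop script/style blocks and tags, collapse whitespace, lowercase."""
    html = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip().lower()


def tokenize(text):
    """Step 2: (word, frequency) pairs."""
    return Counter(re.findall(r"[a-z]+", text))


def keep_substantives(freq):
    """Step 3: lemmatize and keep only nouns, merging plural/singular counts."""
    kept = Counter()
    for word, n in freq.items():
        lemma = LEMMAS.get(word, word)
        if lemma in NOUNS:
            kept[lemma] += n
    return kept


def semantic_distance(a, b):
    """Step 4: 0.0 for the same word, 0.2 inside a synonym set, 1.0 otherwise
    (a coarse stand-in for a WordNet path distance)."""
    if a == b:
        return 0.0
    return 0.2 if any(a in s and b in s for s in SYNSETS) else 1.0


def hierarchical_clusters(words, threshold=0.5):
    """Step 5: single-linkage agglomerative clustering. Repeatedly merge the two
    closest clusters until the smallest inter-cluster distance exceeds threshold."""
    clusters = [{w} for w in words]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            d = min(semantic_distance(a, b) for a in clusters[i] for b in clusters[j])
            if best is None or d < best[0]:
                best = (d, i, j)
        if best[0] > threshold:
            break
        _, i, j = best
        clusters[i] |= clusters[j]
        del clusters[j]
    return clusters


def label_clusters(freq, clusters):
    """Step 6: label each cluster with its most frequent member (alphabetical
    tie-break) and give it the summed frequency of all members."""
    return {max(c, key=lambda w: (freq[w], w)): sum(freq[w] for w in c)
            for c in clusters}


def significant_words(html):
    """Steps 1-6; the result is what a word-cloud renderer (step 7) would draw."""
    freq = keep_substantives(tokenize(page_text(html)))
    return label_clusters(freq, hierarchical_clusters(sorted(freq)))


if __name__ == "__main__":
    print(significant_words(SAMPLE_HTML))
```

The point of clustering before drawing is visible on the sample: "gun", "pistol" and "rifle" each appear only a few times, but the cluster they form ties with "passport" for the largest word in the cloud, which is the signal an analyst wants when triaging a marketplace page.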
The Dark Portal
Examples
Guns
Identities and Passports
Credit Cards
Accounts, e.g. Israeli Paypal
Cashout services
Bulletproof Hosting Providers
Impact on organizations
Dark Web traffic is difficult to detect with traditional systems (IDS)
Resilient and stealth malware
Persistence and monitoring (APT)
Ransomware
TorrentLocker, i.e. a variant of CryptoLocker
Payment page hosted in TOR:
◎ wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019
◎ wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775
Cashout via Bitcoin
Keylogger
Organized Attacks
We simulated a cybercriminal installation in the Dark Web
| Honeypot | Technology |
|---|---|
| I. Black Market | WordPress + shells |
| II. Hosting Provider | osCommerce |
| III. Underground Forum | Custom web app |
| IV. Misconfigured Server (FTP/SSH/IRC) | Custom OS (Linux) |
Registration-Only Forum
Exposes a Local File Inclusion
A 7-month experiment
Month 1: Different advertisement strategies to honeypot #1
[Chart: # Daily POST Requests]
Average of 1.4 malicious uploads per day
Manual VS Automated Attacks
Pre-installed web shells attracted the most "visitors"
CMS #1-2 reached via Google Dorks (on Tor2Web); CMS #3 was not, because it is custom
CMS #2 reached via a TOR search engine query "Index of /files/images/" (http://hss3uro2hsxfogfq.onion)
[Chart: # Attacks, # Days with Attacks]
Traditional Web Attacks
Password-protected Shells
Smart use of Obfuscation
Abuse of Tor for Anonymized Attacks
(Anonymized) Phishing Campaign
Rival Gangs
• Cyber-criminal gangs compromising opponents
• Self-promoting their “business”
(TOR Keys)
Signing keypair generation: private key + public key
Public key -> XYZ.onion
Used to compute the hidden service descriptor: introduction points + public key, signed with the private key
Hidden Service (HS) private key theft
400+ attacks
MiTM, hijack and decryption
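Why stealing the hidden service's private key is a hijack and not just a leak: the .onion name is derived from the public key alone, so anyone holding the matching private key can sign descriptors for that exact address. The added Python example below (not code from the talk) carries the v2 derivation through: the PKCS#1 `RSAPublicKey` SEQUENCE is DER-encoded by hand, SHA-1 hashed, and the first 80 bits are base32-encoded into the 16-character name. The modulus is a constructed toy value, far too small for a real key:

```python
import base64
import hashlib


def der_length(n):
    """DER length octets: short form below 128, else 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER (tag 0x02); a leading 0x00 keeps a high-bit value positive."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def rsa_pubkey_der(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    content = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(content)) + content


def onion_address_v2(n, e):
    """v2 address: first 80 bits of SHA-1 over the DER public key, base32, lowercase,
    which is exactly 16 characters before the .onion suffix."""
    digest = hashlib.sha1(rsa_pubkey_der(n, e)).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def address_matches(n, e, claimed):
    """Check that a key pair found on a compromised host controls the claimed address."""
    return onion_address_v2(n, e) == claimed.lower()


# Constructed toy key (256-bit modulus, not usable for real RSA); stands in for
# the 1024-bit key a v2 hidden service generates. Only n and e feed the address.
TOY_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E
TOY_E = 65537

if __name__ == "__main__":
    addr = onion_address_v2(TOY_N, TOY_E)
    print(addr)
    # No private component appears above: whoever holds the matching private key
    # can sign descriptors for this name, which is why key theft equals hijack.
    print(address_matches(TOY_N, TOY_E, addr.upper()))
```

On the defensive side the same function is the check an incident responder runs after a host compromise: if the `private_key` file from the hidden service directory is recovered from the attacker's loot, `address_matches` confirms which .onion identity is now shared with them.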
Lessons Learned
Dark Web as "corner case" of the Internet… NO!
Active and Dynamic Underground Market
Motivated and Knowledgeable Attackers
Manual and Targeted Attacks
Modern and Sophisticated Threats
Thank You!