Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017
Transcript of Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017
![Page 1: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/1.jpg)
Cybercrime and Attacks in the Dark Side of the Web
Dr. Marco Balduzzi*
Senior Researcher at Trend Micro, http://www.madlab.it, @embyte
*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini
![Page 2: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/2.jpg)
![Page 3: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/3.jpg)
The Dark Ecosystem
Dark Nets
• TOR
• I2P
• Freenet
Custom DNS
• Namecoin
• Emercoin
Rogue TLDs
• Cesidian Root
• OpenNIC
• NewNations
• …
![Page 4: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/4.jpg)
A perfect platform for Cybercrime
![Page 5: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/5.jpg)
Our Investigative System: DEMO
timestamp:[2015-01-01 TO 2015-12-31] AND title:marketplace
![Page 6: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/6.jpg)
Our Gateway to the Dark Internet
• Privoxy + TOR anonymizer
• Squid transparent proxy
• Polipo + TOR, 64 instances
• I2P
• Freenet
• Custom DNS resolver (DNSMASQ)
• Namecoin DNS
• Rogue TLD DNS: Cesidian root, OpenNIC, NameSpace, …
![Page 7: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/7.jpg)
Data Exploration
Headless browser → HAR log, page DOM, screenshot
Extracted per page: title, text, metadata, raw HTML, links, Bitcoin wallets
![Page 8: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/8.jpg)
Headless Browser
Scrapinghub's Splash
• QTWebkit browser, Dockerized, LUA scriptable
• Full HTTP traces
Crawler based on Python's Scrapy + multiprocess + Splash access
• Headers rewrite
• Shared queue support
• HAR log -> HTTP redirection chain
Extract links, emails, bitcoin wallets
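The two crawler steps above, rebuilding the redirection chain from a HAR log and extracting links, e-mails and wallets from page text, as an added Python example that is not the talk's own crawler code. The HAR fragment, the page text and the `.onion` hosts are constructed; the Bitcoin address check is the standard Base58Check checksum, which drops mistyped or decoy wallet strings the regex alone would accept.

```python
import hashlib
import json
import re

# Constructed HAR 1.2 fragment (stand-in for a Splash trace): two redirect hops ending in
# a 200 page, plus an unrelated stylesheet request that is not part of the chain.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "http://exampleaaaaaaaaa.onion/"},
     "response": {"status": 302, "redirectURL": "http://exampleaaaaaaaaa.onion/login"}},
    {"request": {"url": "http://exampleaaaaaaaaa.onion/style.css"},
     "response": {"status": 200, "redirectURL": ""}},
    {"request": {"url": "http://exampleaaaaaaaaa.onion/login"},
     "response": {"status": 301, "redirectURL": "http://examplebbbbbbbbb.onion/market"}},
    {"request": {"url": "http://examplebbbbbbbbb.onion/market"},
     "response": {"status": 200, "redirectURL": ""}},
]}})
# Constructed page text carrying the three artefact types the crawler extracts.
SAMPLE_TEXT = ("PGP at http://examplebbbbbbbbb.onion/pgp, mail vendor@examplemail.invalid, "
               "pay to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (not 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb)")

def redirect_chain(har_json):
    """Follow redirectURL pointers from the first request -> [(url, status), ...]."""
    entries = json.loads(har_json)["log"]["entries"]
    by_url = {e["request"]["url"]: e for e in entries}  # lets us skip off-chain entries
    chain, seen, url = [], set(), entries[0]["request"]["url"]
    while url in by_url and url not in seen:  # `seen` terminates a redirect loop
        seen.add(url)
        resp = by_url[url]["response"]
        chain.append((url, resp["status"]))
        if not 300 <= resp["status"] < 400:
            break
        url = resp.get("redirectURL", "")
    return chain

ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")  # v2 (16) or v3 (56) chars
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy Base58 addresses
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def is_valid_btc_address(addr):
    """Base58Check: 25 bytes = version(1) + hash160(20) + checksum(4),
    checksum = SHA256(SHA256(version + hash160))[:4]; leading '1's are zero bytes."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)
    if n >= 1 << 200:  # cannot fit a 25-byte payload
        return False
    raw = n.to_bytes(25, "big")
    return hashlib.sha256(hashlib.sha256(raw[:-4]).digest()).digest()[:4] == raw[-4:]

def extract_artefacts(text):
    """Links, e-mails and wallets from page text; wallets failing the checksum are dropped."""
    return {"onions": sorted(set(ONION_RE.findall(text))),
            "emails": sorted(set(EMAIL_RE.findall(text))),
            "wallets": sorted(a for a in set(BTC_RE.findall(text)) if is_valid_btc_address(a))}
```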
![Page 9: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/9.jpg)
Data Analysis
Embedded links classification (WRS)
• Surface Web links
• Classification and categorization
Page translation
• Language detection
• Non-English to English
Significant wordcloud
• Semantic clustering
• Custom algorithm
![Page 10: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/10.jpg)
Significant Wordcloud
• Page text: scrape text from HTML, clean up, strip spaces, etc.
• Tokenization: create a list of (word, frequency) pairs
• Filtering: keep only substantives
• Semantic distance matrix: how “far” are words from one another?
• Hierarchical clustering: group similar words
• Cluster label and popularity: label clusters, sum frequencies
• Word cloud: draw using summed frequencies
Libraries: lxml, NLTK (WordNet), Wordcloud (pillow)
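The significant-wordcloud pipeline above (tokenize, filter, distance matrix, hierarchical clustering, cluster label and summed popularity), as an added Python example that is not the talk's implementation. The WordNet semantic distance is replaced by a constructed synonym table and the part-of-speech filter by a constructed stop-word list so that the block runs offline; the clustering step is a real single-linkage agglomerative clustering over the distance matrix.

```python
import re
from collections import Counter

# Constructed stand-in for the WordNet-based semantic distance the talk uses:
# words sharing a set are close (0.2), everything else is far (1.0).
SYNSETS = [{"gun", "pistol", "firearm", "rifle"},
           {"passport", "identity", "id"},
           {"card", "visa", "mastercard"}]
# Constructed stop-word list standing in for the "keep only substantives" POS filter.
STOPWORDS = {"the", "a", "and", "of", "to", "with", "for", "in", "is", "we"}
# Constructed listing text, as if scraped from a marketplace page.
SAMPLE_TEXT = ("Best pistol shop: pistol, pistol, gun, firearm. Fake passport, passport, id. "
               "Stolen card, card, visa with full data")

def tokenize(text):
    """Lower-case tokens minus stop-words -> Counter of (word, frequency)."""
    words = re.findall(r"[a-z]+", text.lower())
    return Counter(w for w in words if w not in STOPWORDS and len(w) > 1)

def semantic_distance(a, b):
    if a == b:
        return 0.0
    return 0.2 if any(a in s and b in s for s in SYNSETS) else 1.0

def distance_matrix(words):
    return {(a, b): semantic_distance(a, b) for a in words for b in words}

def hierarchical_clusters(words, dist, threshold=0.5):
    """Single-linkage agglomerative clustering: repeatedly merge the two clusters with
    the closest members until the nearest remaining pair is farther than `threshold`."""
    clusters = [[w] for w in words]
    while len(clusters) > 1:
        d, i, j = min((dist[(a, b)], i, j)
                      for i in range(len(clusters)) for j in range(i + 1, len(clusters))
                      for a in clusters[i] for b in clusters[j])
        if d > threshold:
            break
        clusters[i] += clusters.pop(j)
    return clusters

def significant_words(text, threshold=0.5):
    """Label each cluster by its most frequent member and sum the members' frequencies;
    the result is the (label, popularity) input the word cloud is drawn from."""
    freq = tokenize(text)
    words = list(freq)
    labelled = {}
    for c in hierarchical_clusters(words, distance_matrix(words), threshold):
        labelled[max(c, key=freq.get)] = sum(freq[w] for w in c)
    return labelled
```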
![Page 11: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/11.jpg)
The Dark Portal
![Page 12: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/12.jpg)
Examples
![Page 13: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/13.jpg)
Guns
![Page 14: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/14.jpg)
Identities and Passports
![Page 15: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/15.jpg)
Credit Cards
![Page 16: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/16.jpg)
Accounts, e.g. Israeli Paypal
![Page 17: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/17.jpg)
Cashout services
![Page 18: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/18.jpg)
Bulletproof Hosting Providers
![Page 19: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/19.jpg)
Impact on organizations
Dark Web traffic is difficult for traditional systems (IDS) to detect
Resilient and stealthy malware
Persistence and monitoring (APT)
![Page 20: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/20.jpg)
Ransomware
TorrentLocker, i.e. a variant of CryptoLocker
Payment page hosted in TOR:
• wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019
• wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775
Cashout via BITCOINS
![Page 21: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/21.jpg)
Keylogger
![Page 22: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/22.jpg)
Organized Attacks
![Page 23: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/23.jpg)
We simulated a cybercriminal installation in the Dark Web
![Page 24: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/24.jpg)
Honeypot
I. Black Market
II. Hosting Provider
III. Underground Forum
IV. Misconfigured Server (FTP/SSH/IRC)
Technology
I. Wordpress + Shells
II. OsCommerce
III. Custom Web App
IV. Custom OS (Linux)
![Page 25: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/25.jpg)
![Page 26: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/26.jpg)
Registration-Only Forum
![Page 27: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/27.jpg)
Exposes a Local File Inclusion
![Page 28: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/28.jpg)
A 7-month experiment
Month 1: Different advertisement strategies to honeypot #1
[Chart: number of daily POST requests]
Average of 1.4 malicious uploads per day
![Page 29: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/29.jpg)
Manual VS Automated Attacks
Pre-installed web shells attracted the most “visitors”
CMS #1 and #2 were reached via Google dorks (on Tor2Web); CMS #3 was not, because it is custom
CMS #2 was reached via the query “Index of /files/images/” on TOR's search engine (http://hss3uro2hsxfogfq.onion)
[Chart: number of attacks and number of days with attacks]
![Page 30: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/30.jpg)
Traditional Web Attacks
![Page 31: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/31.jpg)
Password-protected Shells
![Page 32: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/32.jpg)
Smart use of Obfuscation
![Page 33: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/33.jpg)
Abuse of Tor for Anonymized Attacks
![Page 34: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/34.jpg)
(Anonymized) Phishing Campaign
![Page 35: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/35.jpg)
Rival Gangs
• Cyber-criminal gangs compromising opponents
• Self-promoting their “business”
![Page 36: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/36.jpg)
(TOR Keys)
Signing keypair generation → private key + public key
Public key → XYZ.onion
Introduction points + public key → used to compute the hidden service descriptor
![Page 37: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/37.jpg)
HS’ Private Key theft
400+ attacks
MiTM, hijack and decryption
![Page 38: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/38.jpg)
Lessons Learned
Dark Web as “corner case” of the Internet… NO!
Active and Dynamic Underground Market
Motivated and Knowledgeable Attackers
Manual and Targeted Attacks
Modern and Sophisticated Threats
![Page 39: Marco Balduzzi - Cyber-crime and attacks in the dark side of the web - Codemotion Milan 2017](https://reader034.fdocuments.us/reader034/viewer/2022051710/5a64798d7f8b9a3b568b4797/html5/thumbnails/39.jpg)
Thank You!
Dr. Marco Balduzzi*
Senior Researcher at Trend Micro, http://www.madlab.it, @embyte
*With the cooperation of Mayra Rosario and Vincenzo Ciancaglini