The Dark Web - can fraudsters stay anonymous? · Let‘s go underground (11/10/2015, 57 slides)

Transcript of The Dark Web - can fraudsters stay anonymous? · Let‘s go underground

Page 1: The Dark Web - can fraudsters stay anonymous? · Let‘s go underground, 11/10/2015

Page 2:

The Dark Web - can fraudsters stay anonymous?

11/10/2015

2

• How TOR and Anonymisation works

• Which activities are going on in the Dark Web

• Case Study: Successful takedown by Law Enforcement

Martin KÖB,

Raiffeisen Bank International

Security & Business Continuity Management

Page 3: The underground is going social - clearnet

Page 4: Fully undetectable malware

Page 5: Let‘s go underground

Deep Web

o Not indexed or searchable by Google, Bing etc.

o Frequently behind logins, accessible by invitation only

o Uses DNS

Dark Web

o Peer-to-peer networks using technologies such as TOR and I2P, Freenet and others

o No DNS used

• Focus today

o TOR + Hidden Services (HS)

Page 6: Generally: VPN & Proxy – many clients, easy to use

Page 7: TOR + Anonymity

Page 8: TOR: install & let‘s see if it works

Page 9: How to get to the Darkside

Find „entry point“, e.g.: Ahmia.fi

Page 10: Search directories, e.g.:

Page 11: „domain names“ in Onionland

Strange domain names:

16-character strings of letters and digits, derived automatically from the Hidden Service's public key (a hash of it) when the service is configured

A human-readable .onion URL (e.g. one starting with an organisation name) is obtained by generating massive numbers of key pairs until a sufficiently desirable address is found.
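As an added example (not from the slides), the Python below derives a 2015-era v2 .onion name the way the slide describes, works out how many key pairs a vanity prefix costs on average, and shows why only the full 16-character name identifies a service; the key bytes are a constructed placeholder and the helper names are hypothetical.

```python
import base64
import hashlib

ONION_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # RFC 4648 base32, lower-cased


def onion_v2_address(der_public_key: bytes) -> str:
    """v2 .onion name: base32 of the first 80 bits (10 bytes) of SHA-1 over the
    DER-encoded RSA public key; 10 bytes encode to exactly 16 base32 characters."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def normalise(name: str) -> str:
    """Lower-case, strip a trailing '.onion', and reject anything that is not a
    16-character v2 name (hypothetical helper, not a Tor API)."""
    name = name.strip().lower()
    if name.endswith(".onion"):
        name = name[:-len(".onion")]
    if len(name) != 16 or any(c not in ONION_ALPHABET for c in name):
        raise ValueError(f"not a v2 onion name: {name!r}")
    return name


def expected_keypairs_for_prefix(prefix: str) -> int:
    """Average number of random key pairs to grind before an address starts with
    `prefix`: each base32 character has 32 possibilities, so 32 ** len(prefix).
    This is why an organisation-name prefix is cheap to obtain and proves nothing."""
    if not prefix or any(c not in ONION_ALPHABET for c in prefix):
        raise ValueError("prefix must be non-empty and use only a-z and 2-7")
    return 32 ** len(prefix)


def same_service(expected_onion: str, presented_onion: str) -> bool:
    """Only a full, exact 16-character match identifies the same Hidden Service."""
    return normalise(expected_onion) == normalise(presented_onion)


def lookalike(expected_onion: str, presented_onion: str, prefix_len: int = 6) -> bool:
    """True for the clone pattern from the slides: same leading characters as the
    genuine site, but a different key behind it (and so a different full name)."""
    a, b = normalise(expected_onion), normalise(presented_onion)
    return a != b and a[:prefix_len] == b[:prefix_len]


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for a DER-encoded RSA public key.
    fake_key = b"\x30\x81\x89\x02\x81\x81\x00" + bytes(range(129)) + b"\x02\x03\x01\x00\x01"
    genuine = onion_v2_address(fake_key) + ".onion"
    print("derived name:", genuine)
    print("key pairs to grind for a 6-char prefix:", expected_keypairs_for_prefix(genuine[:6]))
```

Bookmarking the full 16-character name (or its signed announcement) and comparing it with `same_service` is the check that defeats the similarly-named clones discussed later in the deck.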

Page 12: Principles

Hidden Services publish their „descriptor“ (public key, introduction points) in a table.

This list is distributed to certain relays.

The client needs this table to find the .onion site.

The complete connection between client and hidden service consists of 6 relays: 3 picked by the client, with the third being the rendezvous point, and the other 3 picked by the hidden service.

Page 13: Many of those 3k sites have „alert“ in their description – interesting…

Page 14: Those are the „Alert!“ pages

Page 15: Room for improvement:

Many sites have similar names, to phish credentials, collect bitcoins – and to steal business…

Honeypots by LE?

https://lists.torproject.org/pipermail/tor-talk/2015-June/038295.html

Page 16: Add your own site to „directories“

Page 17: I want my own shop!

• Someone has my private key for .onion name and BTC wallet?

Page 18: Agora – the new Silk Road?

Page 19: Exposed on the internet

Page 20: This just in: August 27th

Page 21: Fake IDs – fake site?

Page 22: „Search engine“ specialised in ads - Nice Logo

Page 23: Vendor feedback on Grams

Page 24: PayPal Accounts

Page 25: Credit cards

Page 26: Iota Bank .onion and .com

Page 27: Murder for hire

Page 28: What LE is doing to

QUESTIONS

Page 29: Sigaint.org

Page 30: Silkroad 1 10.2013

http://www.theverge.com/2013/10/2/4794780/fbi-seizes-underground-drug-market-silk-road-owner-indicted-in-new

Page 31: Hidden services taken offline 11.14

https://www.europol.europa.eu/content/global-action-against-dark-markets-tor-network

Page 32: Tor Project is speculating

“Unfortunately, the authorities did not specify how they managed to locate the hidden services.”

…We don't know.

• Possibly real information on hidden services – e.g. email addresses

• SQL injections

• …quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem.

• Bitcoin deanonymization

• …Tor relays were seized …the Tor network was attacked to reveal the location of those hidden services.

• …

• or

• Hidden Service site is compromised with spyware (flash file)

See https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous and https://www.deepdotweb.com/2015/10/05/fbi-unmasked-cp-website-user-using-a-spyware/

Page 33: Deanonymization techniques for Tor

https://crypto.stanford.edu/seclab/sem-14-15/stanford-2014.svg#1_0

Page 34: Silkroad 2: the beginning

Page 35: Example of investigation – Silk Road 2.0

• After SR1 went down, a forum started with the idea to start again

• A UC (undercover) agent is in the forum and becomes a member of the support system (and has access to the login times of the admin and exchanges private messages)

• …the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time

• A server image is taken, the SR website slows down

• The customer contacts the provider not to touch the server; the IP (from which the support forum was accessed) is logged

• The customer's email address for server alerts/notifications is also identified

• Google (search warrant) provides access to the mail account:

• The IP used to access Gmail matches the above

• Email content matches the above (notifications from the provider, exchange about the hosting contract)

• Email content proves the BTC address is the same as on the forum

Page 36: Example of investigation – Silk Road 2.0

• Login to SR from a hotel: IP confirms the login, mails confirm he was at the hotel

• First BTC transaction 1 day after opening SR2; down payment for a car matches emails and transactions

• Logged into the SR forum and the BTC exchange without TOR

• Physical surveillance starts (address is known from the ISPs of the logins), vehicles registered, names confirmed

• Online presence matches him entering/leaving several locations (relatives, home, hotel)

• Tor traffic matches the above

• Busted! 11.2014

• See: http://www.justice.gov/sites/default/files/usao-sdny/legacy/2015/03/25/Benthall,%20Blake%20Complaint.pdf

Diagram: links between BTC address, real name, IP address, mail account and real address
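The chain of evidence on these two slides is, at its core, a join across independent data sources on a shared IP address within a time window. As an added example (not from the slides or the complaint), the Python below runs that correlation over constructed records; the source names, IP addresses and timestamps are invented for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (source, ISO timestamp, client IP, detail); not real data.
RECORDS = [
    ("hosting_provider", "2014-05-02T10:15:00", "203.0.113.7",   "support ticket: do not touch server"),
    ("mail_provider",    "2014-05-02T10:20:00", "203.0.113.7",   "login to mail account"),
    ("forum_clearnet",   "2014-05-03T21:02:00", "203.0.113.7",   "login without Tor"),
    ("btc_exchange",     "2014-05-03T21:10:00", "203.0.113.7",   "login without Tor"),
    ("mail_provider",    "2014-06-11T08:00:00", "198.51.100.20", "login to mail account (hotel)"),
    ("forum_clearnet",   "2014-06-11T08:30:00", "198.51.100.20", "login without Tor (hotel)"),
    ("forum_clearnet",   "2014-06-20T12:00:00", "192.0.2.99",    "login via Tor exit, no correlation"),
]


def parse(records):
    """Turn the raw tuples into (source, datetime, ip, detail)."""
    return [(src, datetime.fromisoformat(ts), ip, detail) for src, ts, ip, detail in records]


def ips_seen_in_multiple_sources(records, min_sources=2):
    """IPs that show up in at least `min_sources` independent sources: the
    'two lives not kept separate' signal the slides describe."""
    by_ip = defaultdict(set)
    for src, _, ip, _ in parse(records):
        by_ip[ip].add(src)
    return {ip: sorted(srcs) for ip, srcs in by_ip.items() if len(srcs) >= min_sources}


def co_occurrences(records, window_minutes=60):
    """Pairs of events from different sources, same IP, at most `window_minutes`
    apart. Events are sorted by time so the inner loop can stop early."""
    window = timedelta(minutes=window_minutes)
    events = sorted(parse(records), key=lambda e: e[1])
    pairs = []
    for i, (src_a, t_a, ip_a, _) in enumerate(events):
        for src_b, t_b, ip_b, _ in events[i + 1:]:
            if t_b - t_a > window:
                break
            if ip_a == ip_b and src_a != src_b:
                pairs.append((ip_a, src_a, src_b, t_a.isoformat(), t_b.isoformat()))
    return pairs


if __name__ == "__main__":
    for ip, sources in ips_seen_in_multiple_sources(RECORDS).items():
        print(ip, "->", ", ".join(sources))
    for pair in co_occurrences(RECORDS):
        print(pair)
```

The lone Tor-exit login never correlates, which is the point of the takeaway slides: it is the logins made outside Tor that tie the accounts together.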

Page 37: Identified alleged admin of SR2

Page 38: Silkroad 2: the end

Page 39: Silkroad 3.0 – up again 8.15

Page 40: Takeaway (1)

My opinion:

• Overrated, not as big as advertised in media

• Sites constantly come and disappear, very unstable and slow, no complete index – therefore not searchable

• Content: mostly criminal, but not only

• Main activities: hacking, drugs, weapons, counterfeit ID and currency, scams, stolen credit cards, paypal accounts – even faked coupons…

• Also: Many Anonymity and Privacy groups (leaks, discussion forums, rants about left/right-wing politics, cat facts)

• And few serious criminal activities: murder, CP

Page 41: Takeaway (2)

My opinion:

• Fraudsters make mistakes and don‘t keep their 2 lives separated consistently

• You can‘t trust ANYbody – downside of privacy

• Therefore connections to the „normal“ web definitely exist and can be investigated further

• Even hidden services on TOR can be infiltrated – and shut down

• There is no „real“ anonymity in the Web, just a question of how deep one investigates

Page 42: Interested? Research required

• How big is the Dark Web really? Create a spider and index ANY .onion site?*

• How to attack hidden services to reveal their IP (only your own sites please!)

• OTHER ideas?

• Further reading:

• http://people.csail.mit.edu/devadas/pubs/circuit_finger.pdf

• https://www.europol.europa.eu/content/internet-organised-crime-threat-assessment-iocta-2015

• https://www.deepdotweb.com/

• http://industryofanonymity.com/

• * https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-soska-updated.pdf

• https://www.torproject.org/docs/hidden-services.html.en

• http://donncha.is/2013/05/trawling-tor-hidden-services/

• Gareth Owen http://ghowen.me/ccc and video:

• https://media.ccc.de/v/31c3_-_6112_-_en_-_saal_2_-_201412301715_-_tor_hidden_services_and_deanonymisation_-_dr_gareth_owen

Page 43: Back up: Bitcoins

Page 44: Update 10.2015: malware with TOR functionality

Page 45: Some more screenshots

Page 46: Rating of Markets UPDATE

Page 47: Murder for hire

Page 48:

Page 49: Multiply your bitcoins - scam

Page 50: Round 1: Bet on presidential candidate

Page 51: Counterfeit Cash

Page 52: Hacked

Page 53: New Player

Page 54: For Whistleblowers

Page 55: Guns

Page 56: Legitimate Art Space – Kunsthalle St. Gallen

Page 57: Ashley Madison dumps