The Dark Web - can fraudsters stay anonymous?
11/10/2015
• How TOR and Anonymisation works
• Which activities are going on in the Dark Web
• Case Study: Successful takedown by Law Enforcement
Martin KÖB,
Raiffeisen Bank International
Security & Business Continuity Management
The underground is going social - clearnet
Fully undetectable malware
Let’s go underground
Deep Web
o Not indexed or searchable by Google, Bing etc.
o Frequently behind logins, accessible by invitation only
o Uses DNS
Dark Web
o Peer-to-peer networks using technologies such as TOR and I2P, Freenet and others
o No DNS used
• Focus today
o TOR + Hidden Services (HS)
Generally: VPN & Proxy – many clients, easy to use
TOR + Anonymity
TOR: install & let’s see if it works
How to get to the Darkside
Find „entry point“, e.g.: Ahmia.fi
Search directories, e.g.:
„domain names“ in Onionland
Strange domain names:
16-character alpha-semi-numeric hashes which are automatically generated (based on the public key) when a Hidden Service is configured
Human-readable .onion URLs (e.g. starting with an organisation name) are obtained by generating massive numbers of key pairs until a sufficiently desirable URL is found.
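The 16-character names described above are the v2 .onion scheme: the name is the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, base32-encoded. The following is an added example (not code from the slides or from the Tor Project) that derives such a name and estimates how many key pairs a "desirable" prefix costs on average. It uses only the Python standard library; `onion_v2_address`, `expected_trials_for_prefix` and `search_vanity` are names chosen here, and `os.urandom()` blobs stand in for real RSA keys, which no real tool would do.

```python
import base64
import hashlib
import os
from typing import Optional, Tuple

# Characters a v2 .onion name can contain: lowercase base32 (a-z, 2-7).
ONION_V2_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")


def onion_v2_address(der_public_key: bytes) -> str:
    """Derive a v2 .onion name (without the '.onion' suffix) from the
    DER-encoded RSA public key: SHA-1, keep 80 bits, base32-encode.
    10 bytes of digest become exactly 16 base32 characters."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_trials_for_prefix(prefix: str) -> int:
    """Expected number of random key pairs needed before one hashes to the
    given prefix. Each base32 character carries 5 bits, so a uniformly
    random name starts with an n-character prefix with probability 32**-n."""
    if not prefix or any(c not in ONION_V2_ALPHABET for c in prefix):
        raise ValueError("prefix must be non-empty, lowercase base32 (a-z, 2-7)")
    return 32 ** len(prefix)


def search_vanity(prefix: str, max_trials: int = 200_000) -> Optional[Tuple[str, int]]:
    """Simulate the brute-force search with random stand-in key blobs.

    Returns (address, number_of_trials) or None if max_trials is exhausted.
    The stand-in is only to show the hashing and matching loop; generating a
    real RSA key per trial is far more expensive than os.urandom().
    """
    for trial in range(1, max_trials + 1):
        fake_key = os.urandom(140)  # constructed stand-in for a DER-encoded key
        addr = onion_v2_address(fake_key)
        if addr.startswith(prefix):
            return addr, trial
    return None


if __name__ == "__main__":
    # Constructed input: any byte string hashes to a well-formed name.
    print(onion_v2_address(b"constructed stand-in for a DER public key"))
    for n in (1, 4, 8):
        print(n, "chars ->", expected_trials_for_prefix("a" * n), "expected trials")
    print(search_vanity("a"))
```

The cost table is the practical point for a defender: a short recognisable prefix is cheap to reproduce, so the rest of the name, not the readable part, is what identifies a service.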
Principles
Hidden Services publish their „descriptor“ in a table (public key, intro points)
This list is distributed to certain relays
The client needs this table to find the .onion site
The complete connection between client and hidden service consists of 6 relays: 3 of them are picked by the client, with the third being the rendezvous point, and the other 3 are picked by the hidden service.
Many of those 3k sites have „alert“ in their description – interesting…
Those are the „Alert!“ pages
Room for improvement:
Many sites have similar names, to phish credentials, collect bitcoins – and to steal business…
Honeypots by LE?
https://lists.torproject.org/pipermail/tor-talk/2015-June/038295.html
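Because a readable prefix is cheap to reproduce, lookalike entries in a directory can only be spotted by comparing against an address obtained from a source you already trust. The following is an added example (not from the slides or any directory operator) that scans a constructed directory listing for two patterns: a display name reused with a different address, and an address sharing a long vanity prefix with a known-good one but differing afterwards. `DIRECTORY`, `KNOWN_GOOD`, `find_lookalikes` and every address are made up for this example.

```python
from typing import Dict, List, Tuple

# Constructed directory listing: (display name, .onion address).
# Every address below is invented and refers to no real service.
DIRECTORY: List[Tuple[str, str]] = [
    ("Example Market",        "exampleab2c3d4e5.onion"),
    ("Example Market Mirror", "examplexyz7abcd2.onion"),  # same vanity prefix, different key
    ("Example Market",        "q2r3s4t5u6v7w2x3.onion"),  # same display name, unrelated key
    ("Cat Facts",             "catfacts2b3c4d5e.onion"),
]

# Addresses obtained from a source the reader trusts (constructed here).
KNOWN_GOOD: Dict[str, str] = {"Example Market": "exampleab2c3d4e5.onion"}


def common_prefix_len(a: str, b: str) -> int:
    """Number of leading characters two strings share."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_lookalikes(directory: List[Tuple[str, str]],
                    known_good: Dict[str, str],
                    min_prefix: int = 6) -> List[Tuple[str, str]]:
    """Flag directory entries that impersonate a known-good address.

    Returns (address, kind) pairs, where kind is 'name-reuse' (same display
    name, different address) or 'prefix-collision' (at least min_prefix
    leading characters in common with a known-good address, different key).
    """
    flagged: List[Tuple[str, str]] = []
    for name, addr in directory:
        for good_name, good_addr in known_good.items():
            if addr == good_addr:
                continue  # the genuine entry itself
            if name == good_name:
                flagged.append((addr, "name-reuse"))
            elif common_prefix_len(addr, good_addr) >= min_prefix:
                flagged.append((addr, "prefix-collision"))
    return flagged


if __name__ == "__main__":
    for addr, kind in find_lookalikes(DIRECTORY, KNOWN_GOOD):
        print(f"{addr}: {kind}")
```

The threshold `min_prefix` trades false positives against misses: with 16 random base32 characters, two unrelated names sharing 6 or more leading characters is very unlikely by chance, so a long shared prefix is almost always deliberate.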
Add your own site to „directories“
I want my own shop!
• Someone has my private key for .onion name and BTC wallet?
Agora – the new silkroad?
Exposed on the internet
This just in: August 27th
Fake IDs – fake site?
„Search engine“ specialised in ads - Nice Logo
Vendor feedback on Grams
Paypal Accounts
Credit cards
Iota Bank .onion and .com
Murder for hire
What LE is doing to
QUESTIONS
Sigaint.org
Silkroad 1 10.2013
http://www.theverge.com/2013/10/2/4794780/fbi-seizes-underground-drug-market-silk-road-owner-indicted-in-new
Hidden services taken offline 11.14
https://www.europol.europa.eu/content/global-action-against-dark-markets-tor-network
Tor Project is speculating
“Unfortunately, the authorities did not specify how they managed to locate the hidden services.”
…We don't know.
• Possibly real information on hidden services – e.g.: email addresses
• SQL injections
• …quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem.
• Bitcoin deanonymization
• …Tor relays were seized …the Tor network was attacked to reveal the location of those hidden services.
• …
• or
• Hidden Service site is compromised with spyware (flash file)
See https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous and https://www.deepdotweb.com/2015/10/05/fbi-unmasked-cp-website-user-using-a-spyware/
Deanonymization techniques for Tor
https://crypto.stanford.edu/seclab/sem-14-15/stanford-2014.svg#1_0
Silkroad 2: the beginning
Example of investigation – Silk Road 2.0
• After SR1 went down, a forum started with the idea to start again
• UC agent is in the forum and becomes a member of the support system (and has access to the login times of the admin and exchanges private messages)
• …the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time
• Server image is taken, SR website slows down
• Customer contacts the provider asking them not to touch the server; the IP (from which the support forum was accessed) is logged
• The customer's email address for server alerts/notifications is also identified
• Google (search warrant) provides access to the mail account:
  • IP used to access Gmail matches the above
  • Email content matches the above (notifications from the provider, exchange about the hosting contract)
  • Email content proves the BTC address is the same as on the forum
Example of investigation – Silk Road 2.0
• Login to SR from a hotel: IP confirms the login, mails confirm he was at the hotel
• First BTC transaction 1 day after opening SR2; down payment for a car matches emails and transactions
• Logged into the SR forum and a BTC exchange without TOR
• Physical surveillance starts (address is known to the ISPs of the logins), vehicles registered, names confirmed
• Online presence matches him entering/leaving several locations (relatives, home, hotel)
• Tor traffic matches the above
• Busted! 11.2014
• See: http://www.justice.gov/sites/default/files/usao-sdny/legacy/2015/03/25/Benthall,%20Blake%20Complaint.pdf
Linked identifiers: BTC address, real name, IP address, mail account, real address
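The investigation steps above are a chain of co-observations: a forum handle seen with an IP, that IP seen in a webmail log, the mailbox naming a BTC address and a hosting contract. The following is an added example (not from the slides or the complaint) showing how such links are walked mechanically: each evidence record contributes edges between the identifiers it shows together, and a breadth-first search returns the shortest chain from a pseudonym to a real-world identifier. All records, names, IPs and addresses are constructed placeholders; `RECORDS`, `build_graph`, `linked_identifiers` and `link_path` are names chosen here.

```python
from collections import deque
from typing import Dict, Iterable, List, Optional, Set

# Constructed evidence records. Each set holds identifiers that one source
# (a log line, a provider's records, a warrant return) showed together.
# Every value is a placeholder; none refers to a real person, host or address.
RECORDS: List[Set[str]] = [
    {"forum:vendor_handle", "ip:198.51.100.23"},                       # forum login made without Tor
    {"ip:198.51.100.23", "email:placeholder@example.com"},             # webmail access log
    {"email:placeholder@example.com", "btc:1PlaceholderBtcAddress"},   # address quoted in a mail
    {"btc:1PlaceholderBtcAddress", "forum:vendor_handle"},             # same address posted on the forum
    {"email:placeholder@example.com", "name:J. Doe (placeholder)",
     "postal:1 Example Street (placeholder)"},                         # hosting contract
    {"forum:other_user", "ip:203.0.113.9"},                            # unrelated record
]


def build_graph(records: Iterable[Set[str]]) -> Dict[str, Set[str]]:
    """Identifiers observed together become neighbours in an undirected graph."""
    graph: Dict[str, Set[str]] = {}
    for record in records:
        for ident in record:
            graph.setdefault(ident, set()).update(record - {ident})
    return graph


def linked_identifiers(records: Iterable[Set[str]], start: str) -> Set[str]:
    """Every identifier reachable from `start` through shared observations."""
    graph = build_graph(records)
    seen = {start}
    stack = [start]
    while stack:
        node = stack.pop()
        for nxt in graph.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen


def link_path(records: Iterable[Set[str]], src: str, dst: str) -> Optional[List[str]]:
    """Shortest chain of identifiers connecting src to dst, or None if unlinked."""
    graph = build_graph(records)
    prev: Dict[str, Optional[str]] = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in graph.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def kinds(identifiers: Iterable[str]) -> Set[str]:
    """Identifier categories (the prefix before ':') present in a cluster."""
    return {i.split(":", 1)[0] for i in identifiers}


if __name__ == "__main__":
    cluster = linked_identifiers(RECORDS, "forum:vendor_handle")
    print(sorted(cluster))
    print(link_path(RECORDS, "forum:vendor_handle", "name:J. Doe (placeholder)"))
```

The same structure reads in the other direction for an operator assessing their own exposure: any record that places a clearnet identifier (an IP, a mailbox, a payment address) in the same set as a pseudonym is an edge that did not exist before, and the path printed is the minimum amount of correlation an investigator needs.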
Identified alleged admin of SR2
Silkroad 2: the end
Silkroad 3.0 – up again 8.15
Takeaway (1)
My opinion:
• Overrated, not as big as advertised in media
• Sites constantly come and disappear, very unstable and slow, no complete index – therefore not searchable
• Content: mostly criminal, but not only
• Main activities: hacking, drugs, weapons, counterfeit ID and currency, scams, stolen credit cards, paypal accounts – even faked coupons…
• Also: many anonymity and privacy groups (leaks, discussion forums, rants about left/right-wing politics, cat facts)
• And a few serious criminal activities: murder, CP
Takeaway (2)
My opinion:
• Fraudsters make mistakes and don’t keep their 2 lives separated consistently
• You can’t trust ANYbody – downside of privacy
• Therefore connections to the „normal“ web definitely exist and can be investigated further
• Even hidden services on TOR can be infiltrated – and shut down
• There is no „real“ anonymity in the Web, just a question of how deep one investigates
Interested? Research required
• How big is the Dark Web really? Create a spider and index ANY .onion site?*
• How to attack hidden services to reveal their IP (only your own sites, please!)
• OTHER ideas?
• Further reading:
  • http://people.csail.mit.edu/devadas/pubs/circuit_finger.pdf
  • https://www.europol.europa.eu/content/internet-organised-crime-threat-assessment-iocta-2015
  • https://www.deepdotweb.com/
  • http://industryofanonymity.com/
  • * https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-soska-updated.pdf
  • https://www.torproject.org/docs/hidden-services.html.en
  • http://donncha.is/2013/05/trawling-tor-hidden-services/
  • Gareth Owen http://ghowen.me/ccc and video:
  • https://media.ccc.de/v/31c3_-_6112_-_en_-_saal_2_-_201412301715_-_tor_hidden_services_and_deanonymisation_-_dr_gareth_owen
Back up: Bitcoins
Update 10.2015: malware with TOR functionality
Some more screenshots
Rating of Markets UPDATE
Murder for hire
Multiply your bitcoins - scam
Round 1: Bet on presidential candidate
Counterfeit Cash
Hacked
New Player
For Whistleblowers
Guns
Legitimate Art Space – Kunsthalle St. Gallen
Ashley Madison dumps