Showing results for tags 'dark web'.


Found 18 results

  1. Canadian aircraft manufacturer Bombardier Inc. is the latest victim of a cyberattack with stolen data published on the dark web. Bombardier Tuesday described the attack as a “limited cybersecurity breach” that involved an “unauthorized party accessed and extracted data by exploiting a vulnerability affecting a third-party file-transfer application.” The dark web is a shady corner of the internet where illicit goods and services, including data troves, are bought and sold.

     According to the company, the data stolen included personal and other confidential information relating to employees, customers and suppliers. Bombardier then ticked off the standard list of responses following an attack — informing those who have had their data stolen, employing third-party cybersecurity and forensic professionals, and notifying appropriate authorities, including law enforcement.

     Although Bombardier may have been somewhat light in providing details, where the stolen data went points to the form of attack: It appeared on a site run by the Clop ransomware gang, according to ZDNet. Another hint as to how the attack took place is in Bombardier’s mention that access was obtained by “exploiting a vulnerability affecting a third-party file-transfer application.” Recent Clop ransomware attacks, including those targeting law firm Jones Day and the Office of the Washington State Auditor, involved exploiting a vulnerability in software from Accellion Inc.

     Even though Bombardier has not confirmed that the attack involved ransomware, previous Clop attacks, including one targeting German tech giant Software AG, involved a demand for a payment of about $20 million with a threat that if the ransom isn’t paid, the data stolen in the attack would be published online.

     “The breach announced by Bombardier follows a Feb. 22 announcement by Accellion acknowledging attacks against its legacy file transfer application,” John Shier, senior security advisor at security company Sophos Group plc, told SiliconANGLE. “The significance of this breach is notable not only by its latest victim but also in the aggregate of previous leaks attributed to the same criminal group and using the same vulnerability. It highlights the potential risks posed by legacy applications that are allowed to persist in production networks.”

     Trevor Morgan, product manager with data security specialists comforte AG, said the lesson here is that software should always be up-to-date or replaced with next-generation software that’s supported by the vendor. “If you think you’re safe from breaches like this, then it’s probably time you really reconsider your data security strategy and methods,” Morgan added. “Complacency is your worst enemy and if you’re still depending on security methods that protect borders and perimeters, it’s probably time to think from a more data-centric perspective. If the data is the valuable part, protect the data and not the walls around it. That’s the data-centric approach in a nutshell.”

     SOURCE
  2. High Demand for Hacker Services on Dark Web Forums

     Nine in 10 (90%) users of dark web forums are searching for a hacker who can provide them with a particular resource or who can download a user database. This is according to new research by Positive Technologies, which analyzed activity on the 10 most prominent forums on the dark web, which offer services such as website hacking and the buying/selling of databases. The study highlights the growing demand for hackers’ services and stolen data, exacerbated by the increased internet usage by both organizations and individuals since the start of COVID-19.

     Gaining access to a web resource was found to be the most common goal of dark web forum users, with this making up 69% of ad inquiries. Obtaining user or client databases from a targeted resource was the next most frequent type of inquiry, comprising 21% of all ads. The researchers noted that the parties most interested in acquiring this type of information were competitors and spammers who collect lists of addresses for targeted phishing attacks aimed at a specific audience. Just 7% of forum messages involved individuals offering their services to hack websites, while 3% were focused on promoting hacking tools and programs and finding like-minded people for sharing hacking experience.

     In addition, a consistently high demand for access to online store sites was observed, with prices ranging from $50-$2000 for purchasing and selling hacking services and website access. This is fuelled by the fact that users enter their credit card details on such sites, providing attackers with the opportunity to inject malicious JavaScript code into these websites to intercept the information entered, according to the researchers.

     Positive Technologies analyst Yana Yurakova commented: “Since March 2020, we have noticed a surge of interest in website hacking, which is seen by the increase in the number of ads on forums on the dark web. This may have been caused by an increase in the number of companies available via the internet, which was triggered by the COVID-19 pandemic. As a result of this, organizations that previously worked offline were forced to go online in order to maintain their customers and profits, and cyber-criminals, naturally, took advantage of this situation.”

     Vadim Solovyov, senior information security analyst at Positive Technologies, added: “Insufficient web application security and the ability of criminals to easily find an experienced hacker or a ready-made tool for hacking a web resource pose an undoubted threat to both users and companies. Hacking a company’s web applications can lead to global consequences, ranging from data leaks to penetrating the company’s local network and using its resources in subsequent attacks.”

     Source: High Demand for Hacker Services on Dark Web Forums
  3. A look into the pricing of stolen identities for sale on dark web

     After a data breach, much of that stolen personal and sometimes highly personally identifiable information (PII) is sold on markets residing within the dark web. But how does the sale of stolen information work, exactly, and how much money are criminals making from stolen data? Comparitech researchers analyzed listings across 40+ dark web marketplaces, gathering data on how much stolen identities, credit cards and hacked PayPal accounts are worth to cybercriminals. Here are some key findings:

     • Americans have the cheapest "fullz" (full credentials, e.g. SSN, name, DOB etc.), averaging $8 per record. Japan and the UAE have the most expensive identities at an average of $25.
     • Not all fullz are the same. While SSN, name, and DOB are all fairly standard in fullz, other information can be included or excluded and thereby change the price. Fullz that come with a driver’s license number, bank account statement, or utility bill will be worth more than those without, for example. Some fullz even include photos or scans of identification cards, such as a passport or driver’s license.
     • Prices for stolen credit cards range widely from $0.11 to $986.
     • Hacked PayPal accounts range from $5 to $1,767.
     • The median credit limit on a stolen credit card is 24 times the price of the card.
     • The median account balance of a hacked PayPal account is 32 times the price on the dark web.

     Credit cards, PayPal accounts, and fullz are the most popular types of stolen information traded on the dark web, but they’re far from the only data worth stealing, says Comparitech. Other types of stolen information usually for sale are: passports, driver’s licenses, frequent flyer miles, streaming accounts, dating profiles, social media accounts, bank accounts, and debit cards. This data - most often stolen through phishing, credential stuffing, data breaches, and card skimmers - is bought and sold on dark web marketplaces.

     Here are a few tips for avoiding those attacks, from Comparitech researchers:

     • There’s not much an end user can do about data breaches except to register fewer accounts and minimize your digital footprint.
     • Keep an eye out for card skimmers at points of sale, particularly unmanned ones such as those at gas stations.
     • Learn how to spot and avoid phishing emails and other messages.
     • Credential stuffing can be avoided by using strong, unique passwords on all of your accounts.

     For the full blog, please visit https://www.comparitech.com/blog/vpn-privacy/dark-web-prices/

     Source: A look into the pricing of stolen identities for sale on dark web
  4. Cybercriminals can use stolen information for extortion, scams and phishing schemes, and the direct theft of money, says Kaspersky.

     Cybercriminals who capture your personal information often do one of two things with it. They'll either use it themselves to directly hack your accounts, or they'll sell it on the Dark Web. And once your personal data is up for sale, buyers can use it for financial gain or for doxing, a practice where malicious actors publicly reveal private information about you for all to see. In a blog post published Tuesday, security provider Kaspersky looks at the sale of personal data on the Dark Web and offers advice on how to protect your own data.

     Kaspersky's blog post entitled "Dox, steal, reveal. Where does your personal data end up?" describes doxing as a form of cyberbullying. The goal is to embarrass or target the victim by publishing embarrassing photos, private correspondence, a physical address, private contacts, job details, and medical or financial data. Journalists, bloggers, activists, lawyers, sex industry workers, and law enforcement officers all run a higher risk of being doxed, according to Kaspersky. People with high-profile internet personas also are at greater risk for doxing. However, "ordinary" people can be doxed as well. Doing or saying something online that upsets a lot of people can make you an open target for angry reactions, even in cases of mistaken identity where you didn't actually do or say the thing that got you in trouble.

     Personal data that finds its way to the Dark Web can be sold at relatively low prices, certainly for less than the average person would think. For its report, Kaspersky scanned several Dark Web forums and marketplaces to determine the going rates for certain types of information.

     Dark Web data and prices

     ID card data: 50 cents to $10
     Containing sensitive information such as Social Security numbers, ID cards are the main form of identification in many regions, including the US and Europe. Though such cards seem important, they don't fetch much on the Dark Web. A card or document with a full name and insurance number can cost as little as 50 cents per person. A full pack with name, ID number, SSN, date of birth, email address, and phone number can go for $10 per person.

     Passport scans: $6 to $15
     Another popular form of identification, passports are typically used in countries such as Russia and Ukraine for any type of government or financial service. Such documents can easily find their place on the Dark Web when you consider the number of times someone's passport is scanned at a post office, an airport, or another location. Passport scans can sell for anywhere from $6 to $15 depending on the quality of the scan, the country of origin, and whether the scan includes just the full page or the entire booklet.

     Driver's license scans: $5 to $25
     Driver's licenses are also used as a means of identification, with scans of a license and all the visible information up for grabs on the Dark Web. Selling for anywhere from $5 to $25, these license scans can be used by criminals to rent cars, commit insurance fraud, and present as an ID for different services.

     Medical records: $1 to $30
     As medical records become more digitized, they also become more susceptible to cyber theft. The type of data sold on the Dark Web varies from medical forms with full names, email addresses, and insurance numbers to full records with a patient's entire medical history, prescriptions, and other data. Selling for anywhere from $1 to $30 per record, such information can also be used for ransomware. In one example, the Finnish mental health organization Vastaamo was hit by a breach that compromised the data of at least 2,000 patients. After offering the stolen information on the Dark Web, the attackers wanted a ransom payment to delete it before turning their attention directly to the patients.

     [Image: Kaspersky]

     How to protect yourself

     To protect yourself and your data from being stolen and sold on the Dark Web, Kaspersky offers this advice:

     • Never reuse your passwords across accounts. Use a unique password for each account and a password manager to store them.
     • Protect your devices with fingerprint/face scan or with a PIN or password.
     • Use two-factor authentication. Remember that using an application that generates one-time codes is more secure than receiving the second factor via SMS. If you need additional security, invest in a hardware 2FA key.
     • Always check permission settings on the apps you use. The idea is to minimize the likelihood of your data being shared or stored by third parties without your knowledge.
     • Check for any accounts that may have been compromised. Certain tools and websites tell you if any of your online accounts have been caught in a data breach. The site known as have i been pwned? and Google's Password Checkup tool and Password Manager can warn you of potentially leaked passwords.
     • Think twice before you post on social media channels. Always consider how the content you share online might be interpreted and used by others. Could there be unforeseen consequences of making your views or information public? Could content be used against you or to your detriment now or in the future?

     Source
  5. Cyber-criminals are increasingly downsizing from selling their wares on large dark web marketplaces in a bid to build trust with buyers, according to McAfee.

     The security giant claimed in its latest threat report for Q3 that the trend can also be seen as a response to law enforcement activity. Police effected the major takedowns of Hansa and Alpha Bay in 2017, while marketplace Olympus fell silent in September after a suspected exit scam.

     “Cyber-criminals are very opportunistic in nature,” said John Fokker, head of cyber-criminal investigations at McAfee. “The cyber-threats we face today once began as conversations on hidden forums and grew into products and services available on underground markets. Additionally, the strong brands we see emerging offer a lot to cyber-criminals: higher infection rates, and both operational and financial security.”

     The move on the part of these business-minded hackers with strong underground ‘brands’ to set up shop on their own has brought with it a cottage industry in website designers offering to build their digital stores, McAfee claimed.

     Elsewhere, the security firm blocked an average of 480 new threats per minute during the three-month period, with IoT malware (73%), cryptomining malware (71%) and new ransomware (10%) all increasing from the previous quarter. Overall, new malware samples increased 53%, with new macro malware up 32%. It’s no surprise that malware was the most popular attack vector, followed by account hijacking, leaks, unauthorized access and vulnerabilities. However, instances of new mobile malware declined by 24% in Q3, and McAfee customers reported 36% fewer infections in the quarter. Data breaches in the financial sector jumped 20% and sextortion scams continued to grow in popularity, driven by Gamut, the top spam-producing botnet.

     source
  6. Vulnerabilities, stolen credentials and an evolution of marketplaces mark the Dark Web in Q3.

     In the wake of Hansa and AlphaBay being dismantled on the Dark Web, Dream Market and Wall Street Market have become the largest marketplaces in the criminal underground, according to Q3 analysis from McAfee. Meanwhile, vulnerabilities and stolen credentials continue to dominate the cybercriminal discussion.

     Illicit playgrounds for selling narcotics, hacking tools, hackers for hire and data records, these markets continue to thrive even in the wake of law enforcement action. According to threat research out this month from McAfee, the disruption of Hansa and AlphaBay created a ripple effect during the quarter, driving cybercriminals to competing, smaller markets, including Dream Market, Wall Street Market and Olympus Market. However, “Olympus Market, which was well on its way to being one of the top markets, suddenly disappeared in Q3,” the report noted. “There is speculation that the disappearance was an exit scheme initiated by the market’s administrators to steal money from their own vendors and customers.”

     At the same time, several individual sellers have moved away from large markets and have opened their own specific marketplaces, McAfee said. “They hope to fly under the radar of law enforcement and build a trusted relationship with their customers without the fear of a quick exit by the market owners,” according to the report. “This shift has sparked a new line of business: Defiant website designers who offer to build hidden marketplaces for aspiring vendors.”

     Stolen digital data, which drives much of the profits, will continue to be a key motivator both in large markets and more niche underground hacker forums, McAfee noted. The forums, which are less accessible to the public and focus on cybercrime-related topics, thrive mainly on leaked user credentials. “Credential abuse is one of the most popular topics on the underground scene, and the large data breaches we read about help maintain this popularity,” the report noted. “The use of valid accounts makes it child’s play for cybercriminals to access and take over an individual’s personal life.”

     Cybercriminals often show an interest in email accounts because these are regularly used to restore login credentials for other online services, the research found. “Password reuse, not enabling two-factor authentication, and failing to change passwords on a regular basis are the main factors that make these attacks so effective.”

     CVE discussions are popular too, the research found, with recently published vulnerabilities becoming hot topics in discussions of browser exploit kits—RIG, Grandsoft and Fallout—and of ransomware, especially GandCrab. “In the English-speaking, less technical underground forums we observed several discussions of old CVE implementations in familiar tools such as Trillium MultiSploit,” McAfee said. “These threads show that cybercriminals are eager to weaponize both new and old vulnerabilities. The popularity of these topics in underground forums should warn organizations to make vulnerability management a priority in their cyber-resilience plans.”

     source
  7. Wicked (dark web) wish list

     The dark web can be a fairly lawless place, but even the most hidden corners of the darknet are not immune to the laws of supply and demand. Malware programs, cybercriminal services and stolen data can skyrocket in popularity on the underground market just as quickly as they can fall out of favor – same as any product sold in the legitimate economy. A couple of black market cyber trends truly took off in 2018, with experts predicting a few new ones will spring up in 2019.

     Malicious software and services

     It happens all the time: A pioneering hacker or sophisticated threat group becomes the first to introduce a new malware or exploit – and suddenly a whole clowder of copycats emerges. As demand for these malicious tools grows on the darknet, developers and buyers begin to offer the same functionality – sometimes in the form of malware, other times as malware-as-a-service.

     Take, for example, Magecart, the e-commerce payment card skimmer toolset that turned into a high-profile threat last year after multiple cybercrime groups used it to carry out major attacks against British Airways, Ticketmaster and Newegg. By December, researchers at Armor reported the discovery of what they identified as the first-ever Magecart-like tool available for sale on the dark web.

     This sequence of events fits a common pattern, according to Corey Milligan, senior security researcher with Armor’s Threat Resistance Unit (TRU), who says that there is a “tendency for certain attack types [and] techniques to spike in conjunction with an increase in open-source reporting – including news coverage – detailing their successful use.”

     “The underground community follows security news just as closely, if not more so, as the security community,” Milligan continues. “Thus, the attack trends, at least with regard to the lower-level threat actors that conduct the majority of attacks, can be predicted based on the release of breach reports, malware analysis and vulnerability proof-of-concept code.”

     Of course, this is but one example. Other categories of malware also continue to see spikes and dips in dark web demand. In 2018, cryptominers in many respects surpassed ransomware in terms of cybercriminal demand. Now, just as suddenly, researchers believe we could see a reversing of that trend in 2019.

     “Among criminal actors, expect cryptomining to fall off and ransomware to return,” says Allan Liska, senior solutions architect at Recorded Future. “Cryptomining has not been as profitable for many cybercriminals as originally intended. Unless an attacker can infect tens or hundreds of thousands of devices it is difficult to make even close to the money that can be made from a successful ransomware campaign.”

     “On the other hand, ransomware actors behind the SamSam, BitPaymer and CrySIS ransomware campaigns have created a blueprint for a new generation of ransomware attacks… by using open RDP servers as a method of entry,” as opposed to more traditional methods such as phishing and web exploits. “We are already starting to see new ransomware variants copy this model and we expect to see a new crop of ransomware families” emerge on the dark web and offer to expand this method of attack, Liska continues.

     Armor’s TRU team has also observed the ransomware market steadily increasing, while cryptominer demand on the dark web continues to decline from its peak in May-June 2018. “Expect that downward trend to continue into 2019, following the drop in price for cryptocurrencies,” says Milligan, noting that Armor “has seen less chatter about cryptominers on the underground hacker forums… Do not expect them to go away completely, but rather take a back seat to ransomware [and] credit card sniffers.”

     Black market buzz for certain types of cyber weapons can also be influenced by security professionals’ and law enforcement’s latest activity. Wherever the good guys are training their focus on or bolstering defenses, the bad guys want to be somewhere else. Allison Nixon, director of security research at Flashpoint, believes DDoS services are losing steam in underground marketplaces “as more and more targets are able to successfully mitigate attacks. Attacks are still happening, but you don’t hear about major outages happening nearly as often anymore.”

     On the other hand, the demand for criminal proxy services that can disguise where the real attack is coming from is on the upswing because “We haven’t seen much law enforcement attention yet against criminal and shady proxy networks,” Nixon explains.

     Stolen data

     The digital-age business philosophy that “data is king” applies to the criminal underworld as well. Information equals money – the right stolen data in the wrong hands can be used to hijack a bank account or spoof an email address to help perpetrate a financial scam. If it’s sensitive information you’re after, investing in a malware service to collect it may not even be necessary. There’s plenty of stolen data already available on the dark web, including highly prized credentials, payment card numbers and Social Security numbers. If you’re lucky or devious enough to get your hands on a particular victim’s complete set of personally identifiable information (PII), then you’ve really hit the jackpot. Scammers call such packages “fullz.”

     For law-abiding citizens, such threats to their personal data begin at an early age. More than ever, in fact, it starts as early as birth. “I’m… watching for an increase or steady supply of younger personal information – infant data, particularly,” says Emily Wilson, vice president of research at Terbium Labs. “We’ve seen isolated listings for infant fullz and child SSNs pop up over the last few years. I’m expecting to see that market grow over time, shifting from a novelty item to a specialty item: available regularly, but with lower supply and a higher price.”

     Fullz even remain valuable after death – not death of the person, necessarily, but of his or her payment cards. Wilson explains cybercriminals are increasingly finding worth in “dead fullz,” which refers to fullz containing data for payment cards that have expired or were cancelled. Even though they can’t use the payment cards to score quick cash, attackers can still take advantage of these fullz because the stolen information can be used to compromise other accounts that do remain active.

     “The availability of ‘dead fullz’ marks another milestone in the shift toward increased monetization of personal data,” says Wilson. “Payment cards may cash out more quickly, but personal data can be used to compromise existing accounts, create new ones, and facilitate a host of other fraud schemes (e.g. tax fraud, business email compromise, identity theft). The rise in synthetic identity theft across industries shows that fraudsters are also building an appetite for playing the long game – building credit profiles, aging them, and cashing out when the time comes.”

     Meanwhile, non-traditional forms of consumer data are also starting to draw interest from the dark web community. For instance, notes Milligan, cybercriminals have recently been observed compromising and exploiting online loyalty and rewards programs. “The hospitality industry has taken some hits recently. I believe this simultaneously serves to feed the market for new rewards account data and increase awareness around the need for greater security for rewards accounts.”

     In a recent report predicting dark web trends in 2019, Terbium Labs prognosticates that the advent of new technologies such as biometrics, Internet of Things (IoT) devices and autonomous vehicles will only expand the array of sources from which data can be stolen. Biometric data in particular could become a hot-ticket item, the report states, because such data lasts for the victim’s entire lifetime, and cannot be altered, even if there is a breach. “Compromised payment cards are simply canceled and reissued; no similar recourse exists for compromised fingerprints or retina scans,” the report says.

     “Criminals on the dark web look for data they can monetize; right now, there is not sufficiently broad adoption of biometric technologies to warrant mining and marketing that data on criminal markets,” the report says. “Once we see increased use of biometric technologies across multiple industries, however – especially if biometric tech becomes a favored replacement for passwords or two-factor authentication – expect to see that data make its way into the dark web economy.”

     Dark Humor: The weirdest finds on dark net sites

     SC Media asked several dark web experts about the strangest things they’ve seen while researching dark web marketplaces and cybercriminal forums. Here are their responses:

     Allison Nixon, director of security research, Flashpoint: “My absolute favorite thing this year is how many of these criminal websites now have a GDPR compliance privacy page that you have to agree to before you can buy people’s stolen info.”

     Emily Wilson, VP of research, Terbium Labs: “My favorite strange find has to be a fishing guide. Yes, fishing. Fraudsters sell guides on the dark web – written documentation on how to execute schemes or specific types of fraud – designed to serve as instruction manuals for new criminals, or for those branching out into a new type of crime. In a multi-pack of fraud guides, one vendor threw in a bonus item: a guide on how to catch kingfish. I guess you could call them a king-phisher.”

     Source
  8. The Gazorp online builder makes it easy to start stealing passwords, credit-card information, cryptocurrency wallet data and more. A malicious build-it-yourself platform for the Azorult info-stealing malware has debuted on the Dark Web. The online builder, which its authors have named Gazorp, allows cybercriminals to generate their very own strains of Azorult, along with the apparatus to control it. And, it’s free. “Threat actors [gain] the ability to create fresh Azorult samples and corresponding panel server code, leaving them simply to provide their Command & Control (C&C) address,” wrote Check Point researchers Nikita Fokin, Israel Gubi and Mark Lechtik, in a posting last week on the generator. “This address gets embedded into the newly created binary, which in turn can be distributed in any way the threat actor sees fit.” Check Point researchers took the platform for a test-drive and found that Gazorp does, indeed, perform as advertised, “effectively” creating samples of Azorult version 3.0. Azorult is a fairly popular commercial malware, which is used for harvesting various kinds of information, including passwords, credit-card information, cryptocurrency wallet data and more. It also can download additional malware. It’s been around since at least 2016, when Proofpoint researchers identified it as part of a secondary infection via the Chthonic banking trojan. Azorult 3.0 debuted five months ago, and while there have been two subsequent versions released into the wild since then with major improvements, “the outdated version has multiple stealing capabilities which can be leveraged by any actor to gather victim information and misuse it,” the Check Point team noted. The researchers added that the Gazorp platform claims to offer multiple upgrades and enhancements to the Azorult’s existing leaked C2 panel code, which was uploaded to Github a few months ago. 
Check Point said that Gazorp offers “major differences and additions” from the leaked source panel in Gazorp, with a main enhancement being a global heat map that provides statistics by country.

Gazorp is also in active development, and its creators are taking a hacker community-minded approach to the proceedings. The service has its own Telegram channel, where interested parties can get updates on the project and weigh in with their own ideas. So far, the Gazorp authors have promised future extensibility with a “modules” library, and features like the ability to configure the panel and export the various databases to a file.

“For now, it seems we are looking at a very early version of the Gazorp service (0.1), where the main product delivered is an enhanced Azorult C&C panel code,” researchers said. “However, we do expect the project to evolve with time, and possibly produce new variants for Azorult.”

As for monetization, the public can also donate to the project with Bitcoin. There are no fees to use Gazorp – further lowering the barrier to entry for cybercriminals. “Given that the service is free, it is…possible that new campaigns with Gazorp built binaries will start to emerge in higher scale in the wild,” the researchers said.

Source
  9. Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users

A trojanized version of the Tor Browser is targeting dark web market shoppers to steal their cryptocurrency and track the websites they visit. More than 860 transactions are registered to three of the attackers' wallets, which received about $40,000 in Bitcoin cryptocurrency.

Careful impersonation

The malicious Tor Browser is actively promoted as the Russian version of the original product through posts on Pastebin that have been optimized to rank high in queries for drugs, cryptocurrency, censorship bypass, and Russian politicians. Spam messages also help the actor(s) distribute the trojanized variant, which is delivered from two domains claiming to provide the official Russian version of the software.

Cybercriminals were careful with selecting the two domain names (created in 2014) since to a Russian user they appear to be the real deal:

- tor-browser[.]org
- torproect[.]org - for Russian-speaking visitors, the missing "j" may be seen as a transliteration from Cyrillic

Furthermore, the design of the pages mimics, to some extent, the official site of the project. Landing on one of these pages shows the visitor a warning that their browser is updated, regardless of the version they run. Translated into English, the message reads:

"Your anonymity is in danger! WARNING: Your Tor Browser is outdated. Click the button “Update"

In Pastebin messages, the cybercriminals advertise that users would benefit from an anti-captcha feature allowing them to get faster to the destination. This is not true, though. Underneath this Tor Browser impersonator is version 7.5 of the official project, released in January 2018.

Getting the cryptocurrency

The downloaded script can modify the page by stealing content in forms, hiding original content, showing fake messages, or adding its own content. These capabilities allow the script to replace in real-time the destination wallet for cryptocurrency transactions.
The JavaScript observed by ESET does exactly this. The targets are users of the three largest Russian-speaking darknet markets, the researchers say. For the payload they observed (image above), the script also alters the details for the Qiwi payment service provider.

When victims add Bitcoin funds to their account, the script jumps in and changes the wallet address with one belonging to the attackers. Since cryptocurrency wallets are a large string of random characters, users are likely to miss the swap.

Darknet profile with altered Bitcoin address

At the moment of publishing, the three cryptocurrency wallets controlled by the attackers recorded 863 transactions. These are small transfers, supporting the theory that the funds came via the trojanized Tor Browser. One of them received more than $20,000 from over 370 transactions. The largest balance, though, is currently around $50 in one wallet and less than $2 in the other two.

The three wallets have been used for this purpose since 2017, the researchers found. Although the amount of Bitcoins that passed through these wallets is 4.8, the total proceedings for the attackers is likely higher because Qiwi payment details are also altered.

Source: Malicious Tor Browser Steals Cryptocurrency from Darknet Market Users
  10. Breach Of Popular Audio Streaming Site Exposes 20 Million Accounts

The popular audio streaming site Mixcloud has reportedly been hacked. Account information belonging to as many as 22 million of its users is for sale on the Dark Web.

Zach Whittaker of TechCrunch reports that the breach occurred earlier this month. The individual claiming responsibility for the breach provided Whittaker with a sample of the data — something hackers will often do to prove the validity of the ill-gotten data. In fact, the very same hacker contacted Whittaker in August to share details about a different breach. That incident involved StockX, a billion-dollar online marketplace that allows users to buy and sell shoes and clothing.

Whittaker reports that the hacker is asking 0.5 bitcoin (just under $3,900 at current rates) for the hacked Mixcloud data. While no payment card data was exposed this time around, the Mixcloud data does include email addresses, usernames, links to their profile photos, IP addresses and encrypted passwords.

Mixcloud users do have something to be thankful for on that front: strong encryption. The company reportedly hashed its users’ passwords with SHA-2, a very strong cryptographic standard. As a result, well-chosen passwords will be nearly impossible to crack.

In a database with more than 20 million records, however, there’s a very high likelihood that many of the passwords are anything but difficult to guess. No matter how many times the worst passwords of the year get reported, people keep on using them. When a database like this one starts making the rounds, those weak passwords come back to haunt the users who chose them.

Mixcloud has yet to offer any official statement regarding the breach. An investigation will likely be forthcoming, however, as the London-based firm could be subjected to a fine of as much as £20 million or 4% of its annual turnover under GDPR guidelines.
In one of the highest-profile GDPR incidents to date, hotel giant Marriott was hit with a whopping £99 million for a similar — albeit much larger — breach in 2018. Source
  11. A little over 21 million login credentials stolen from Fortune 500 companies have been found in various places on the dark web, many of them already cracked and available in plaintext form.

The information was compiled by crawling multiple resources, like markets in the Tor network, web forums, Pastebin, IRC channels, social networks, and messenger chats.

Cracked passwords ahead

21,040,296 is the exact number of credentials belonging to companies ranking in the first 500 that security researchers found on the web. Most of them were from tech companies, closely followed by organizations in the financial industry. Entities in the healthcare, energy, telecommunications, retail, industrial, transport, aerospace and defense sectors are also on the list.

Not all of them are fresh, though. ImmuniWeb says in a report published today that 16,055,871 of the credentials they found were compromised in the past 12 months. However, the researchers reveal a worrying statistic: "95% of the credentials contained unencrypted, or brute-forced and cracked by the attackers, plaintext passwords."

Using machine learning technology, the researchers were able to determine the accuracy and reliability of the data set by cleaning it of fake leaks, duplicates and default passwords set automatically.

Hilariously weak popular passwords

Despite finding as many as 21 million login records, the report notes that only 4.9 million of them were unique, "suggesting that many users are using identical or similar passwords."

Of course the most insecure password and variations of it are present in the data set; and they were found in data sets for companies in almost all verticals, except the financial one, where users relied on other, equally weak logins. Although it was not the most popular in all cases, "password" and its variants exist in the top five most used passwords.
A simple glance at the passwords below makes it clear that companies still haven't learned how to protect access to their assets and that the recommendation for using a strong password flew right past them. Even an uncomplicated phrase that does not use special symbols, numbers or upper case letters is better than any of them.

According to the report, the weakest logins were from the retail industry, where almost half of the passwords were less than eight characters long and could be found in common dictionaries. However, companies in other industries are not far behind in this. Most industries in the top ten with the weakest passwords from ImmuniWeb's report have a third or more logins that could be cracked in seconds.

The researchers note that about 11% of the passwords from a data breach are identical. This could be explained by the use of default passwords or bots creating accounts. A reset procedure that defined the same password for a large number of accounts is another possibility, ImmuniWeb says.

Additionally, there may be a connection between the number of subdomains with a poor web security grade (C or F) and the exposed credentials, as they are proportional.

Ilia Kolochenko, CEO and Founder of ImmuniWeb, says that cybercriminals focus on the shortest, least resistant path to get what they want. Given the login data in the report, they have no trouble getting their prize.

Source
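The Mixcloud item (10) and the ImmuniWeb report (11) make the same point from two sides: a strong hash only protects well-chosen passwords, and real dumps are full of short, dictionary and repeated ones. The Python below is an added example, not code from either article or from ImmuniWeb or Mixcloud. The credential records and the small "common password" list are constructed for illustration; the audit criteria (shorter than eight characters, found in a dictionary, share of identical passwords) follow the ones the report uses. It also shows why a bare, unsalted SHA-2 table is cheap to resolve against a wordlist while a salted, iterated KDF is not.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample of a plaintext credential dump (not real accounts),
# shaped like the records the ImmuniWeb report describes.
LEAKED_PLAINTEXT = [
    ("a@example.com", "password"),
    ("b@example.com", "Password1"),
    ("c@example.com", "123456"),
    ("d@example.com", "123456"),
    ("e@example.com", "123456"),
    ("f@example.com", "qwerty"),
    ("g@example.com", "Welcome1"),
    ("h@example.com", "correct horse battery staple"),
    ("i@example.com", "xK9#vL2mQ7!pR4sT"),
    ("j@example.com", "abc123"),
]

# Stand-in for a "most common passwords" dictionary (constructed; a real audit
# would load a published list).
COMMON_DICTIONARY = {"password", "123456", "qwerty", "abc123", "letmein", "welcome"}


def audit_plaintext(records, dictionary=COMMON_DICTIONARY):
    """Report-style statistics over (login, password) pairs: unique share,
    passwords shorter than eight characters, dictionary hits, and the single
    most repeated password (the report's 'identical passwords' measure)."""
    pws = [pw for _, pw in records]
    total = len(pws)
    counts = Counter(pws)
    top_pw, top_n = counts.most_common(1)[0]
    return {
        "total": total,
        "unique": len(counts),
        "unique_ratio": len(counts) / total,
        "short_ratio": sum(1 for p in pws if len(p) < 8) / total,
        "dictionary_ratio": sum(1 for p in pws if p.lower() in dictionary) / total,
        "most_common": top_pw,
        "most_common_share": top_n / total,
    }


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


# The same accounts as a database storing bare, unsalted SHA-256 would hold
# them (the Mixcloud article mentions SHA-2 but no salt or KDF).
LEAKED_UNSALTED = {login: sha256_hex(pw) for login, pw in LEAKED_PLAINTEXT}


def recover_with_wordlist(hash_table, wordlist):
    """Defender-side exposure check: which accounts in an unsalted table use a
    password from the common list. One precomputed table of sha256(word)
    answers every account at once, so the cost does not grow with the number
    of users; only the well-chosen passwords stay unresolved."""
    lookup = {sha256_hex(word): word for word in wordlist}
    return {login: lookup[h] for login, h in hash_table.items() if h in lookup}


# Hardened form: per-user random salt plus an iterated KDF, so the same
# wordlist must be re-run for every account with its own salt.
def pbkdf2_record(password: str, iterations: int = 600_000):
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def kdf_evaluations(n_accounts: int, wordlist_size: int, salted: bool) -> int:
    """Hash/KDF evaluations a full wordlist check costs: wordlist_size once
    for an unsalted table, n_accounts * wordlist_size once salts are used."""
    return wordlist_size * (n_accounts if salted else 1)


if __name__ == "__main__":
    stats = audit_plaintext(LEAKED_PLAINTEXT)
    print(f"{stats['unique']}/{stats['total']} unique, "
          f"{stats['short_ratio']:.0%} shorter than 8 chars, "
          f"{stats['dictionary_ratio']:.0%} in the dictionary, "
          f"'{stats['most_common']}' used by {stats['most_common_share']:.0%}")
    exposed = recover_with_wordlist(LEAKED_UNSALTED, COMMON_DICTIONARY)
    print(f"{len(exposed)} of {len(LEAKED_UNSALTED)} unsalted records resolved by the wordlist")
    print("unsalted:", kdf_evaluations(22_000_000, 10_000, salted=False),
          "salted PBKDF2:", kdf_evaluations(22_000_000, 10_000, salted=True))
```

The iteration count is illustrative; pick it from current guidance for the KDF you deploy. The exposure check is the same comparison a breach-notification or internal password-audit service performs, and it resolves only the accounts whose password is on the list, which is exactly the population the articles are worried about.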
  12. Hacker was selling 141.5GB of data from Huazhu Hotels Group. He also attempted to blackmail the hotel chain to pay for its own data.

Huazhu Hotels Group Ltd, a China-based hotel chain, announced this week that Shanghai police arrested the hacker who was selling data on millions of its customers online, on the dark web.

The arrest was announced on Monday, September 17, by the hotel group in an investors message, and confirmed two days later by Shanghai police for Chinese media. Police did not release the man's name, but according to local reports, the hacker is a 30-year-old man named Liu.

Investigators did not reveal any other details about the investigation, but according to previous reports, it appears that Liu may have gotten hold of the hotel chain's data when a developer accidentally uploaded part of its database on GitHub.

The hacker put the Huazhu data up for sale on a dark web hacking forum in mid-August, asking for 8 Bitcoin, which was worth around $56,000 at the time. The data was sold in three file packages, for a total of 141.5GB.

The data trove contained over 500 million records, comprising 240 million pieces of content related to hotel stays such as name, credit card details, and mobile number; 123 million pieces of registration data recorded on the group's official website such as userID and login pin; and 130 million pieces of check-in data, including birthday and home address.

China hotel data sold on the dark web

The Huazhu Hotels Group is one of China's largest hotel chains, operating 5,162 hotels across 13 hotel brands in 1,119 Chinese cities. The data sold online was advertised to have originated from customers who stayed at Huazhu's hotel brands, such as Hanting Hotel, Grand Mercure, Joye, Manxin, Novotel, Mercure, CitiGo, Orange, All Season, Starway, Ibis, Elan, and Haiyou.

The hotel chain filed a police complaint on the same day news of the hack broke in Chinese media – August 28.
In its message to investors, the hotel chain said Liu was unsuccessful in selling the stolen data. They also said the hacker attempted to blackmail the hotel into paying for its own data by leveraging public pressure surrounding the public disclosure of the hack. "To comply with laws and police protocols, the Company cannot disclose additional information on the case at this time," a Huazhu spokesperson said. Source
  13. AlphaBay was one of the largest dark web marketplaces – In 2017, its admin Alexandre Cazes committed suicide in a Thai prison.

The Fresno Division of the U.S. District Court for the Eastern District of California has finally concluded a 14-month long civil forfeiture case and allowed seizure of property and assets of a Canadian national Alexandre Cazes who ran AlphaBay market on the dark web, CoinDesk has confirmed.

Cazes, for your information, was the one who committed suicide by hanging himself last summer. He was arrested for operating AlphaBay, a dark web marketplace, and was kept in Thai prison where he committed suicide. It must be noted that one of the AlphaBay spokespersons, Ronald L. Wheeler III, a/k/a Trappy, 25, of Streamwood, Illinois, has already been sentenced to federal prison.

Alexandre Cazes

Cazes couldn’t be tried in the court but he was accused of facilitating and benefitting from illegal goods and services sales to the US and overseas customers through the AlphaBay. The marketplace was eventually shut down by the law enforcement and Cazes was arrested from outside his primary residence. The police also confiscated an open laptop from his residence from which they obtained key evidence against Cazes including administrative login accounts of AlphaBay forums and servers, text files storing credentials like passwords for AlphaBay website.

On 7 July, 2017, he was charged for identity theft, racketeering, money laundering, fraud, and trafficking. The police also disclosed that the accused's net worth was a whopping $23 million and his property included lavish real estate properties and expensive, luxury vehicles. It became apparent that the 26-year-old Canadian citizen had made a lot of money from AlphaBay since the website didn’t accept conventional payment methods but only cryptocurrencies.
As per financial reports, Cazes amassed over $8.8m in crypto with nearly 1,605.05 bitcoins, 8,309.27 ether, and 3,691.98 zcash, while the Monero amount is yet unknown. Cazes used various wallets to store cryptocurrencies and used “mixers and tumblers” to split the digital currency across the wallets while the wallets were linked to Cazes and his Thai wife Sunisa Thapsuwan’s bank accounts.

It is worth noting that before AlphaBay, authorities also seized and shut down Hansa, another highly popular dark web marketplace known for selling drugs, weapons and stolen databases. Dutch National Police, who played a vital role in the operation against AlphaBay and Hansa, also explained how they busted Hansa.

Source
  14. Censorship of news on the internet by the government has long been a point of controversy. Indeed, we have had points in the past where the BBC's Vietnamese website got blocked. On other occasions, China has previously blocked BBC's services in the country, and Iran has dabbled in the same as well. In a bid to fight against censorship and restricted access, BBC announced today that it's launching a mirror of its international news website on the dark web. In a statement, the news site said:

To access the website, you will need Tor, which is a web browser that allows you to access content on the dark web securely. The web address for the alternate website to the regular BBC News is bbcnewsv2vjtpsuy.onion. Unsurprisingly, the link cannot be opened in regular browsers because of the 'onion' suffix.

The 'dark' version of BBC will have foreign language services like BBC Persian, BBC Russian, and BBC Arabic. UK-only content and services including BBC iPlayer will be unavailable due to broadcasting rights. As stated before, the dark web version will be the international variant of BBC, not the UK variant.

Source:
1. BBC turns to the dark web in a bid to fight censorship (via Neowin) - main article
2. BBC News launches 'dark web' Tor mirror (via BBC) - reference to the main article
  15. 179 Arrested in Massive Global Dark Web Takedown

Operation Disruptor is an unprecedented international law enforcement effort, stemming from last year’s seizure of a popular underground bazaar called Wall Street Market.

Operation Disruptor has led to a wave of arrests and seizures, but the dark web drug market has bounced back before. Photograph: Getty Images

It’s one of the largest global dark web takedowns to date: 179 arrests spread across six countries; 500 kilograms of drugs seized; $6.5 million in cash and cryptocurrency confiscated. And while it was announced this morning, Operation Disruptor traces its roots back to May 3, 2019. That’s the day that German police seized Wall Street Market, the popular underground bazaar that gave international authorities everything they needed to upend the dark web drug trade.

It’s unclear how big a dent Operation Disruptor will make in the long run; the dark web drug market tends to bounce back, even after the high-profile collapses of marketplaces like the Silk Road and AlphaBay. But even if law enforcement is playing an eternal game of Whac-A-Mole, it’s at least gotten extremely proficient at whacking.

In the US, Operation Disruptor plays out across dozens of court documents and around 120 arrests. In Ohio, members of a group known as PillCosby were charged with mailing out over a million pills laced with fentanyl. Prosecutors in Washington, DC, allege that David Brian Pate concealed thousands of OxyContin, Xanax, and morphine pills inside souvenir maracas. A pharmacist in Nebraska allegedly planned to firebomb a local competitor after stealing their opiate supply, in service of what officials say was his booming narcotics trafficking business.

Photograph: Drug Enforcement Administration

What these cases, along with the dozens of arrests across Europe, have in common is that the investigations largely stem from last year’s Wall Street Market takedown.
At the time, German authorities arrested the site’s alleged operators and two of its most prolific vendors. Europol confirmed to WIRED today that it was also able to recover the Wall Street Market backend server, providing investigators with an invaluable trove of evidence.

“It provided us with all the information which led to the identification of those arrested today,” says Europol press officer Claire Georges. “We collated the information and then we sent out what we call intelligence packages to all the concerned countries. Basically it’s information or documents where we say, look, we know this person in your country has done this, you may want to open an investigation.” Georges says also that there are more arrests to come.

While announced as a package today, the arrests in the US have trickled through over the last several months. In a press conference Tuesday morning, DEA acting administrator Timothy Shea specifically called out Arden McCann, allegedly known as RCQueen, DRXanax, and other aliases across numerous dark web markets. Arrested earlier this year, McCann allegedly shipped over 10 2kilograms of fentanyl and over 300,000 counterfeit Xanax pills every month.

“In some ways this is just the perfect-storm combination of traditional criminal activity of all shapes and sizes merging with this more sophisticated technology,” FBI director Christopher Wray said at Tuesday’s press conference. “But the point of today’s announcement is it doesn’t matter where you go to try to do it or how you try to hide it, we’re coming for you.”

That has increasingly seemed to be the case. The Wall Street Market seizure is not the first or even most devastating law enforcement takeover of a dark web storefront. In 2017, Dutch police took control of Hansa, a booming darknet market, and the FBI shut down AlphaBay, an even larger competitor.
While displaced AlphaBay users flocked to Hansa for their fix, Dutch authorities spent weeks logging their activity, including many of their home addresses. The takedowns and seizures invariably have a cumulative effect. “These people don’t just operate on one market, they cover the full spectrum of the dark web,” says Europol’s Georges.

In the US, the arrests fell under the DOJ’s Joint Criminal Opioid and Darknet Enforcement team, which includes investigators from FBI and the United States Postal Service. J-CODE’s most recent operation, called Sabotor, resulted in 61 arrests announced in March 2019.

What remains to be seen is whether dark web drug buyers will simply find new suppliers, especially since Operation Disruptor targets individual vendors rather than entire marketplaces. At the very least, though, Tuesday's announcement may give aspiring dark web vendors pause, as it only adds to law enforcement’s track record of cutting through supposedly anonymous corners of the internet.

“We have very creative people who are themselves very innovative within the law and using a variety of tools to catch people who think they can hide in the dark net,” Wray said at Tuesday’s press conference. The FBI director declined to comment on specific techniques.

Source: 179 Arrested in Massive Global Dark Web Takedown
  16. Mobile-first course charted by privacy-protecting technology

The Tor Project is planning to improve network speed and performance, particularly for mobile users and those with older devices or on slower connections.

The initiative, the result of many years of collaboration with the research community, has multiple facets. These include streamlining the tuning of the network, deploying smarter methods for balancing traffic, and rolling out the fruits of performance and scalability research. Proactively detecting, diagnosing, and resolving user-facing performance issues will also play a part in the upgrade.

Although the total relay capacity (bandwidth) of the Tor network has increased due to events such as the Edward Snowden disclosures over recent years, this has not been matched by corresponding increases in utilisation and throughput. Less than half of the capacity on the Tor network is being used.

Speaking during Tor’s State of the Onion conference on Monday, developer Mike Perry said that the two-year upgrade project that began in October is designed to fix these issues. The scheme will include RTT-based congestion control and traffic splitting across multiple circuits, among other technological improvements.

Perry explained: “Most of these improvements are client and parameter-based [though] some will require exit [node] upgrade, particularly congestion control. All will require careful tuning and experimentation.”

A prototype experiment, with just the client-side improvements, was able to achieve 5 Mbps over a full six-hop Onion service circuit where normally only 200-500 kbps is currently possible. These huge performance gains would be diluted if everyone was using the same client but nonetheless illustrate the potential for improving the technology, according to Perry.
The State of the Onion, a livestreamed online event, saw key developers and partners to Tor (such as SecureDrop, Library Freedom Project, and Ricochet Refresh) discuss upcoming development plans. A recording of the event has been uploaded to YouTube.

Mobile first

During the event Tor Browser developer lead ‘Matt’ (nicknamed @sysrqb) explained how the browser was transitioned from an old version of Firefox to a newer version during the second half of 2020. The desktop version of the Tor Browser has moved from Firefox 68 ESR to Firefox 78 ESR as a foundation for enhancements.

Over the same period the Android Tor Browser has been upgraded and built using Mozilla’s Fenix browser for Android as part of an evolving strategy to move to a more rapid release cycle and mobile-first focus for the privacy-protecting Tor Browser. The Android version of the Tor Browser is based on Firefox 83, well ahead of the desktop versions (Windows, macOS, and Linux), which are based on Firefox 78 ESR.

Bad relays? That’s shallot

During the two-hour long livestream event other developers involved in the Tor Project discussed plans to weed out bad relays. A bad relay joins the distributed Tor network to do something malicious instead of helping users to protect their privacy and circumvent censorship.

“Identifying bad relays involves scanning the network to identify relays or groups of relays that are behaving in ways that indicate malicious intent,” a Tor Project representative told The Daily Swig. "We have a design proposal for how to improve the situation in a more fundamental way by limiting the total influence from relays we don't ‘know’ to some fraction of the network.

“Then we would be able to say that by definition we trust at least 50% (or 75%, or whatever threshold we pick) of the network,” they added.
Much of the discussion during the two-hour session, and particularly those from third-party software developers that rely on Tor such as Ricochet Refresh, referenced the deprecation of Tor Onion Service v2, which will be unsupported from July 2021.

Source
  17. Key Findings

The collection of onion sites that is sometimes called the dark web is often portrayed as a vast and mysterious part of the internet. In reality, the number of onion sites is tiny compared to the size of the surface web. Our count of live reachable onion site domains comes to less than 0.005% of the number of surface-web site domains. Out of about 55,000 onion domains that we found, only around 8,400 onion domains had a live site (15%). The popular iceberg metaphor that describes the relationship of the surface web and dark web is upside down.

These onion sites are disorganized and unreliable. Scams are prevalent, such as a typosquatting scam that claims to have successfully defrauded users of over 400 popular onion sites, netting thousands of dollars in Bitcoin from victims. Uptime even on popular dark web sites is well below the 99.999% “five nines” availability that is expected for reputable companies on the surface web, and onion sites regularly disappear permanently with or without explanation.

From a language standpoint, onion sites are more homogeneous than the surface web. We observed that 86% of onion sites have English as their primary language, with the next two most common being Russian with 2.8% and German with 1.6%. On the surface web, researchers report English is at the top with only 54%.

The idea of a dark web that is hidden and mysterious is more likely an extrapolation of a tiny portion of these onion sites — a set of invitation-only and unpublicized communities buried in the most shadowy corners of this part of the internet. On the surface web, popular websites will attract inbound link counts in the millions or more. In our onion site crawl, the site with the highest inbound link count was a popular market with 3,585 inbound links. An onion site offering help setting up onion servers had 279 inbound links.
In contrast, we looked at what we view as the top eight onion sites most respected in the criminal community and found that the most visible had a maximum of 15 inbound links with an average of only 8.7 inbound links per site. It is this tiny slice of the dark web that is truly dark.

What Is the Dark Web?

The dark web is a frequent topic of interest for anyone who cares about cybersecurity, but its mystique has given rise to a number of popular misconceptions, and “dark web” can be a muddled term. To make a more concrete assessment of one precise definition of the term “dark web,” this blog presents our findings of a spider specifically for those sites that are accessible within the Tor network of onion domains. There are plenty of varied definitions for the dark web, the deep web, the criminal underground, and other related concepts, but for this investigation, our exclusive focus is on onion sites.

According to Wikipedia, the dark web can be described as any web content that requires specific software, configurations, or authorization to access. This definition overlaps with another common term, the “deep web,” which is commonly used to refer to all the parts of the internet not indexed by search engines.

The dark web is also often conflated with the cybercriminal underground, implying that it is solely a place where people traffic illicit and sordid goods and services. While that kind of activity makes up a significant proportion of content on the dark web, the fact that the Tor browser can circumvent surveillance measures also makes it useful for legitimate activities in certain circumstances, like free expression from political dissidents in authoritarian countries. Some prominent surface websites host mirrors of their content on Tor sites for exactly this reason, including The New York Times and Facebook.
On the other side of the coin, Insikt Group’s research has shown that much criminal activity happens on sites not requiring any special protocols to access, such as public social media sites like Twitter or messaging services like WhatsApp and Telegram.

In this research, we investigated a few things about this network of onion sites: how big it really is, the languages in which it’s written, and how reliable it is to use in terms of uptime and trustworthiness. We spidered about 260,000 onion pages to approximate the full reachable Tor network from a starting set of onion sites that we pulled from public lists and our own content.

Graphical representation of 8,416 onion domains.

The Dark Web Is Tiny

The dark web is often portrayed as vast and mysterious, implying that there is a large number of onion sites on Tor, but this is not what we find. This misperception may be in part due to the fact that there are many tragic and horrible things that take place under the anonymity Tor provides. While we cannot contradict the sad reality that those things do happen, we find that in terms of size, the network of onion sites is tiny compared to the surface web, and the part with real threat intelligence value is smaller still.

Our crawling found 55,828 different onion domains, but only 8,416 were observed to be live on the Tor network during our crawl. Our findings disprove the misconception that the relationship between the surface web and dark web has an iceberg shape, with the surface web being a small portion of the World Wide Web above the water and the dark web below the visible surface accounting for the majority. The truth is that this iceberg shape is upside down.

Pixel representation of the dark web versus the surface web.

There are an estimated 200 million unique surface web domains that are active, which positions the current live onion site network at less than 0.005% of the size of the World Wide Web.
Onion sites are prone to disappearing from the network, which will cause any attempt to reach the page to fail. The ratio of live to total onion domains was about 15% in our results. A similar ratio (about 15%) holds for the surface web. This number, which provides an estimate for the size of the Tor network, complements the findings of an Onionscan report from 2017, which reported a live rate of 4,400 live sites out of 30,000. Others also claim that the network is shrinking. While we cannot directly compare against their numbers because their approach was not as broad as our spider, we do find that the ratio of live to dead continues to be similar to these previous findings, with about 15% of the sites being live.

Percentage of onion domains that will succeed in loading a page.

We also found that this tiny network of onion sites is tightly connected. For 82% of the live domains in the network that we’ve crawled, the average degrees of separation from a popular link hub like the Hidden Wiki is 2.47. The data suggests that if you visit the Hidden Wiki onion page, you’d be about three clicks away from 82% of live onion sites. This measure is tighter than might be expected in the surface web. For example, the Facebook social graph has been reported to have an average degree of separation of 3.57 between pairs of users.

It’s also notable that the other 18% of crawled domains were completely disconnected from the Hidden Wiki, which might indicate the presence of isolated communities separate from the rest of the network. While this opens the possibility of there being swaths of sites that our approach could not discover, we believe this is unlikely due to our broad starting base, which included all onion domains seen anywhere in our vast open source data as well as our extensive collection focused on the criminal underground.

The Dark Web Is Disorganized and Unreliable

The dark web is plagued by flakiness.
As criminal activity has proliferated across onion sites, so have scams and attacks. The servers of onion websites are taken down when they fall victim to attacks. A prominent example is a site called Daniel’s Hosting, which used to provide Tor hosting services to about 6,500 onion websites. This site was hacked in 2018, causing a massive outage of onion sites. The infrastructure was compromised using a PHP zero-day vulnerability that allowed the hacker to gain access to the full database of sites and delete all the accounts inside. While it was eventually recovered, the victimization and prolonged downtime are a typical example of the level of service found on onion sites.

Even popular dark web markets can have uptime well below 90%, with one well-known market having about 65% uptime as of this article. Sites can be down for weeks at a time, which would be unthinkable for reputable service providers on the surface web. For comparison, Facebook’s uptime is measured at 99.95%, and the gold standard is 99.999% availability, known as “five nines.” Onion sites are typically far below that level, and some simply disappear for days, for weeks, or for good.

Typosquatting is a tactic used by malicious actors on the surface web, and this has been taken to onion sites as well. Typosquatting is a technique where a malicious actor registers a domain that users of a legitimate website might easily mistake for the website of the service they’re trying to use, which is then exploited by the actor hosting malicious content on the typosquatted domain (for example, a fake login page at “aple[.]com” or “apple[.]co”). We found a blatant example of onion site typosquatting that we’re calling the “Thank You” scam. Our spider found numerous copies of onion sites hosting only a simple banner from someone that claims to have earned more than 200 BTC by hosting slightly modified domain names for over 800 popular onion sites. We speculate that the perpetrator might have asked for user credentials and profited from stealing them, but this is unclear, as the scam landing pages are no longer visible and all the sites instead show the gloating message. Well-known Bitcoin mixers and markets were included in the list of typosquat victims.

Figure: Recent screenshot of a fake site that was part of the “Thank You” scam.

From the “more than 800” fake domains referenced by the scammer, our spider found 430 live sites, all with a landing page where the perpetrator communicates his retirement and thanks the viewer for their money. If indeed there are as many as the banner claims, we believe that the remaining 370 are no longer live.

Typosquatting is even easier on onion sites than the surface web due to the way that onion domains work. Onion domains are hashes, so they typically contain many characters that appear entirely random to a human user. For example, the onion domain 7rmath4ro2of2a42.onion does not correspond in any visual sense to the site that it loads, a news site called SoylentNews. This makes it hard for a Tor user to distinguish between a real onion domain and a typosquat. Sharing written onion typosquats would be an effective way to spread them, as many Tor users will not be familiar enough with the real domain to tell the difference. In addition, many fake domains were added to Daniel’s Onion Link List, a popular site for hosting and listing onion domains. Finding phishing links is common enough for Deep Dot Web to make a post warning about it. Even without considering the content of the sites, these factors give the entire network of onion sites a sense of untrustworthiness.

Language Usage on the Dark Web Is More Homogeneous Than on the Surface Web

Various studies have estimated the language breakdown of the surface web, but such measurements of the dark web are rare. Spidering the Tor network provides a way to measure the breakdown of written languages on onion sites.
We estimate that English is the main language for 86% of onion sites, a higher proportion than the surface web, in which English accounts for only 54%. Following English comes Russian at 2.8%, German at 1.6%, and Spanish at 1%. The languages below those in frequency account for less than 1% each and 8.6% as a whole. While the percentages differ, the order of the top four languages by popularity is the same as the order for the surface web. After that, the order diverges as the percentages get smaller.

Figure: Language usage on the surface web versus onion sites.

We formed these estimates using stratified sampling for our spidered data, selecting random pages from each crawled domain and assigning a main language for the whole domain based on a majority vote of the languages detected across the pages.

The Hidden Dark Web

The idea of a dark web that is hidden and mysterious is better exemplified by a tiny portion of onion sites, a set of invitation-only and generally unpublicized communities buried in the most shadowy corners of the internet. To understand just how hidden these sites are, we measured how many unique onion domains had a link pointing to a given site. This measurement can then be compared to popular sites to evaluate their relative visibility.

Popular surface-web sites have inbound link counts in the millions or more. The site with the highest inbound link count across all our crawled onion domains was a popular market with 3,585 inbound links. An onion site providing help with hosting onion servers had 279 inbound links. We chose eight sites that in our qualitative expertise we view as top-tier criminal sites with significant barriers to entry and a high level of obscurity. For these eight sites, we measured an average of 8.7 domains with links to them, and the highest inbound link count for one of these sites was 15 — a stark contrast with the link counts for well-known sites.
It is sites like these that are truly dark, and sites like these that have the most value for threat research on the dark web.

Methodology

Tor (“The Onion Router”) is free, open-source software initially developed by the U.S. military and designed for anonymous communication. The network consists of onion domains and connections between them in the form of direct links. For the purposes of our research, we use the term “dark web” exclusively to refer to websites on onion domains. Websites that are able to be reached without these kinds of specific software or network configurations are known as the surface web.

For years, Recorded Future has collected targeted dark web content that is relevant to our clients. For this project, we aimed to collect data from the whole Tor network without regard to whether a site likely contains useful information for threat intelligence data or is just junk. The approach was a web crawler (“spider”) that uses a Tor browser simulator. Our spider has been crawling new onion pages since December 2018. The spider was started on lists of known onions like the Hidden Wiki, as well as onion pages seen in Recorded Future’s existing data holdings.

Estimating the size of the Tor network required two procedures. First, we had to run the spider for enough time to crawl the majority of the onion sites. Second, we had to remove any duplicates from the count.

For the former, we measured the rate of new, live domains found per day. This started out at around 2,000 new domains per day and leveled off about two months later. While we do still find some new domains, the overall rate is small enough that there is a high probability that we have found the vast majority of sites that are reachable from our current set of onion pages. It is possible that there are sites that are not reachable from our starting lists of onion sites, which the crawler will never find. While we cannot rule that out, the breadth of our starting lists gives us confidence that we have found the vast majority of onion sites that exist.

To count domains after data was collected, we removed any duplicates. One of the largest sources of duplication was 5,941 duplicates of the Deep Dot Web onion site. For an unknown reason, there are thousands of variations for the onion domain for this site using different placements of a non-printing character in the URL. The domains vary only by this inclusion of a Unicode character that is not printable. This character, the “soft hyphen,” or “SHY” in Unicode, is not visible in the URL bar when copying and pasting the domain. It also appears to have no effect on the returned site, with the same webpage returned regardless of the SHY character. From a human’s point of view, the modified Tor site URL will be an exact copy and will load the same site, but the non-printing characters are visible when the URL is rendered as raw characters, such as when viewing the raw HTML for the site containing the link.

It is unclear why Deep Dot Web has decided to use such a great number of different spellings of their domain that are all indistinguishable visually. One possible explanation could be that they are trying to prevent others from indexing their site. In 2015, Deep Dot Web reported having to aggressively shut down fake copies of their onion site that had the onion URLs of popular markets replaced by phishing links. We did not attempt to evaluate this strange behavior further, and just removed the duplicate domains from our counts.

We did not attempt to determine how many unique servers were underlying the domains we observed. Given that some hosting services may host thousands of sites, like in the case of Daniel’s hosting service, we estimate that the number of different servers is in the hundreds or low thousands. Additional work would be required to obtain greater certainty.
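The soft-hyphen duplicates described above can be collapsed with a short normalisation pass. The Python below is an added example, not the spider code Recorded Future describes: the hostnames are constructed placeholders, the zero-width code points beyond U+00AD are an assumed extension of the same trick, and the final Hamming-distance check flags single-character lookalikes of the kind the "Thank You" typosquat scam relied on.

```python
"""Deduplicate crawled onion URLs whose hostnames differ only by invisible
code points (such as the soft hyphen, U+00AD) and flag canonical hostnames
that are one character apart. Added example with constructed placeholder
hostnames; it is not the spider code the article describes."""
import unicodedata
from itertools import combinations
from urllib.parse import urlsplit

# Code points that render as nothing in a URL bar. U+00AD is the one the
# crawl observed; the zero-width characters are an assumed extension.
INVISIBLE = frozenset("\u00ad\u200b\u200c\u200d\u2060\ufeff")

def raw_host(url: str) -> str:
    """Hostname exactly as written in the URL (lowercased, port stripped)."""
    if "://" not in url:
        url = "http://" + url  # crawled link lists often omit the scheme
    return urlsplit(url).hostname or ""

def canonical_onion_host(url: str) -> str:
    """Hostname with invisible code points removed, so visually identical
    spellings of one onion domain collapse to a single key."""
    return "".join(ch for ch in raw_host(url) if ch not in INVISIBLE)

def hidden_chars(url: str) -> list[str]:
    """Unicode names of the invisible code points present in the hostname."""
    return [unicodedata.name(ch) for ch in raw_host(url) if ch in INVISIBLE]

def dedupe_onion_domains(urls: list[str]) -> dict[str, set[str]]:
    """Map each canonical hostname to the set of raw spellings seen for it."""
    groups: dict[str, set[str]] = {}
    for url in urls:
        groups.setdefault(canonical_onion_host(url), set()).add(raw_host(url))
    return groups

def near_duplicates(hosts, max_distance: int = 1) -> list[tuple[str, str, int]]:
    """Pairs of equal-length canonical hostnames within max_distance
    substitutions (Hamming distance): typosquat candidates for human review."""
    found = []
    for a, b in combinations(sorted(hosts), 2):
        if len(a) == len(b):
            d = sum(x != y for x, y in zip(a, b))
            if d <= max_distance:
                found.append((a, b, d))
    return found

# Constructed sample: one placeholder domain spelled with a soft hyphen in
# three positions, a plain and a scheme-less copy, and one host that differs
# by a single real character.
SAMPLE_URLS = [
    "http://examplehub2b3c4d.onion/",
    "http://examp\u00adlehub2b3c4d.onion/index.php",
    "http://examplehub\u00ad2b3c4d.onion/",
    "http://examplehub2b3c4\u00add.onion/",
    "examplehub2b3c4d.onion",
    "http://examplehub2b3c4e.onion/",
]

if __name__ == "__main__":
    groups = dedupe_onion_domains(SAMPLE_URLS)
    print(f"{len(SAMPLE_URLS)} URLs -> {len(groups)} unique onion domains")
    for url in SAMPLE_URLS:
        if hidden_chars(url):
            print("hidden code points", hidden_chars(url), "in", ascii(url))
    for a, b, d in near_duplicates(groups):
        print(f"typosquat candidate: {a} vs {b} (distance {d})")
```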
To load onion URLs, we only used browser-default ports 443 and 80. It is possible that a portion of failed URLs will load correctly if requested via different ports. This is another potential future expansion on this work as the spider continues its ongoing scraping. The contents of all live onion pages scraped with the spider are added to the Recorded Future® Platform.

Conclusion

The dark web is many things, but it is not the vast sprawling network of steely-eyed, hardened criminals that some might imagine it to be. Its 8,400 live onion domains are a tiny fraction of the surface web, with only 15% being live out of a mere 55,000 onion sites total. Onion sites are easy prey for attacks and scams like the “Thank You” typosquatting scam. It is more homogeneous, with 86% of onion sites primarily in English. The part of the dark web that does live up to its reputation is the set of top-tier criminal forums. Inbound link analysis of a select set of sites that we view as top-tier confirmed that they do indeed have less visibility, measured by a reduced number of links pointing to them.

If you’re curious for more, with the Recorded Future platform, you can see all of our spidered content yourself and get a deeper sense of what the dark web really is.

Source
  18. What is the Dark Web, What's on it & How to Access it

This is how the Dark Web differs from the Deep Web, and how you can visit websites on the Dark Web using the Tor browser. We also explain why you probably shouldn't do that.

The internet is a much, much bigger place than you probably realise. You know about Facebook, Google, Netflix and Amazon and maybe the millions of other websites that you can access from your usual web browser. But there's more: the Dark Web and the Deep Web loom in much shadier corners. You won't see any of this stuff in the results when you do a Google search, so what exactly can be found on these dangerous-sounding places? Should you even want to visit the Dark Web or the Deep Web? Here's what you need to know.

What is the Dark Web?

The Dark Web refers specifically to websites that exist behind multiple layers of encryption and cannot be found by using traditional search engines or visited by using traditional web browsers. Almost all sites on the so-called Dark Web hide their identity using the Tor encryption tool. You may know Tor for its ability to hide your identity and activity. You can use Tor to spoof your location so it appears you're in a different country to where you're really located, just like when you use a VPN service.

When a website is run through Tor it has much the same effect. Indeed, it multiplies the effect. To visit a site on the Dark Web that is using Tor encryption, you have to use Tor. Just as your IP address is bounced through several layers of encryption to appear to be at another IP address on the Tor network, so is that of the website. Put simply, there's a lot more secrecy than the already secret act of using Tor to visit a website on the open internet - for both parties. Thus, sites on the Dark Web can be visited by anyone, but it is very difficult to work out who is behind the sites. And it can be dangerous if you slip up and your identity is discovered.

You can also read our in-depth guide to using Tor if you want to know more about using the web anonymously and sending messages securely.

What's on the Dark Web?

Not all Dark Web sites use Tor. Some use similar services such as I2P, for example the Silk Road Reloaded. But the principle remains the same. The visitor has to use the same encryption tool as the site and - crucially - know where to find the site, in order to type in the URL and visit.

Infamous examples of Dark Web sites include the Silk Road and its offspring, such as Dream Market. The Silk Road was a website for the buying and selling of recreational drugs, and a lot more scary things besides. But there are also legitimate uses for the Dark Web. People operating within closed, totalitarian societies can use the Dark Web to communicate with the outside world. And given recent revelations about US and UK government snooping on web use, you may feel it is sensible to take your communication on to the Dark Web.

The Dark Web hit the headlines in August 2015 (and many times since) after it was reported that 10GB of data stolen from Ashley Madison, a site designed to enable bored spouses to cheat on their partners, was dumped on to the Dark Web. Hackers stole the data and threatened to upload it to the web if the site did not close down, and they eventually acted on that threat. The spouses of Ashley Madison users received blackmail letters demanding they pay $2500 in Bitcoin or have the infidelity exposed.

In March 2015 the UK government launched a dedicated cybercrime unit to tackle the Dark Web, with a particular focus on cracking down on serious crime rings and child pornography. The National Crime Agency (NCA) and UK intelligence outfit GCHQ are together creating the Joint Operations Cell (JOC).

Dark Web vs Deep Web

Although all of these terms tend to be used interchangeably, they don't refer to exactly the same thing. An element of nuance is required.

The Deep Web refers to all web pages that search engines cannot find. Thus the 'Deep Web' includes the 'Dark Web', but also includes all user databases, webmail pages, registration-required web forums, and pages behind paywalls. There are huge numbers of such pages, and most exist for mundane reasons. For example we have a 'staging' version of this very website that is blocked from being indexed by search engines, so we can check stories before we set them live. Thus for every page publicly available on Tech Advisor (and there are literally millions), there is another on the Deep Web. The content management system into which I am typing this article is on the Deep Web. So that is another page for every page that is on the live site.

Meanwhile our company intranet is hidden from search engines, and requires a password. You can browse to it if you know the URL, but it won't appear in a Google search. Use an online bank account? The password-protected bits are on the Deep Web. And when you consider how many pages just one Gmail account will create, you understand the sheer size of the Deep Web.

This scale is why newspapers and mainstream news outlets regularly trot out scare stories about '90 percent of the internet' consisting of the Dark Web. They are confusing the generally dodgy Dark Web with the much bigger and generally more benign Deep Web.

What is the Dark Internet?

Confusingly, 'Dark Internet' is also a term sometimes used to describe further examples of networks, databases or even websites that cannot be reached over the internet. In this case either for technical reasons, or because the properties contain niche information that few people will want, or in some cases because the data is private. A basic rule of thumb is that while the phrases 'Dark Web' or 'Deep Web' are typically used by tabloid newspapers to refer to dangerous secret online worlds, the 'Dark Internet' is a boring place where scientists store raw data for research.

How to access the Dark Web

Technically, this is not a difficult process. And it is not illegal to browse the Dark Web. You simply need to install and use Tor. Go to www.torproject.org and download the Tor Browser Bundle, which contains all the required tools. Run the downloaded file, choose an extraction location, then open the folder and click Start Tor Browser. That's it. The Vidalia Control Panel will automatically handle the randomised network setup and, when Tor is ready, the browser will open; just close it again to disconnect from the network.

Depending on what you intend to do on the Dark Web, some users recommend placing tape over your laptop's webcam to prevent prying eyes watching you. A tinfoil hat is also an option. If you're reading in the hope of finding out about torrent files, check out our separate guide on how to use torrent sites in the UK.

The difficult thing is knowing where to look on the Dark Web. And since most Dark Web sites are used for illegal purposes I am not going to offer any recommendations. It is at this point I leave you to your own devices and wish you good luck and safe surfing.

A warning before you go any further: once you get into the Dark Web, you *will* be able to access those sites to which the tabloids refer. This means that you could be a click away from sites selling drugs and guns, and - frankly - even worse things. Plus, there's a whole host of malware which can cause havoc to your device and data, so there are certainly risks.

Aggregation sites such as Reddit offer lists of links, as do several Wikis, including http://thehiddenwiki.org/ - a list that offers access to some very bad places. Have a quick look by all means, but please don't take our linking to it as an endorsement. It really isn't. Also, Dark Web sites do go down from time to time, due to their dark nature. But if you want good customer service, stay out of the dark!

And do heed our warning: this article is intended as a guide to what the Dark Web is - not an endorsement or encouragement for you to start engaging in illegal or immoral behaviour.

Source: What is the Dark Web, What's on it & How to Access it (Tech Advisor)