HUMINT: Diving Deep into the Dark Web

Explore how cyber criminals operate in Dark Web forums: the services they buy and sell, their motivations, and even how they scam each other.

Clear Web vs. Deep Web vs. Dark Web

Cyber threat analysts divide the internet into three layers:

  • Clear Web – Everything indexed by public search engines: news sites, blogs, and ordinary web pages.
  • Deep Web – Sites and forums that search engines do not index: webmail, online banking, corporate intranets, walled gardens, and so on. Some hacker forums live here and require credentials to enter.
  • Dark Web – Resources that require specific software to reach. They are hidden and exclusive, and include Telegram groups and invite-only forums. The Dark Web is where Tor onion services, P2P networks, hacker forums, criminal marketplaces and the like operate.

As Etay Maor, Senior Director of Security Strategy at Cato Networks, puts it: “There has been a shift in criminal communication and operations, transitioning from the peak of the iceberg to its lower tiers. The lower levels offer more protection.”

In Focus: What is Tor?

Tor is a free, open-source overlay network for anonymous communication. Although it was originally developed by the United States Naval Research Laboratory, it has become an increasingly popular tool for illicit activity.

Carrying out these activities on the Clear Web exposes the perpetrator to law-enforcement monitoring and tracing. Over Tor, the client instead wraps its traffic in three layers of encryption, one for each relay in the circuit (guard, middle, exit); each relay strips its own layer and learns only the previous and the next hop. Anyone monitoring the destination, or watching the Tor network from outside, sees the exit relay's IP address rather than the perpetrator's, which makes attribution difficult. The exit relay, however, sees the traffic in whatever form the client sent it, so anything not protected end to end (for example by TLS) is readable there; connections to onion services never leave the network and have no exit relay at all.

Tor communication diagram:
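To make the layering concrete, here is an added example (not part of the original article and not Tor's own code) that simulates a three-hop circuit. The stream cipher is a deliberate toy built from SHA-256 in counter mode, the relay names, keys and addresses are constructed for the demonstration, and real Tor derives per-hop keys with a Diffie-Hellman handshake and uses AES-CTR inside TLS links. What the example shows is the property the paragraph describes: each relay can peel exactly one layer, learns only its neighbours, and only the exit ever sees the request and the destination.

```python
import hashlib
import json
import secrets


# Toy stream cipher (SHA-256 in counter mode XORed with the data). It exists
# only so the layers are visible; it offers no integrity protection, unlike
# real Tor relay cells, and must not be used for anything real.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    stream = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, stream))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    stream = _keystream(key, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, stream))


def build_onion(path, destination: str, payload: bytes) -> bytes:
    """Client side. path is an ordered list of (relay_name, shared_key) with the
    exit relay last. Each layer tells exactly one relay where to forward the
    remaining blob; the blob itself stays opaque to that relay."""
    layer = {"next": destination, "data": payload.hex()}
    cell = encrypt(path[-1][1], json.dumps(layer).encode())
    for i in range(len(path) - 2, -1, -1):          # wrap outwards toward the guard
        layer = {"next": path[i + 1][0], "data": cell.hex()}
        cell = encrypt(path[i][1], json.dumps(layer).encode())
    return cell


def peel(key: bytes, cell: bytes):
    """Relay side: strip one layer and learn only the next hop."""
    layer = json.loads(decrypt(key, cell))
    return layer["next"], bytes.fromhex(layer["data"])


def run_circuit(path, cell: bytes, client_addr: str):
    """Simulate forwarding through the circuit and record what each relay can
    see: the hop it received from and the hop it forwards to."""
    view = {}
    prev = client_addr
    for name, key in path:
        nxt, cell = peel(key, cell)
        view[name] = {"from": prev, "to": nxt}
        prev = name
    return view, cell          # cell is now the plaintext request the exit delivers


def demo():
    # Constructed keys, relay names and addresses for the example.
    path = [("guard", b"G" * 32), ("middle", b"M" * 32), ("exit", b"E" * 32)]
    request = b"GET / HTTP/1.1\r\nHost: example.org\r\n\r\n"
    cell = build_onion(path, "example.org:80", request)
    return run_circuit(path, cell, "client 203.0.113.10")


if __name__ == "__main__":
    view, delivered = demo()
    for relay, hops in view.items():
        print(f"{relay:7s} sees {hops['from']} -> {hops['to']}")
    print("exit delivers:", delivered)
```

Note that the exit relay's view contains the destination and the full request but no trace of the client address, while the guard knows the client but only the next relay. That is exactly why an observer at the destination logs the exit's IP, and also why the request is readable at the exit unless the client protects it end to end.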

Etay Maor elaborates: “During the 2000s, a convergence of digital capabilities enhanced criminal endeavors. First, the Dark Web emerged. Then came hidden and secure services through Tor. Finally, cryptocurrency facilitated secure transactions.”

Illicit Services Available on the Dark Web

Below are a few examples of services that were once available on the Dark Web. Many of them have since been taken down, and criminals are instead moving to the Telegram messaging platform because of its privacy and security features.

Examples include:

Illegal drug sales:

Fake ID services:

A platform for finding vendors, with a warning about scams:

How Criminal Forums Work: Establishing Trust in an Untrustworthy Environment

Threat actors look to exploit weaknesses and break into networks for financial gain. Like any business ecosystem, they use web forums to buy and sell hacking services. Yet these platforms must create trust among participants even though the whole enterprise is illegal.

Originally, such forums were typically structured as follows:

  1. Administrator – Runs the forum
  2. Escrow – Holds funds between buyer and seller until the transaction completes
  3. Arbitrator – Settles disputes over payment and quality of service
  4. Support – Various forms of help for members
  5. Moderators – Oversee specific topics or sub-forums
  6. Verified Vendors – Sellers vouched for by others, as opposed to scam vendors
  7. Regular Members – Ordinary participants. Joining required vetting to keep out scammers, law enforcement, and other unwanted or risky members.

From Malware Infection to Corporate Data Breach on the Dark Web

The stages of a cyber attack as they appear on the Dark Web, using infostealer malware feeding a ransomware operation as the example:

Pre-incident phases:

1. Collection – Criminals run large, global infostealer malware campaigns and harvest logs of stolen account credentials and device details from infected machines.

2. Supply – Criminals upload the data to Dark Web markets that specialize in trading account credentials and device profiles obtained from malware infections.

3. Fresh stock – The harvested logs are listed for sale on those markets. A log typically costs anywhere from a few dollars to $20.

Incident phases:

4. Purchase – An initial access broker buys the logs and uses them to get into the network and expand access. The logs often contain more than credentials: session cookies, device fingerprints and so on. Replaying a valid session cookie lets the attacker appear to be the victim's already-authenticated browser, so Multi-Factor Authentication (MFA) is never challenged, which makes the intrusion much harder to detect.

5. Auction – The access is auctioned on a Dark Web forum and bought by a capable threat group.

According to Etay Maor, “Bidding may involve a competitive process or a ‘Flash’ sale, enabling immediate purchase without competition. Major threat factions, particularly those backed by nation-states or large criminal syndicates, may opt for this route to invest in their ventures.”

6. Extortion – The group carries out the attack, deploys ransomware inside the organization and demands a ransom.

The chain illustrates the division of labour in the criminal ecosystem: each stage is a separate specialism. A defense that puts operational threat intelligence to use at each of these stages can therefore warn of, and potentially prevent, the next incident.
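Stage 4 is the one a defender can see in their own telemetry: a session cookie that was minted after an MFA login on the victim's machine suddenly appears from an address and browser the victim never used. The following is an added example, not code from the article or from Cato Networks, of that detection run over a constructed JSON-lines access log. The field names (`session`, `ip`, `ua`, `event`) and the sample events are assumptions made for the example; the fingerprint used here (source /24 plus user agent) is deliberately simple and a real deployment would key on ASN, TLS or device fingerprints instead.

```python
import json

# Constructed access log for the example (not real data). One JSON object per line.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:02:11Z","event":"mfa_success","user":"alice","session":"s-4f1a","ip":"203.0.113.10","ua":"Chrome/122 Windows"}
{"ts":"2024-03-04T08:05:40Z","event":"request","user":"alice","session":"s-4f1a","ip":"203.0.113.10","ua":"Chrome/122 Windows","path":"/mail"}
{"ts":"2024-03-04T08:10:02Z","event":"mfa_success","user":"bob","session":"s-9c02","ip":"198.51.100.5","ua":"Firefox/123 macOS"}
{"ts":"2024-03-04T09:31:17Z","event":"request","user":"alice","session":"s-4f1a","ip":"198.51.100.77","ua":"Chrome/121 Linux","path":"/admin/export"}
{"ts":"2024-03-04T09:40:00Z","event":"request","user":"bob","session":"s-9c02","ip":"198.51.100.5","ua":"Firefox/123 macOS","path":"/mail"}
"""


def parse(log_text: str) -> list:
    """Parse JSON-lines access log into a list of event dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def fingerprint(ev: dict) -> tuple:
    """Coarse client fingerprint: source /24 plus user agent. Chosen for the
    example; ASN or TLS fingerprint would give fewer false positives."""
    net = ev["ip"].rsplit(".", 1)[0]
    return (net, ev["ua"])


def detect_cookie_replay(events: list) -> list:
    """Bind each session to the fingerprint seen at its MFA login, then flag any
    later request that presents the same session cookie from a different
    fingerprint. That is the signature of a stolen cookie being replayed:
    the attacker never logs in, so MFA is never challenged."""
    bound = {}      # session id -> (fingerprint at MFA login, user)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            bound[sid] = (fingerprint(ev), ev["user"])
        elif ev["event"] == "request" and sid in bound:
            login_fp, user = bound[sid]
            if fingerprint(ev) != login_fp:
                alerts.append({
                    "ts": ev["ts"],
                    "user": user,
                    "session": sid,
                    "ip": ev["ip"],
                    "ua": ev["ua"],
                    "path": ev.get("path"),
                    "bound_to": login_fp,
                    "reason": "session cookie replayed from a client other than the one that passed MFA",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_cookie_replay(parse(SAMPLE_LOG)):
        print(json.dumps(alert))
```

On the sample log the only hit is Alice's session `s-4f1a` reappearing from 198.51.100.77 with a different browser and going straight for `/admin/export`. Mobile users whose address changes mid-session will trip a /24-based fingerprint, so in practice the response to a hit is to invalidate the session and force re-authentication rather than to block outright; also note that a cookie lifted from an infostealer log can predate your log window, so a session that is never seen logging in at all is a second, weaker signal worth its own rule.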

The Importance of HUMINT

Automated tools are essential for fighting cyber crime, but a full understanding of this world also requires human intelligence (HUMINT). This means cyber crime investigators who take part in forums undercover, posing as buyers or sellers. Engagement is a skill in its own right, and the intelligence it produces must be ART: Actionable, Reliable and Timely.

Here are some examples of forum posts monitored by cyber crime investigators, and how they respond.

In this example, a criminal is advertising VPN credentials:

The investigator will try to engage the seller and identify which VPN vendor or customer the credentials belong to.

In another case, a criminal is offering Citrix access to a UK-based IT infrastructure solutions and services provider.

An investigator might pose as a prospective buyer and ask for samples. Since the seller is financially motivated and may be in financial difficulty (many come from former Soviet countries), they may be willing to hand over samples as a form of marketing.

Defending Against Network Attacks

The Dark Web works as an economy, with buyers, sellers, supply and demand. Effective defense against network attacks therefore needs a layered strategy that covers every phase of the attack, both before and during the incident. That strategy combines automated tools with HUMINT: the craft of engaging with cyber criminals online, using their own tradecraft, to gather intelligence.

For more examples and a deeper look at HUMINT and Dark Web forums, watch the full masterclass.

This article is a contributed piece from one of our partners.
