HUMINT: Diving Deep into the Dark Web

Uncover how cybercriminals behave in Dark Web forums: the services they buy and sell, what motivates them, and how they scam one another.

Surface Web vs. Deep Web vs. Dark Web

Security researchers commonly divide the web into three layers:

  • Surface Web – Content reachable through standard search engines: news sites, blogs, and other openly available pages and websites.
  • Deep Web – Sites and forums that search engines do not index, such as webmail, online banking, corporate intranets and other closed networks. Many hacker communities live in the Deep Web and require credentials to enter.
  • Dark Web – Sites and services that require specific software (for example the Tor Browser) to reach. They are hidden and exclusive by design; closed Telegram groups and invitation-only forums belong here too. The Dark Web includes Tor hidden services, P2P networks, hacker communities, illegal marketplaces and more.

According to Etay Maor, Lead Security Strategist at Cato Networks, “There has been an evolution in how criminals communicate and conduct their transactions, transitioning from the summit to the base of the iceberg. The base provides added security.”

In Focus: What is Tor?

Tor is a free, open-source network for anonymous communication. Originally developed by the United States Naval Research Laboratory, it has since become popular as a tool for illicit dealings.

Conducting such business on the Surface Web exposes the offender to law enforcement surveillance and, potentially, identification. Over Tor, the client encrypts each message in three layers, one per relay in the circuit; each relay strips its own layer and forwards the rest, so no single relay sees both the sender and the destination. An agency monitoring Tor traffic can trace a connection back only to the exit relay, not to the offender's own IP address, which makes attribution much harder.
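
The layering described above, as an added example that is not code from this page or from the Tor project: a toy onion-routing simulation in Python. The relay names, per-hop keys, client address and destination are all constructed, the HMAC-based stream cipher stands in for Tor's AES-CTR, and the keys are pre-shared rather than negotiated with Tor's circuit-build handshake. What it shows is what each relay, or anyone watching its links, can learn: the guard sees the client but only the next relay, the exit sees the destination and payload but only the previous relay, and a relay's key opens only its own layer.

```python
import hashlib
import hmac
import json
import os

# Constructed circuit: three relays, each with a pre-shared key. Real Tor
# derives per-hop keys with a handshake when the circuit is built; this is a toy.
CIRCUIT = [
    ("guard", hashlib.sha256(b"constructed guard key").digest()),
    ("middle", hashlib.sha256(b"constructed middle key").digest()),
    ("exit", hashlib.sha256(b"constructed exit key").digest()),
]
NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || counter) blocks.
    Symmetric, so one function both encrypts and decrypts. Tor itself uses AES-CTR."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_layer(key: bytes, layer: dict) -> bytes:
    """Encrypt one onion layer under a single hop's key; the nonce is prepended."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, json.dumps(layer).encode())


def peel_layer(key: bytes, onion: bytes) -> dict:
    """Strip the outermost layer. A wrong key yields junk and raises ValueError."""
    nonce, body = onion[:NONCE_LEN], onion[NONCE_LEN:]
    layer = json.loads(keystream_xor(key, nonce, body))
    if not isinstance(layer, dict) or "next" not in layer or "inner" not in layer:
        raise ValueError("not an onion layer")
    return layer


def build_onion(circuit, destination: str, payload: str) -> bytes:
    """Client side. The innermost layer (exit key) names the real destination and
    carries the payload; every outer layer names only the next relay in the path."""
    onion = wrap_layer(circuit[-1][1], {"next": destination, "inner": payload})
    for i in range(len(circuit) - 2, -1, -1):
        onion = wrap_layer(circuit[i][1], {"next": circuit[i + 1][0], "inner": onion.hex()})
    return onion


def relay_can_read(key: bytes, onion: bytes) -> bool:
    """True if a relay holding `key` can strip the outermost layer of `onion`."""
    try:
        peel_layer(key, onion)
        return True
    except ValueError:
        return False


def route(circuit, onion: bytes, client_ip: str):
    """Forward the onion hop by hop. Returns (per-relay views, payload delivered by
    the exit). A view is everything that relay, or an observer on its links, learns."""
    views, previous = [], client_ip
    for i, (name, key) in enumerate(circuit):
        layer = peel_layer(key, onion)
        is_exit = i == len(circuit) - 1
        views.append({"relay": name, "from": previous, "to": layer["next"],
                      "payload": layer["inner"] if is_exit else None})
        if is_exit:
            return views, layer["inner"]
        previous, onion = name, bytes.fromhex(layer["inner"])
    raise ValueError("empty circuit")


if __name__ == "__main__":
    onion = build_onion(CIRCUIT, "example.org:443", "GET / HTTP/1.1")
    views, delivered = route(CIRCUIT, onion, "198.51.100.7")  # constructed client IP
    for view in views:
        print(view)
    print("delivered by exit:", delivered)
    print("middle key on the outermost layer:", relay_can_read(CIRCUIT[1][1], onion))
```

Run it and compare the three views: only the guard's view contains the client address, only the exit's view contains the destination and payload, and the middle relay's view holds nothing but two relay names. An observer at the destination sees the exit relay, which is the dead end the paragraph above describes.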

(Figure: Tor communication design)

Etay Maor adds, “In the 2000s, a conjunction of digital capabilities propelled criminal endeavors. Initially, the Dark Web appeared, followed by concealed and secure amenities through Tor. Subsequently, cryptocurrency enabled secure transactions.”

Illegal Services Available on the Dark Web

The following are examples of services that were available on the Dark Web. Many of them have since been taken down, and criminals are moving to the Telegram messaging platform because of its privacy and security features.

For example:

(Screenshot: a drug-sales listing)

(Screenshot: a fake-identity service)

(Screenshot: a vendor-search platform, with a warning about phishing attempts)

How Are Criminal Forums Run? Building Trust in an Untrusted Environment

Cybercriminals aim to exploit security gaps and breach systems to make money. Like any other business community, they use web forums to trade hacking services. Those forums must therefore establish trust between participants, even though everything on them is built on illegal activity.

Such forums were traditionally organized along these lines:

  1. Administrator – Runs the forum
  2. Escrow – Holds the buyer's payment and facilitates transactions between members
  3. Blacklist – An arbitrator for settling disputes over payments and service quality
  4. Forum Support – Various kinds of help to encourage community participation
  5. Moderators – Leads of the individual discussion areas
  6. Verified Vendors – Sellers vouched for by others, as opposed to unverified vendors, who are frequently scammers
  7. Regular Forum Members – The community itself. Before being admitted, members are vetted to screen out scammers, law enforcement, and other irrelevant or risky individuals.

From Malware Infection to Corporate Data Breach on the Dark Web

Let's walk through how the stages of an attack play out on the Dark Web, using the example of infostealer malware whose stolen data ends up feeding a ransomware operation:

Pre-incident stages:

1. Data Collection – Threat actors run worldwide infostealer malware campaigns and harvest logs of compromised credentials and device fingerprints.

2. Data Brokers – Threat actors sell that data to Dark Web marketplaces that specialize in credentials and device fingerprints harvested from malware-infected machines.

3. New Supply – The acquired logs are listed for sale on the Dark Web marketplace. A log typically costs anywhere from a few dollars to $20.

Incident stages:

4. Purchase – An initial access broker buys the logs and uses them to get into the network and escalate access. The purchased data often contains more than passwords: session cookies, device fingerprints and similar artefacts let the attacker impersonate the victim's browser and bypass controls such as MFA, which makes the intrusion harder to detect.

5. Auction – The access is auctioned on a Dark Web forum and bought by a capable threat group.

Etay Maor highlights, “Auctions can be conducted as a contest or as a ‘Flash’, indicating a criminal can acquire instantly without competition. Serious threat groups, particularly if they are sponsored by nation states or are substantial criminal syndicates, can leverage this option to invest in their operations.”

6. Extortion – The group carries out the attack, deploying ransomware in the organization and demanding payment.

This path shows how specialized the criminal ecosystem is. Applying threat intelligence at each of these layers, rather than only at the last one, can therefore give early warning of an intrusion and potentially prevent future incidents.
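
Stage 4 is where a defender has the best chance of breaking the chain, because a replayed cookie reaches the application with no fresh login and no MFA prompt, from a machine that is not the one the session was issued to. The detection logic below is an added example, not code from this page or from Cato Networks. It runs over a constructed JSON-lines authentication log (the field names, users, session ids and addresses are all assumed) and flags a session cookie that turns up with a new device fingerprint or country after login, while ignoring plain IP changes, which are normal for mobile and roaming users. The attacker's line deliberately reuses the victim's user agent, since the stolen log contains it, so a rule keyed on user agent alone would miss it.

```python
import json
from dataclasses import dataclass

# Constructed JSON-lines auth log (not real data). "device" is a browser/device
# fingerprint the application binds to the session at login. The 09:30 line is
# the replay: the attacker kept the victim's user agent but is on another device
# in another country, and there is no new login or MFA event for that session.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:00:00Z","event":"login","user":"alice","session":"s-111","ip":"203.0.113.10","country":"GB","ua":"Chrome/124 (Windows)","device":"fp-a1","mfa":true}
{"ts":"2024-05-01T08:05:00Z","event":"request","user":"alice","session":"s-111","ip":"203.0.113.10","country":"GB","ua":"Chrome/124 (Windows)","device":"fp-a1","path":"/mail"}
{"ts":"2024-05-01T09:30:00Z","event":"request","user":"alice","session":"s-111","ip":"198.51.100.200","country":"NL","ua":"Chrome/124 (Windows)","device":"fp-z9","path":"/admin"}
{"ts":"2024-05-01T09:31:00Z","event":"request","user":"bob","session":"s-222","ip":"198.51.100.201","country":"NL","ua":"Firefox/125 (Linux)","device":"fp-q2","path":"/vpn"}
{"ts":"2024-05-01T10:00:00Z","event":"login","user":"carol","session":"s-333","ip":"192.0.2.44","country":"GB","ua":"Safari/17 (iPhone)","device":"fp-c3","mfa":true}
{"ts":"2024-05-01T10:20:00Z","event":"request","user":"carol","session":"s-333","ip":"192.0.2.99","country":"GB","ua":"Safari/17 (iPhone)","device":"fp-c3","path":"/mail"}
"""

# Attributes bound to a session at login. IP is deliberately excluded: it changes
# legitimately (mobile, VPN roaming); a new device fingerprint or country on an
# existing cookie is the signature of a replayed session.
STRONG = ("device", "country")
WEAK = ("ua",)


@dataclass
class Alert:
    ts: str
    severity: str
    user: str
    session: str
    reason: str


def parse_log(text: str) -> list:
    """One JSON object per line, sorted by timestamp (ISO-8601 sorts lexically)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def detect_session_replay(events: list) -> list:
    """Stateful pass: remember each session's attributes at login, then compare
    every later request against them. Returns one Alert per offending request."""
    baseline = {}  # session id -> attributes captured at login
    alerts = []
    for e in events:
        sid = e["session"]
        if e["event"] == "login":
            baseline[sid] = {k: e[k] for k in STRONG + WEAK}
            baseline[sid]["mfa"] = bool(e.get("mfa", False))
            continue
        seen = baseline.get(sid)
        if seen is None:
            # No login on record for this cookie: a log gap, or a cookie minted
            # elsewhere and replayed here. Record it so later requests are compared.
            alerts.append(Alert(e["ts"], "medium", e["user"], sid,
                                "session used without an observed login"))
            baseline[sid] = {**{k: e[k] for k in STRONG + WEAK}, "mfa": False}
            continue
        strong = [k for k in STRONG if e[k] != seen[k]]
        weak = [k for k in WEAK if e[k] != seen[k]]
        if strong:
            mfa_note = "MFA passed at login, replay inherits it" if seen["mfa"] else "no MFA on session"
            alerts.append(Alert(e["ts"], "high", e["user"], sid,
                                f"session reused with new {', '.join(strong)} ({mfa_note})"))
        elif weak:
            alerts.append(Alert(e["ts"], "low", e["user"], sid,
                                f"{', '.join(weak)} changed within session"))
    return alerts


def analyze(text: str) -> list:
    return detect_session_replay(parse_log(text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.ts} {alert.severity:6} {alert.user:6} {alert.session} {alert.reason}")
```

On the sample log this raises a high-severity alert for alice's session at 09:30 and a medium one for bob's never-logged-in session; carol's IP change on the same phone produces nothing. In production the session value should be keyed on a hash of the cookie rather than the cookie itself, and the country field should come from the same geolocation and ASN enrichment the SOC already trusts.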

Role of HUMINT

Automated tools are essential in fighting cybercrime, but fully understanding this world requires human intelligence (HUMINT): cybercrime analysts and law enforcement officers who take part in the forums and pose as buyers or sellers. Engaging with criminals is an art, and the intelligence it produces must also be actionable, reliable and timely.

Let's look at a few examples of forum posts monitored by cybercrime analysts and how they respond.

Here an attacker is offering VPN credentials for sale:

(Screenshot: forum post selling VPN credentials)

The analyst will try to engage the seller and find out which VPN, and which customer, is involved.

In another case, a seller is offering Citrix access to an IT solutions and services provider in the UK:

(Screenshot: forum post selling Citrix access)

An analyst may pose as a prospective buyer and ask for samples; because the seller is financially motivated and possibly based in an ex-Soviet country, they may be willing to share samples for promotional purposes.

Defending Against Network Attacks

The Dark Web works as an economy, with buyers, sellers, supply and demand. Effective defense against network attacks therefore needs a multi-layered strategy covering each phase of the attack, before the incident and during it. That strategy combines automated tools with HUMINT, the art of engaging cybercriminals online to gather intelligence by adopting their own methods.

To see more examples and dig deeper into HUMINT and Dark Web forums, watch the full masterclass here.

This article was contributed by one of our partners.
