Cybercrime in the Deep Web (BHEU 2015)
Cybercrime In The Deep Web
Marco Balduzzi, Vincenzo Ciancaglini
Black Hat Europe 2015
About us

Dr. Vincenzo CIANCAGLINI
◎ M.Sc. in Telecommunication Engineering
◎ Ph.D. in Computer Networking, Peer-to-peer networks and next-generation protocols
◎ 10+ years experience in R&D
◎ Sr. Research Scientist for Trend Micro
◎ Development of novel proof of concepts and complex systems

Dr. Marco BALDUZZI
◎ MSc in Computer Engineering
◎ Ph.D. in System Security with ~15 peer-reviewed papers
◎ 13+ years experience in IT Security -- Consultant, engineer and researcher
◎ Turned my hobby into my profession
◎ Sr. Research Scientist for Trend Micro
◎ Bridge scientific research and industry needs
◎ Veteran speaker in major conferences with 50+ talks
Roadmap
◎ Introduction
◎ Deep Web Analyzer (DeWA)
  ○ Data collection
  ○ Data enrichment
  ○ Storage and indexing
◎ Illegal Trading
◎ Data Analysis
◎ Malware
◎ Conclusions
◎ Deep Web: Internet not indexed by traditional search engines.
◎ Dark Net: Private overlay network.
◎ Dark Web: WWW hosted on Dark Nets.
“The Deep Web is vast. Thousands of times larger than the surface web.”
Alex Winter, Deep Web Documentary, 2015
Our research focus
◎ Infrastructure resilient to LE takedowns
◎ Marketplaces for cybercrime goods
◎ Safe haven for information exchange and coordination

Dark Web
• TOR
• I2P
• Freenet

Custom DNS
• Namecoin
• Emercoin

Rogue TLDs
• Cesidian Root
• OpenNIC
• NewNations
• …
TOR
◎ First alpha in 2002
◎ Initially used to browse the Surface Web anonymously
◎ Hidden services -> effective Dark Web
◎ Onion routing: multihop routing with host key encryption.
I2P
◎ First beta in 2003
◎ Full Dark Net, no anonymous browsing to the Surface Web
◎ Garlic routing: multiple encrypted tunnels, multiple layers of encryption (transport, tunnel, path)
Freenet
◎ Oldest one: summer of 1999 (father of I2P)
◎ Content distribution and discovery, no service hosting
◎ Gossip protocol to look up a resource (i.e. web page)
Namecoins, Emercoins
◎ Blockchain-based domain name server
◎ Think bitcoins, but instead of payment transactions, DNS registrar transactions
◎ Distributed
◎ Decentralised
◎ No regulating institution
Rogue TLDs & Private DNSes
Plain old DNS, but with custom servers
Custom registrars
Custom domains
System Overview
Data Sources
User data
Pastebin sites
Twitter (1% feed)
URL listing sites
TOR gateways
I2P host files
Scouting feedback
Deep Web Gateway
Privoxy + TOR anonymizer
Squid transparent proxy
Polipo + TOR 64 instances
I2P
Freenet
Custom DNS resolver
Namecoin DNS
rogueTLD DNS
Cesidian root
Opennic
NameSpace
…
Page Scouting
Headless browser
HAR Log
Page DOM
Screenshot
Title
Text
Metadata
Raw HTML
Links
Bitcoin Wallets
Headless Browser
◎ Scrapinghub's Splash
◎ QTWebkit browser
◎ Dockerized
◎ LUA scriptable
◎ Full HTTP traces
◎ Crawler based on Python's Scrapy + multiprocess + Splash access
◎ Headers rewrite
◎ Shared queue support
◎ HAR log -> HTTP redirection chain
◎ Extract links, emails, bitcoin wallets
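The "HAR log -> HTTP redirection chain" step, as an added example that is not part of the original slides or of DeWA's own code: it rebuilds the redirect chain of a page load from the `entries` of a HAR log. The HAR fragment and its host names are constructed, and `redirect_chain` is a hypothetical helper name.

```python
import json
from urllib.parse import urljoin

# Constructed HAR fragment (not captured traffic); only the fields used below.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
 {"request": {"url": "http://shortener.example/abc"},
  "response": {"status": 301, "redirectURL": "http://landing.example/in?id=7"}},
 {"request": {"url": "http://landing.example/in?id=7"},
  "response": {"status": 302, "redirectURL": "/final/index.html"}},
 {"request": {"url": "http://landing.example/static/logo.png"},
  "response": {"status": 200, "redirectURL": ""}},
 {"request": {"url": "http://landing.example/final/index.html"},
  "response": {"status": 200, "redirectURL": ""}}
]}}
""")

REDIRECT_CODES = {301, 302, 303, 307, 308}


def redirect_chain(har, start_url):
    """Return [(url, status), ...] from start_url to the last hop reached."""
    # Index responses by request URL; the first response seen for a URL wins.
    by_url = {}
    for entry in har["log"]["entries"]:
        by_url.setdefault(entry["request"]["url"], entry["response"])

    chain, seen, url = [], set(), start_url
    while url in by_url and url not in seen:   # 'seen' stops redirect loops
        seen.add(url)
        resp = by_url[url]
        chain.append((url, resp["status"]))
        target = resp.get("redirectURL") or ""
        if resp["status"] not in REDIRECT_CODES or not target:
            break
        url = urljoin(url, target)             # Location may be relative
    return chain


if __name__ == "__main__":
    start = "http://shortener.example/abc"
    for hop, (url, status) in enumerate(redirect_chain(SAMPLE_HAR, start)):
        print(hop, status, url)
```

Only HTTP 3xx hops appear in `redirectURL`; redirects done by JavaScript or meta refresh have to be recovered from the order of the HAR entries instead.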
Data Enrichment
Embedded links classification (WRS)
• Surface Web links
• Classification and categorisation

Page translation
• Language detection
• Non-English to English

Significant wordcloud
• Semantic clustering
• Custom algorithm
Significant Wordcloud
Page text: Scrape text from HTML, clean up, strip spaces…
Tokenization: Create list of (word, frequency) pairs
Filtering: Keep only substantives
Semantic distance matrix: How “far” are words from one another?
Hierarchical clustering: Group similar words
Cluster label and popularity: Label clusters, sum frequencies
Word cloud: Draw using summed frequencies
Example: Russian Forum
Collected Data
◎ Running since 11/2013 (2 years)
◎ 40.5 M Events
◎ 611,000 URLs
◎ 20,500 domains
Demo time!
Guns
Drugs! Drugs! Drugs!
Passports and Fake IDs
Counterfeit Money
Credit Cards
◎ Higher balance = higher price
Paypal & Ebay Stolen Accounts
Doxing
Assassins
Crowdfunding evil
Protocols (no HTTP/S)
◎ By publicly sourced URLs
172
17
7
Active Portscan
IRC IRCS SSH
49 31 855
#freeanons 15 [+Cnt] This channel is created to support arrested Anons and act with solidarity in Anons. No MoneyFags, No Famefags, No PowerManiacs, No LeaderFags! Another Anons was arrested in France: http://www.ladepeche.fr/article/2015/10/10/2194982-enquete-de-la-dgsi-sur-du-piratage-informatique.html
* - We are based on anarchistic control so nobody haz power certainly not power over the servers or
* - domains who ever says that this or that person haz power here, are trolls and mostly agents of factions
* - that haz butthurt about the concept or praxis where the CyberGuerrilla Anonymous Nexus stands for.
Languages per domain
Languages per domain (2)
French forum: Weapon sale
http://wyzn2fvcztadictl.onion:80/viewtopic.php?pid=16452
Pages Embedding Suspicious Links
Email Identification
bankofamerica@mail2tor
Exilio forum 1/2
http://ogatl57cbva6tncg.onion:80/index.php?t=msg&th=833&goto=4445&#msg_4445
Exilio forum 2/2
Automated Bitcoin Identification
1200+ bitcoin wallets found in our data (not counting the obfuscated ones)
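Automated identification of plain (non-obfuscated) wallet addresses in scouted page text, as an added example that is not taken from the slides or from DeWA's code: a regular expression proposes candidates and a Base58Check checksum test discards look-alike strings. The sample text is constructed; the one valid address in it is the publicly known genesis-block address, used as a test vector, and the function names are hypothetical.

```python
import hashlib
import re

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Candidate legacy addresses: leading 1 (P2PKH) or 3 (P2SH), 26-35 Base58
# characters, not embedded in a longer alphanumeric token.
CANDIDATE = re.compile(
    r"(?<![A-Za-z0-9])[13][1-9A-HJ-NP-Za-km-z]{25,34}(?![A-Za-z0-9])")

# Constructed page text: one valid address (twice), one typo, one look-alike.
SAMPLE_PAGE = (
    "Send payment to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 48h. "
    "Mirror: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa "
    "Old (mistyped): 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb "
    "Order ref: 1234567891234567891234567891234"
)


def base58check_ok(addr):
    """True if addr decodes to version byte + 20-byte hash + valid checksum."""
    n = 0
    for ch in addr:
        digit = B58.find(ch)
        if digit < 0:
            return False
        n = n * 58 + digit
    pad = len(addr) - len(addr.lstrip("1"))   # each leading '1' is a 0x00 byte
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or raw[0] not in (0x00, 0x05):
        return False
    # Checksum = first 4 bytes of SHA-256(SHA-256(version + hash)).
    digest = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()
    return digest[:4] == raw[21:]


def extract_wallets(text):
    """Unique checksum-valid addresses, in order of first appearance."""
    found = []
    for match in CANDIDATE.finditer(text):
        addr = match.group(0)
        if addr not in found and base58check_ok(addr):
            found.append(addr)
    return found


if __name__ == "__main__":
    print(extract_wallets(SAMPLE_PAGE))
```

Addresses that a page splits, encodes or renders as an image are not matched, which corresponds to the "obfuscated ones" the slide leaves out of its count.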
Bitcoin Tumblers
http://tumbly5lisxnjozd.onion:80/
Bitcoin Multiplier 1/2
http://tfsux6hiihj7qvxh.onion:80/
Bitcoin Multiplier 2/2
Malware: Its adoption in the Deep Web
◎ Modern malware is network-dependent
  ○ @ infection-time: Exploit kits
  ○ @ propagation-time: 2nd stage malware
  ○ @ operational-time: C&C servers
◎ Goals:
  ○ Make botnets resilient against LEA operations, e.g. takedowns
  ○ Conceal payment pages
  ○ Untraceable money transfers
◎ Additional readings:
  ○ Brown in Defcon 18
  ○ Hunting Down Malware on the Deep Web (infosec institute)
SkyNet
◎ Malware with DDoS, bitcoin mining and banking capabilities (©G-Data/Rapid7)
◎ ZeuS bot
◎ Bitcoin mining tool (CGMiner)
◎ GPU libraries for hash cracking
◎ TOR client for Windows
◎ Use /gate.php as landing page to store the harvested credentials
◎ Path monitoring ….
SkyNet: Dynamic TOR-based C&Cs
Dyre Banking Trojan
◎ BHO that MiTMs online-banking pages at browser-level
◎ Back-connects from victim to attacker (kind-of reverse-shell approach)
◎ DGA generation of C&C domains on Clearnet
◎ Use I2P as backup option (:80/443)
◎ nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p (already known to SecureWorks on 17 December 2014)
◎ oguws7cr5xvl5jlrhyxjktcdi2d7k5cqeulu4mdl75xxfwmhgnsq.b32.i2p
◎ 4nhgyzrn2p2gejk57wveao5kxa7b3nhtc4saoonjpsy65mapycaua.b32.i2p
Dyre’s Infection Evolution
Vawtrak Banking Trojan
◎ Spreads via phishing emails
◎ C&C servers (IPs) are retrieved by downloading the ‘favicon.ico’ icon-file from websites hosted on the TOR network
◎ IPs are steganographically hidden
Vawtrak Banking Trojan (cont.)
◎ Runs ‘openresty/1.7.2.1’ as web-server
◎ Return code on ‘favicon.ico’ is 403 Forbidden
◎ `ws=‘openresty/1.7.2.1’ && ∃(‘favicon.ico’) && retcode=403` returns a list of 23:
Vawtrak Banking Trojan (cont.)
Ransomware in the Deep Web
◎ Ransomware seems to love the Deep Web
◎ It provides a hidden and robust “framework” for cashouts and illicit money transfers
TorrentLocker
◎ A variant of cryptolocker
◎ Payment page hosted in the Deep Web
◎ Cashout via Bitcoins
TorrentLocker (cont.)
◎ Malware generates unique IDs
◎ wzaxcyqroduouk5n.onion/axdf84v.php/user_code=qz1n2i&user_pass=9019
◎ wzaxcyqroduouk5n.onion/o2xd3x.php/user_code=8llak0&user_pass=6775
◎ Tracking on specific query string’s parameters
◎ path=’/[a-z0-9]{6}.php/user_code=[a-z0-9]{6}&user_pass=[0-9]{4}’
Breakdown by victims and country
NionSpy
◎ Steals confidential information like keystrokes, passwords and private documents
◎ Records video and audio, suitable for espionage programs
◎ Detection Feature:
  ○ Popularity in the number of values associated to parameters (in the query string)
Automated Detection
NionSpy: GET’s query string analysis
◎ xu experienced a quick surge in popularity: 1700+ values
◎ si.php?xu=%e0%ee%a8%e5%f2%e9%e5%e4%f2[...]
  ○ URL-encoded binary blob representing the leaked data
◎ si.php?xd={“f155”:“MACHINE_IP”, “f4336”:“MACHINE_NAME”,“f7035”:“5.9.1.1”,“f1121”:“windows”,“f2015”:“1”}
  ○ Reports a new infection
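The three URL-level detection features from the Vawtrak, TorrentLocker and NionSpy slides, as an added example that is not the authors' code: the slide's server/favicon/status filter, the TorrentLocker path pattern (with the dot escaped), and a count of distinct values per query-string parameter. The record layout (URL, Server header, status code), all hosts and IDs, and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed scouting records: (url, Server header, HTTP status).
RECORDS = [
    ("http://aaaaaaaaaaaaaaaa.onion/k3x9qa.php/user_code=ab12cd&user_pass=1234", "nginx", 200),
    ("http://aaaaaaaaaaaaaaaa.onion/k3x9qa.php/user_code=zz90yy&user_pass=0042", "nginx", 200),
    ("http://bbbbbbbbbbbbbbbb.onion/favicon.ico", "openresty/1.7.2.1", 403),
    ("http://cccccccccccccccc.onion/favicon.ico", "openresty/1.7.2.1", 200),
    ("http://dddddddddddddddd.onion/si.php?xu=%e0%ee%a8", "Apache", 200),
    ("http://dddddddddddddddd.onion/si.php?xu=%e5%f2%e9", "Apache", 200),
    ("http://dddddddddddddddd.onion/si.php?xu=%e5%e4%f2", "Apache", 200),
    ("http://dddddddddddddddd.onion/index.php?page=1", "Apache", 200),
]

# The slide's path pattern; the victim ID (user_code) is captured.
TL_PATH = re.compile(
    r"/[a-z0-9]{6}\.php/user_code=([a-z0-9]{6})&user_pass=[0-9]{4}")


def vawtrak_like_hosts(records):
    """Hosts matching ws='openresty/1.7.2.1' && favicon.ico && retcode=403."""
    return sorted({urlsplit(url).hostname for url, server, status in records
                   if server == "openresty/1.7.2.1"
                   and urlsplit(url).path == "/favicon.ico"
                   and status == 403})


def torrentlocker_victims(records):
    """Map host -> set of user_code IDs seen on matching payment paths."""
    victims = defaultdict(set)
    for url, _server, _status in records:
        parts = urlsplit(url)
        match = TL_PATH.fullmatch(parts.path)
        if match:
            victims[parts.hostname].add(match.group(1))
    return dict(victims)


def popular_parameters(records, min_values):
    """(host, path, parameter) -> distinct value count, if >= min_values."""
    values = defaultdict(set)
    for url, _server, _status in records:
        parts = urlsplit(url)
        # latin-1 keeps every %xx byte distinct; utf-8 with errors='replace'
        # can collapse different binary blobs into the same string.
        for name, value in parse_qsl(parts.query, keep_blank_values=True,
                                     encoding="latin-1"):
            values[(parts.hostname, parts.path, name)].add(value)
    return {key: len(v) for key, v in values.items() if len(v) >= min_values}


if __name__ == "__main__":
    print(vawtrak_like_hosts(RECORDS))
    print(torrentlocker_victims(RECORDS))
    print(popular_parameters(RECORDS, min_values=3))
```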
NionSpy: New victims and leakages
◎ Blue (xd): # of new victims / day
◎ Green (xu): amount of leaked information (bytes)
Black Hat Sound Bytes
◎ We built a system for data collection and analysis in the Deep Web.
◎ We used it to quickly identify cybercriminal activities, such as trading of illegal goods, underground marketplaces, scams and malware infrastructures.
◎ We run it operationally and automatically to detect new threats.
Thanks! Q&A time...
Marco Balduzzi -- @embyte
Vincenzo Ciancaglini -- @ziovic