Dark Web Markets...Dark Web Threats with Chuck Easttom Dark Web Realities February 7, 2017 the Derry...

Dark Web Threats with Chuck Easttom www.ChuckEasttom.com Dark Web Markets HOW TO ADDRESS THE DARK WEB THREATS


Page 1: Dark Web Markets...Dark Web Threats with Chuck Easttom Dark Web Realities February 7, 2017 the Derry Journal reports 6 people hospitalized in the last 10 days from drugs purchased

Dark Web Threats with Chuck Easttom www.ChuckEasttom.com

Dark Web Markets

HOW TO ADDRESS THE DARK WEB THREATS

Page 2:

About the Speaker

23 books (2 more in progress)

Over 40 industry certifications

2 Masters degrees

D.Sc. in Cybersecurity in progress

13 Computer science related patents

Over 25 years experience, over 15 years teaching/training

Helped create CompTIA Security+, Linux+, Server+. Helped revise CEH v8

Created ECES, created OSFCE

Frequent consultant/expert witness

Frequent speaker/presenter including: Defcon, Hakon India, Hakon Africa, SecureWorld, ISC2 Security Congress, AAFS, IAFSL, etc.

Conducts security related training internationally

www.chuckeasttom.com

Page 3:

Tor Networks

TOR, https://www.torproject.org/, is an anonymous network of proxy servers. One can use the TOR network to send any sort of network traffic, including emails. This makes tracing the traffic back to its source extremely difficult.

Page 4:

Accessing a website via TOR

[Diagram: Users Machine, Proxy #1, Proxy #2, Proxy #3, Proxy #4, Target Server (Onion site, IP address ???)]

Each proxy just sends the packet on and only knows the last and next hop.

The path can change each route.

The target server only knows the last hop the packet came from.

The user only knows the first proxy in the chain.

Page 5:

What does this mean

Searching from my home in Texas, it appears I am in Romania

Page 6:

How they work

Page 7:

Search the dark web

https://hss3uro2hsxfogfq.onion.to/ is a good general dark web search engine

Page 8:

Torch

http://xmh57jrzrnw6insl.onion/

Page 9:

What’s for sale?

U.S. Bank Account Information Sold on Dark Web Market Place https://verafin.com/2016/08/u-s-bank-account-information-sold-dark-web-marketplace/

April 6, 2017 Tax information for sale on the Dark Web https://www.bloomberg.com/news/articles/2017-04-06/your-tax-refund-is-selling-cheap-on-the-dark-web

April 24, 2017 Health Care Records for sale on the Dark Web http://www.csoonline.com/article/3189869/data-breach/healthcare-records-for-sale-on-dark-web.html

Page 10:

Search the dark web

http://msydqstlz2kzerdg.onion/ is a good general dark web search engine

Page 11:

Dream Market Search for Chase Bank

Page 12:

Accounts for sale 9/18/2017

Page 13:

Tor Site #3

Page 14:

Tor Site #3 – some products as of 10 Feb 2017

Page 15:

Traderroute (9/17/2017)

Page 16:

Traderroute (9/17/2017)

Page 17:

WallStreet (9/18/2017)

Page 18:

WallStreet (9/18/2017)

Page 19:

EuroGuns (9/18/2017)

Page 20:

Valhalla (Finnish) (9/12/2017)

Page 21:

The Blue Moon Group

Page 22:

Some sites have been removed

Page 23:

Dark Web Realities

February 7, 2017 the Derry Journal reports 6 people hospitalized in the last 10 days from drugs purchased on the dark web.

February 3, 2017 a man in Seattle admits to selling heroin over the dark web.

February 4, 2017 reports emerge that some dark web markets are paying bug bounties.

January 31, 2017, reports emerge of dark web markets paying employees for insider information on their organizations.

February 7, 2017, ISIS is recruiting via the dark web.

February 8, 2017, Boko Haram is fund raising via the dark web.

Page 24:

Law Enforcement Techniques

Watering Holes

Deanonymizing

Fake Reviews

Monitoring

Page 25:

Watering Holes

Basically a site to attract the targets of choice.

Watering Holes were used in the Playpen case. The FBI agents monitored a bulletin board hidden service launched in August 2014, named Playpen. Playpen was a hidden service used in the dark web for “the advertisement and distribution of child pornography.” In just one year it reached over 200,000 users, with over 117,000 total posts mainly containing child pornography content. The FBI agents were able to discover nearly 1300 IP addresses belonging to the visitors.

Servers with contraband images were used to spread a tool for deanonymizing Tor users.

Page 26:

NIT

Network Investigative Technique used to deanonymize suspects using TOR.

“The NIT was a Flash based application that was developed by H.D. Moore and was released as part of Metasploit. The NIT, or more formally, Metasploit Decloaking Engine was designed to provide the real IP address of web users, regardless of proxy settings.” NIT was used in the Playpen case.

IP address through the TCP connection, operating system, CPU architecture and session identification. The researchers were able to determine that if a TOR browser accessing the FBI controlled website had proper up-to-date controls configured, the NIT would not be able to reveal the true IP address of the users.

Page 27:

Fake Reviews

Panos Makopoulos and Dmietri Xefteris from the University of Cyprus and Chrysanthos Dellarocas of Boston University wrote a paper advocating law enforcement using fake reviews of Dark Web drug markets to lower traffic.

http://www.fox.temple.edu/conferences/cist/papers/Sesson%201A/CIST_2015_1A_2.pdf

Page 28:

Monitoring

Jason Koebler of Motherboard recommended Law Enforcement and Intel consider the following:

Mapping the hidden services directory

Looking at web connections to non standard domains.

Social Media monitoring

Snapshot hidden services

Marketplace profiling

http://motherboard.vice.com/read/six-ways-law-enforcement-monitors-the-dark-web
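The "web connections to non standard domains" item, seen from a network defender's side, as an added example that is not part of the presentation: Python that flags lookups of `.onion` names and of gateway hostnames in the `<label>.onion.to` form shown on the search slide. The log format, the addresses in the sample, and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Onion labels are base32 (a-z, 2-7): 16 characters for the v2-style
# addresses on these slides, 56 for v3 addresses.
ONION_LABEL = re.compile(r"[a-z2-7]{16}|[a-z2-7]{56}")

# Constructed sample, assumed format: "<timestamp> <client_ip> <hostname>".
SAMPLE_LOG = """\
2017-09-18T10:01:12Z 10.0.4.21 www.example.com
2017-09-18T10:01:15Z 10.0.4.21 abcdefghij234567.onion
2017-09-18T10:02:40Z 10.0.7.9 abcdefghij234567.onion.to
2017-09-18T10:03:02Z 10.0.7.9 onion.example.com
2017-09-18T10:03:30Z 10.0.7.9 redonion.example.net
malformed line
2017-09-18T10:05:00Z 10.0.4.21 WWW.ABCDEFGHIJ234567.ONION.
"""


def classify(hostname):
    """Return 'onion-tld', 'onion-gateway', or None for ordinary names."""
    labels = hostname.lower().rstrip(".").split(".")
    # A .onion name in DNS or proxy logs usually means a lookup was made
    # outside a Tor client (misconfigured software or a followed link).
    if labels[-1] == "onion":
        return "onion-tld"
    # Gateway form: <onion label>.onion.<public suffix>. Requiring a valid
    # base32 label directly before "onion" avoids ordinary-site matches.
    for i in range(1, len(labels) - 1):
        if labels[i] == "onion" and ONION_LABEL.fullmatch(labels[i - 1]):
            return "onion-gateway"
    return None


def scan(log_text):
    """Group flagged lookups by client IP: {ip: [(timestamp, host, kind)]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed format
        timestamp, client, host = parts
        kind = classify(host)
        if kind:
            hits[client].append((timestamp, host, kind))
    return dict(hits)


if __name__ == "__main__":
    for client, events in scan(SAMPLE_LOG).items():
        for timestamp, host, kind in events:
            print(f"{client} {timestamp} {kind} {host}")
```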

Page 29:

Scanning Dark Web Sites

http://ichidanv34wrx7m7.onion/search?query=SSH

Page 30:

Other Tor Link Lists

linkzbg4nwodgic.onion just basic link lists

jdpskjmg5kk4urv.onion Dark Web Links

Note: some of these reference each other.

The following are search engines for the Dark Web

anon4jmy3fozlv6.onion

xmh57jzmw6insl.onion The Torch Search Engine

Page 31:

OnionDir

OnionDir - http://dirnxxdraygbifgc.onion

Page 32:

Other Tor Link Lists

The Hub - http://thehub7dnl5nmcz5.onion

Bugged Planet - http://6sgjmi53igmg7fm7.onion

Doxbin - http://npieqpvpjhrmdchg.onion

Torchan - http://zw3crggtadila2sg.onion

Grams - http://grams7enufi7jmdl.onion

Tor Search - http://kbhpodhnfxl3clb4.onion

Tor Find - http://ndj6p3asftxboa7j.onion

Page 33:

Setup a TOR identity

Setup a TOR based email

http://365u4txyqfy72nul.onion/ - Anonymous E-mail service

http://torbox3uiot6wchz.onion/ - [TorBox] The Tor Mail Box

http://notestjxctkwbk6z.onion/ - NoteBin - Create encrypted self-destructing notes

Post in some forums

http://2gxxzwnj52jutais.onion/phpbb/index.php - Onion Forum 2.0 renewed

http://npdaaf3s3f2xrmlo.onion/ - Twitter clone

http://hbjw7wjeoltskhol.onion – social network: File sharing, messaging and much more. Use a fake email to register

Page 34:

Dark Web Search Map

Setup parameters

Create identity

Locate and profile 6 to 12 markets you like

Search engines

At least 2 you have identified you prefer

Search markets

At least 4 or 5

Identify specific items

Verify/profile the seller

Page 35:

Dark Web General Guidelines

Safe Searching

Build your identity

Profile Markets – keep dossier

Profile Sellers – keep dossier

Page 36:

Building the perfect identity – Basic Identity

Get Email

Post in Forums

Interact

Page 37:

Building the perfect identity – Intermediate Steps

Build your own website - make it a collection of links to articles, search engines, etc.

Buy a few low end items. Accounts from your client, innocuous documents, etc.

Give reviews to sellers, positive reviews

Page 38:

Building the perfect identity – Advanced Steps

Have a second (or multiple) identities, sell a few items to yourself. Give yourself good reviews (but not too good)

The perfect identity has

Forum posts

Responds to emails

Makes appropriate commentaries

Has bought and/or sold

Page 39:

Further Reading

Global law enforcement strikes deep into 'Dark Web' http://www.alternet.org/progressive-wire/global-law-enforcement-strikes-deep-dark-web-0

The Ultimate Guide To The Dark Web for Law Enforcement Professionals http://blog.mcafeeinstitute.com/the-ultimate-guide-to-the-deep-web-for-law-enforcement-professionals/

Operation Onymous https://www.swansea.ac.uk/media/GDPO%20SA%20Onymous.pdf

Dark Web News https://darkwebnews.com

The rise and challenge of the Dark Web markets https://www.swansea.ac.uk/media/The%20Rise%20and%20Challenge%20of%20Dark%20Net%20Drug%20Markets.pdf

Dark Web- The Smart Persons Guide http://www.techrepublic.com/article/dark-web-the-smart-persons-guide/

Page 40:

Further Reading

Evans and Grothoff of the University presented "Deanonymizing Tor" at Defcon 16. https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-evans-grothoff.pdf

Motherboard published an article in 2015, "Tor Attack Could Unmask New Hidden Sites in Under Two Weeks" https://motherboard.vice.com/en_us/article/tor-attack-could-unmask-new-hidden-sites-in-under-two-weeks

The Inside Story of Tor, the Best Internet Anonymity Tool the Government Ever Built https://www.bloomberg.com/news/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency