A
Abstract digital forensics model 199
Actionable intelligence 223
Adverts 115–116
Agora Forum 31–32
Agora Market 31–32
Akamai 247
Alexa’s interface 155
AlphaBay 27–30, 32–34, 38, 40, 44, 140, 141, 233, 235, 236, 253
Alpha release 228
Amazon 30, 103, 163, 173, 189, 230, 231
Amazon Elastic MapReduce 173
American Internal Revenue Service 212
Anonymous 49–50
Anti-forensics analysis 203
Antivirus (AV) vendors 14
Apache Flink 171
Apache Flume 171, 173, 174
Apache Hadoop 169
Apache Hive 171
Apple Market 30
Application Programming Interfaces (APIs) 15, 171
Arbor threat map 246, 247
ARPANET network 123–127, 135
Artificial intelligence (AI) technology 164, 177
Assassinations 20, 36
Atlantis black market 32
ATLAS 246
ATM malware 38
ATM PIN pad skimmers and malware 110
Australian cybercrime online report 6
Australian Cyber Security Centre (ACSC) report 10
B
Backdoor, Trojans 70–71
Bad apple attack 58–59
BadRabbit malware 104
BEC see Business email compromise (BEC)
Behavioral malware detection 89–90
Bing_LinkedIn_cache 215
Bitcoins 26, 137–138, 184, 242
ATMs 188
BTC-e 191–192
fraud 42
laundering, arrests of 41, 190, 191
logo 185
mixers 189, 236
property exchanges 189–190
Blockchain technology 41
Blue Sky marketplace 32
Bot Herders 117–118
Botnets 12, 39–40, 78, 238
Browser vulnerabilities 59
BTC-e 191–192
Business email compromise (BEC) 96–97
C
Cabin Cr3w 196
Caravan marketplace 32
Cash-out strategy 78–79, 85
C&C servers see Command and Control (C&C) servers
Charlie Hebdo attack 112
Chat rooms 220
Checkpoint threat map 245
Child pornography 21–22, 38, 108–109
Cloud-based malware detection 91–92
Cloudflare 57, 58
Cloud network 15–16
Cloud Nine 41
Code injection attacks (CIA) 4
Command and Control (C&C) servers 246
Communication channels, for terrorists 35
Communication services 61
Compact network topology 15
Computer crimes 5, 96
Computer security see Cybersecurity
Confidentiality, integrity and availability (CIA) 4
Content analyzing techniques 147–148
surface vs. deep web 148–149
surfacing deep web content 150–151
traditional web crawlers mechanism 149–150
Counterfeit currency, dark net 110–111
Crime patterns
hacking-as-a-service 238–239
ivory/rhino horn trade 241–242
money laundering through cryptocurrencies 235–236
preferred cryptocurrency 242
sale listings, increased malware for 239–240
stolen data listings sale 240–241
terrorism, on dark web 237–238
Crime threats 18–23
Cryptocurrencies 119, 184–186, 242, see also Bitcoins
fraud 52
laundering schemes 190–192
Monero 190
and money laundering 186–188, 235–236
Crypto market 184–186
Crysis ransomware 11
CTA see Cumulative timeline analysis (CTA)
Cuckoo Sandbox 88
Cumulative timeline analysis (CTA) 18
Customer data mining 252
Cyberattacks 95
Cyberbullying 58
Cybercrime 5–6
categorization of 13
cybersecurity vs., 6
Cybercrime activities 95
business email compromise 96–97
computer fraud 96
data breach 97–98
data exfiltration 111–113
email account compromise 100
Locky 104
malware 100–101
malware-as-a-service 116–118
monetization of 113–116
money laundering 118–119
phishing 101–103
ransomware 103–104
through dark net 108–111
Cybercrime-as-a-service 207–208
Cybercriminals 13, 78, 227
Cyber extortion 106–107
Cyber patrols 251–253
Cybersecurity 4–5, 12
vs. cybercrime 6
experts in 194, 197, 207
risks and pitfalls in 10
tools for 227
Cyberspace 4, 106
malware in 14–16
threats in 12
Cyberterrorism 105–106
Cyberwarfare 107–108
D
Dark net 9, 131–132, 135
cybercrime activities through 108–111
ISIS website on 139
Darknet Heroes League 32
Dark net trade disruptions 253–255
Dark web 8
Dark web crime, implication of 9–12
Dark web threat intelligence 212
DARPA see Defense Advanced Research Projects Agency (DARPA)
Data breach 97–98
Data dumps, on dark net 111, 112, 163, 202, 240
Data exfiltration 111–113
Data gathering 206
DDoS see Distributed denial-of-service (DDoS)
DEA see Drug Enforcement Administration (DEA)
Deep web 8, 9, 128, 130–131
information retrieval process 143–144
levels of 7
surfacing 143
Deep web sites analysis
content type 154
log analysis 155–158
overlap analysis 152–153
popularity of 155
search engines 151–152
size of 153–154
Defense Advanced Research Projects Agency (DARPA) 108, 248
Denial-of-service (DoS) attacks 69, 99–100, 106, 107, 133, 206, 237
DFRWS see Digital Forensics Framework (DFRWS)
Digital forensic models 197–201
Digital Forensics Framework (DFRWS) 198–199
Distributed denial-of-service (DDoS) 12, 33, 39–40, 71, 72, 99, 100, 207, 208, 237, 238, 246
Domain Name System (DNS) 40, 126, 127
DoS attacks see Denial-of-service (DoS) attacks
Dread Pirate Roberts 26, 192, 193, 196
Dream market 28–29, 234
Driving licenses 37
Drug Enforcement Administration (DEA) 192
Drugs 34
in dark net 108
transactions of 21
Dyn 99
Dynamic/behavioral malware analysis 86–88
DynDNS 39–40
E
Eavesdropping 54–55
E-commerce services 61
Email account compromise 100
Email-based malware 15
Emails 133–134
Email service 61–62
Email worms 69–70
Enterprise networks 14
Enterprise resource planning (ERP) software 212
ERP software see Enterprise resource planning (ERP) software
EternalBlue 117
Evidence
acquisition 195–196
assessment 194–195
examination 196–197
Evolution, of dark web 228
continuity 232–235
security, privacy and usability 228–230
trust-based markets 231–232
user interface design, improvements in 230–231
Exit node block 57–58
Exit scam 42
Exploit kits
on dark net 111
surfaced on Russian markets 113
Exploit malware 71
Exploit writers 116–117
Extortion 113–114
F
Facebook 22, 64, 135
Fake documents, on dark net 110
Fake identity 37
Fake websites 111
Federal Bureau of Investigation (FBI) 22, 32, 34, 183, 193, 212, 228, 233, 249
Fight Club 31
File storage services 62
Financial data 210–211
Financially motivated attacks 15
Financial malware schemes 77, 79, 82
Financial services 62
Fingerprinting malware detection 88–89
FireEye threat map 246
Firefox browsers 230
Forensic investigation
evidence collection 192
scope for 193–197
toolkits 201–203
Forensics 182–184
Forensic toolkit (FTK) 201–203
Fortinet 244–245
FoxAcid 59–60
Fraud, on dark net 36–37
Freedom Hosting 59
Free Haven 62
Freenet 136, 228, 230
G
Galactic network 122–123
Global network 126
Google Dorks 217–220, 222
Google hacking 130, 222
commands for 218, 219
to find open source intelligence 219–220
Government level, of cybercrime 13
Graph-matching technique 86
Greek mythology 232
H
Hacking 35
Google hacking 130, 218–220, 222
of government websites 105
groups of 49
tools and services 25
Hacking-as-a-service 209, 238–239
Hadoop 172, 175
Hadoop Distributed File System (HDFS) 170, 173, 174
Hansa 28, 140, 142, 233, 253
HavenCo 136
HDFS see Hadoop Distributed File System (HDFS)
HDP see Hortonworks Data Platform (HDP)
Heuristics-based malware detection 89, 90
Hidden services
mapping of 252
monitoring of 252–253
High Quality Euro Bills (HQEB) 34
Hive QL 170, 171
Hortonworks Data Platform (HDP) 173
Human trafficking 19–20, 108–109
Hybrid Analysis 88
Hydra 232
Hypertext Transfer Protocol (HTTP) 122
I
Illegal Wildlife Trade 38
Individual level, of cybercrime 13
Information technology (IT) 3
Insecure interface 15
Instagram 64
Instant messaging (IM)
Integrated digital investigation process 200–201
Intellectual property 210–211
Internal Revenue Service (IRS) 102
International Telecommunications Union (ITU) 4
Internet 3, 121, 122
deep web information retrieval process 143–144
emails 133–134
hidden web evolution 135–143
hosting 134–135
internet relay chat 132–133
origins of 122–126
Usenet 133, 134
World Wide Web 128–132
Internet of Things (IoT) 40, 100
Internet relay chat (IRC) 132–133
Interpol 5, 38, 241
Invisible/hidden web 7
IoT see Internet of Things (IoT)
IRC see Internet relay chat (IRC)
IRS see Internal Revenue Service (IRS)
Islamic State of Iraq (ISIS) 22, 43
IT security see Cybersecurity
ITU see International Telecommunications Union (ITU)
Ivory horn trade 241–242
J
Jaql 171
JavaScript code 228, 229
K
Kali Linux 214
Kaspersky threat map 243–244
Key Hitches 12
Know Your Customer (KYC) laws 188
L
LinkedIn 64
Locky malware 11, 104
Log analysis 155–158, 161–162
analyzing files 173–175
policy guidelines for 164–166
tools 169–172
Login details, theft of 116
L33TER 31
M
Machine learning 177
Mac Operating System (Mac OS) 229
Malicious activities, in dark web 14–16
Maltego 214
Malware 11, 67–68
analysis of 85–86
dynamic/behavioral 86–88
static 86, 87
classification of
Trojans 70–75
viruses 68–69
worms 69–70
criminal business model of 77
cash-out strategy 78–79
infrastructure and target selection 78
source code setup and infection 77
value chains 79–85
cybercrime activities 100–101
in cyberspace 14–16
defense against 18
detection techniques
behavioral 89–90
cloud-based 91–92
heuristics-based 89, 90
signature-based/fingerprinting 88–89
dynamic analysis 17–18
purpose of 75–76
for sale 38–39
static analysis 16–17
taxonomy of 14
Malware-as-a-service 116–118
Malwarebytes 228
Malware writers 118
Man-in-the-middle attack, on untargeted victims 79–81
MAPI see Messaging Application Programming Interface (MAPI)
MapReduce 170, 171, 175
Marketplace profiling 253
Memex 248–249, 252
Messaging Application Programming Interface (MAPI) 70
Mirai botnet 238
Mobile malware attacks 15
Monero 190, 242
Monetization, of cybercrime activities 113–116
Money laundering 118–119
cryptocurrencies and 186–188
through cryptocurrencies 235–236
Money muling elaboration 83
MS Outlook services 70
MushBud 31
N
Name Node 174
National Security Agency (NSA) 35, 64–65, 139, 183
National Vulnerability Database 210
NATO see North Atlantic Treaty Organization (NATO)
Natural language processing (NLP) 176
NCP see Network Control Protocol (NCP)
Netflow analysis 155–157
Network Control Protocol (NCP) 124, 125
Network investigative technique (NIT) 249
Net worm 70
News archives 62–63
NIT see Network investigative technique (NIT)
NLP see Natural language processing (NLP)
Non-prior knowledge-based methods 143–144
Normal routing method 51
Norse threat map 244
North Atlantic Treaty Organization (NATO) 106
NotPetya ransomware 104
NSA see National Security Agency (NSA)
O
Onion routing 51–52
Open source intelligence 205–206
dark web threat intelligence 212–213
data gathering
chat rooms 220
from dark web 222–224
direct conversations 221
market listings 221–222
gathering focus 209–212
Google Dorks 217–220
Maltego 214
Recon-Ng 214–215
security intelligence 206–207
companies 208–209
cybercrime-as-a-service 207–208
rising Return on Investment 208
Shodan 216–218
theHarvester 215–216
Open Systems Interconnection (OSI) model 48
Operating systems 69
Operation Onymous 254, 255
“Operation Torpedo” 249
Outlaw Market 33
Overlap analysis 152–153
P
PayPal 27, 102, 103, 115, 212
Peer-to-peer network 62
Personally identifiable information (PII) 211
PETYA ransomware 11
Phishing 101–103, 111, 114–115, 211
Pig Latin 170–171
PII see Personally identifiable information (PII)
Pirate Bay 62
Pornography industry 20
P2P worm 70
Prior knowledge-based methods 143–144
Property level, of cybercrime 13
Proxy server 51
Public Key Cryptography 52
Public web 8
Purse.io 189, 190
Q
Q-32 computer 123, 124
R
RAMP see Russian Anonymous Marketplace (RAMP)
Ransomware 10–11, 103–104
RATs see Remote Access Trojans (RATs)
RealDeal Market 33
Recon-Ng 214–215
Relay network 56
Remote access tool value chain 81–83
Remote Access Trojans (RATs) 15
Republican National Committee (RNC) 97
Return on Investment (ROI) 208
Rhino horn trade 241–242
RNC see Republican National Committee (RNC)
Rogue nodes 228
Rootkit virus 69, 71
Russian Anonymous Marketplace (RAMP) 33–34
Rust code 229
S
Sale listings, increased malware for 239–240
SAMSAM ransomware 11
Sandbox detection 203
Scareware 12
Script kiddies 239
Search engines 63–64, 203, 222
Sex trade 108–109
Sex trafficking 19–20
Shadow Brokers 240
Sheep Marketplace 33
Shodan 216–218, 222
Signature-based malware detection 88–89
Silk Road 26, 27, 36, 139, 234, 235, 250, 253
Simple Mail Transfer Protocol (SMTP) 70, 122
SMS attacks 116
SMTP see Simple Mail Transfer Protocol (SMTP)
Social media 13, 64
Social network (SN) attacks 12
Social sites, monitoring of 252
SQL–MapReduce functions 175
SSL see Transport Layer Security (TLS) Protocol
State-of-the-art mitigating techniques 247–248
cyber patrols 251–253
dark net trade disruptions 253–255
informants 249–250
Memex 248–249
network investigative technique 249
postal interception 250–251
undercover operations and tracking 250
Static malware analysis 86, 87
Stoned 100, 30
Stuxnet 105, 107, 210
Surface web 3, 9, 128–130
Surfacing deep web content 150–151
SurfWatch 208
T
Telegram platform 43
Teradata Aster 174
Terrorism 42–43, 237–238
Text analytics 175–177
theHarvester 215–216
The Onion Router (Tor) network 8, 47–49, 142, 157, 228–230, 234, 248
bad apple attack 58–59
browser 60
interface 230, 231
vulnerabilities 59
deep web and 60–61
eavesdropping 54–55
exit node block 57–58
FoxAcid 59–60
hidden services 61–64
protect user privacy 48
traffic analysis 55–57
usage 49–50
users of 64–65
website fingerprinting 54
working pattern of 51–53
Threat landscape
black markets
Agora Market and Forum 31–32
AlphaBay 27–28
Atlantis 32
Dream Market 28–29
drugs 30
Fight Club 31
Hansa 28
Outlaw Market 33
QualityKing 30–31
Russian Anonymous Marketplace 33–34
Silk Road 26
weapons 35
criminal activities 25–26
Threat mapping 242–243
Akamai 247
Arbor Networks 246, 247
Checkpoint 245
Kaspersky 243–244
Norse 244
Trend Micro 246
TLS Protocol see Transport Layer Security (TLS) Protocol
Tor hidden service protocol 60
Tor network see The Onion Router (Tor) network
Tor project 51, 229
Tor relay 48, 52, 53
Traditional web crawlers mechanism 149–150
Traffic analysis 55–57
Transmission Control Protocol/Internet Protocol (TCP/IP) 125, 126
Transport Layer Security (TLS) Protocol 48, 49
Trend Micro 246
Trojan-Banker 72
Trojan-Clicker 72
Trojan Horses 11
Trojans 70–76
ArcBomb 71–72
downloader 72–73
Dropper, FakeAV and IM platforms 73
malicious tools 75
proxy 73–74
ransoms and SMSs 74
spy 75
Trust-based markets 231–232
Trusted environments 223
Twitter 64
TX-2 computer 123
U
Ubiquiti Networks 96, 97
UK guns and ammo 34
Ulbricht, Ross 27, 36, 139, 140, 193–196, 215, 250
Unique Resource Locators (URLs) 60, 126, 135, 149, 150
Unstructured data
analysis of 163, 170
extracting information from 175–177
Up-to-date antivirus programs 88
USA/EU Fake Documents Store 34
USB adaptors 39
Usenet 133, 134
User interface (UI) 59
User interface design, improvements in 230–231
User profiling 229
US law enforcement agencies 22
V
Value chains, of malware business 79–81
Vigilante hacker 140, 141
Virtualization 15–16
Virtual machine (VM) 15, 203
Viruses 68–69
VMRay 88
W
WannaCry ransomware 11, 88, 104, 203, 209, 240
WeaponsGuy 183, 253
Weapons, on dark net 109–110
cybercriminal activities 109
illegal goods and services 35
Web content analysis 161–163
benefits of 163–165
responsibility for maintenance of 168
risk assessment 166–167
risk mitigation 167–168
Web hosts 134–135
Website fingerprinting 54
Websites
Internal Revenue Service 115
ISIS, on dark net 139
Whistle-blowing sites 63
WikiLeaks 41, 49, 63, 98, 228
World Wide Web (WWW) 3, 7, 122, 126–127, 148
dark net 131–132
deep web 130–131
surface web characteristics 129–130
visible and deep 128
Worms 11, 69–70
Y
Yahoo 97, 129, 208, 221–222
YARN 173
YouTube 22
Z
Zombies 12, 13, 237–238