Analytics

6/23/2015
07:00 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Child Exploitation & Assassins For Hire On The Deep Web

'Census report' of the unindexed parts of the Internet unearths everything from Bitcoin-laundering services to assassins for hire.

On the Deep Web, users can anonymously buy U.S. citizenship, accept ransomware payments, have their Bitcoins laundered, and even hire and pay assassins, according to a report from the Trend Micro Forward-Looking Threat Research Team.

Trend Micro global threat communications manager Christopher Budd describes it as a "census report" of the Deep Web, based upon data gathered over the past two years by the company's Deep Web Analyzer. The tool essentially acts like a webcrawler, collecting URLs linked to TOR- and I2P-hidden sites, Freenet resource identifiers, and domains with nonstandard TLDs, and extracting content, links, email addresses, and HTTP headers from them.

Simply put, the "Surface Web" is the part of the Web that is indexed and reachable with search engines, and the "Deep Web" is the part of the Internet that is unindexed. The "Dark Web" is a subset of the Deep Web that can only be accessed with specialized equipment, where connections are made between trusted peers -- including TOR, Freenet, or the Invisible Internet Project.

The Deep Web, says Budd, is like the speakeasies of the 1920s. "You could find what you wanted, but you had to know where to go looking," he says. 

"The Dark Web is kind of Mos Eisley," he says, referring to the land in Star Wars that Obi-Wan Kenobi described by saying 'You will never find a more wretched hive of scum and villainy.'

One of the most gruesome things the researchers came across on the Dark Web: assassins. One assassin group calling itself C'thulhu advertises for a variety of services, including rape, "underage rape," maiming, bombing, crippling, and murder. The group even included a base price sheet ranging from $3,000 for "simple beating" of a "low-rank" target to $300,000 for murdering a high-ranking or political target and making it look like an accident.

More common than murder, though, were cybercrime and child exploitation. Trend Micro identified 8,707 pages they dubbed "suspicious," examined the "Surface Web" sites that those sites linked to, and found that most fell into three main categories: 33.7 percent were disease vector (drive-by download) sites, 31.7 percent were proxy avoidance sites (to help attackers duck around firewalls, for example), and a striking 26 percent were child exploitation sites.

"We haven't really seen a lot of people talking a lot about Deep Web/Dark Web and child exploitation," Budd says. "And I think that is a much more tangible problem" than assassins, for example.

The researchers also found cybercriminals using anonymization tools in novel ways. Attackers are beginning to use TOR for hosting their command-and-control infrastructure, bundling the TOR client with their installation package. The Vawtrak banking Trojan has used it for this purpose.

TorrentLocker, a CryptoLocker variant, uses TOR to host payment sites and accepts payment in Bitcoins. 

This is striking to Budd, because while TOR used to be "the province of experts building their own tools," the fact that ransomware operators are actually getting regular, unsophisticated users onto the Tor network to make payments means that the tools are getting more usable and that the ransomware operators are doing a better job with their documentation and support.

"I think it stands to reason," he says, "we'll see the Deep Web and Dark Web be further integrated into malware operations."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/26/2015 | 1:22:26 PM
Re: Ease of Use
@Dr. T  It's a shame, that great privacy technologies get a bad name because they're being used by criminals. Hopefully enough good guys use encryption to help it resist the same stigma.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/25/2015 | 12:44:36 PM
Re: Ease of Use
I hear you. Using TOR does not mean you break the law. That is not different that doing PGP for your email communication with your friends. It becomes a problem if we use TOR for illegal and unethical purposes.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/25/2015 | 12:42:03 PM
Re: Ease of Use
I agree, ate the same time once you set the TOR up it is not going to be difficult for non-technical people using it I would say.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/25/2015 | 12:40:05 PM
Re: Difficult
I agree. When we start using TOR for unethical and illegal purposes, that will cost us shutting down  the service all together. There are reason whew need to encrypt our communication, it does not have to be about doing something wrong.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/25/2015 | 12:36:07 PM
Deep and Dark web
Obviously people use web anonymously and they want to feel safe while they are trying to hide something from rest. Internet has lots of benefits but it comes with these types of cost such as being a vehicle to do unethical and illegal stuff, which is unfortunate part of it.
Kevin Runners
50%
50%
Kevin Runners,
User Rank: Apprentice
6/25/2015 | 8:41:00 AM
Re: Ease of Use
The terrifying fact is that it's sooo simple to access the Deep Web using Tor... You don't have the feelign to break the law when you go on.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
6/24/2015 | 7:41:42 AM
Ease of Use
For me, that last nugget is the most interesting. TOR and methods similar use to be something that was outside the comprehension of the non-techie. But as stated, if ransomware victims are using it to make payments then its introducing more and more people to the deep web. However, I would have to think that the payment functionality introduced is much more simple than some of the other intricacies involved with TOR, etc.
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
6/24/2015 | 7:03:50 AM
Difficult
The deep web is a difficult thing to quantify existing. It needs to, as it has plenty of uses outside of horrific crimes (legally and morally), but it's hard not to argue for better ways of finding those behind the terrible sites out there. 

The only problem is that weakening Tor would have a big knock on effect on innocents that use it as a way to communicate safely when being watched by tyranical regimes, so it's difficult to know what to do. 
AlexS763
50%
50%
AlexS763,
User Rank: Apprentice
6/23/2015 | 8:09:28 PM
SARA:
THANKS.

ALEX RADEMAKER

MONTEVIDEO

URUGUAY

 

SOUTH AMERICA
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6487
PUBLISHED: 2019-01-18
TP-Link WDR Series devices through firmware v3 (such as TL-WDR5620 V3.0) are affected by command injection (after login) leading to remote code execution, because shell metacharacters can be included in the weather get_weather_observe citycode field.
CVE-2018-20735
PUBLISHED: 2019-01-17
** DISPUTED ** An issue was discovered in BMC PATROL Agent through 11.3.01. It was found that the PatrolCli application can allow for lateral movement and escalation of privilege inside a Windows Active Directory environment. It was found that by default the PatrolCli / PATROL Agent application only...
CVE-2019-0624
PUBLISHED: 2019-01-17
A spoofing vulnerability exists when a Skype for Business 2015 server does not properly sanitize a specially crafted request, aka "Skype for Business 2015 Spoofing Vulnerability." This affects Skype.
CVE-2019-0646
PUBLISHED: 2019-01-17
A Cross-site Scripting (XSS) vulnerability exists when Team Foundation Server does not properly sanitize user provided input, aka "Team Foundation Server Cross-site Scripting Vulnerability." This affects Team.
CVE-2019-0647
PUBLISHED: 2019-01-17
An information disclosure vulnerability exists when Team Foundation Server does not properly handle variables marked as secret, aka "Team Foundation Server Information Disclosure Vulnerability." This affects Team.