6/23/2015
07:00 PM

Child Exploitation & Assassins For Hire On The Deep Web

'Census report' of the unindexed parts of the Internet unearths everything from Bitcoin-laundering services to assassins for hire.

On the Deep Web, users can anonymously buy U.S. citizenship, accept ransomware payments, have their Bitcoins laundered, and even hire and pay assassins, according to a report from the Trend Micro Forward-Looking Threat Research Team.

Trend Micro global threat communications manager Christopher Budd describes it as a "census report" of the Deep Web, based upon data gathered over the past two years by the company's Deep Web Analyzer. The tool essentially acts like a webcrawler, collecting URLs linked to TOR- and I2P-hidden sites, Freenet resource identifiers, and domains with nonstandard TLDs, and extracting content, links, email addresses, and HTTP headers from them.

Simply put, the "Surface Web" is the part of the Web that is indexed and reachable with search engines, and the "Deep Web" is the part of the Internet that is unindexed. The "Dark Web" is a subset of the Deep Web that can only be accessed with specialized equipment, where connections are made between trusted peers -- including TOR, Freenet, or the Invisible Internet Project.

The Deep Web, says Budd, is like the speakeasies of the 1920s. "You could find what you wanted, but you had to know where to go looking," he says. 

"The Dark Web is kind of Mos Eisley," he says, referring to the land in Star Wars that Obi-Wan Kenobi described by saying 'You will never find a more wretched hive of scum and villainy.'

One of the most gruesome things the researchers came across on the Dark Web: assassins. One assassin group calling itself C'thulhu advertises a variety of services, including rape, "underage rape," maiming, bombing, crippling, and murder. The group even included a base price sheet ranging from $3,000 for "simple beating" of a "low-rank" target to $300,000 for murdering a high-ranking or political target and making it look like an accident.

More common than murder, though, were cybercrime and child exploitation. Trend Micro identified 8,707 pages they dubbed "suspicious," examined the "Surface Web" sites that those sites linked to, and found that most fell into three main categories: 33.7 percent were disease vector (drive-by download) sites, 31.7 percent were proxy avoidance sites (to help attackers duck around firewalls, for example), and a striking 26 percent were child exploitation sites.

"We haven't really seen a lot of people talking a lot about Deep Web/Dark Web and child exploitation," Budd says. "And I think that is a much more tangible problem" than assassins, for example.

The researchers also found cybercriminals using anonymization tools in novel ways. Attackers are beginning to use TOR for hosting their command-and-control infrastructure, bundling the TOR client with their installation package. The Vawtrak banking Trojan has used it for this purpose.

TorrentLocker, a CryptoLocker variant, uses TOR to host payment sites and accepts payment in Bitcoins. 

This is striking to Budd, because while TOR used to be "the province of experts building their own tools," the fact that ransomware operators are actually getting regular, unsophisticated users onto the Tor network to make payments means that the tools are getting more usable and that the ransomware operators are doing a better job with their documentation and support.

"I think it stands to reason," he says, "we'll see the Deep Web and Dark Web be further integrated into malware operations."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Sara Peters,
User Rank: Author
6/26/2015 | 1:22:26 PM
Re: Ease of Use
@Dr. T It's a shame that great privacy technologies get a bad name because they're being used by criminals. Hopefully enough good guys use encryption to help it resist the same stigma.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:44:36 PM
Re: Ease of Use
I hear you. Using TOR does not mean you break the law. That is not different than doing PGP for your email communication with your friends. It becomes a problem if we use TOR for illegal and unethical purposes.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:42:03 PM
Re: Ease of Use
I agree, at the same time once you set the TOR up it is not going to be difficult for non-technical people using it I would say.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:40:05 PM
Re: Difficult
I agree. When we start using TOR for unethical and illegal purposes, that will cost us shutting down the service altogether. There are reasons why we need to encrypt our communication, it does not have to be about doing something wrong.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:36:07 PM
Deep and Dark web
Obviously people use the web anonymously and they want to feel safe while they are trying to hide something from the rest. The Internet has lots of benefits but it comes with these types of costs, such as being a vehicle to do unethical and illegal stuff, which is the unfortunate part of it.
Kevin Runners,
User Rank: Apprentice
6/25/2015 | 8:41:00 AM
Re: Ease of Use
The terrifying fact is that it's sooo simple to access the Deep Web using Tor... You don't have the feeling to break the law when you go on.
RyanSepe,
User Rank: Ninja
6/24/2015 | 7:41:42 AM
Ease of Use
For me, that last nugget is the most interesting. TOR and methods similar used to be something that was outside the comprehension of the non-techie. But as stated, if ransomware victims are using it to make payments then it's introducing more and more people to the deep web. However, I would have to think that the payment functionality introduced is much more simple than some of the other intricacies involved with TOR, etc.
Whoopty,
User Rank: Ninja
6/24/2015 | 7:03:50 AM
Difficult
The deep web is a difficult thing to quantify existing. It needs to, as it has plenty of uses outside of horrific crimes (legally and morally), but it's hard not to argue for better ways of finding those behind the terrible sites out there. 

The only problem is that weakening Tor would have a big knock-on effect on innocents that use it as a way to communicate safely when being watched by tyrannical regimes, so it's difficult to know what to do.
AlexS763,
User Rank: Apprentice
6/23/2015 | 8:09:28 PM
SARA:
THANKS.

ALEX RADEMAKER
MONTEVIDEO
URUGUAY
SOUTH AMERICA