
6/23/2015
07:00 PM

Child Exploitation & Assassins For Hire On The Deep Web

'Census report' of the unindexed parts of the Internet unearths everything from Bitcoin-laundering services to assassins for hire.

On the Deep Web, users can anonymously buy U.S. citizenship, accept ransomware payments, have their Bitcoins laundered, and even hire and pay assassins, according to a report from the Trend Micro Forward-Looking Threat Research Team.

Trend Micro global threat communications manager Christopher Budd describes it as a "census report" of the Deep Web, based upon data gathered over the past two years by the company's Deep Web Analyzer. The tool essentially acts like a webcrawler, collecting URLs linked to TOR- and I2P-hidden sites, Freenet resource identifiers, and domains with nonstandard TLDs, and extracting content, links, email addresses, and HTTP headers from them.

Simply put, the "Surface Web" is the part of the Web that is indexed and reachable with search engines, and the "Deep Web" is the part of the Internet that is unindexed. The "Dark Web" is a subset of the Deep Web that can only be accessed with specialized equipment, where connections are made between trusted peers; examples include TOR, Freenet, and the Invisible Internet Project.

The Deep Web, says Budd, is like the speakeasies of the 1920s. "You could find what you wanted, but you had to know where to go looking," he says. 

"The Dark Web is kind of Mos Eisley," he says, referring to the land in Star Wars that Obi-Wan Kenobi described by saying 'You will never find a more wretched hive of scum and villainy.'

One of the most gruesome things the researchers came across on the Dark Web: assassins. One assassin group calling itself C'thulhu advertises a variety of services, including rape, "underage rape," maiming, bombing, crippling, and murder. The group even included a base price sheet ranging from $3,000 for "simple beating" of a "low-rank" target to $300,000 for murdering a high-ranking or political target and making it look like an accident.

More common than murder, though, were cybercrime and child exploitation. Trend Micro identified 8,707 pages they dubbed "suspicious," examined the "Surface Web" sites that those sites linked to, and found that most fell into three main categories: 33.7 percent were disease vector (drive-by download) sites, 31.7 percent were proxy avoidance sites (to help attackers duck around firewalls, for example), and a striking 26 percent were child exploitation sites.

"We haven't really seen a lot of people talking a lot about Deep Web/Dark Web and child exploitation," Budd says. "And I think that is a much more tangible problem" than assassins, for example.

The researchers also found cybercriminals using anonymization tools in novel ways. Attackers are beginning to use TOR for hosting their command-and-control infrastructure, bundling the TOR client with their installation package. The Vawtrak banking Trojan has used it for this purpose.

TorrentLocker, a CryptoLocker variant, uses TOR to host payment sites and accepts payment in Bitcoins. 

This is striking to Budd, because while TOR used to be "the province of experts building their own tools," the fact that ransomware operators are actually getting regular, unsophisticated users onto the Tor network to make payments means that the tools are getting more usable and that the ransomware operators are doing a better job with their documentation and support.

"I think it stands to reason," he says, "we'll see the Deep Web and Dark Web be further integrated into malware operations."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Sara Peters,
User Rank: Author
6/26/2015 | 1:22:26 PM
Re: Ease of Use
@Dr. T It's a shame that great privacy technologies get a bad name because they're being used by criminals. Hopefully enough good guys use encryption to help it resist the same stigma.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:44:36 PM
Re: Ease of Use
I hear you. Using TOR does not mean you break the law. That is not different than doing PGP for your email communication with your friends. It becomes a problem if we use TOR for illegal and unethical purposes.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:42:03 PM
Re: Ease of Use
I agree, at the same time once you set the TOR up it is not going to be difficult for non-technical people using it I would say.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:40:05 PM
Re: Difficult
I agree. When we start using TOR for unethical and illegal purposes, that will cost us shutting down the service altogether. There are reasons why we need to encrypt our communication, it does not have to be about doing something wrong.
Dr.T,
User Rank: Ninja
6/25/2015 | 12:36:07 PM
Deep and Dark web
Obviously people use the web anonymously and they want to feel safe while they are trying to hide something from the rest. The Internet has lots of benefits but it comes with these types of cost, such as being a vehicle to do unethical and illegal stuff, which is the unfortunate part of it.
Kevin Runners,
User Rank: Apprentice
6/25/2015 | 8:41:00 AM
Re: Ease of Use
The terrifying fact is that it's sooo simple to access the Deep Web using Tor... You don't have the feeling to break the law when you go on.
RyanSepe,
User Rank: Ninja
6/24/2015 | 7:41:42 AM
Ease of Use
For me, that last nugget is the most interesting. TOR and methods similar used to be something that was outside the comprehension of the non-techie. But as stated, if ransomware victims are using it to make payments then it's introducing more and more people to the deep web. However, I would have to think that the payment functionality introduced is much more simple than some of the other intricacies involved with TOR, etc.
Whoopty,
User Rank: Ninja
6/24/2015 | 7:03:50 AM
Difficult
The deep web is a difficult thing to quantify existing. It needs to, as it has plenty of uses outside of horrific crimes (legally and morally), but it's hard not to argue for better ways of finding those behind the terrible sites out there.

The only problem is that weakening Tor would have a big knock-on effect on innocents that use it as a way to communicate safely when being watched by tyrannical regimes, so it's difficult to know what to do.
AlexS763,
User Rank: Apprentice
6/23/2015 | 8:09:28 PM
SARA:
THANKS.

ALEX RADEMAKER
MONTEVIDEO
URUGUAY
SOUTH AMERICA