Deep Web

Analyzing the attack landscape of the Dark Web. There is no honor among thieves.

Security researchers at Trend Micro used Tor honeypots to conduct a six-months study of the attack landscape of the Dark Web,

Security experts at Trend Micro have conducted a six-months study of the attack landscape of the Dark Web, researchers operated a honeypot setup simulating several underground services on the Dark Web in order to analyze the way they were targeted.

The research aims to analyze how crooks target platforms run by other criminal organizations or individuals.

The honeypots used by the experts consisted of:

  1. A black market that only trades between a close circle of invited members.
  2. A blog offering customized services and solutions for the Dark Web.
  3. An underground forum that only allows registered members to log in. In addition, vouching is needed to become a member.
  4. A private file server for sensitive documents offering File Transfer Protocol (FTP) and Secure Shell (SSH) logins.

The services running on the honeypots were deliberately affected by a number of vulnerabilities to allow attackers to hack them. The researchers automatically recorded all logs after every successful attack and restored the environment to a clean state each day.

“To this end, we simulated a cybercriminal installation in Tor using several honeypots. Each honeypot exposes one or more vulnerabilities that would allow an attacker to take ownership of the installation. Upon infection we automatically recorded all logs and restored the environment to a clean state.” reads the analysis published by Trend Micro.

The following chart shows the average number of daily attack attempts, as measured by the number of POST requests, in just one month, the number of attacks spiked to 160 per day, most of them successful.

The first discovery made by the researchers is that many attacks were originated from Tor proxies like Tor2web that allows reaching hidden services from the clear web.

“Tor proxies like Tor2web made Tor hidden services reachable without requiring any additional configuration from the public internet. Our honeypot was automatically made available to traditional search engines, and implicitly dangled as a target for automated exploitation scripts,” states the report.

The analysis of the attacks revealed that most of them installed web shells on the server to gain control over it, in the majority of the cases attackers used the machine to power DDoS attacks and to run spam campaigns.

In order to analyze only attacks from within the Dark Web, researchers filtering the traffic from Tor proxies, then observed the number of attacks drastically decreased.

A second point emerged from the analysis is that while the attacks from Tor proxies were performed with automated tools, attacks from within the Dark Web were most manually conducted.

“Attackers from the open internet tended to use automated attack tools, while Dark Web attackers tended to carry out manual attacks as they were generally more cautious and took their time. For example, once they gained access to a system via a web shell, they would gather information about the server first by listing directories, checking the contents of databases, and retrieving configuration/system files.” continues the report.

“These manual attackers often deleted any files they placed into our honeypot; some even went ahead and left messages for us (including ‘Welcome to the honeypot!’), indicating that they had identified our honeypot.”

The results of the study confirm that organizations operating in the Dark Web seem to be attacking each other. Hackers from within the Dark Web carried out the following attacks:

  • Defacements aimed at subverting the business of our honeypot and aimed at promoting a competitor web site, possibly run by the attackers.
  • Attempts to hijack and spy on the communications originating to and from our honeypot
  • Theft of confidential data from our disguised FTP file server
  • Monitoring of IRC conversations via logins to our simulated chat platform
  • Manual attacks against the custom application running the underground forum

Let me close with the following statement included in the report:

“Apparently, there is no honor among thieves.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Dark Web, honeypot)

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

FBI unlocked the phone of the suspect in the assassination attempt on Donald Trump

The FBI gained access to the password-protected phone of the suspect in the assassination attempt…

3 hours ago

Ransomware groups target Veeam Backup & Replication bug

Multiple ransomware groups were spotted exploiting a vulnerability, tracked as CVE-2023-27532, in Veeam Backup &…

5 hours ago

AT&T paid a $370,000 ransom to prevent stolen data from being leaked

Wired attributes the recently disclosed AT&T data breach to a hacker living in Turkey and…

8 hours ago

HardBit ransomware version 4.0 supports new obfuscation techniques

Cybersecurity researchers detailed a new version of the HardBit ransomware that supports new obfuscation techniques…

16 hours ago

Dark Gate malware campaign uses Samba file shares

A Dark Gate malware campaign from March-April 2024 demonstrates how attackers exploit legitimate tools and…

23 hours ago

Security Affairs Malware Newsletter – Round 2

Security Affairs Malware newsletter includes a collection of the best articles and research on malware…

1 day ago

This website uses cookies.