Pierluigi Paganini May 08, 2016

Researchers at TrendMicro have analyzed online activities of terrorists identifying the techniques and tools used for their propaganda.

Using vulnerabilities in software, websites, and web applications as attack vectors, hosting malicious components in cloud services. Other than this if there’s any service getting launched in the future, there will be always chances of abuse.

Experts at TrendMicro in their research on cyber-crime had found the group that shares the same level of proficiency as cyber criminals in abusing legitimate services : Terrorist groups can be considered as cyber criminal as their online activities run afoul of the law. Both have different motives, A cyber-criminals are motivated by financial gain while the terrorist is focused on spreading propaganda instead of malware.

Researchers at TrendMicro has found out how cyber criminals and terrorists overlap in their abuse of technology and online platforms to benefit their cause. They explain their methodologies, the service they abuse and tools they’ve to use to streamline the abuse so that their followers can facilitate their activities much more easily.

Achieving Anonymity

Terrorists as well as cyber criminals both want to remain untraceable and anonymous online. They abuse tools and services that are developed to help those having a legitimate reason to hide like journalists, whistle-blower, and activist. Some are this tools are TOR and several encryption tools found in the deep web. Abusing the DDoS mitigation service, Cloudfare is being commonly done by terrorists. CloudFlare runs as a web service and designed to provide a mirror for website experiencing heavy traffic or under a denial of service attacks, Cloudfare is abused to hide the real hosted IP address and location of the website. This has been used widely by cyber criminals to distract or delay authorities from being able to track the location of their hosted server. Cloudflare has been used by terrorists to give propaganda web sites another level of anonymity.

The anonymizing guides used by activists and journalist were also spotted being adopted by terrorist distributing to their followers. These guides even names the National Security Agency and gives instruction on how to avoid surveillance :

They also ask their follower to deactivate their social media accounts in order for them to maintain anonymity. The motive behind staying anonymous of both Cyber criminals, as well as terrorist groups, is another example of the contrast between the two parties and their distinct goals. We can assume that the consequences of being caught are different for both of them : Cyber criminals needs to worry about jail time while terrorist would have to content with counter-terrorism efforts, which may lead to lengthy prison sentences or death.

We can assume that the consequences of being caught are different for both of them : Cyber criminals needs to worry about jail time while terrorist would have to content with counter-terrorism efforts, which may lead to lengthy prison sentences or death.

Methods of Communication.

Here are some methods of cyber criminals used by Terrorist and cyber criminals based on the Trend Micro research, The Many Face of Cybercrime

Japanese cyber-criminals use secure e-mail services such as “SAFe-email” in order to contact and exchange information with each other through secure and undetectable email.

The regional cyber-criminal underground communities were observed to be involved in the use of underground forum – not only they advertise their wares and services they also discuss new techniques and share information. They are normally accessible only using TOR.

Brazilian cyber-criminals usually use social media to get touch with each other and to share their earnings from their activities.

It has been seen that Terrorists also utilize these same methods but their purpose is different but their use of this method focuses more on communication, coordination and propaganda-sharing as opposed to cyber-crime related abuse. Services such as SIGAINT, Ruggedinbox and Mail2Tor has been seen to be widely used by terrorist.

Some of the Customized tools used by Terrorist.

Trendmicro has uncovered certain applications that are homegrown by terrorist groups in order to aid their members who are not technically proficient in preserving anonymity and securing communication. Here are six commonly used tools by the terrorist organization.

1. Mojahedeen Secrets – Considered to be first “professional” tool which were developed for encrypting emails. This was released as an alternative to PGP in 2007. It encrypts email as well as file transfers using RSA public/private encryption systems. It allows users to create their own private keys used to send emails. The application also supports messaging and a file shredder feature to delete files safely.

2. Tashfeer al-Jawwal – This was developed by Global Islamic Media Front (GIMF) and released in 2014. Tashfeer al-Jawwal is considered as one of the first encryption applications for mobile.

3. Asrar al-Dardashah – This is a plugin for instant messaging application Pidgin released in 2013 which adds encryption to the instant messaging functions as well as secures instant messaging with a single press.

4. Amn al-Mujahed : Developed by Al-Fajr Technical Committee (ATC) Amn al-Mujahed is an encryption software released in 2013. It encrypts messages for use with a messaging platforms such as email, SMS, and instant messaging.

5. Alemarah : This is a new Android Application which serves as a news distributor for terrorist related actions. Alemarah lists news, feeds, websites, and calendars that contain information relating to the ongoing terrorist operations.

6. Amaq v 1.1 : Amaq is an Android Application usually used by the terrorist organization to disseminate information. It has various versions and Amaq 2.1 uses a configuration file that allows the app’s distributor to change the URL where the app is hosted in case any of their websites is taken down this technique is also seen to be used by cybercriminals for managing malware URL.

Also, Terrorists are seen to be using DDOS tool which is capable of performing limited DDOS attack such as SYN flood.

Conclusion

There are lots of differences and similarities in techniques and method used by the online activities of both terrorists as well as cyber criminals. They are interested in keeping their anonymity online, also the way they spread information related to their agenda seems to be  different. Cyber criminals are seen to be more inclined to engage with limited contacts however on the other hand terrorist organization focus their efforts on getting their propaganda to a wider range of audience in hopes of finding potential sympathizers,

Lot’s of overlaps has been seen regarding the online presence of terrorist organizations and cyber criminals. They use same communication channels as well as technologies, making it challenging for the authorities to track them back. Gaining knowledge about channels and technologies they use is a critical step towards in getting

Gaining knowledge about channels and technologies they use is a critical step towards in getting an better idea of how these groups function and how can be help provide in order to stop their activities.

References: 

Dark Motives Online: An Analysis of Overlapping Technologies Used by Cybercriminals and Terrorist Organizations

The role of technology in modern terrorism

Written by: Imdadullah Mohammed

Author Bio: Imdad is an Information Security Consultant, He is also a Moderator for Pune Chapter of Null – The open security community in India and Also member of Garage4hackers. A true open source and Information Security enthusiast. His core area of expertise includes Vulnerability Assessment and Penetration Testing of the Web application, Mobile application and Networks, as well as Server Hardening.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – ISIS terrorists, Terrorism)