HUMINT: Exploring the Depths of the Dark Web


Explore how cybercriminals behave on Dark Web forums: the services they buy and sell, the motivations behind those activities, and the deceptive practices they use to exploit each other.

[Header image; credit: stock.adobe]

Clear Web, Deep Web and Dark Web: A Comparison

Threat intelligence professionals divide the internet into three main components:

  • The Clear Web is all publicly searchable web content, such as news media, blog posts and other indexed pages.
  • The Deep Web is the collection of websites and services that search engines cannot index, such as webmail, online banking, corporate intranets and walled gardens. Some hacker forums also live in the Deep Web and require login credentials for entry.
  • The Dark Web consists of web sources that require specialized software to reach. These sources preserve anonymity and restrict access; they include Telegram groups and invitation-only private forums. The darknet spans Tor networks, peer-to-peer connections, hacker communities and criminal marketplaces.
[Image; credit: thehackersnews]

Etay Maor, Chief Security Strategist at Cato Networks, notes that criminal communication and operations have shifted: they have moved from the visible tip of the iceberg to its hidden lower parts, because the security measures nearer the surface have tightened.

What exactly is Tor?

Tor is a free, open-source network that enables anonymous communication. Although it was originally created by the United States Naval Research Laboratory, Tor has become a favored option for illicit activity.

If such activity were carried out on the Clear Web, it could be observed by law enforcement and traced back to the perpetrator. Over Tor, however, the communication is wrapped in encryption at every relay it passes through, and each relay sees only the next hop, until the traffic leaves the network at the exit node.

If a government agency monitors Tor traffic, it sees only the exit node's details rather than the individual's IP address, which makes tracing the traffic back to a real identity far more complex.
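To make the "encryption at every node" description concrete, here is an added simulation of a three-hop onion circuit; it is illustrative code written for this page, not Tor's implementation. The relay names, keys and the HMAC-based toy stream cipher are all constructed assumptions; only the layering idea (each relay strips one layer and learns just its neighbours) mirrors Tor.

```python
import hashlib
import hmac
import json

# Toy stream cipher: an HMAC-SHA256 keystream in counter mode. This is NOT
# Tor's real cryptography; it is constructed only to show the layering idea.
def xor_stream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed three-hop circuit: (relay name, key the client shares with it).
CIRCUIT = [("guard", b"key-guard"), ("middle", b"key-middle"), ("exit", b"key-exit")]

def build_onion(message: bytes, destination: str) -> bytes:
    """Client side: wrap the message once per hop, innermost layer for the exit."""
    inner = {"next": destination, "data": message.hex()}
    blob = b""
    for name, key in reversed(CIRCUIT):
        blob = xor_stream(key, json.dumps(inner).encode())
        inner = {"next": name, "data": blob.hex()}  # layer for the previous hop
    return blob

def peel(key: bytes, blob: bytes):
    """Relay side: strip one layer; learn only the next hop and an opaque blob."""
    layer = json.loads(xor_stream(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def walk_circuit(onion: bytes):
    """Simulate each relay in turn and record what it can observe."""
    views, blob, prev = [], onion, "client"
    for name, key in CIRCUIT:
        nxt, blob = peel(key, blob)
        views.append({"hop": name, "from": prev, "to": nxt,
                      "reads_plaintext": name == CIRCUIT[-1][0]})
        prev = name
    return views, blob  # blob is now the plaintext handed to the destination
```

The guard knows the client but not the destination, the exit knows the destination but not the client, and only the exit ever sees plaintext, which is why an observer watching Tor traffic learns about the exit node rather than the originating address.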

[Diagram: the architecture of Tor communication; credit: thehackersnews]

According to Etay Maor, digital capabilities created a perfect storm for criminal activity in the 2000s: the emergence of the Dark Web and Tor hidden services, combined with cryptocurrency that made payments hard to trace.

Dark Web Offers Criminal Services

In the past, many such services were available on the Dark Web, but most of them have since been taken down. Today, criminals are gravitating towards the Telegram messenger for its privacy and security features.
Examples include:
[Screenshot: a listing selling drugs; credit: thehackersnews]
[Screenshot: a service offering false identities; credit: thehackersnews]
[Screenshot: a platform for finding vendors, with a warning about possible phishing scams; credit: thehackersnews]

Managing Criminal Forums: Establishing Trust in an Unreliable Setting

To make a profit, attackers exploit security weaknesses and infiltrate systems. As in ordinary marketplaces, hackers buy and sell hacking services through online forums. However, because these platforms exist for unlawful activity, they must establish credibility among members without giving up their illicit nature.
In general, these forums are structured as follows:

  • The forum is run by an administrator.
  • Escrow facilitates payments between members.
  • The black-list acts as an arbitrator that resolves disputes about payments and service quality.
  • Forum support provides assistance in various forms to encourage community engagement.
  • Moderators lead the groups devoted to different topics.
  • Verified Vendors are trusted vendors who have been vouched for, as opposed to fraudulent vendors.
  • Regular forum members are verified and screened before joining, to weed out scammers, law enforcement agencies and other potentially hazardous or irrelevant individuals.
[Image; credit: thehackersnews]

From Malware Infection to Corporate Data Leak on the Dark Web: Tracing the Route

Using infostealer malware that feeds a ransomware operation as the example, let's look at how the different phases of an attack appear on the Dark Web.

Phases before an incident:

  • Threat actors run infostealer malware campaigns on a global scale to gather data, including logs of compromised credentials and device fingerprints.
[Image; credit: thehackersnews]
  • Data suppliers: threat actors feed the credentials and device fingerprints harvested from infected computers into Dark Web marketplaces that specialize in them.
  • The logs are put up for sale on the Dark Web market as fresh supply. A single log typically sells for anywhere from a few dollars up to around $20.

Phases of an active incident:

  • A threat actor who specializes in initial network access buys logs and uses them to break into the network and escalate privileges. The purchased data often goes beyond credentials: it includes session cookies, device fingerprints and other details that let the attacker replay the victim's session, bypass controls such as MFA, and make the intrusion harder to detect.
  • The access is then auctioned on a Dark Web forum and bought by a skilled threat group.
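As an added example (not from the article), here is what the session-cookie replay described above looks like from the defender's side: constructed access-log lines for a user whose valid session token suddenly appears from a different device fingerprint and IP address without a fresh MFA check, and a detector that flags it. The log format, field names and values are all assumptions made for this illustration.

```python
import re

# Constructed web-app access log lines (not real data): user, session id,
# source IP, client/device fingerprint hash, and whether MFA ran on that request.
LOGS = """
2024-05-01T09:00:01Z user=alice sid=s1a2b3 ip=203.0.113.10 fp=fp-7c1 mfa=ok path=/login
2024-05-01T09:05:12Z user=alice sid=s1a2b3 ip=203.0.113.10 fp=fp-7c1 mfa=skip path=/mail
2024-05-01T11:42:30Z user=alice sid=s1a2b3 ip=198.51.100.77 fp=fp-e90 mfa=skip path=/mail
2024-05-01T11:43:02Z user=alice sid=s1a2b3 ip=198.51.100.77 fp=fp-e90 mfa=skip path=/admin
2024-05-01T12:10:00Z user=bob sid=s9z8y7 ip=192.0.2.5 fp=fp-411 mfa=ok path=/login
2024-05-01T12:11:00Z user=bob sid=s9z8y7 ip=192.0.2.5 fp=fp-411 mfa=skip path=/files
""".strip().splitlines()

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) "
                  r"fp=(?P<fp>\S+) mfa=(?P<mfa>\S+) path=(?P<path>\S+)")

def parse(line: str):
    m = LINE.match(line)
    return m.groupdict() if m else None

def find_session_reuse(lines):
    """Flag a session id reused from a device fingerprint other than the one it
    was bound to at first sight, unless MFA was freshly passed on that request.
    A replayed infostealer cookie looks exactly like this: the token is valid,
    but the device behind it has changed."""
    bound = {}   # sid -> (user, ip, fp) recorded at the first sighting
    alerts = []
    for ev in filter(None, map(parse, lines)):
        sid = ev["sid"]
        if sid not in bound:
            bound[sid] = (ev["user"], ev["ip"], ev["fp"])
            continue
        user, ip, fp = bound[sid]
        if ev["fp"] != fp and ev["mfa"] != "ok":
            alerts.append({"ts": ev["ts"], "user": user, "sid": sid,
                           "bound_fp": fp, "seen_fp": ev["fp"],
                           "bound_ip": ip, "seen_ip": ev["ip"], "path": ev["path"]})
    return alerts
```

Binding a session to the device fingerprint at login and re-challenging when it changes is the control this detection points at; a stolen cookie alone should not be enough to reach /admin.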

According to Etay Maor, an auction can run either as competitive bidding or as a "Flash" sale, which lets a threat actor buy the access immediately without any competition. Flash sales are often used by large threat organizations, whether nation-state backed or extensive criminal gangs, as a business investment.

[Image; credit: thehackersnews]
  • The group deploys ransomware inside the organization and extorts it, coercing payment to avoid the consequences.
[Image; credit: thehackersnews]

This pathway highlights the distinct areas of specialization within the criminal ecosystem. Operationalizing threat data as part of a multi-faceted strategy can therefore provide early warning and potentially deter future incidents.

The role of HUMINT

While automated solutions are a crucial element in the fight against cybercrime, human intelligence (HUMINT) is also needed for a complete understanding of this realm. Cybercrime officers from law enforcement agencies play an essential role by infiltrating forums and adopting the personas of trade actors. Effective engagement requires skill and precision: the intelligence gathered must be actionable, reliable and timely.

Let's take a look at the forums that cybercrime officers monitor and at how they respond.

In this instance, an attacker is selling VPN logins.

[Screenshot; credit: thehackersnews]

The cybercrime officer will try to engage the seller and work out which VPN or client is involved.

In one instance, a perpetrator was selling Citrix access to a UK-based provider of IT infrastructure solutions and services.

[Screenshot; credit: thehackersnews]

To move the sale along, a cybercrime officer can pose as a potential buyer and request samples from the seller. Since sellers often operate under financial pressure (especially those in former-USSR countries), they are likely to comply in the hope of securing future business.

Preventing Network Attacks

The Dark Web is a functioning economy, with buyers, sellers, supply and demand. Comprehensive defense against network attacks therefore requires a multi-faceted strategy that covers every stage of the attack: prevention before an incident as well as response during one. Such an approach combines automated tools with HUMINT, which means engaging with cybercriminals online to gather intelligence by emulating their modus operandi.
