Deepweb and Cybercrime: It's Not All About TOR

Vincenzo Ciancaglini, Marco Balduzzi, Max Goncharov, and Robert McArdle
Forward-Looking Threat Research Team, Trend Micro

Contents

Abstract
Introduction
Overview of Existing Deepweb Networks
  TOR
  I2P
  Freenet
  Alternative Domain Roots
Cybercrime in the TOR Network
  TOR Marketplace Overview
  TOR Private Offerings
  Comparison with Russian Underground Marketplaces
Monitoring the Deepweb
Related Work
Conclusion
Abstract

The term "deepweb" is used to denote a class of content on the Internet which, for different technical reasons, is not indexed by search engines. Among the different strategies in place to bypass search engine crawlers, the most efficient for malicious actors are so-called "darknets." Darknets refer to a class of networks that aim to guarantee anonymous and untraceable access to Web content and anonymity for a site. While the deepweb has often been uniquely associated with The Onion Router (TOR), in this paper we introduce several other networks that guarantee anonymous and untraceable access: the most renowned darknets (i.e., TOR, I2P, and Freenet) and alternative top-level domains (TLDs), also called "rogue TLDs." We analyzed how malicious actors use these networks to exchange goods and examined the marketplaces available in the deepweb, along with the goods offered. Due to the large variety of goods available in these marketplaces, we focused on those that sparked the most interest from cybercriminals and compared their prices with the same class of merchandise found in traditional Internet underground forums, mostly Russian. Finally, we introduce some of the techniques that researchers can use to more proactively monitor these so-called hidden parts of the Internet.
Introduction

The term "deepweb" has been introduced over the past few years to denote Internet content that search engines do not reach, particularly:

- Dynamic web pages: Pages dynamically generated on the HTTP request.
- Blocked sites: Sites that explicitly prohibit a crawler from retrieving their content by using, for instance, CAPTCHAs, pragma no-cache HTTP headers, or ROBOTS.TXT entries.
- Unlinked sites: Pages not linked from any other page, preventing a Web crawler from potentially reaching them.
- Private sites: Pages that require registration and log-in/password authentication.
- Non-HTML/contextual/scripted content: Content encoded in a different format, accessed via JavaScript or Flash, or context dependent (i.e., served only to a specific IP range or depending on a browsing history entry).
- Limited-access networks: Content on sites that are not accessible from the public Internet infrastructure.

The last point has two identified types of limitation that constitute two independent categories, namely:

- Sites with domain names registered on an alternative Domain Name System (DNS) root (i.e., rogue TLDs). These are sites whose hostnames have been registered using a registrar independent from the Internet Corporation for Assigned Names and Numbers (ICANN).[1] Standard domain names follow a naming hierarchy coordinated by the ICANN, which is responsible for defining standard TLDs (e.g., .com, .edu, .gov, etc.) and coordinates domain name assignment. Consequently, standard DNS servers are synchronized according to the name hierarchy defined by the ICANN and can resolve all domain names assigned within the ICANN space. One can, however, connect to specific DNS servers that manage additional namespaces not recognized by the ICANN, allowing the registration of domain names that do not follow ICANN rules, such as a nonstandard TLD. While resolving these domain names requires the use of specific DNS servers, their use can present some advantages in the form of an easier and, sometimes, untraceable way to register new domain names.
- Darknets and alternative routing infrastructures: Sites hosted on an infrastructure that requires specific software to reach the content provider. Examples of such systems are TOR's hidden services or sites hosted on the Invisible Internet Project (I2P) network. These sites are generally identified as well by a nonstandard domain name that requires using the same software to be resolved to a routable endpoint.

It is worth noticing that, while as of now crawling of such sites does not happen, it is not due to a technical limitation. Crawlers could resolve an alternative DNS name by connecting to one of the specific DNS servers publicly available, and the TOR and I2P software act as SOCKS proxies, making it possible for a crawler to access the said content. The only noticeable leakage of information from darknets to a search engine happens thanks to gateway services such as tor2web, which offers a clearnet domain to directly access content hosted on hidden services.[2]

[1] http://www.icann.org/
[2] http://www.tor2web.org/

Overview of Existing Deepweb Networks

To date, three main networks are used to grant anonymity on both the client and server side: TOR, I2P, and Freenet. Note that the latter two have not yet reached the same adoption that TOR has, but they present desirable technical features that could lead them to become viable alternatives in the near future (e.g., should the TOR network become too unreliable for users).[3]

TOR

The TOR network was originally developed by the U.S. Naval Research Laboratory and first introduced in 2002. It allows for anonymous communications by exploiting a network of volunteer nodes (i.e., more than 3,000 to date) responsible for routing encrypted requests so that the traffic can be concealed from network surveillance tools.[4]

To take advantage of the TOR network, a user needs to install software that acts as a SOCKS proxy. The TOR software conceals communications to a server on the Internet by selecting a number of random relay nodes to form a circuit. Before entering the network, every request is recursively encrypted, one layer per selected node. Strictly speaking, the relays' public keys are used during circuit construction to negotiate a separate symmetric session key with each relay, and it is these session keys that encrypt the layers. Then, by bouncing from one relay to the next, every layer of encryption is lifted off for the next relay, until an exit node is reached and the request, now stripped of TOR's own encryption, travels to its destination (if the application protocol is itself encrypted, as with HTTPS, the exit node sees only that ciphertext).

Adopting this multi-layered encryption mechanism has the following advantages:

- A server that receives a request coming from the TOR network will see it as being issued by the last node in the TOR circuit (i.e., the exit node), but there is no straightforward way to trace a request back to its origin.
- Every node within the circuit only knows the previous and next hop for a request but cannot decipher the content nor find out its final destination.
- The only TOR node that can view the unencrypted request is the exit node, but even this does not know the origin of the request, only the previous hop in the circuit.
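The three properties above follow directly from how the layers are nested. The following added example (editor's code, not from the paper or from the Tor project) builds a three-hop onion with one key per relay, peels it hop by hop, and records what each party can see. The cipher is a hash-based keystream so that the block runs with the standard library only; the relay names, session keys, and request are constructed stand-ins for the AES session keys and fixed-size cells real TOR uses.

```python
"""Toy onion routing: one encryption layer per relay, peeled hop by hop.

Added example, not code from the paper or from the Tor project. The cipher is a
SHA-256 counter-mode keystream so the block needs only the standard library;
real Tor negotiates an AES-128-CTR session key with each relay during circuit
construction (that is what the relays' public keys are used for) and routes
fixed-size 512-byte cells, neither of which is modelled. Relay and destination
names are constructed labels.
"""
import hashlib
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || nonce || counter) blocks (toy stream cipher, symmetric)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(session_keys: list, circuit: list, destination: bytes, payload: bytes) -> bytes:
    """Client side. session_keys[i] is shared with circuit[i]; layer i carries only the
    label of the next hop, and only the innermost (exit) layer names the destination."""
    next_hops = circuit[1:] + [destination]
    onion = payload
    for key, nxt in reversed(list(zip(session_keys, next_hops))):
        nonce = os.urandom(8)
        onion = nonce + keystream_xor(key, nonce, nxt + b"|" + onion)
    return onion


def relay_peel(key: bytes, onion: bytes) -> tuple:
    """Relay side: strip one layer, learn the next hop, pass the rest on untouched."""
    nonce, body = onion[:8], onion[8:]
    nxt, _, inner = keystream_xor(key, nonce, body).partition(b"|")
    return nxt, inner


def run_circuit(session_keys: list, circuit: list, destination: bytes, payload: bytes) -> dict:
    """Walk the onion through the circuit and record what each party observes."""
    observed = {}
    onion = build_onion(session_keys, circuit, destination, payload)
    prev = b"client"
    for name, key in zip(circuit, session_keys):
        nxt, inner = relay_peel(key, onion)
        observed[name] = {"prev": prev, "next": nxt, "sees_plaintext": inner == payload}
        prev, onion = name, inner
    # After the exit peels its layer, what is left is the request for the destination.
    observed[destination] = {"prev": prev, "request": onion}
    return observed


def demo() -> dict:
    # Constructed circuit: three relays, one per-hop session key each.
    circuit = [b"guard", b"middle", b"exit"]
    keys = [os.urandom(16) for _ in circuit]
    return run_circuit(keys, circuit, b"example.com", b"GET / HTTP/1.1")
```

Running demo() shows the guard learning only "client" and "middle", the middle relay only "guard" and "exit", and the exit relay the destination and the plaintext but nothing about the client, which is exactly the division of knowledge described in the three points above.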
[3] As already witnessed in the Freedom Hosting seizure case: http://nakedsecurity.sophos.com/2013/08/05/freedom-hosting-arrest-and-takedown-linked-to-tor-privacy-compromise/
[4] https://metrics.torproject.org/

The TOR protocol also includes a functionality that allows entire sites to be hosted by TOR clients without revealing their location. The services that run within the TOR network are known as "hidden services." The approach works by publishing, in a Distributed Hash Table (DHT), the contact information needed to reach a hidden service: a set of introduction points (TOR relays that act as intermediaries) together with the service's public key. The DHT acts as a form of distributed DNS, resolving a .onion hostname, which is itself derived from that public key, into the contact information necessary to establish a connection to the hidden service. In this case, both the client and the server IP addresses are concealed from any third party that is trying to analyze or block the traffic. Their real locations are even concealed from each other.
I2P

I2P was designed as an anonymous peer-to-peer (P2P) distributed communication layer that can run any traditional Internet service. It has been developed since 2003 as an evolution of the Freenet network, with the aim of allowing several services to run on top besides HTTP. While TOR was initially conceived to enable anonymity when connecting to an Internet service (i.e., the WWW) and was only later extended to general hidden services, I2P's exclusive goal is to provide a way for users to host services (e.g., IRC, Web, mail, and BitTorrent) in a stealthy way.

TOR's main principle is creating circuits (i.e., encrypted paths through a random set of nodes to reach either an exit node that serves as a proxy or a rendezvous point that acts as an intermediary to communicate with a hidden service). I2P, on the other hand, introduces virtual tunnels. Every node in an I2P network is a router. It creates and maintains a pool of inbound and outbound virtual paths. For example, if node A wants to send a message to node B, it routes the message through one of its outbound tunnels together with the information needed to reach one of B's inbound tunnels. The information about inbound tunnels is stored, much like in TOR, in a DHT that serves as a decentralized network database. This way, no central point of failure exists. Every communication is encrypted using multiple layers: end-to-end encryption between sender and receiver, layered encryption inside each tunnel, and transport encryption between adjacent routers in the network. Note that, while TOR uses an encryption scheme called "onion routing," the encrypted routing used in I2P is known as "garlic routing."

The hidden sites hosted in the I2P network, also called "eepsites," such as torrent trackers or anonymous email servers, can be identified by either a hash value or a domain name featuring the .i2p TLD.
Freenet

Freenet has been around since 2000 and can be considered the predecessor of I2P. Unlike I2P, though, it implements a pure DHT in the form of an unstructured overlay network. This means that each node is responsible for a subset of the resources available in the network and serves them collaboratively when it receives a request. Furthermore, nodes maintain a list of neighboring nodes, usually known and trusted neighbors, to increase security. This is also known as the "small world principle." Nodes and data are identified by a key, usually represented with a hash value. When looking for a resource, a request travels from node to node, each node forwarding it to its neighbors in order of preference (i.e., the neighbor whose key is closest to the resource key is tried first).

Because of the adopted approach, Freenet is more suitable to serving static content such as static sites and does not cope well with dynamically generated web pages or other forms of Internet services (e.g., IRC, mail, etc.). Compared with I2P and TOR, Freenet offers less flexibility in terms of hosted services, being limited to serving only static content without, for example, server-side scripting. The range of services that can be implemented on top is smaller. This, however, does not mean that Freenet cannot be a suitable platform to host simple marketplaces or exchange information related to malicious activities.
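The key-closeness routing described above is what lets a Freenet node find content while knowing only its own neighbors. The following added example (editor's code, not from the paper or from the Freenet project) builds a small constructed overlay in which every node has its two ring neighbors plus one random long-range link, then routes a request greedily toward the node whose key is closest to the content key, and checks the result against the globally closest node. Node locations, the topology, and the content key are constructed; real Freenet uses 256-bit routing keys, a hops-to-live budget, and caches content along the return path.

```python
"""Freenet-style greedy key routing over a small-world overlay.

Added example, not code from the paper or from the Freenet project. Nodes and
content keys live on a unit ring; each node knows only its ring neighbours plus
one random long-range link, and forwards a request to whichever neighbour is
closest to the requested key. Real Freenet uses 256-bit routing keys, a
hops-to-live budget and caches content along the return path; none of that is
modelled here.
"""
import hashlib
import random


def key_location(content_key: bytes) -> float:
    """Hash a content key (e.g. a file name) to a point on the ring [0, 1)."""
    digest = hashlib.sha256(content_key).digest()
    return int.from_bytes(digest[:8], "big") / 2**64


def ring_distance(a: float, b: float) -> float:
    d = abs(a - b)
    return min(d, 1.0 - d)


def build_overlay(n: int, seed: int = 1) -> dict:
    """{node_id: (location, set_of_neighbour_ids)} with evenly spaced locations,
    ring links and one random long-range link per node (constructed topology)."""
    rng = random.Random(seed)
    overlay = {i: (i / n, set()) for i in range(n)}
    for i in range(n):
        for j in ((i - 1) % n, (i + 1) % n, rng.randrange(n)):
            if j != i:
                overlay[i][1].add(j)
                overlay[j][1].add(i)
    return overlay


def responsible_node(overlay: dict, content_key: bytes) -> int:
    """Global answer, for checking only: the node whose location is closest to the key."""
    target = key_location(content_key)
    return min(overlay, key=lambda i: ring_distance(overlay[i][0], target))


def route(overlay: dict, start: int, content_key: bytes, hops_to_live: int = 64) -> tuple:
    """Greedy routing with backtracking: returns (path, node_reached).
    Each hop consults only its own neighbour list, never the whole overlay."""
    target = key_location(content_key)
    path = []

    def visit(node: int):
        if len(path) >= hops_to_live:
            return None                       # budget exhausted; let the caller try elsewhere
        path.append(node)
        here = ring_distance(overlay[node][0], target)
        # neighbours in order of closeness to the key; only strictly closer ones are tried
        for nb in sorted(overlay[node][1], key=lambda x: ring_distance(overlay[x][0], target)):
            if ring_distance(overlay[nb][0], target) < here and nb not in path:
                found = visit(nb)
                if found is not None:
                    return found
        return node                           # local minimum: this node stores/serves the key

    return path, visit(start)
```

On a ring with evenly spaced nodes the greedy walk always terminates at the globally closest node, and the long-range links keep the path short; requests for the same key from different starting nodes converge on the same node, which is why a node can be made "responsible" for a key without any central directory.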
Alternative Domain Roots

Alternative domain roots, also known as "rogue TLDs," refer to a class of networks that use DNS entities that are not under the control of the ICANN, in contrast with traditional .com/.net/.org domains. Domains registered within a rogue TLD require the use of dedicated name servers. On the other hand, depending on the institution that runs the DNS root, registering a domain name may be less problematic for a malicious actor, as in the case of .bit domains, for which domain registration follows a P2P paradigm. In short, this means that any new domain name registration, rather than being handled by a central authority, is autonomously propagated in a P2P network made of all the .bit DNS servers until every server is aware of the newly registered domain.

While alternative DNS domains do not offer particular forms of anonymity as TOR does, they present some clear advantages for malicious actors, notably a certain protection against domain sinkholing, better flexibility in domain management, and, to date, the possibility of "escaping" search engine crawling. While it would be technically possible for a search engine to crawl a site on an alternative DNS (e.g., simply using one of its DNS servers), it does not normally happen and, if it does, the results are not reachable by users who do not have the right DNS servers configured.

At the time of writing, we identified the following alternative DNS roots as active:

- Namecoin: Responsible for the .bit TLD. It is based on a P2P infrastructure working on the same principle as Bitcoin: name registrations are transactions recorded in a blockchain rather than entries held by a registrar. A client willing to access these domains can either run a dedicated DNS client or refer to one of the gateway DNS servers available online. More information on the .bit TLD will be featured in a Trend Micro research paper in the coming months.[5]
- Cesidian root: An alternative DNS run by a private Italian citizen that offers TLDs such as .cw, .ispsp, .5w, and .6w.[6] It was born to support the para-political vision of Mr. Tallini, who is also the self-proclaimed governor of the United Micronations Multioceanic Archipelago (UMMOA).[7] Folkloristic aspects aside, the Cesidian root counts a network of more than 30 DNS servers all over the world, running on IPv4 and IPv6.
- Namespace.us: This organization offers 482 alternative TLDs such as .academy, .big, and .manifesto. It has been on the market since 1996, when it was founded to extend the (at that time) limited number of available TLDs and offered a faster process for domain registration as well as other domain-related services.[8] Having failed in the late 1990s to have its TLDs integrated into the DNS root zone, it remains an alternative provider of domain names to date, offering its own DNS servers that resolve both its TLDs as well as ICANN's official ones.[9]
- OpenNIC: This project consists of a network of DNS servers run by hobbyists and volunteers that aims to offer a DNS infrastructure that is neutral, independent from governments and organizations, democratic, and free for everyone.[10] Anyone can offer a computer to be used as a tier-2 DNS server with the sole condition of respecting a strict policy concerning its security, performance, and anonymization.[11] Besides offering a network of DNS servers for the standard ICANN DNS root, this DNS provider also offers an alternative namespace of 14 TLDs and supports the four alternative TLDs of New Nations, an organization that provides domain roots for certain political entities such as the Tibetan or Kurdish peoples.[12]

[5] http://dot-bit.org/Main_Page
[6] http://cesidianroot.net/
[7] http://www.foxnews.com/tech/2012/03/02/cesidian-root-bizarre-peek-at-world-wide-weird/
[8] http://www.namspace.us; http://swhois.net/
[9] https://namespace.us/about.php
[10] http://www.opennicproject.org/
[11] http://www.opennicproject.org/opennic-policies/dns-operation-policy/
[12] http://www.new-nations.net/

Cybercrime in the TOR Network

This section describes the malicious commercial activities identified in the deepweb, particularly the marketplaces and goods cybercriminals exchange. Despite the fact that all of the aforementioned systems have the potential to support illegal trades of every sort, to date, the only network that seems to have gained some traction for underground marketplaces is TOR. The reason behind this may be linked to the fact that TOR is proportionally more mature and more developed than the competition and has been endorsed by organizations such as the Electronic Frontier Foundation as the first choice among anti-censorship tools, putting it under the spotlight recently.

TOR Marketplace Overview

The TOR network features two major marketplaces, along with two others which are no longer active but worth mentioning. It also has plenty of small sites that offer individual services. Each marketplace features a fully operative e-commerce solution with different sections, shopping carts, checkout management, and payment and escrow services. They all support crypto-currencies such as Bitcoin and Litecoin.

Silk Road is probably the most notorious of all, having been extensively featured by the press over the last couple of years.[13] It catalogs goods into different sections (see Figure 1) and provides seller ratings and guides for buyers on how to securely purchase items. It is, so far, the only marketplace that has been extensively analyzed by researchers. In fact, a recent paper from Carnegie Mellon University shows that in 2012 it had an estimated income of US$22 million and its number of users doubled in under six months.[14] As it turned out, however, this was massively lower than the actual number.

Figure 1: Silk Road main page

[13] https://silkroadvb5piz3r.onion; http://www.theatlantic.com/technology/archive/2011/06/libertarian-dream-a-site-where-you-buy-drugs-with-digital-dollars/239776/; http://www.gq-magazine.co.uk/comment/articles/2013-02/07/silk-road-online-drugs-guns-black-market/viewall; http://www.forbes.com/sites/andygreenberg/2012/08/06/black-market-drug-site-silk-road-booming-22-million-in-annual-mostly-illegal-sales/
[14] http://arxiv.org/pdf/1207.7139v1.pdf

As of October 2, 2013, Silk Road is no longer active. Ross William Ulbricht, who stands accused of being "Dread Pirate Roberts," the owner and main administrator of the marketplace, was arrested by the Federal Bureau of Investigation (FBI) at a public library in San Francisco on Tuesday, October 1. The complaint filed against Mr. Ulbricht gives several more details about the marketplace's operations and accuses him of narcotics trafficking as well as computer hacking and money laundering conspiracy.[15] Mr. Ulbricht is also accused of soliciting the murder-for-hire of another Silk Road user who was threatening to release the identities of thousands of the site's users. The FBI said that it also seized approximately US$3.6 million worth of Bitcoins. As all Bitcoin transactions are public, we can simply observe this transaction in the Bitcoin blockchain.[16] Bitcoin is a highly volatile currency and, as such, its value dropped in light of this takedown, but it will most likely swiftly recover. According to the FBI, in the two and a half years of its existence, the site generated sales amounting to over 9.5 million Bitcoins and collected commissions on those sales of over 600,000 Bitcoins. At the time the complaint was filed, this equated to approximately US$1.2 billion in sales and US$80 million in commission.

Figure 2: Silk Road main page after the takedown

[15] http://www.scribd.com/doc/172768269/Ulbricht-Criminal-Complaint
[16] http://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX

Atlantis had, until recently, emerged as a fierce competitor of Silk Road, offering the same features but with a more convenient seller commission and support for multiple currencies.[17] This marketplace was shut down as well, on September 20, 2013.[18] According to a message posted on the group's Facebook page, this shutdown was due to security reasons outside of its control:

"We have some terrible news. Regrettably, it has come time for Atlantis to close its doors. Due to security reasons outside of our control, we have no choice but to cease operation of the Atlantis Market marketplace. Believe us when we say we wouldn't be doing this if it weren't 100% necessary. Due to the urgency, we are allowing all users to withdrawal all their coins for one week before the site and forum are shut down permanently. Please remove all of your coins, these will not be recoverable after one week from now. Anything remaining in your accounts will be donated to a drug-related charity of our choosing."

[17] https://atlantisrky4es5q.onion/
[18] https://www.facebook.com/AtlantisMarket/posts/421945931244529

We do not exactly know why Atlantis was taken offline, but what is clear is that these deepweb marketplaces are coming under increased pressure from authorities. With these two heavyweights gone, more attention will focus on the likes of Black Market Reloaded (see Figure 3), which features a goods distribution less focused on drugs (though these remain very prominent) and more centered on digital goods and services; and Sheep Marketplace (see Figure 4), which, despite offering a much lower number and variety of goods, is the only one that has a preview site showing the goods for sale but not allowing any transaction, accessible from outside the TOR network and indexed by search engines.[19]

Figure 3: Black Market Reloaded main page

[19] https://5onwnspjvuk7cwvk.onion; https://sheep5u64fi457aw.onion; http://sheepmarketplace.com

Figure 4: Sheep Marketplace main page

TOR Private Offerings

Besides the aforementioned major marketplaces, we identified two categories of sites that allow anonymous trading. The first category comprises underground message boards (e.g., Underground Market Boards 2.0) where people can post and read generic classifieds regarding any sort of good or service.[20] The rest are privately maintained sites that offer specific types of goods. Some of these consist of a mere presentation page with prices and contact information for anonymous orders and inquiries, while others provide a full order and payment management system to automate orders.

While the range of goods offered in these sites is fairly vast and spans pretty much every form of item suitable for illegal activities (e.g., drugs, guns, hired assassins, etc.), we will only focus on those related to cybercrime since the rest have been already covered in previous research.

[20] http://nb5df7xeas3zl3sf.onion/

Table 1 summarizes some of the goods found on these sites with their prices. For credit card-related prices, unless otherwise specified, the reported prices are per unit for a fully functional card provided with all the data required to do transactions (e.g., credit card holder name, expiration date, authorization code, etc.).[21]
Table 1: Prices of Different Types of Goods

| Site name | Address | Type of good | Cost | Normalized cost (US$) |
| --- | --- | --- | --- | --- |
| Clone Card | http://kpmp444tubeirwan.onion/board/int/src/1368387371226.jpg | EU/US credit cards | 1 BTC | US$126 |
| Mister V | http://wd5pbd4odd7jmm46.onion/ | EU credit cards | €40–80 | US$54–100 |
| CC-Planet Fullz | http://tr36btffdmdmavbi.onion | EU/US credit cards | €40 | US$54 |
| CC4ALL | http://qhkt6cqo2dfs2llt.onion/ | EU/US credit cards | €25–35 | US$33–47 |
| Cloned credit cards | http://mxdcyv6gjs3tvt5u.onion/products.html | EU/US credit cards | €40 | US$54 |
| NSDCC Store | http://4vq45ioqq5cx7u32.onion | EU/US credit cards | US$10 | US$10 |
| Carders Planet | http://wihwaoykcdzabadd.onion/ | EU/US credit cards | US$60–150 | US$60–150 |
| HakPal | http://pcdyurvcdiz66qjo.onion/ | PayPal accounts | 1 BTC for a US$1,000 account | US$126 for US$1,000 |
| Onion Identity | http://abbujjh5vqtq77wg.onion/ | Fake IDs/passports | €1,000–1,150 (ID); €2,500–4,000 (passport) | US$1,352–1,555 (ID); US$3,380–5,400 (passport) |
| U.S. citizenship | http://ayjkg6ombrsahbx2.onion/silkroad/home | U.S. citizenship | US$10,000 | US$10,000 |
| U.S. fake driver's licenses | http://en35tuzqmn4lofbk.onion/ | Fake U.S. driver's license | US$200 | US$200 |
| U.K. passports | http://vfqnd6mieccqyiit.onion/ | U.K. passports | £2,500 | US$4,000 |
| Guttemberg prints | http://kpmp444tubeirwan.onion/board/int/src/1366833727802.jpg | Counterfeit money | 1/2 of the monetary value | 1/2 of the monetary value |
| High-quality Euro replicas | http://y3fpieiezy2sin4a.onion/ | Counterfeit Euro banknotes | €500 for 2,500 CEUR; €1,000 for 3,000 CEUR; €1,900 for 6,000 CEUR | US$676 for 2,500 CEUR; US$1,352 for 3,000 CEUR; US$2,570 for 6,000 CEUR |
| Counterfeit U.S. dollars | http://qkj4drtgvpm7eecl.onion/ | Counterfeit U.S. banknotes | US$600 for 2,500 CUSD; US$2,000 for 5,000 CUSD | US$600 for 2,500 CUSD; US$2,000 for 5,000 CUSD |
| Rent-a-Hacker | http://2ogmrlfzdthnwkez.onion/ | Hacking services | €200–500 | US$270–676 |
| TOR Web developer | http://qizriixqwmeq4p5b.onion/ | Web development | 1 BTC per hour | US$126 per hour |

[21] Prices were normalized in U.S. dollars at October 3, 2013 exchange rates: €1 = US$1.3522; £1 = US$1.6077; 1 BTC = US$126. CEUR = counterfeit Euro, CUSD = counterfeit U.S. dollar.

Column 4 (cost) shows the prices with their original values as found on the site; column 5 (normalized cost in US$) shows the same prices converted to U.S. dollar amounts to provide comparable figures.
Overall, we noticed the following price ranges:

- Credit cards can be purchased from US$10 (NSDCC Store) to US$150 (Carders Planet).
- PayPal accounts go for US$126 (1 BTC) for a US$1,000 account (HakPal).
- Fake documents can cost from US$200 for a fake U.S. driver's license (U.S. fake driver's licenses) to US$5,400 for a fake passport (Onion Identity), not to mention US$10,000 for U.S. citizenship (U.S. citizenship).
- Rates for counterfeit money depend on the amount purchased and can go from US$0.24 per counterfeit dollar (US$600 to buy 2,500 fake dollars from Counterfeit U.S. dollars) up to half the value of the fake money desired (Guttemberg prints).
- We also found services for sale from US$126 per hour for a Web developer (TOR Web developer) to US$676 for various hacking services (e.g., botnets, social engineering, account credential stealing, etc.) (Rent-a-Hacker).
Comparison with Russian Underground Marketplaces

This section compares the prices reported above with those for the same goods sold in Russian underground forums.[22] Compared with sites hosted on the TOR network, Russian underground forums are reachable over the Internet (i.e., there is no need for darknet software nor for a rogue TLD DNS server), but their membership can be limited to trusted individuals.

Our analysis revealed that for digital goods (e.g., credit card numbers, PayPal accounts, development services, and malware), underground forums seem to offer a bigger number of goods and transactions.[23] This can be explained by the bigger number of potential users, since access does not require the use of additional darknet software, but also by the lower level of anonymity the system offers. The increased anonymity afforded by the TOR network, while useful for sellers to avoid getting caught, is somewhat detrimental because it prevents an actor in a commercial transaction from building and maintaining a reputation over time. Being hidden behind an anonymous nickname has the drawback of not being able to certify one's reputation, which is essential when dealing with sensitive goods. As a practical example, TOR domain names suffer from the issue of scam sites (i.e., sites that entirely replicate a marketplace), an issue made worse in the TOR network by the lack of control in domain name registration and the "scrambled" nature of .onion domain names, which are derived from the service's key rather than chosen by the operator and are therefore hard for a buyer to remember or verify.

Table 2 shows sample prices found in underground forums for the same digital goods offered in the TOR network (shown in Table 1). Comparing them with the goods traded in TOR sites, it can be said that:

- Credit cards cost from US$2 (entry 4) to US$120 (entry 2), showing an average price much lower than that found in TOR sites (US$68.8 in TOR sites versus US$23.7 in underground forums).
- More stolen accounts and account information are sold in Russian underground forums than in TOR sites, although their prices seem comparable (US$126 for a US$1,000 account in TOR sites versus US$100 for a US$1,000–2,000 account in underground forums).
- Other goods such as fake documents and counterfeit money seem to be lacking in the underground forum scenario or, at least, were much harder to find compared with the TOR space during our investigation.

[22] http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-russian-underground-101.pdf
[23] Also verified, on the other hand, by the lack of malware offerings seen in deepweb sites.
Table 2: Sample Russian Underground Offerings and Prices

| Entry | Address | Type of good | Cost |
| --- | --- | --- | --- |
| 1 | http://forum.prologic.su/index.php?showtopic=7468 | U.S. credit cards | US$2.5 |
| 2 | http://xek.name/showthread.php?t=10519 | U.S. credit cards; EU credit cards | US$25–40; US$70–120 |
| 3 | http://r00t.in/showthread.php?t=18510 | U.S. credit cards; EU credit cards | US$2–3; US$10 |
| 4 | http://brute.name/threads/8643/ | U.S. credit cards; EU credit cards | US$2–3; US$8–9 |
| 5 | http://carding.cc/showthread.php?t=6030 | Credit card scans | US$14 |
| 6 | http://exploit.in/forum/index.php?showtopic=38917 | PayPal accounts | US$2–15 |
| 7 | http://carding.cc/showthread.php?t=2548 | PayPal accounts | US$10 for a US$0–200 account; US$20 for a US$20–200 account; US$50 for a US$200–1,000 account; US$100 for a US$1,000–2,000 account; US$150 for a US$3,000–4,000 account |
| 8 | http://brute.name/threads/8643/ | PayPal accounts | US$200 for a US$2,000 account; US$500 for a US$8,000 account; US$1,000 for a US$15,000 account |
| 9 | http://www.xaker.name/forvb/showthread.php?t=21284 | Russian passports | US$250 |

Monitoring the Deepweb

The deepweb, in general, and the TOR network, in particular, offer a secure platform for cybercriminals to support a vast amount of illegal activities: from anonymous marketplaces to secure means of communication to an untraceable and difficult-to-shut-down infrastructure to deploy malware and botnets.[24] As such, it becomes more and more important for the security industry to be able to track and monitor the activities that take place in darknets, focusing today on TOR networks but possibly extending in the future to other technologies (i.e., I2P, above all). Due to its design, however, monitoring the darknet proves to be challenging. To tackle it, our future work should focus on the following areas, several of which have already been implemented in our deepweb monitoring systems:

[24] http://blog.trendmicro.com/trendlabs-security-intelligence/the-mysterious-mevade-malware/

- Mapping the hidden services directory: Both TOR and I2P use a domain database built upon a distributed system known as a "DHT." A DHT works by having nodes in the system collaboratively take responsibility for storing and maintaining a subset of the database, which is in the form of a key-value store. Thanks to this distributed nature of the hidden services domain resolution, it is possible to deploy nodes in the DHT to monitor requests for a given domain.[25] By doing this, one can have a partial view over the domains database and inspect ongoing requests. Even though this does not allow one to trace who is trying to access a given service, it does offer a good statistical estimate of what new domains are gaining popularity. In addition, running more such nodes will give one a better statistical view of the overall requests on the network. Note that this works because a TOR hidden service's descriptor is stored on the relays whose identity fingerprints are closest to the descriptor's ID, so a relay whose fingerprint lands in the right range sees the descriptor fetches for that service; this is the same property the "Trawling" paper cited below exploits, and later TOR hidden service designs (v3) blind the service key per time period precisely so that directory nodes can no longer be positioned against a known address.
- Customer data monitoring: A security company could also benefit from analyzing customer Web data to look for connections to nonstandard domains. While this, depending on the level of logging at the customer side, may not prove that fruitful in tracking down connections to darknets, it may provide good insights on activities on sites hosted with rogue TLD domains. It is important to note that this can be carried out without monitoring customers themselves: the destinations of the Web requests (i.e., the darknet domains) should be of most interest, not who is connecting to them.
- Social site monitoring: Sites like Pastebin are often used to exchange contact information and addresses for new hidden services and, therefore, need to be kept under constant observation to spot message exchanges containing new deepweb domains.[26]
- Hidden service monitoring: Most hidden services to date tend to be highly volatile and go offline very often, maybe to come back online later under a new domain name. It is essential, therefore, to get a snapshot of every new site as soon as it is spotted, for later analysis or to monitor its online activity. When crawling hidden services under the assumption of ongoing malicious activities, one should bear in mind that, while crawling the clear Internet is usually an operation involving the retrieval of every resource related to a site, in the deepweb this is not recommended due to the chance of automatically downloading illegal materials such as child exploitation materials, the simple possession of which is considered illegal in most countries worldwide.
- Semantic analysis: Once the data for a hidden service is retrieved, building a semantic database containing important information about a hidden site can help track future illegal activities on the site and associate them with malicious actors.
- Marketplace profiling: Finally, another useful activity to focus on is profiling the transactions made on deepweb marketplaces to gather information about their sellers, users, and the kinds of goods exchanged, building up individual profiles over time.

[25] http://donncha.is/2013/05/trawling-tor-hidden-services/
[26] http://www.pastebin.com/
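The "Mapping the hidden services directory" item above, and the description of the hidden services DHT in the TOR section, both rest on the same arithmetic: the .onion name is derived from the service's key, the descriptor ID is re-derived from that name every day, and a fixed set of directory relays is responsible for each descriptor ID. The following added example (editor's code, not from the paper or from the Tor project) reproduces the v2 hidden service naming and directory lookup with the standard library, then shows why an operator who controls relays with suitably placed fingerprints becomes the responsible directory for a chosen service. The service key bytes and all relay fingerprints are constructed stand-ins; v2 services were retired in 2021 and the v3 design blinds the key per period to close exactly this gap.

```python
"""TOR v2 hidden-service naming, descriptor IDs and HSDir placement.

Added example, not code from the paper or from the Tor project. It reproduces
the v2 rend-spec arithmetic with the standard library only: the .onion name is
the base32 of the first 80 bits of SHA-1 over the service's DER-encoded RSA
public key; the descriptor ID is re-derived daily from that permanent ID; the
descriptor lives on the relays whose fingerprints follow the descriptor ID on
the SHA-1 ring. The key bytes and relay fingerprints below are constructed
stand-ins, and the "planted" relays show why an HSDir operator can observe
fetches for a chosen service. v2 services were retired in 2021; v3 blinds the
key per period so HSDirs can no longer be positioned against a known address.
"""
import base64
import hashlib
import random
import struct

# Constructed stand-in for a service's DER-encoded RSA public key.
SERVICE_PUBKEY_DER = hashlib.sha256(b"constructed example service key").digest() * 4


def onion_address(pubkey_der: bytes) -> str:
    """permanent-id = first 10 bytes of SHA-1(pubkey DER); name = base32(permanent-id)."""
    permanent_id = hashlib.sha1(pubkey_der).digest()[:10]
    return base64.b32encode(permanent_id).decode("ascii").lower() + ".onion"


def permanent_id_from_address(address: str) -> bytes:
    """Inverse of onion_address: a 16-character v2 name decodes to the 10-byte permanent-id."""
    return base64.b32decode(address.split(".")[0].upper())


def time_period(permanent_id: bytes, now: int) -> int:
    """Daily rotation period, offset by the first id byte so services don't all rotate at midnight."""
    return (now + permanent_id[0] * 86400 // 256) // 86400


def descriptor_id(permanent_id: bytes, now: int, replica: int) -> bytes:
    """descriptor-id = SHA-1(permanent-id || SHA-1(time-period || replica)).
    A public service has no descriptor-cookie, so that field is omitted."""
    secret_id_part = hashlib.sha1(
        struct.pack(">IB", time_period(permanent_id, now), replica)).digest()
    return hashlib.sha1(permanent_id + secret_id_part).digest()


def responsible_hsdirs(desc_id: bytes, hsdir_fingerprints: list, spread: int = 3) -> list:
    """The `spread` HSDir relays whose identity fingerprints are the first at or after
    desc_id on the ring (wrapping around at the top)."""
    ring = sorted(hsdir_fingerprints)
    start = next((i for i, fp in enumerate(ring) if fp >= desc_id), 0)
    return [ring[(start + k) % len(ring)] for k in range(spread)]


def client_lookup(address: str, now: int, hsdir_fingerprints: list, replicas: int = 2) -> dict:
    """What a client does to resolve a v2 .onion: one descriptor ID per replica,
    each fetched from its responsible HSDirs."""
    pid = permanent_id_from_address(address)
    return {r: responsible_hsdirs(descriptor_id(pid, now, r), hsdir_fingerprints)
            for r in range(replicas)}


def honest_hsdirs(count: int, seed: int = 7) -> list:
    """Constructed relay fingerprints (20 random bytes each) standing in for the consensus."""
    rng = random.Random(seed)
    return [rng.getrandbits(160).to_bytes(20, "big") for _ in range(count)]


def planted_hsdirs(desc_id: bytes, count: int = 3) -> list:
    """Fingerprints sitting just above desc_id. A real adversary brute-forces relay keys
    until the fingerprints land here; positioned this way they become the responsible
    HSDirs and see every descriptor fetch for the target service for that period."""
    base = int.from_bytes(desc_id, "big")
    return [((base + k) % 2**160).to_bytes(20, "big") for k in range(1, count + 1)]
```

Because the descriptor ID for the next period can be computed in advance from the public .onion name alone, the relays can be positioned ahead of time; the monitoring node then learns which services are being looked up and how often, but not who is looking them up, which matches the limits described in the text.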
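The "Customer data monitoring" and "Social site monitoring" items above reduce to two small pieces of detection logic: classify the destination host of each request by its top-level domain, dropping the client identity before anything is counted, and pull hidden service names out of free text. The following added example (editor's code, not from the paper) does both over constructed sample input. The log line format, the trimmed ICANN list, and the rogue TLD table are assumptions; the .onion names in the samples are ones the paper itself lists.

```python
"""Spotting darknet and rogue-TLD destinations in Web logs and in pastes.

Added example, not code from the paper. It reads proxy-style log lines, keeps
only the destination host (the client field is dropped before anything is
counted, as the text recommends), classifies the host by top-level domain, and
separately pulls .onion and .i2p names out of free text such as a paste. The
log lines and the paste are constructed samples (the .onion names are ones the
paper lists); the TLD tables are assumptions: a trimmed ICANN set and a few of
the rogue roots named in the paper.
"""
import re
from collections import Counter

# Constructed proxy log: client method url status (field order is an assumption)
SAMPLE_LOG = """\
10.0.0.12 GET http://www.example.com/index.html 200
10.0.0.12 GET http://forum.example.bit/board 200
10.0.0.77 CONNECT 5onwnspjvuk7cwvk.onion:443 200
10.0.0.31 GET http://news.geek/ 200
10.0.0.31 GET http://tracker.i2p/announce 503
10.0.0.77 GET http://sheepmarketplace.com/ 200
"""

# Constructed paste of the kind found on Pastebin
SAMPLE_PASTE = """\
new mirror up: http://silkroadvb5piz3r.onion/ (old one is dead)
i2p: sheep5u64fi457aw.b32.i2p  also try atlantisrky4es5q.onion
"""

ICANN_TLDS = {"com", "net", "org", "edu", "gov", "info", "biz", "uk", "us"}  # assumption: trimmed
ROGUE_TLDS = {"bit": "Namecoin", "geek": "OpenNIC", "free": "OpenNIC",
              "cw": "Cesidian root", "ispsp": "Cesidian root"}          # assumption: partial
DARKNET_TLDS = {"onion": "TOR hidden service", "i2p": "I2P eepsite"}

HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:\s]+)")
ONION_RE = re.compile(r"\b(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b")   # v2 (16) and v3 (56) names
I2P_RE = re.compile(r"\b[a-z0-9.-]+\.i2p\b")


def classify_host(host: str) -> str:
    tld = host.rsplit(".", 1)[-1].lower()
    if tld in DARKNET_TLDS:
        return DARKNET_TLDS[tld]
    if tld in ROGUE_TLDS:
        return "rogue TLD (%s)" % ROGUE_TLDS[tld]
    if tld in ICANN_TLDS:
        return "ICANN"
    return "unknown TLD"


def destination_report(log_text: str) -> dict:
    """{(host, label): hits} for every non-ICANN destination; clients are never recorded."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        match = HOST_RE.match(fields[2].lower())
        if not match:
            continue
        host = match.group(1)
        label = classify_host(host)
        if label != "ICANN":
            counts[(host, label)] += 1
    return dict(counts)


def extract_darknet_addresses(text: str) -> dict:
    """Unique .onion / .i2p names found in free text, for feeding a hidden-service watchlist."""
    text = text.lower()
    return {"onion": sorted(set(ONION_RE.findall(text))),
            "i2p": sorted(set(I2P_RE.findall(text)))}
```

The report keys are (host, label) pairs only, so it can be shared with a customer or across teams without exposing which client made the request; the "unknown TLD" bucket is where a previously unseen rogue root would first show up.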
Related Work

TOR and the deepweb, in general, have been known by the industry and the IT community for several years now. One of the first works that describes the deepweb is "Deep Content."[27] In this work, dated 2001, Bergman tries to quantify the hidden Internet by presenting the 60 known largest deepweb sites. These contain about 750 TB of data, roughly forty times the size of the known surface Web, and appear in a broad array of domains from science to law to images and commerce. The authors estimate the total number of records or documents within this group to be about 85 billion. Given the remarkable size of the deepweb, Google itself has tried to surface its content, for example, by proposing a system to query for HTML pages and incorporate the results into a search engine index.[28] Others who attempted to crawl the deepweb were He, et al. and Kosmix.[29] Kosmix, in particular, used a new approach to information discovery on the web that significantly differed from a conventional Web search, called "federated search." Finally, in "Trawling for TOR Hidden Services: Detection, Measurement, Deanonymization," the authors exposed flaws both in the design and implementation of TOR's hidden services to measure the popularity of arbitrary hidden services.[30] Their approach allows for measuring the deepweb by de-anonymizing part of its supposedly anonymous traffic.

More recently, security researchers are focusing their interest on the deepweb as well by trying to uncover malicious use of the hidden Internet. Pierluigi, et al. describe Artemis, a project aimed at collecting open-source intelligence (OSINT) from the deepweb.[31] The authors exerted significant effort to investigate how cybercriminals use the deepweb for illicit activities.[32] For the sake of completeness, the same authors presented the deepweb in a more general form in "Diving in the Deep Web."[33]

[27] http://grids.ucs.indiana.edu/courses/xinformatics/searchindik/deepwebwhitepaper.pdf
[28] http://dl.acm.org/citation.cfm?id=1454163
[29] http://www.inf.ufsc.br/~ronaldo/deepWeb/querying/Chang-dwsurvey-cacm07.pdf; http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.151.9143&rep=rep1&type=pdf; http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.152.8111&rep=rep1&type=pdf
[30] http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
[31] http://resources.infosecinstitute.com/project-artemis-osint-activities-on-deep-web/
[32] http://blog.trendmicro.com/trendlabs-security-intelligence/the-mysterious-mevade-malware/
[33] http://resources.infosecinstitute.com/diving-in-the-deep-web/

Conclusion

The deepweb, particularly darknets such as TOR, represents a viable way for malicious actors to exchange goods, legally or illegally, in an anonymous fashion. In this paper, we conducted an analysis of different networks that guarantee anonymous and untraceable access to deepweb content. Our findings suggest that, at present, the main network that shows commercial activities for cybercriminals is TOR. While the deepweb has proven to be very functional for hosting botnets' command-and-control (C&C) servers and trading merchandise such as drugs and weapons, traditional cybercrime goods (i.e., malware and exploit kits) were less popular. Sellers suffer from a lack of reputation caused by increased anonymity. Somehow, being untraceable presents drawbacks for a seller, who cannot easily establish a trust relationship with customers unless the marketplace allows for it.

However, the lack of observable activities in unconventional deepweb networks does not necessarily mean an actual lack of such. In fact, in agreement with the principle inspiring the deepweb, the activities are simply more difficult to spot and observe. Note that since a driving factor for marketplaces is critical mass, it is quite unlikely for them to long for such a high level of stealth unless the consequence, should they be discovered, is sufficiently severe (e.g., child exploitation imagery). In such cases, sites may only come online at specific times, have a brief window of trading, then disappear again, making them more difficult to investigate.

Recent revelations about wide-scale nation-state monitoring of the Internet and recent successful arrests of cybercriminals behind sites hosted in the deepweb are starting to produce other changes. It would not be surprising to see the criminal underbelly becoming more fragmented into alternative darknets or private networks, further complicating the job of investigators. For example, the recent shutdown of the Silk Road marketplace is a big blow for the underground trade of illegal items. However, the deepweb has the potential to host an increasingly high number of malicious services and activities and, unfortunately, it will not be long before new large marketplaces emerge. As such, security researchers have to remain vigilant and find new ways to spot upcoming malicious services to deal with new phenomena the moment they appear. This is something that Trend Micro is proactively engaging in as part of its global mission to make the world safe for the exchange of digital information.

Trend Micro Incorporated, a global leader in security software, strives to make the world safe for exchanging digital information. Our innovative solutions for consumers, businesses and governments provide layered content security to protect information on mobile devices, endpoints, gateways, servers and the cloud. All of our solutions are powered by cloud-based global threat intelligence, the Trend Micro Smart Protection Network, and are supported by over 1,200 threat experts around the globe. For more information, visit www.trendmicro.com.

© 2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
