We’ve frequently talked about how limited-access networks such as the Dark Web are home to various cybercriminal underground hotspots. Hosted and accessed via the Tor network, these sites house underground marketplaces that sell various goods and services, which include cryptocurrency laundering, hosting platforms for malware, and stolen/counterfeit identities. My colleagues have already published plenty of material in other blog posts and papers, including the recent entry titled Below the Surface: Exploring the Deep Web.

What is less covered is the attack landscape within the Dark Web. Are these sites subject to their own hacking attempts and DDoS attacks? What are the sizes and characteristics of attacks within the Dark Web? This is what we have learned: these attacks are surprisingly common within the Dark Web, and are frequently carried out manually and aimed at subverting or spying on the services run by other cybercriminals.

Together with Onur Catakoglu and Prof. Davide Balzarotti from EURECOM, we published a paper titled Dark Web Impact on Hidden Services in the Tor-based Criminal Ecosystem that discussed this matter at the 32nd ACM Symposium on Applied Computing. More recently, we presented our findings at the APWG eCrime 2017 Symposium on Electronic Crime Research.

Building a Honeypot: Attracting Cybercriminals

The goal of our research was to look into the modus operandi of attackers in the Dark Web—to understand if cybercriminals operating inside Tor compromise web sites and services running as hidden services (i.e., .onion domains). In particular, we were interested in learning whether criminals tend to deliberately target and compromise systems run by other criminal organizations or individuals.

To this end, we simulated a cybercriminal installation in Tor using several honeypots. Each honeypot exposes one or more vulnerabilities that would allow an attacker to take ownership of the installation. Upon infection we automatically recorded all logs and restored the environment to a clean state.

Our honeypot consisted of:

1. A black market that only trades between a close circle of invited members.
2. A blog offering customized services and solutions for the Dark Web.
3. An underground forum that only allows registered members to log in. In addition, vouching is needed to become a member.
4. A private file server for sensitive documents offering File Transfer Protocol (FTP) and Secure Shell (SSH) logins.

Figure 1 – Our simulated underground forum (honeypot #3)

Figure 2 – One of the exposed vulnerabilities (Local File Inclusion)

Figure 3 – Registration emails hitting our honey account

Figure 4 – Architecture of our installation. The vulnerable application / service runs in a controlled and monitored environment. On a daily basis, an automated system extracts information on possible attacks, and the environment is restored to a clean state using virtualization technology (snapshots).

Surface Web versus Deep Web

We operated our honeypot for six months. The chart shows the average number of daily attack attempts, as measured by the number of POST requests.

Figure 5 – Attacks per Day on Honeypots 1-3. Note the drop in number after the Tor2web filtering

Two months after deployment, we learned that the Dark Web is not as private as some would think. Tor proxies like Tor2web made Tor hidden services reachable from the public internet without requiring any additional configuration. Our honeypot was automatically made available to traditional search engines, and implicitly dangled as a target for automated exploitation scripts. As a result, our honeypot received more than 170 attacks per day in May.
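The daily measurement described above can be sketched as follows. This is an added example, not code from the original research: it counts POST requests per day in a web server access log and separates Tor2web-proxied requests from native Tor traffic. It assumes that proxied requests carry an X-Tor2web request header and that the server is configured to log that header as the last quoted field; the log lines and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: combined log format plus a last quoted field holding
# the X-Tor2web request header ("-" when absent). The client address is
# always local because requests arrive through the Tor daemon, so the
# header (an assumption, see lead-in), not the IP, is the discriminator.
SAMPLE_LOG = """\
127.0.0.1 - - [02/May/2017:10:01:12 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "1"
127.0.0.1 - - [02/May/2017:10:01:15 +0000] "POST /upload.php HTTP/1.1" 200 88 "-" "python-requests/2.13" "1"
127.0.0.1 - - [02/May/2017:11:40:03 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "1"
127.0.0.1 - - [02/May/2017:23:17:44 +0000] "POST /forum/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0" "-"
127.0.0.1 - - [03/May/2017:04:05:09 +0000] "POST /login.php HTTP/1.1" 403 210 "-" "Mozilla/5.0" "-"
127.0.0.1 - - [03/May/2017:04:09:51 +0000] "POST /search.php HTTP/1.1" 200 1290 "-" "curl/7.52" "1"
truncated line without a request field
"""

LINE_RE = re.compile(
    r'\[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) \S+ [^"]*" \d{3} \S+ '
    r'"[^"]*" "[^"]*" "(?P<t2w>[^"]*)"$'
)

def daily_post_counts(log_text):
    """Return ({day: {"tor2web": n, "tor": n}}, unparsed_line_count) for POSTs."""
    counts = defaultdict(lambda: {"tor2web": 0, "tor": 0})
    skipped = 0  # unparsed lines are counted so they can be reviewed, not lost
    for line in log_text.splitlines():
        m = LINE_RE.search(line.strip())
        if m is None:
            skipped += 1
        elif m.group("method") == "POST":
            source = "tor" if m.group("t2w") in ("", "-") else "tor2web"
            counts[m.group("day")][source] += 1
    return dict(counts), skipped

def native_only(counts):
    """Daily POST totals once Tor2web-proxied traffic is filtered out."""
    return {day: c["tor"] for day, c in counts.items()}

if __name__ == "__main__":
    per_day, bad = daily_post_counts(SAMPLE_LOG)
    print(per_day, "unparsed lines:", bad)
    print("native Tor only:", native_only(per_day))
```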

These attacks from the public internet were quite successful. Our private marketplace was compromised nine times out of ten. The majority of these attacks added web shells to the server, giving the attacker the ability to run system commands on our honeypot. This allowed the addition of other files, such as web mailers, defacement pages, and phishing kits.

The techniques used by the attackers differed. Attackers from the open internet tended to use automated attack tools, while Dark Web attackers tended to carry out manual attacks as they were generally more cautious and took their time. For example, once they gained access to a system via a web shell, they would gather information about the server first by listing directories, checking the contents of databases, and retrieving configuration/system files.

Figure 6 – Example of a password-protected web-shell upload by an attacker – normally used to maintain persistence on a compromised system

Figure 7 – Example of a Mailer used by an attacker to generate Tor-anonymized phishing emails

Figure 8 – Scanner of vulnerabilities (SQL Injections) installed on our honeypot upon compromise.

These manual attackers often deleted any files they placed into our honeypot; some even went ahead and left messages for us (including “Welcome to the honeypot!”), indicating that they had identified our honeypot.

Interestingly, attackers seem to be aware that compromised hidden services in the Dark Web are gold mines, as all attacks originating from them, like DDoS or spam, will be automatically anonymized by Tor.

Attackers attacking each other

Our key finding is that organizations operating in the Dark Web seem to be attacking each other. Our honeypot was set up to mimic underground services like VIP marketplaces and forums run by “shady” organizations and/or individuals. We noted that attackers accessing our honeypot from within the Dark Web carried out the following attacks:

Defacements aimed at subverting the business of our honeypot and aimed at promoting a competitor web site, possibly run by the attackers.

Attempts to hijack and spy on the communications to and from our honeypot

Theft of confidential data from our disguised FTP file server

Monitoring of IRC conversations via logins to our simulated chat platform

Manual attacks against the custom application running the underground forum

Here are some examples:

Figure 9 – Example of Tor-targeted defacement operated by a competitor

Figure 10 – Injected links promoting the competitor’s website (rendered)

Figure 11 – Injected links promoting the competitor’s website (source code)

Figure 12 – Example of attacks on private keys

Conclusions

We didn’t think that hidden services operated within Tor would be attacked by other cyber-criminals. We were proven wrong—twice, in fact.

First, we were surprised when we learned that Tor proxies were making the Dark Web not as “dark” as some people would think. As a result, we started filtering out this traffic from our honeypots.

We thought this would prevent any further attacks, but we were mistaken. The attacks continued to take place. It turned out that cybercriminals were looking for services operated by other organizations and manually conducting attacks. Given that indexing and searching are more difficult within the Dark Web, this shows the amount of effort motivated criminals are putting into finding and disabling sites controlled by their competitors.

Apparently, there is no honor among thieves.

The slides of my presentation at the APWG eCrime 2017 Symposium are below.