Cybercrime – the Dark Edges of the Internet

Criminal activity is a growing menace on the internet. This inevitably means more diligence is required by legitimate users in the face of an increasingly sophisticated criminal threat. Robert Sheldon describes some of the emerging threats and risks.

Cybercriminals are an inventive lot, always coming up with innovative ways to steal data and take control of backend systems. Every day their attacks become more sophisticated and better coordinated and often more invisible. They move with stealth and speed, lurking out on the dark edges of the Internet, ready to attack as soon as opportunity strikes.

Nowhere have they found better allies than in the abundance of cloud services and the mysterious void of the deep web. Whether small-time hoods or members of a global syndicate, they break into networks, disrupt operations, and steal unprecedented amounts of data, and the cloud and deep web provide the perfect cover.

Cloud abuse

Legitimate organizations across the globe have been migrating to the cloud in record numbers to take advantage of the cost savings, flexibility, and massive banks of computing power. Cybercriminals gain the same advantages, and they get something more-anonymity. By operating out of the cloud, they can avoid detection, while gaining the advantages of global computing systems from which they can control operations, mount attacks, and store stolen data.

The cloud offers criminals the platform they need to launch the type of large-scale, coordinated efforts that the Internet makes possible, providing the perfect venue for infiltrating other such venues.

A common perception around cybercrime is that most of it is being hosted and launched from countries such as Russia, China, and Brazil, but according to the Security Engineering Research Team (SERT) Quarterly Threat Intelligence Report, issued by the Solutionary security group, over 100 countries were hosting malware distribution sites as of the end of 2013, with just under half coming from the US, followed by Germany, Netherland, Russia, and China, each representing only 5% to 10% of the total sites. The top providers hosting the malware are common household names-Amazon, GoDaddy, and LeaseWeb, to name a few.

Cybercrime is big business and those running operations think in those terms. Online services provide a level of processing power that would be difficult and pricey to implement in-house, wherever that might be. It makes good sense to offload the infrastructure headaches to a provider, especially if the criminals don’t have the expertise to manage such a setup. Cloud services can also scale to meet changing business needs and are relatively easy to use. Subscribers can get their sites up and running in minutes, while avoiding detection and keeping incriminating data off of their own machines.

Cybercriminals might acquire services directly from providers such as Amazon or GoDaddy, or they might infiltrate legitimate domains and use them for their own purposes, often jumping from one domain to the next to thwart efforts to track down their operations. Many cybercriminals take advantage of the free trial periods offered by services such as Microsoft Azure, where they can then launch their fake websites in relative anonymity.

To get around the account creation requirements, criminals often use stolen credentials they acquired through phishing campaigns or bought on the open market (more on that later). They might even automate the sign-up processes to accumulate a large numbers of accounts with multiple services.

Researchers Oscar Salazar and Rob Regan with Bishop Fox Security conducted a series of experiments that demonstrated how cybercriminals might automate the sign-up process for multiple cloud services. Not only were they successful signing up on the less secure sites, but they were also able to circumvent systems designed to prevent automated account creation, such as requiring credit cards or SMS verification.

With such techniques, criminals can set up phishing sites, launch botnets and other malware, store stolen files, and carry out any number of illicit activities, all using such services as Dropbox, Heroku, Google Apps, Amazon EC2, or countless others.

Launching malware attacks from the cloud has become so commonplace that service providers large and small have become unwitting accomplices in international criminal activities. But cybercriminals, not ones to stand on their laurels, have raised the bar yet again. Last year, researchers at Trend Micro discovered that cybercriminals had been using Dropbox to carry out command-and-control (C&C) operations. No longer satisfied with merely hosting and lunching malware in the cloud, they were now managing their attacks remotely. To complicate matters, communications between the C&C software and the malware sites look like regular network traffic. Not only does this make it more difficult to track criminal activity, but it also removes all evidence from the criminals’ local systems.

The Trend Micro discovery, however, does not point to a problem with Dropbox, per se, but rather to the overall movement to the cloud for carrying out malicious activities, with criminals taking advantage of whatever services they can to simplify implementation, reduce costs, and obscure trails back to them. They might even store their stolen goods in the cloud, using services such as Evernote or Google Drive to safeguard data that they’ve already lifted from somewhere else.

With the ability create accounts on multiple cloud services and leverage the free offerings, cybercriminals have almost unlimited resources for running C&C operations, launching multiple cyberattacks, and storing large quantities stolen data, all from the opposite side of the globe

Welcome to the dark side

For most of us, the web is where we go to shop, pay bills, conduct research, and post those endless videos of our cats. By tapping into Google or Bing or DuckDuckGo, we can journey into the unlimited reaches of cyberspace with nothing in the way to stop us. Or so it would seem. As it turns out, the universe available through our favorite search engines represents only a small fraction of the web. The majority of cyberspace falls under the realm of the deep web, the gobs and gobs of content not accessible through the traditional search engine indexes. The deep web represents all that information Google can’t get at, amounts hundreds of times greater than what we’ve grown accustomed to.

But the deep web contains more than just boatloads of un-indexed information. Hidden in its shadowy folds you’ll find the dark web, a part of the deep web that goes through extraordinary measures to stay hidden from view. The dark web provides an anonymous platform to facilitate communication that is ostensible safe from prying ears. The big time search engines cannot find the dark web, nor can the casual Internet user. It is made up of private networks that use unconventional communication protocols, with only trusted peers allowed to participate. Through the dark web, users can share information for both good and for really, really evil.

Estimates vary as to how much of the web is actually visible to the naked search engine, but the amount is likely no more than 5%. Whatever the exact figure, the deep web is enormously large, which gives the dark web plenty of latitude to grow and move around, while remaining in relative obscurity.

The dark web lets users access the Internet with complete anonymity. Volunteers around the world maintain a network of servers that route traffic, while preventing IP addresses from being tracked. The servers hide user information and resist attempts at monitoring. Through the dark web, individuals can communicate online without being connected to their offline identities.

One of the most well-known and used networks on the dark web is Tor, which originated with The Online Routing (TOR) project spearheaded by the US Naval Research Laboratory in 2002. Tor encrypts data packets numerous times and directs them through multiple network nodes, referred to as the onion routers. Each router peels away a layer of encryption to uncover routing instructions and then sends the packet on its to the next node. In this way, intermediary nodes cannot discover the data source or destination nor view the packet’s contents.

Users can access the Tor network through a special browser that allows them to traverse the web anonymously. The Tor network lets them connect to hidden sites, send messages, and post files to private repositories. Every connection a user makes via Tor is encrypted, anonymized, and routed several times around the world.

A resource such as Tor can benefit a wide range of users who need ways to access and share information anonymously:

  • Political dissidents living under authoritarian regimes
  • Whistleblowers reporting on illicit corporate or government activity
  • Journalists covering controversial or illegal operations
  • Law enforcement and intelligence personnel working undercover in criminal or terrorist organizations

The dark web can provide a safe environment to anyone who needs to communicate vital information without risking personal safety. The dark web can, in fact, save lives.

Unfortunately, Tor and the dark web also provide a safe haven for those with more nefarious intentions, ranging from terrorists to anarchists to global criminals. The dark web facilitates drug deals, human trafficking, child pornography, arms deals, financial fraud, human experimentation, and just about any other illegal and underhanded activity that can be imagined. Together with the abundance of cloud services, the dark web offers criminals a platform unlike any they’ve ever known.

To get a sense of how deep the dark web goes, a group of Bitglass security researchers added a watermark to an Excel spreadsheet that contained fake employee credentials, such as names, social security numbers, and other personal information. The researchers uploaded the spreadsheet to a Dropbox public share as well as to anonymous file sharing sites within the dark web. Because of the watermark, the file reported back to the researchers the current IP address every time it was viewed. Within 12 days, the file had been accessed over 1,000 times in 22 countries around the globe.

The cyber underground

Between 2011 and 2013, the Silk Road underground marketplace generated an estimated $1.2 billion selling drugs online. The site’s notoriety and subsequent arrests garnered enough press to bring the dark web and Tor network out of the shadows and into living rooms of everyday folks. The FBI reportedly took down the Silk Road operations by exploiting a software glitch in the site’s login page that revealed the server’s IP address. Had that glitch not been discovered, the site might still be in business.

But Silk Road is not the only underground cyber marketplace to come along. The dark web is full of such sites peddling everything from clothes to credit cards to automatic weapons, done with true Amazon flare-with descriptions, prices, and pictures of their wares. Individuals and criminal organizations alike can offer anything they deem worth selling, as long as there are people out there willing to buy. There are even escrow services available to protect participating parties. For a percentage of the purchase price, the service will hold the payments until the transactions are deemed complete.

Within a month after the FBI took down the first Silk Road, a new version emerged-Silk Road 2.0. That one didn’t last very long, however, and the site’s alleged operator soon found himself charged with conspiracy to commit drug trafficking, money laundering, computer hacking, and an assortment of other crimes.

The Silk Road 2.0 takedown was actually part of an international law enforcement effort known as Operation Onymous, which involved 16 European countries and the US. The operation resulted in the seizure of $1 million in Bitcoin and â¬180,000 in cash, gold, silver, and drugs. Law enforcement officials also shut down over 400 Tor domains linked to weapon sales, child pornography, stolen credit cards, and contract killing. Users who tried to access any of the sites received the message: “This hidden site has been seized.”

As successful as Operation Onymous had been, underground cyber marketplaces continue to go strong, with plenty of individuals still swapping physical products and proprietary data, and everything in between. At one type of marketplace, for instance, users can place bets on when an individual will die. Although these sites are ostensibly about nothing more than gambling, they can provide ample incentive for would-be assassins to place their bets and then take their best shots.

Those looking for a more direct approach can find sites that provide actual assassination services. Then, of course, there are the sites that sell weapons, ammunition, drugs, chemicals, money laundering services, rob-to-order servers, personal data, and much much more.


We have software-as-a-service, platform-as-a-service, database-as-a-service, and countless other as-a-services, so it’s no surprise that we now have cybercrime-as-a-service, or CaaS, for the acronym starved. CaaS makes it possible for individuals and gangs to purchase the products or services they need to start a life in cybercrime.

The CaaS industry provides a wide range of offerings. Would-be cybercriminals can purchase simple packages that contain stolen credit or debit card data, malware customized for their specific needs, all-inclusive crimeware starter kits, or hired services that will hack into servers or launch malware on the client’s behalf. The CaaS marketplace even offers forums to share information on such topics as hacking and malware.

According to the 2014 Internet Organised Crime Threat Assessment (iOCTA) report, the CaaS business model is making it possible for those without technical skills to acquire the expertise they need to move into the cyber arena. CaaS can help anyone become a cybercriminal, giving individuals and crime organizations more tools than ever to carry out illegal activities without ever getting close to the crime scene. A crime group can attack large numbers of victims globally and never have to set foot in the targeted countries. CaaS providers have at their disposal the countless cloud platforms around the globe from which to run their operations and sell their services.

In his paper Vawtrak-International Crimeware-as-a-Service, James Wyke, a senior threat researcher at Sophos, describes how the popular Vawtrak botnet can be used to access account information through bank websites. An online service provider in the dark web can configure Vawtrak according to a customer’s requests and from there launch an attack based on those specifications. The provider can determine the types of machines to infect, which targets to hit, and what types of data to steal, and then sell that data back to the customer. Even the staunchest financial analyst would have a hard time arguing against such a business model.

Trend Micro has published a series of reports that focus on cybercrime in Russia, China, and Brazil. The reports demonstrate how barriers to getting into the cybercrime business are steadily shrinking. CaaS providers are dropping prices and offering more services with richer features. Along with these services comes an assortment of forums and how-to videos for learning about the ins and outs of carrying out cybercrime. Would-be hackers can also sign up for courses on carrying out cybercrime, such as the bank fraud courses offered by the Brazilian underground.

What’s an enterprise to do?

The cloud and dark web open the Internet up to cybercrime in ways never before possible. For most enterprises, their only hope of coming through unscathed is to become more diligent then ever. They must apply security patches religiously, protect their networks at every access point, scan for viruses and monitor their systems, and take every conceivable step to protect themselves. They should also evaluate how they’re using cloud services, the types of devices their employees are bringing into the workplace, who has access to what information, and how data is currently being protected. Anything less than a full defense in depth strategy is too little. Even a momentary lapse in security best practices can result in untold damage.

For enterprises that actually offer cloud and Internet services, the SERT threat report has a number of recommendations. For example, these companies can perform periodic sweeps of their hosted domains to determine whether any sites are listed on known malware distribution lists. The organizations can also perform additional security confirmation checks during the registration process and limit the ability to automate domain registration. In addition, providers can keep their systems patched, implement active vulnerability scanning, and take other measures to protect their systems.

Unless your organization is completely cut off from the Internet, you are at risk. Forces are gathering around the cloud and dark web that cannot be dismissed, and those forces will likely grow stronger and acquire more sophisticated technologies. The advent of CaaS only promises to make the situation worse. In the age of the Internet, no individual or organization is free from the threat of compromised systems and stolen data-and the consequences that these invasions bring.