Trend Micro research found that despite their anonymity, sites and services hidden the dark web isn’t safe anymore because of the underground cyber criminals who continuously launch attacks and surveillance attempts on competitor sites which are specially made to disrupt their functioning.
A group of researchers from Trend Micro and French Communications school Eurecom coaxed cybercriminals into attacking fake Tor sites in order to study their behavior. They set up several HoneyPots consisting of an only drug marketplace; a blog advertising service for hosting in the Tor network; a closed underground forum; and a private file server that required registration and a referral to join and monitored them for seven months from 2016 February to September. They found that the sites were repeatedly subjected to both automated and manual attacks.
Marco Balduzzi a senior threat researcher at Trend Micro pointed some security flaws that were pretty exposed that mainly attract hackers to take control of the website.
CMS #1 (OsCommerce) CMS #2 (Shells & WordPress) CMS #3 (Custom Vuln.)
Tor2web 115 (8 days) 1,930 (23 days) 0 TOR 0 2,146 (79 days) 689 (5 days)
Above are the type of honeypot templates they had a setup based on different web applications and, more importantly, with different types of vulnerabilities.
"Internet crawlers automatically index information logs [that are] made unexpectedly available online by these proxies. As a consequence, attackers can benefit from Google Dorks to look for vulnerable services like known buggy web applications in both the surface and the hidden web," explained Balduzzi.
Trend Micro recorded as many as 170 attacks daily on one of its honeypots in May 2016. The automated attacks would often attempt to upload web shells, phishing kits and mailers, or try to deface sites. Many of these attacks took place via Tor proxies such as Tor2web, which allow ordinary browsers to access dark web content while still keeping the materials anonymous, but as a byproduct also expose hidden URLs to malicious campaigns. However, those emanating from the Dark Web were usually manual in nature and more cautious.
After filtering out Tor2web, however, the attacks continued – hitting around 44 per day in July. These included disruptive defacements; attempts to hijack communications going to and from the honeypot; and data theft from the FTP file server; Monitoring of IRC conversations via logins to the simulated chat platform; and manual attacks against the custom app running the forum.
While some of the automated attacks appeared accidental as web scripts unintentionally meandered into dark web territory, the manual attacks seemed quite purposeful in nature, with cybercriminals apparently going out of their way to actively seek out and investigate services operated by potentially rival organisations.
In total, the researchers collected 157 unique variations of web shells, six phishing kits and 22 mailers, and observed 33-page defacements, more than 1,500 path traversal attempts, and over 400 attempts to steal the private key. These doesn’t limit to automated attacks through TOR that might come under automated scans which main focus is to access the service private keys.
Indexing and searching are more difficult on the Dark Web, highlighting the determination of the black hats to spy on and disable the operations of their competitors, Balduzzi concluded.
