Monday, 22. June 2015

Digging Into the Deep Web

Mention the “Deep Web” and most people will instantly associate it with the part of the Internet used for nefarious and illegal activities. For others, it is this inaccessible side of the Web, the one that requires a lot of technical skill and know-how to reach. Although these assumptions are somewhat correct, they only cover a small portion of the Deep Web as a whole.

For over two years, Trend Micro’s Forward-Looking Threat Research Team (FTR) has done extensive exploration of the Deep Web, collecting and analyzing its contents and keeping tabs on ongoing activities. The result is Below the Surface: Exploring the Deep Web, a research paper that aims to give its readers a better understanding of what truly goes on in the Deep Web and darknets, and the effects these could have in the real world.

Two sides of the coin

Anonymity is the main feature of the Deep Web, and there are plenty of people who would want to use and abuse that. For example, people who want to shield their communications from government surveillance may want to take refuge in darknets. Whistleblowers, like Edward Snowden, can share vast amounts of insider information to journalists without leaving a paper trail. Dissidents in restrictive regimes may need anonymity in order to safely let the world know what’s happening in their country.

On the flipside, those with malicious intentions can also greatly benefit from this anonymity. For example, drug sellers wouldn’t want to set up shop in an online location where law enforcement can easily determine their IP address. The same could be said for those engaged in other illegal activities like selling contraband and stolen goods.

Digging into the Deep Web

We decided to look further down the rabbit hole to get more information about the illegal activities and services offered in the Deep Web. To get information, we employed our system, called the Deep Web Analyzer (DeWa). DeWa is responsible for collecting URLs linked to the Deep Web, including TOR- and I2P-hidden sites and Freenet resource identifiers, and trying to extract relevant information tied to them like page content, links, email addresses, HTTP headers, and so on.

So far, we’ve collected more than 38 million events that account for 576,000 URLs, 244,000 of which bear actual HTML content.

DeWa also has a feature that alerts us if hidden services get a lot of traffic or if there is a large hike in number of sites. This is especially helpful in finding new malware families of cybercriminals who use TOR-hidden services to hide the more permanent parts of their infrastructures.

Cybercrime in the Deep Web

Among our observations was the fact that light drugs (read: cannabis) were the most-exchanged goods, followed by pharmaceutical products like Ritalin and Xanax, hard drugs, and even pirated games and online accounts.

vendor-breakdown

Figure 1. Drugs are revealed to be the most popular merchandise in the Deep Web

The Deep Web is also home to Bitcoin and money-laundering services. Bitcoin offers a level of anonymity for users. As long as they don’t link their wallet code to their real identities, they are, to some extent, anonymous. Nonetheless, Bitcoin transactions are public, which means investigators can still examine them. Numerous services have sprouted in the Deep Web, offering to move Bitcoins through a network via micro transactions. Paying a handling fee will result in the customer getting the same amount of money but with the added bonus of having transactions that are harder to track or pin down.


Figure 2. An example of a Bitcoin-laundering service offered in the Deep Web

The challenge of the Deep Web

Anonymity in the Deep Web will continue to raise a lot of issues and be a point of interest for both law enforcers and Internet users who want to circumvent government surveillance and intervention. Right now, there seems to be a race between “extreme libertarians” and law enforcement agencies, with the former trying to find new ways to become even more anonymous and untraceable.

As such, security defenders like Trend Micro need to continue keeping tabs on the Deep Web as its role in the Internet and the real world grows.

For full details about this Deep Web investigation, read our paper Below the Surface: Exploring the Deep Web (which you can find by clicking the thumbnail below). The results of our other inquiries into the Deep Web may be found in the Deep Web section of the Threat Intelligence Center.



Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Digging Into the Deep Web