Nothing is safe on the dark web. According to Trend Micro research, even services and operations running on the dark web are no longer safe, because underground cybercriminals launch massive attacks specifically designed to disrupt competitor sites.
Researchers from Trend Micro and the French communications school Eurecom set up a honeypot and monitored it for seven months, from February to September 2016.
The honeypots they designed looked like typical underground dark markets; they included invitation-only drug markets and a forum with custom registration and a referral program for joining.
Marco Balduzzi, a senior threat researcher, pointed out some security flaws that were left plainly exposed and that mainly attract hackers seeking to take control of the website.
| | CMS #1 (OsCommerce) | CMS #2 (Shells & WordPress) | CMS #3 (Custom Vuln.) |
|---|---|---|---|
| Tor2web | 115 (8 days) | 1,930 (23 days) | 0 |
| Tor | 0 | 2,146 (79 days) | 689 (5 days) |
Above you can see the honeypot templates they set up, based on different web applications and, more importantly, with different types of vulnerabilities.
Attackers used different methods to perform the attacks, including scattered attacks that used web shells, phishing kits and mailers, and defacements. The activity was not limited to these: there were also automated attacks through Tor, in the form of automated scans whose main focus was to access the service's private keys.
Manual attacks were powerful as well. They involved post-exploitation, FTP and SSH, and attacks against the custom application, in which attackers performed path traversal and even tried brute force.
Many of these attacks took place via Tor proxies such as Tor2web, which allow ordinary browsers to access dark web content while still keeping the materials anonymous, but as a byproduct also expose hidden URLs to malicious campaigns.
The researchers collected 157 unique variations of web shells, six phishing kits, and 22 mailers, and observed 33 page defacements, more than 1,500 path traversal attempts, and over 400 attempts to steal the private key.
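To show how a honeypot operator could tally two of the categories counted above, the following added example (not code from the Trend Micro/Eurecom research) classifies request targets as path traversal or private-key theft attempts and groups them by access channel. The log line format, the function names and the sample lines are assumptions constructed for illustration; the key file names are the ones Tor uses for onion-service keys.

```python
import re
from collections import Counter
from urllib.parse import unquote

# File names Tor uses for onion-service keys (v2 and v3 services).
KEY_FILES = {"private_key", "hs_ed25519_secret_key"}
# ".." as a whole path or parameter component, with either slash style.
TRAVERSAL = re.compile(r"(?:^|[/\\?=&])\.\.(?:[/\\]|$)")

def decode(target, rounds=3):
    """Percent-decode repeatedly so double-encoded '../' is still visible."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def classify(target):
    """Return 'key_theft', 'path_traversal' or None for one request target."""
    decoded = decode(target)
    # Match key files as whole components, not as substrings of other names.
    if KEY_FILES & set(re.split(r"[/\\?=&]", decoded)):
        return "key_theft"
    if TRAVERSAL.search(decoded):
        return "path_traversal"
    return None

def tally(lines):
    """Count (channel, category) pairs over 'channel METHOD target' lines."""
    counts = Counter()
    for line in lines:
        channel, _method, target = line.split(" ", 2)
        category = classify(target)
        if category:
            counts[(channel, category)] += 1
    return counts

# Constructed sample log (hypothetical format: channel, method, target).
SAMPLE_LOG = """\
tor2web GET /index.php?page=..%2f..%2f..%2fetc%2fpasswd
tor GET /download.php?file=%252e%252e%252f%252e%252e%252fvar/lib/tor/hidden_service/private_key
tor GET /forum/register.php?ref=abc123
tor GET /img/..%5c..%5cboot.ini
tor2web GET /hs_ed25519_secret_key
tor GET /docs/private_key_rotation.html
""".splitlines()

if __name__ == "__main__":
    for (channel, category), n in sorted(tally(SAMPLE_LOG).items()):
        print(f"{channel:8} {category:15} {n}")
```

A request that both traverses directories and names a key file is counted once, as a key theft attempt, so the two totals do not overlap.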
To attract attacks on their honeypot, they promoted it on other dark web services. Since apps users Tor2web which shares info to both non as well as fake.
“More and more criminals are actively looking for new, unmonitored grounds to communicate and act in a more hidden fashion,” said Balduzzi.