Author: DarkOwl Content Team

Ransomware API

Written by DarkOwl Content Team on . Posted in Products and Use Cases.

Ransomware is not only a problem for those directly affected. Awareness of events among your own or your customers’ supplier ecosystems can help you stay aware of potential vectoring threats. The DarkOwl Ransomware API is designed to answer the essential question: Has an organization I monitor been extorted or compromised in a cybersecurity incident?

Want to learn more? Contact us.

Industrial Control Systems & Operational Technology Threats on the Darknet

Written by DarkOwl Content Team on . Posted in Whitepapers.

September 13, 2022

Industrial control systems (ICS) and their adjacent operational technologies (OT) governs most everything societies rely on in the modern age. Manufacturing facilities, water treatment plants, mass transportation, electrical grids, gas, and oil refineries… all include some degree of ICS/OT incorporated in their industrial processes. Research from DarkOwl analysts identifies an alarming number of threats on the darknet and deep web that could effectively target and compromise Critical Infrastructure.

Have a question about something you read? Want to learn more about darknet data? Contact us!

Importance of Darknet Data in CyberSecurity Programs for Small and Medium Businesses

Written by DarkOwl Content Team on . Posted in Blog, Webinars.

September 07, 2022
Or, watch on YouTube

DarkOwl CEO Mark Turnage and Symbol Security Co-Founder and President Craig Sandman discuss the darknet, key elements of cyber surveillance utilizing darknet intelligence, their partnership, and why darknet data is an essential part of Cybersecurity programs in the SMB market.

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.

Mark: Let me talk a little bit about DarkOwl. We’re a company that’s about five years old based in Denver, Colorado. We specialize in collecting, aggregating, indexing, and supplying data from the darknet. And we’re very specialized and focused just on the darknet. There are other companies, there are other threat intelligence companies that provide other types of data. But our specific expertise is simply in the darknet. We’re very proud of the fact that we have more female employees in the business than most tech companies do, I think we’re just under 30% right now. In the past, we’ve been as high as 40%, and we’re very proud of that fact.

But to the point of darknet we have built over the 4 or 5 years of the company’s existence, we built what we believe is the largest darknet database in the world. And let’s just talk a bit about what I call definitional ambiguities. What is the darknet? What is the deep web? The surface web is what everybody sees as the top of that iceberg on the right. That’s where we spend all our time. It’s accessible by Google. You can get information and that’s where the vast majority of the world spends most of its time on the web. The deep web are authenticated websites. So, for example, your bank account information – Mark Turnage cannot get to your bank account information from my browser. I might be able to get to your bank’s sign in page, but I can’t get to your information because I lack the authentication and the credentials to get there. Ironically, that’s where the bulk of all the data that is held on the internet is actually stored.

Where we specialize is in the darknet. These are anonymized networks that reside below the level of the surface sites, surface web and the deep web. And they generally require specialized browsers to get access to. And it generally requires some type of specialized knowledge, although not in all cases. If you look at this slide, what we’re talking about is at the bottom of that slide, Tor i2p, Zeronet, other new darknets that have been created, these are darknets where DarkOwl is on a daily basis collecting data and supplying that data to our partners and now including Symbol. And that data is full of information that is relevant to measuring the risk of organizations and understanding the risk and addressing that risk.

We also do collect data and supply it from certain high risk surface websites, pay sites, and some discussion boards, as well as some deep websites, some underground criminal forums and so on. All of that we describe as the darknet database. And again, we’re collecting it so that organizations can understand what data of theirs is in the darknet, what exposure they have in the darknet.

Kathy: Mark, real quick – a couple of questions have come in on that last slide that you just shared. The first one is “How big is the darknet?”

Mark: That is a really good question and nobody particularly knows the answer. When we started collecting data from the darknet, the darknet was Tor, the Tor network. There are now probably half a dozen darknets that exist and we collect data, as this slide shows from it, and Zeronet. We’re moving into other darknets as well. But there is no easy way to measure the darknet. And the simple reason for that is that the darknet is generally distributed around the world. The Tor network is a network of between 15,000 and 20,000 servers around the world that serve that. There’s no easy way to measure it. But to give you a sense, DarkOwl collects data from somewhere between 25,000 and 30,000 darknet sites a day. That’s before you get to the high-risk surface websites and the deep websites. So that’s a lot of data. These darknets are growing and usage on these darknets is growing great.

Kathy: And there’s also a question as to “How do you know when a company is being targeted on the dark web?”

Mark: Well, generally indicators of the fact that a company is being targeted in the darknet show up. Either the company is mentioned by name or their IP range, it shows up in a targeting website, let’s say a hacker forum where somebody says, here are some IP ranges where I’ve discovered certain vulnerabilities, or I’m selling access to this company’s server network. Or you will see things like credentials and passwords for sale for individual companies that allow hackers or ransomware actors or other actors to drive straight into the network and be inside the network. So there are lots of indicators of risk of companies that show up in the darknet. Using our database and using Symbols database, you can search for those indicators of risk that may exist with respect to your individual organization.

Mark: I’m going to finish on this slide I mentioned earlier. We’ve built what we think is the world’s largest database of darknet content. This gives you a sense of some of the locations that we collect from Telegram, ITP, Tour, zero net, pay sites, and so on. And it will give you a sense of just what we’ve indexed in the last 24 hours. The slide shows 8.4 million documents have been indexed into our database in the last 24 hours. If you look along the bottom, it will give you a sense of what we have collected over the years of our existence. We have somewhere north of 8 billion email addresses in our database. We have somewhere north of a billion IP addresses, 9 million credit cards, 236,000,000 crypto addresses. That gives you a scale and sense of the scale of what exists in the darknet and exists by virtue of having access to our platform.

We provide that data a number of different ways and are delighted to partner with Symbol and now I’m going to turn it over to Craig.

Craig: Great. Thanks, Mark. Appreciate it. Great job. Mark did a great overview of darknet, deep web and the surface web. Certainly it’s a squirrel space and a big space. So let me tell you a little bit about Symbol Security and we’ll kind of pull into this how we managed to get together with DarkOwl and deliver some of these darknet cyber surveillance services to the SMB market.

Symbol Security is a provider of predominantly security awareness training services. As you probably know, security awareness training is something that’s been hot in terms of a way to address and mitigate the attacks of cybercrime and it’s also in regulated environments. And we’re talking now close to 800-850 regulations, laws and other statutes that require businesses show evidence of security awareness training. So it’s becoming a nonstarter for businesses, even if you didn’t feel like it was a good use of your time or argued the fact that it made your company safer or not. Independent of that, it’s a requirement in so many regulations, it’s becoming a nonstarter.

One of the things we do a little bit differently than most companies is we deliver a managed program. So a lot of the security training services and the implementation falls down in just that, in the implementation of it. So they may buy the software, but do they actually properly implement or even get to implement the service? We know how things go in the small to mid-size business. Everybody’s 150% subscribed in terms of their time and it’s difficult to execute on everything you have to do. So things fall to the bottom of the list. One of the things that typically will fall to the bottom of the list is security awareness training. We look at security awareness training and security awareness as targeting human risk. So how do we identify human risk and how do we mitigate human risk? Through education. We do more than just training videos and phishing stimulations. We look at email and domain threats. So email threats would be breach alerts and things like that. Is your email address compromised in any way? Domain threats look at the potential of doppleganger and lookalike domains being manipulated and used potentially against you, just helping give access and visibility to your thread envelope.

From a training perspective, we have really great trainings, very good simulations, and we make things quite easy because we’re typically focusing on the SMB market and through SMB distribution points like managed service providers and managed security service providers. And we’ve added cyber threat surveillance now to this platform into the bundle. And I’ll talk about why in a moment, but it plays into the extension of threat awareness for the individual and for the small business that’s how and why we’ve tied it in.

And we’ll talk now about what cyber threat surveillance is to us and to the SMB market space. So essentially, as Mark indicated, there’s a lot of different things that you can pick up on the darknet and on the deep web that are very valuable in terms of being proactive in your cyber awareness strategy. So reactive would be we’ve seen a breach alert for a particular email address. Now we go in and change username and password so it can’t be further manipulated, but the breach has already happened. We’re reacting in that case and there’s other instances where we’re simply reacting to things that have already happened.

We’re flipping a script here and allowing for darknet visibility and deep web visibility to provide proactive awareness. So when might things begin to look strange or suspicious that we need to act on, rather than we already know there’s a problem? We’ve probably already been hacked or attempted to have been hacked, and now we’re going to mitigate post that event. The concept of brand protection falls in there if there’s potential issues in and around your brand or people are slandering your brand or lining up your brand for an attack or any kind of negative event. VIP email monitoring we talk about a lot as well. So if you have individuals that are perhaps tightly associated with your brand, obviously any kind of reputational damage, there could be a cyber issue or a damaging issue for your organization. And then monitoring chat rooms. And just as part of the entirety of the deep and dark web chat room, visibility is included in there, as well as looking over products and domains. So those are also places where organizations want to protect their assets. What we’ve done here is taken a service and a feed that is typically consumed by government entities, large agencies and Fortune 100 companies, and we boiled it down to a simplified package so that the SMB can consume it.

That’s what was missing before. Right. We have incredible service provider in DarkOwl and some really great layers around that the entities in the market use in order to consume this data. But when it gets to the SMB, it’s too complicated and or too expensive for most budgets. So that’s really what we need when we say SMB packaged. And as part of that, we’ve broken it down into really keyword and email monitoring and we’ve integrated it into our cyber awareness reporting for the small to medium business.

Kathy: “Don’t threat actors only come after large companies? And what is the top cybercrime for small businesses of under 50 employees?”

Craig: First question, definitely a misnomer in that cybercrime happens most often with large businesses. It’s equally prevalent in small businesses. Obviously, big businesses might offer a bigger return from a cybercrime business perspective. But at the same time, the small businesses are generally less able to defend themselves and so they become quick hits. And if cybercriminals can get a 10,000, 20,000, 50,000 dollar return on investment for a crime, they’ll do it. And so there’s case after case after case of small businesses getting swindled out of 10,000, 50,000, $100,000 at a time through direct targeted cybercriminal attempts.

The second question was what is the top cybercrime that small businesses under 50 employees face. Cybercrime can be broken into many different buckets, probably not too surprising. The execution is typically ransomware that finds its way into all business sizes. How it gets in there is sometimes varied. So we focus a lot on fishing training and sort of mimicking phishing attacks. We can teach users to at least recognize and for that entry point for ransomware. But obviously ransomware can be delivered a number of different ways. That is the most prevalent situation. We do see wire fraud work its way into small businesses as well. That might be some kind of action sometimes from a phishing email that says something along the lines of, hey, please wire funds from this account to that account, where the secondary account isn’t something that’s owned by the small business. But certainly locking up files and then extortion from a ransomware perspective is, I’d say, the most common across probably most business segments.

Mark: Let me add something to Craig’s good answer to your first question of our SMBs targeted. To the same degree that large companies are targeted, we have found that oftentimes SMBs are targeted in favor instead of larger companies. Larger companies have a lot of money they can spend on hardening their defenses. SMBs oftentimes are softer targets for hackers and for malicious actors. So we have found that in some cases they go deliberately after SMBs versus going after larger actors. But that’s exactly right, Craig. I mean, I think the types of attacks that you’re seeing amongst your client base, it mirrors exactly what we see as well.

Craig: Absolutely.

Craig: And so from a cyber threat surveillance perspective, we’re not going to get into a demo today, just kind of short on time, but I wanted to give you at least a screenshot so I can talk through how this operationalizes itself into our platform.

Essentially, we provide we provide daily updates on darknet findings that are pertinent to your organization. And we’ve really structured the input so that it’s simple. We’re looking for keywords and potentially VIP emails we can also as mark alluded to. We can enter things like credit card information or IP addresses as well. From an advertise level, we really focus on keywords, which would be a business name, a product name, a brand name, an affiliate name, and then we are also looking at what we call VIP email protection as well. But again, we can pivot to incorporate some of those other items as well. We integrate the results directly into reporting and a dashboard. So as you saw on the last screen, briefly we’ll intake the findings. If your keyword or your VIP email is found, we’re going to give you plenty of surrounding context. It may be thousands of characters of additional data around the keyword that we found. You’ll get full context of not only the fact that this VIP email or keyword, maybe your brand name, your company name was found on the darknet, but you’ll see the entirety of the discussion around it in addition to the location that it occurred on. You’ll also get email alerts when these things happen. So administrators are going to get notified.

There’s a nice portal to allow you to track and categorize these incidents. You can categorize them as urgent, you can categorize them as resolved or just leave them in a pending state. Also of interest too is we provide some sentiment tracking as well. So based on what we see, we’re going to give an analysis of sentiment or negativity around a particular finding. So if it may be benign, there’s plenty of benign information on the dark web that’s really not pertinent, not meaningful, certainly not hurtful. You’ll see those results, but we’ll prioritize and we’ll flag as urgent results that hit a high negativity level. So we kind of take care of some of the analysis for you, although response remediation planning around what to do if you do find something is really up to you as an organization or perhaps a security provider that you’re partnered with.

Average price – so we will talk about price here for our service falls 4,000 to 15,000 dollars per year. It’s obviously a large range, but it really just depends on how much you want us to monitor for you. So I wanted to give that too because the average price point, entry level price point for the service is generally three to four times the high end that I’ve referenced there. And so in those cases, the access to this data typically outstretches an SMB budget. We fit it squarely in a range where SMBs can afford this service and most times we’re addressing clients that also have other needs around security awareness, training, password management services. We’re able to bundle those elements together and give them a nice SMB cybersecurity suite. As I mentioned, we will sell these services through managed security service providers as well. So we have a portfolio of managed service providers that will deliver many more services bundled together. Additionally, we can deliver these as a single suite and more of a point solution to organizations as well. All right, any other questions that we want to get to before we close it out here?

Kathy: Yes, we have had a couple more come in. “Can you please give an example for a small business where information from the dark web could help protect the brand reputation?”

Craig: Yeah, I can. Mark, I’m sure you probably can as well. But one of the things that comes to mind is a couple of things really I address this earlier in the conversation when I start talking about executives that are really tied to the brand of the company. And in some cases, if either those executives are being targeted or perhaps they are involved in some nefarious activity and that gets picked up, it’s not going to be a good ending. But at least an organization has time to prepare and plan and take action before an event has occurred. And that might be public relations type planning or perhaps getting out in front of any potential negative activity. Additionally, if there is some really slanderous and hateful discussions about a particular organization, that would be a cause of concern and you can use your imagination on what those things might be, these will get picked up if they’re happening on the dark web and on the darknet. So those are two situations that are certainly ones that the surveillance will help identify, which if you had typical reactive cybersecurity services, you’re not going to see those things until an event is inbound or incoming. Mark, I don’t know if you have anything to add to that.

Mark: That’s an exceptionally good answer. I would just add that in addition to VIP information slanderous activity, I would start by saying there is almost no mention of your organization in the darknet that couldn’t potentially affect your brand. So if you’re breached in a ransomware attack, if you’re being targeted in addition to the slanderous statements that are being made, ultimately that’s going to affect your brand negatively. Everybody knows about what happened to large companies that have been breached and their brand being tarnished as a result. The same is true for SMBs. And so all of the categories that Symbol monitors on behalf of its clients, all of them have some capacity or some capability to damage the brand.

Kathy: “So Symbol covers what is on the darknet, but what about other cyber risks?”

Craig: Yeah, that’s a great question. I mentioned some of our partner organizations. Obviously, the landscape of cyber risk is significant. These services that we provide, provide great coverage across the things that we’re specialists in, which should be training and some visibility around potential cyber threats that cross the dark web and potentially into domain names and breached email addresses and things like that. Of course there’s many more things to cover and we highly recommend, especially in the SMB space, security consultants, virtual CISOs. If you don’t have a CISO on board or maybe can’t afford one, those kind of fractional consultants are great and we have a number of really good managed security service providers that can provide a large breadth of cybersecurity type services from a single organization. Best of breed. Best practices and things of that nature. So we can certainly sit as a point of reference for helping you find those things and for the pieces that we cover today, we’re happy to deliver those directly as well. But yeah, there’s a lot more to it for sure.

Thank you so much for joining us today.

About Symbol Security:
Symbol Security’s SaaS platform helps customers reduce their cyber risk, and adhere to industry compliance requirements. Through authentic simulated phishing exercises, interactive training content, and awareness of risk data across domain registries, and the dark web, Symbol helps companies identify and act on potential points of cyber risk. Symbol can be operated by company administrators with ease or leveraged by Managed Security Service Providers as part of their security offerings. Visit their website: https://symbolsecurity.com/

To get in touch with Symbol Security email [email protected]
 
About DarkOwl
DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near realtime, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data. 

To get in touch with DarkOwl, contact us here.

DarkOwl Glossary of Darknet Terms

Written by DarkOwl Content Team on . Posted in Whitepapers.

DarkOwl’s Glossary of Darknet Terms is a continually evolving resource that defines the common vernacular, slang terms, and acronyms that our analysts find in places like underground forums, instant
messaging platforms (such as Telegram), as well as in information security research pertaining to the darknet.

Questions? Contact us.

Darknet Data: Use Cases for Law Enforcement and Intelligence Agencies

Written by DarkOwl Content Team on . Posted in Blog.

September 01, 2022

In this blog, DarkOwl analysts outline top use cases for intelligence agencies, law enforcement, and government, where darknet data often plays a critical role. These examples of DarkOwl’s software-as-a-service (SaaS) darknet data platform help identify and describe how key data sources in the criminal underground can be leveraged to facilitate analysis and reporting required across intelligence agencies entities’ security departments.

Cyber Investigations

DarkOwl’s darknet data can significantly augment cybercriminal investigations by providing key additive informational components – often in conjunction with other OSINT like social media activity. Data from the darknet often creates a more comprehensive picture of the case itself, the criminal’s behavior, and psychological intentions. The resulting darknet intelligence (or DARKINT) fills in critical intelligence gaps that solidify evidence such that indictments and subsequent legal action may be executed.

Using DarkOwl in conjunction with other open sources and utilities, an investigator can easily identify and a track threat actor’s digital fingerprints and subsequent virtual breadcrumbs, such as social media accounts, usernames, aliases, avatars, email addresses, PGP keys, and cryptocurrency wallet identifiers.

The snapshot example below details how DarkOwl identified and tracked a Portuguese-speaking threat actor involved in mobile device malware development. The lower third of the graphic, consisting of evidence collected from the darknet and DarkOwl Vision – confirmed the suspect’s activities across various underground communities in the darknet and a leaked IP address provided a potential physical location of João Pessoa, Brazil.

Figure 1: Source DarkOwl Analyst, July 2020

Situational Awareness

Russia’s late February military invasion of Ukraine and on-going offensive operation was preceded by numerous opportunities for geopolitical situational awareness prior to the invasion, and subsequent monitoring of the conditions is available with a surge of new Telegram channels documenting live events ‘on-the-ground’ and conversations between users that have unique perspectives of the conflict.

DarkOwl detected members of popular deep web hacking forums sharing and discussing the leak of large databases containing sensitive Ukrainian citizen data weeks prior to the actual kinetic military activity. Further analysis revealed state-sponsored threat actors from Russia had performed extensive covert cyber campaigns against Ukraine prior to any official military operation, troop or vehicle movement across the border.

Figures 2 and 3: Source DarkOwl Vision
Figure 4: Source DarkOwl Vision
[TRANSLATION OF FIGURE] note: the following contains some explicit language
2022-06-13T19:03:11 user_5290424434 IvanVik32 Ivan wrote: So tear your ass off the soft chair and show me how to fight, and fuck like You know a lot of people.
2022-06-13T19:03:11 user_108696280 minihetman Eugene wrote: What the fuck do you want? Russian dogs have been oculating the Tatar guy’s homeland. What kind of attitude did you expect to downs with automatic machines?
2022-06-13T19:03:14 user_5447249506 Maxim Shaporev wrote: I’ll say it again. I propose to shoot all 2,500 thousand soldiers of the Armed Forces of Ukraine and the Azov battalion who left the Azvostali. Shoot them right on the square in Donetsk.
2022-06-13T19:03:16 user_5121165572 Aristarkh Govnozhuyev wrote: Maybe now is the time to strike at decision-making centers? Gentlemen of the military – how long can this lawlessness be tolerated? Let’s already hit the bank, the rada, the narco-clown palace.
2022-06-13T19:03:17 user_1959717279 DomBaryay Barya Domansky wrote: Zelensky speaks beautifully, so they put him in the presidential post, pouring everything that the United States considers true
2022-06-13T19:03:17 user_5159148675 14415 wrote: The latest reports are just reading how the Donbass is being hammered. Yes, fuck already in Kiev so that everyone shits there
2022-06-13T19:03:18 user_5187443018 My Lord wrote: Well, it’s understandable, but if he’s been yelling for 8 years that he will cut Russians. Well, I’m a Russian. To destroy him, for his words. And I will do it, let it be sure. Their rotten mouth is to blame for everything.
2022-06-13T19:03:21 user_5214651354 Kprr wrote: Just topal asking
2022-06-13T19:03:22 user_1557547863 Miff Junior wrote: Wipe the creatures of the ukrokhokhlyatsky off the face of the earth

Counterterrorism

While the darknet is less active with concerted terrorist related recruitment, propaganda distribution, and activity from groups like ISIS, there are an increasing volume of lesser-known terrorist cells using the darknet and adjacent platforms like Telegram to communicate and coordinate their attacks. DarkOwl supports collecting content in over 52 languages and raw data is indexed in the original language of the author as in-platform translation services might corrupt nuances of the original language. The Vision app user interface and API endpoints support in-language search queries and non-English characters.

For example, DarkOwl uncovered documents related to an anti-Israel terrorist group located in Palestine discussing how they and members of Hamas were planning to target military personnel from the Israeli Defense Force (ISF) for digital blackmail and extortion. The group also listed an email address for direct contact and a Bitcoin address for donations to support the group’s cause. (Source: DarkOwl Vision)

Similarly, DarkOwl has also detected online discussions regarding terrorist activity from international groups of concern and their public statements about their involvement in attacks against specific geopolitical targets. 

Figure 5: Source DarkOwl Vision

Counternarcotics

DarkOwl’s aggregated darknet data and near-decades long historical darknet archives are instrumental in supporting law enforcement drug-related investigations. DarkOwl has identified numerous darknet drug vendors selling illicit drugs, such as opioids, fentanyl, and cocaine, in bulk volumes for resellers on decentralized marketplaces and darknet vendor shops.

We have also identified a recent trend where many of the drug vendors advertise on discussion forums and marketplaces bulletin boards how to contact them on alternative platforms to complete their transactions, e.g. WickR, Whatsapp, and Telegram, for increased security and identity protection.

Figure 6: Source DarkOwl Vision

Targeting

DarkOwl’s near-decades long collection of historical darknet archives enables investigators to successfully uncover the identity of suspects involved in various segments of illicit crime. This includes human-trafficking, child exploitation, drug dealing, weapons proliferation, etc.

DarkOwl analysts regularly observe criminals identified by name by other darknet users and security researchers out of revenge or to disrupt the person’s online activities on popular deep web sites like doxbin[.]org. For example, shortly after the invasion of Ukraine, over two dozen members of the Russia-aligned ransomware group Conti/Ryuk – and its closely associated Trickbot malware development partners – were all doxxed.

Figures 7 and 8: Source DarkOwl Vision

Cyber Espionage

Data captured by DarkOwl Vision database is often used to detect existing cyber espionage activity and be potentially leveraged by nation states and intelligence agencies for future cyber espionage campaigns.

In the fallout of the global cyberwar between Ukraine and Russia, hundreds of corporations and government organizations in Russia were targeted and/or compromised by an international army of cyber hacktivists supporting Ukraine . Data leaks from ‘ministerial’ organizations of Russia, e.g. Ministry of Finance, Ministry of Foreign Affairs, etc.; academic and research institutions, such as, the Joint Institute of Nuclear Research (JINR) and the Russian Federal Institute of Science, were among the groups targeted. Also included was data from critical infrastructure suppliers of energy, water, and transportation, which can be utilized for future cyber espionage purposes. Key individuals from those organizations and their personal data have also been released providing opportunities for targeted social engineering attacks to recruit and/or exploit for political and technical intelligence espionage and critical diplomatic initiatives.

Figure 9: Source DarkOwl Vision

The graphic below contains some of the names of Russian organizations that appeared in leaks released on the darknet from hacktivists supporting Ukraine in the war. You can find the full infographic here.

Figures 10: Source DarkOwl Vision

Domestic Extremism

In recent years the United States has experienced an unprecedented rise in domestic extremism, with members of alt-right paramilitary groups like the Oath Keepers and Proud Boys indicting leading the insurrection against the US Capitol in attempt to keep President Trump in office. Many of these groups congregate and collaborate in darknet forums, chatrooms, and Telegram channels. It is well known that deep web’s imageboards like 8kun are a sanctuary for right-wing conspiracy groups like Qanon to congregate and flourish.

DarkOwl’s darknet data platform allows investigators to monitor for activities from these groups and assist investigations by correlating a suspect’s engagement on social media and anonymous networks. Users of imageboards regularly discuss emotionally charged and controversial topics like assault weapon bans and “replacement theory.”

Figures 11 and 12: Source DarkOwl Vision
Figure 13: Source DarkOwl Vision

Critical Infrastructure Protection

DarkOwl’s darknet data can be utilized for monitoring mentions of the development of malware to target critical infrastructure. This includes tracking the activity of threat actors who specialize in attacks against industrial control systems (ICS). It also can be used to monitor for mentions of specific critical infrastructure targets that threat actors, terrorist groups, and nation-state sponsored actors are intent on conducting cyberattacks against.

DarkOwl detected an offensive cyber group known as the “Jerusalem Electronic Army” (JEA) targeting agricultural water and heating systems in the northern area of “Negev” or the “Gaza Envelope” near Lakish using ICS/Supervisory Control and Data Acquisition (SCADA)-based attacks to poison the region’s water supply.

Another Telegram channel that advertises support for attacks against Israel – and associated with Team Majhidoon (فريق_مجاهدون) and Team AES (فريق_A-E-S) declared campaigns to penetrate Israel’s solar energy systems in Tel al-Rabiya were successful.

Figure 14: Source DarkOwl Vision
Figure 15: Source DarkOwl Analyst, JEA Telegram Channel
[IMAGE TRANSLATION]
Place:
Lakish, which is the occupied area of the northern Negev or “the Gaza Envelope”
Target:
Agricultural water and heating systems
The Details:
The high command has published and revealed the degree to which we have penetrated the water and agricultural system. The water temperature increased as did the amount of sodium acid, which can pollute and poison the water and can destroy all
agriculture.

DarkOwl uses machine learning to collect automatically, continuously, and anonymously, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching.

Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself.

To learn more about darknet use cases and how to apply them to your business, contact us.

Understanding Risk to Corporations and Individuals

Written by DarkOwl Content Team on . Posted in Blog.

August 30, 2022

NEW: Download this report as a PDF.

Risk is a word regularly used across information security circles and CISO agendas. Companies are aggressively attempting to identify and mitigate any cybersecurity risk that could lead to potentially extensive financial and reputation damage, especially from a high-profile cybersecurity attack or data breach. Meanwhile, individual persons also struggle to know how concerned they should be in mitigating their own personal risk to when, not if, their sensitive personal information appears on the deep web and darknet.  

In this blog, DarkOwl analysts revisit and review the domain of risk, taking a closer look at the threats corporations and individuals face and how risk is calculated and mitigated. Underground digital communities within hidden and anonymous networks are an integral role in identifying the threats at play, and DarkOwl works alongside its partners to help provide the critical monitoring of potential markers of risk using its darknet search platform

Darknet 101

The darknet is a layer of the internet that was designed specifically for anonymity. It is more difficult to access than the surface web, and is accessible with only via special tools and software – specifically browsers and other protocols.

You cannot access the darknet by simply typing a dark web address into your web browser. There are also darknet-adjacent networks, such as instant messaging platforms like Telegram, the deep web, some high-risk surface websites. 

What is Risk and What is the Darknet’s Role in Risk Calculations?

Risk is traditionally thought of as a multiplier of likelihood and severity, or consequence of outcome; however, in cybersecurity the definition is expanded for consideration of intention or threat.

For example, in a personal risk scenario, one’s leaked credentials (e.g. usernames, e-mail addresses and passwords) might appear in commercial data breach leaks, which poses one degree of risk, but the minute those same credentials appear in conjunction with direct malicious intent to cause financial or direct harm, their personal risk increases dramatically.     

Quick definitions: 

darknet: Also referred to as the “dark web.” A layer of the internet that cannot be accessed by traditional browsers, but requires anonymous proxy networks or infrastructure for access. Tor is the most common.   

deep web: Online content that is not indexed by search engines, such as authentication required protected and paste sites and can be best described as any content with a surface web site that requires authentication.  

high-risk surface web: consists of areas of the surface web (or “regular” internet) that have a high degree of overlap with the darknet community. This includes some chan-type imageboards, paste sites, and other select forums.  

For a full list of darknet terms, check out our Glossary

DarkOwl has observed similar specific targeting frequently in the darknet. The same would be true for the intention of an attack against a corporation or government organization, but this is understandably much harder to quantify.    

The U.S. Department of Homeland Security (DHS) defines risk as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences” such that: likelihood is defined as “the chance of something happening, whether defined, measured or estimated objectively or subjectively, or in terms of general descriptors (such as rare, unlikely, likely, almost certain), frequencies, or probabilities” and consequence is given as “the effect of an event, incident, or occurrence, including human consequence, economic consequence, mission consequence, psychological consequence.”  

The DHS risk assessment model is more simply defined as a function of three variables: threat, vulnerability, and consequences with full recognition. In organizational risk calculations, threat includes anything that can cause harm to the organization and that could expand to include threats from natural disaster (wildfire, hurricanes, and earthquakes) or even a significant hardware / backup failure that triggers a disruption in services or production and not necessarily exclusive to cybersecurity attacks by external malicious entities.

Definition of Risk

There are numerous interpretations, philosophies, and variations on this formula and luckily organizations are given extreme flexibility in conducting internal risk assessments by applying risk models of varying degrees of detail and complexity of threat identification and vulnerabilities – of which cybersecurity has become increasingly critical.  

Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. When we look at the darknet’s role in risk and threat vectors, especially when considering the risk to a company’s brand or stakeholders, malicious threat actors who conduct operations in the underground (e.g. cybercriminal organizations, nation state actors and proxies, and cyber opportunists) proactively hunt for and attempt to exploit sensitive data for personal financial gain by whatever means possible, often manipulating unpatched vulnerabilities and crafting new exploits in the wild.  

DarkOwl analysts also regularly witness critical corporate and personal information actively shared across various underground digital communities in the darknet and deep web and have categorized the types of vulnerable data at risk accordingly, delineating corporate and individual personal risk, with careful consideration that these two are intricately interrelated due to the fact humans are one of many risks corporate organizations must consider when calculating their cybersecurity risk. The region where corporate and individual risk overlap is of most critical consideration as well as the extent and volume of readily available information for threat actors to launch their attacks.  

Likewise, the more accumulated data a threat actor has access to for an individual or a corporation increases the risk accordingly.

Corporate Risk and Individual Risk Comparison
Figure 1: Visualizing the Threat to Corporations and Individuals 

Corporate Risk and The Darknet

The possibility of a cybersecurity attack against a corporation feeds a number of different corporate risk calculations: the loss of customer data presents a significant risk to a company’s brand, reputation and stakeholders; there’s moderate risk for loss of sales due to counterfeit goods offered on the darknet and direct reputational attacks on discussion forums and social media; there is direct risk via the executives and key leadership of an organization for business e-mail compromise (BEC) phishing attacks or financial extortion through physical threat to executive’s family; and, there is risk to attack via third (and fourth) party vendors and suppliers.  

The consequences of an attack against a corporation can include:  

  1. Unauthorized access to a corporate network 
  1. Misuse of information by an authorized user 
  1. Loss of access to corporate data (via deletion or encryption)  
  1. Disruption of service or productivity 
  1. Reputational loss and damage to brand or corporate image 

The Risk of Unintentional Data Compromise

While large commercial data leaks receive press coverage, with phrases like “millions of records of user data exposed” there is an unknown number of organizations that have likely secretly dealt with a critical cybersecurity incident without ever disclosing the breach to their customers or users due to the consequences of reduced consumer confidence.  

Extortion-as-a-service is an increasingly successful sector of the underground criminal ecosystem and involves stealing sensitive personal or corporate information and then leveraging unauthorized access to this information to force the victim to pay, essentially blackmailing the victim, in exchange for quasi protection of their data. Threat actors utilize hacking forums and discussion boards across the deep web and darknet to explore potential vulnerabilities, sometimes expressing interest in specific industries, companies, and individuals, then finally sharing or selling the sensitive information they have stolen – resulting in significant reputational and/or financial loss for the victim organization. 

Counterfeiting Risk is Brand Risk

The darknet is home to a lesser-known segment of corporate brand risk with offers of counterfeit goods on darknet markets. The sale of counterfeit physical goods is a persistent and viable market in the underground economy. DarkOwl’s SaaS product suite can be utilized to protect corporate brand reputation and value through automated monitoring and alerting for various forms of brand mentions. In this blog, we discuss this extensively. 

Executives and Key Leaderships are Critical Targets  

Some criminals utilize traditional open-source intelligence (OSINT) techniques to uncover the names, e-mail addresses and family relationships of an organization’s executives and key leadership to conduct pointed phishing campaigns via e-mail, SMS or traditional in-person and telephone-based social engineering to gain malicious access to a corporate victim’s network.  

Vendors and Other Third Parties Increase Risk

Nation-state actors and cybercriminals are increasingly sophisticated and opportunistic seeking to exploit third and fourth party suppliers and vendors to cause harm against the victim organization. Third parties include any unit an organization works with including but not limited to vendors, such as suppliers and manufacturers, partners, affiliates, distributors, resellers, and agents. Third parties may have access to information such as: corporate sensitive data, financial data, contract terms and pricing, strategic planning data, intellectual property, credential data, personally identifiable information (PII) of customers and employees and protected health information (PHI) and can unknowingly contribute to a threat actor gaining unauthorized access to a corporate network.

While it is not always overtly clear who or what organization a threat actor may be intending as their next target, monitoring the darknet and deep web for mentions of a company’s name, along with names of its executives and key leadership, and network information such as domains, e-mail and IP addresses can be a helpful marker for quantifying the potential threat or intent of harm against an organization. DarkOwl’s Score API are one of many potential quantifiable metrics a corporation can use to measure and understand a company’s business risk. Scores can also be utilized for self-risk assessments, as well as brand monitoring and vendor risk management.

Individual Risk and the Darknet

DarkOwl has observed several criminals specialize in trade of other critical PII such as national identification numbers, mailing and billing addresses, dates of birth, social media profiles, and even more concerning financial data like bank account numbers and credit and debit card numbers along with their card verification values (CVVs), expiration dates and security personal pin codes.

Individuals are at Risk of Social Engineering

Personal individual risk increases with the extent of the information exposed, where and how it has been distributed. Cybercriminals are increasingly creative in their techniques to gain access to this illicit information with astute social engineering and mass phishing campaigns. Criminals actively seek to obtain an individual’s sensitive personal information necessary for a financial institution’s security verification process such as one’s mother’s maiden name, historical personal residence and billing addresses and answers to key security questions, sometimes obtained through links to phishing website or “fake” copies of popular commercial websites with username and password login form fields, sent through “SMS bomb” or spam e-mail phishing attacks. A popular technique —  both discussed openly with methods traded in underground forums —  is sending out fake mobile phone notifications. Spammers text delivery notices via SMS with a link to a phishing URL (often a shortened URL, e.g. “bit.ly”) for companies like DHL or UPS that are designed to harvest the victim’s mobile IP address, IMEI number, mobile phone model and software version along with sensitive personal information input by the victim in search for the non-existent package.

The Risk of Password Reuse and Credential Stuffing

Credential stuffing is a widespread technique utilized by cybercriminals to test if historically exposed e-mail addresses and password combinations are valid logins across multiple commercial websites. Opportunistic cyber criminals automate the testing of large ‘combo lists’ containing compromised e-mail addresses and passwords against commercial websites and once a successful authentication occurs readily steals the PII and financial information, often saved, on the e-commerce shopping platform’s user profile.

Circling back to the overlap between individual and corporate risk, credential stuffing using malicious software and botnets affects not only the individuals but also the commercial organizations whose user accounts are surreptitiously accessed, as many immediately assume access was achieved due to vulnerabilities with the commercial service provider’s technical configuration instead of a simple credential stuffing technique conducted en masse. The uncertainty potentially erodes consumer and stakeholder confidence warranting that commercial agencies consider credential stuffing in their internal security frameworks and corporate risk assessments as well.

The Risk of Identity Theft and Financial Fraud

While a personal e-mail address or password leak is easily mitigated by using complex passwords and password managers, the greatest threat to an individual is financial fraud and/or personal identity theft. When credit card numbers are leaked in association with this type of account information, it can easily be leveraged to create new illicit accounts or to commit bank fraud. This risk his heightened even further when associated billing formation is included, such as a mailing address or the credit card’s CVV number.

Individual Risk Calculations

Ultimately, what does the fact any of your personally identifiable information is on the darknet really mean? Your level of concern is directly correlated to your individual risk and calculating individual risk using information exposed on the darknet is measured by not only the location of and volume of credentials and PII exposed, but also a factor of time – that is, how long the information has been available and the likelihood of exploitation by a malicious actor. Of course, this likelihood of occurrence increases immediately once there is direct intent and targeting of the person either individually or in conjunction with a campaign against a corporation, regardless of what types or volume of personal data is already accessible.

  • E-mail address and password leaks: Individual risk increases slightly with the website where the credentials have been used, i.e. banking application or health portal. Individuals can mitigate risk by using unique, complex passwords and password managers.
  • Personal financial data like credit and debit cards: Individual risk is higher if the card is still in use. Most banks have fraud prevention and do not hold the cardholder responsible for illegal purchases with stolen credit and debit card data.
  • Identity verification information: Individual risk increases with the more sensitive data accessible to a threat actor. For example, if a bank account number along with the full name of the account holder, their physical residential addresses, and other key identity verification information such as their mother’s maiden name, the name of their first dog, and secondary school mascot is obtained, then a threat actor has enough information to impersonate them and take control of the account. Compromise can be mitigated by visiting the bank in person with a form of identification (passport or driver’s license), closing down the compromised account, and opening a new one.

Only an individual can ascertain the degree of personal cybersecurity risk they are comfortable with, given the types of information they have shared publicly and the value they place on their personal information, their individual brand, and digital reputation. In a hyper-connected society that is increasingly reliant on networked digital information systems to function, everyone’s exposure and subsequent risk is increasing to some extent. For some individuals, this risk is gradual and others exponential.

It’s Risky Business Regardless

Threats posed to individuals and corporations from the darknet where sensitive corporate or personal information is leaked by cybercriminals is diverse. Criminals employ increasingly sophisticated social engineering and technical attack vectors to pilfer information that could lead to full identity theft for an individual or corporate extortion with multi-billion ransom demands. 

While the science of cyber risk calculations is still relatively nascent, the factors and data points outlined above can offer those in charge of assessing and underwriting risk contextual information as it pertains to the deep and dark web. By better understanding how threats manifest in these underground communities, individuals and corporations will be able to more accurately identify indicators of compromise and assess the security posture of their digital footprint. The deep web, anonymous networks, and various chat platforms will continue to be home for trading these commodities of data and DarkOwl will continue to assist its clients and partners to help provide the most comprehensive darknet database necessary for critical monitoring of potential markers of cybersecurity risk to corporations and individuals.

Download this report as a PDF

To understand the role darknet data plays in your corporation’s risk posture, contact us.

Highlighting DarkOwl’s Unwavering Commitment to Non-Profit Causes

Written by DarkOwl Content Team on . Posted in Blog.

August 17, 2022

In honor of National Non-Profit Day, we are excited to highlight a couple of our non-commercial organizational partners that we are extremely proud to support: the National Child Protection Task Force and the International Justice Mission. In preparation of this blog, the content team sat down with key members of the NCPTF organization and ICM to get a glimpse into the work that they do on a day-to-day basis and how DarkOwl contributes. In order to maintain their operational security, we have intentionally not disclosed the names of any of the investigators or specialists we spoke with from either organization.

Reports from Federal Agencies indicate that the volume of children being trafficked and exploited in the United States is a national crisis. According to the FBI’s National Crime Information Center (NCIC), in 2021, there were 337,195 NCIC entries for missing children. A mechanism for child cyber exploitation that, ran by the National Center for Missing & Exploited Children (NCMEC), received 29,397,681 million reports in 2021, up from 21.7 million reports in 2020 – a near 9% growth. Using their web portal, DarkOwl regularly sends NCMEC the URLs for domains containing child sexual abuse material (CSAM) content discovered during collection. We have discovered thousands of domains across Tor and Zeronet active with proliferating such material.

The National Child Protection Task Force, or NCPTF, is comprised of a network of law enforcement and technology professionals that provide law enforcement agencies a rapid-response team and investigative support, resources of which are often underfunded or completely unavailable to law enforcement agencies, to support cases of human trafficking, child exploitation, and missing persons. Their team of child and exploitation case specialists is supported by experts ranging from former intelligence officials and military officers, volunteer open-source intelligence (OSINT) researchers, and others.

While OSINT is our primary method of getting after what we need to from an investigation standpoint, we also have experts, including current and former law enforcement, that provide support from a technology standpoint, with regard to legal processes,” said NCPTF’s Head of Intelligence. They went on to explain that NCPTF investigators rely on tools like DarkOwl to not only close cases by identifying perpetrators, but to also see those criminals put behind bars.

“It takes a very specialized tool or a very skilled researcher to do dark web investigations,” continued the NCPTF team. “We never want to put our people or their systems at risk during these investigations and rely on tools like DarkOwl to safely procure information for us that we can leverage.”

The International Justice Mission, or IJM, is charged with the mission to protect people in poverty from violence by rescuing victims, bringing criminals to justice, restoring survivors to safety and strength, and helping local law enforcement build a safe future that lasts. Like NCPTF, IJM’s investigations also involve tracking human trafficking and missing persons cases and technology incorporated into their Global Fusion Center, an analytics hub based out of IJM’s global office, helps them monitor red flags, track a predator’s virtual footprint and prevent abuse before it begins. Recent international refugee crises out of Afghanistan and Ukraine have resulted in an inordinate surge in human trafficking around the globe.

For members of the IJM, DarkOwl Vision is one way to keep their researchers safe. It allows their team to search the darknet without going on to browsers such as Tor directly and enables them to have access to historical content that can help break open a case, “we have fully integrated the platform into our workflows and it greatly enhances our ability to safely and effectively identify potential lead information,” stated a Criminal Intelligence Specialist from IJM’s Global Fusion Center.

NCPTF investigators recalled an case where the suspect had a known online alias or username. They needed to find out more info about this user, and some other OSINT services that they were using failed to produce any leads. After running that same username through the DarkOwl Vision database, investigators were able to uncover a new username belonging to the person of interest that was older than the one they were aware of. NCPTF revealed, “As us forensic cyber investigators know, threat actors get more advanced over time. So, by identifying the old username, it opened the investigation up for us – which no other tool was able to do.”

This real-life example shows the power of historical data that no other darknet tool on the commercial market has as wide of coverage on.

DarkOwl is proud to partner with NCPTF and IJM and many other non-profit organizations focused on making the world a better place. Hearing these stories and how our work behind the scenes is making a difference, makes the day-to-day tasks so much more worth it. We look forward to continuing this partnership and extend a thank you to all our other NGO partners and all NGOs today that are making a difference. Happy National Non-Profit Day!

More on NCPTF

The National Child Protection Task Force, a registered 501(c)(3), was founded to provide detectives, analysts and officers access to investigative expertise and resources that are unavailable or under-funded in most law enforcement organizations. The members of our Task Force volunteer their time to any agency — small or large, international, or local — on important, time-sensitive cases focusing on human trafficking, child exploitation and missing persons cases.

To learn more or donate, please visit www.ncptf.org

More on IJM

The International Justice Mission (IJM) is a non-partisan, non-governmental, 501(c)(3) organization. They operate with governmental approval and acknowledgment and depend on the partnership of local government and NGO partners. International Justice Mission is a global organization that protects people in poverty from violence. IJM partners with local authorities in 24 program offices in 14 countries to combat trafficking and slavery, violence against women and children, and police abuse of power.

To learn more or donate, please visit www.ijm.org

Pegasus Intelligence Partners with Darknet Data Provider DarkOwl to Enhance Cyber Intelligence Solutions for Government and Military Clients

Written by DarkOwl Content Team on . Posted in Press Releases, Products and Use Cases.

August 15, 2022

DarkOwl is proud to announce their new partnership with Pegasus Intelligence, a cutting-edge security solutions company delivering signals intelligence and cyber intelligence solutions to government and military clients in challenging environments.

With a focus on serving the defense and space manufacturing industries, Pegasus Intelligence FZCO is a broker of technology products and services that were developed with their most critical end-users in mind. Their Product Management orientation is the vehicle that bridges customer requirements to product manufacturers, ensuring well-articulated system lifecycle and sustainment plans. The Pegasus Intelligence team can address highly nuanced concerns exposed through system tests to macro issues of program management and force modernization.

Pegasus Intelligence believes the future of warfare is likely to focus less on firepower and more on the power of information and the way it connects a military’s forces through the concepts of command, control, communications, computers, cyber, intelligence, surveillance, and reconnaissance (C5ISR). More than ever, the advantage will lie with whichever side can collect the most vital information, accurately and quickly analyze it, and then rapidly and securely disseminate the information and associated instructions to forces.

DarkOwl CEO, Mark Turnage, shares the same sentiment that there has been an unprecedented amount of data leaked into the darknet as a result of the ongoing cyberwar; “Since February of this year, the net size of our database has increased by 20% in six months because so much data has been spilled out into the darknet as a result of the current cyberwar.  The darknet is a chaotic and often unruly environment and it just became even more chaotic and risky. We are excited to initiate our partnership with Pegasus Intelligence and add our database to their cyber intelligence for government and military clients.”

Andrew Grunstein, Pegasus Intelligence CEO states: “We are very pleased to be growing our mutual cooperation with the outstanding DarkOwl team delivering unparalleled capabilities to clients across the Gulf.”

To learn more about DarkOwl, please visit www.darkowl.com. To learn more about Pegasus Intelligence, please visit pegasusintelligence.com.

About Pegaus Intelligence

Founded in 2008 with is headquarters in Abu Dhabi, Pegasus Intelligence specializes on delivering cutting-edge security solutions, delivering signals intelligence and cyber intelligence solutions to government and military clients in challenging environments. Our team of Intelligence professionals have the experience to deliver the right capability to achieve your objectives.

About DarkOwl

DarkOwl uses machine learning to automatically, continuously, and anonymously collect, index and rank darknet, deep web, and high-risk surface net data that allows for simplicity in searching. Our platform collects and stores data in near real-time, allowing darknet sites that frequently change location and availability, be queried in a safe and secure manner without having to access the darknet itself. DarkOwl offers a variety of options to access their data.

Products

Services

Use Cases

Company

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.