Author: DarkOwl Content Team

Introducing: The Mental Health Strategies for OSINT Professionals (MHS4OSINT) Project

October 10, 2023

In recognition of World Mental Health Day, DarkOwl is excited to announce the initiation of the “Mental Health Strategies for OSINT Professionals” (MHS4OSINT) Project, aiming to provide OSINT professionals strategies to reduce the mental health impact of exposure to distressing content in their work.

Why OSINT Analyst Mental Health Matters

Most individuals report experiencing stress in the workplace – 94%, according to the American Institute of Stress. However, OSINT analysts (such as those involved in anti-human trafficking efforts or dark web research) are routinely exposed to subject matter and content that an average person does not willfully engage with when navigating online spaces. Exposure to “distressing content” may result in vicarious trauma which in turn leads to an array of negative mental health outcomes.

Vicarious, or secondary in some literature, trauma has competing definitions. For the purpose of this project, we will adopt a more general definition from Hannah Ellis at Bellingcat: “mental distress that is experienced as an outcome of interacting with graphic online media.” Vicarious trauma is thought to occur when exposed to what we will refer to as distressing content, or content that elicits negative responses from users upon exposure. The nature of distressing content is highly varied and includes (but is not limited to) war footage, gore, CSAM, extreme ideology, X-rated content, among others. Further, this content is not limited to only photos or videos; sounds, imagery, or extreme rhetoric is thought to also invoke vicarious trauma.

The toll of vicarious trauma is thought to be cumulative over time. Repeated, frequent exposure to such materials adds up, and this exposure cannot be undone; in other words, it’s not possible to “unsee” something once exposed to it. This can contribute to multiple negative mental health outcomes, such as analyst burnout. Burnout is, of course, a poor outcome for the analyst themselves, but also impacts the long-term health of OSINT as a profession and is economically impactful for employers and organizations who rely on OSINT work. Other professionals that frequently experience vicarious trauma, such as 911 operators and journalists in sensitive areas, typically have access to plentiful resources to combat the negative effects of exposure to distressing content. OSINT professionals however do not have a centralized repository of resources dedicated to combating burnout and other negative outcomes (though some excellent individual materials exist, such as the 2 previously linked Bellingcat articles). Further, advice from individual OSINT professionals on reducing burnout may be differentially effective; a strategy used by one OSINT analyst to reduce burnout may not be impactful for another, or the variances in reduction may vary depending on the nature of the distressing content. This project seeks to help address these issues in the OSINT community.

The Mental Health Strategies for OSINT Professionals Project

The Mental Health Strategies for OSINT Professionals Project (MSH4OSINT) is a crowd-sourced, data driven project aimed at collecting, validating, categorizing, and distributing mental health strategies freely for the OSINT community.

Researchers on this project aim to collect Strategies (specific actions, behaviors, or modifications of belief that will lessen the negative impacts of vicarious trauma when exposed to distressing content) from a wide variety of OSINT practitioners and validate their effectiveness using empirical evidence. Once validated, Strategies will then be categorized using qualitative research methodology and distributed to the OSINT community via DarkOwl’s website, presentations at conferences, social media, and other typical ways of reaching OSINT professionals.

These strategies will be freely accessible and accessing the strategies (as well as contributing to the project) is anonymous. Note that these strategies are not medical advice nor intended as a replacement for professional therapy or other medical interventions. It is also unlikely that all strategies, even when empirically validated, will be impactful, thus we encourage trying out strategies from numerous categories.

Project Methodology

Though decidedly not an academic project, this project endeavors to follow sound academic principles and methodology to ensure the highest likelihood of success at reducing burnout.

The first phase of the MHS4OSINT project is data collection of strategies used by OSINT professionals. This will be done via an anonymous self-administered online survey, hosted here. Data collection will be ongoing and Strategies will be evaluated as they are submitted.

Once data is collected, it will be cleaned and enter the validation step. This project will only put forth strategies that have empirical backing (though we invite contributors to include ALL strategies used). Project researchers will seek out literature to demonstrate the efficacy of a submitted strategy and include that source with the suggested Strategy. Strategies with no evidence of success at improving mental health outcomes will not be moved on to the categorization step.

Upon validation, Strategies will then be categorized using qualitative research methods. As we are in the very early stages of data collection (and the fact the data should derive the categories), permanent “categories” are yet undefined and are very likely to change. However, some possible categories we may see from the data include:

  • Environmental/Physical Strategies
    • Proximity/working space, changes in clothes/style, physical health and nutrition
  • Mental Strategies
    • Meditation, mindfulness, building resilience, “inoculation against the internet”, work/life balance, professional identity
  • Technical Strategies
    • Browser extensions that blur images, pause auto-playing videos, mute extensions
  • Moral? Social?
    • Can mission success mediate the impacts of exposure?

Once a considerable amount of data is collected, validated, and categorized, we will then distribute Strategies for the community via future blog content, social media, and conference presentations. As more data is collected, ongoing updates will be made to the Strategies and their categories, with the aim to have a large repository of Strategies that may prove effective at reducing burnout regardless of the type of distressing content OSINT professionals are exposed to.

Contribute!

If you’re an OSINT professional that would like to offer Strategies you use to reduce burnout, we would love your (anonymous) input! The entire success and impact of this project hinges on the collection of quality data from the OSINT community. Submit your strategy. We will also be at OSMOSISCon in New Orleans, Louisiana on October 15-17, 2023, detailing some of the very preliminary findings from the project.


Make sure to get the latest research and our findings. Sign up for our newsletter!

Dark Web Groups Turn Their Attention to Israel and Hamas

October 10, 2023
Disclaimer: DarkOwl is not affiliated with any of the groups mentioned in this article and do not support the actions of cybercriminals regardless of their motivations. This information is provided for informational purposes only and has not been independently verified.

Other Resources Since the Publication of This Blog:

Introduction 

The world was shocked by the invasion of Hamas insurgents into Israel along multiple entry points from the Gaza Strip on October 7, 2023. This has led to a huge number of posts, images and videos being shared of the incursion and atrocities on social media but also on the dark web and dark web adjacent sites.  

DarkOwl analysts are closely monitoring this situation and have identified a wealth of information being shared, some of it legitimate and some likely to be disinformation. We will be authoring a series of blogs showing our initial findings as well as providing new information as it is uncovered.  

Here we provide information relating to known cyber groups active on Telegram and how they have reacted to the invasion.  

Which Side to Pick? 

As events unfolded over the weekend, chatter on several Telegram channels monitored by DarkOwl turned towards Israel and Hamas and the events unfolding in the Middle East. A number of these groups have been heavily involved in the Russian Ukraine Conflict supporting one side or the other and posting leaked information, DDOS attacks and defacement among other things. 

Some groups quickly pledged their support for one side or the other. Killnet posted their intention to target the Israeli government, posting in both Russian and Hebrew, stating this was due to Israel’s support for Ukraine. An affiliate of theirs Anonymous Sudan quickly followed suit.  

Figure 1: Killnet Telegram channel
Figure 2: Anonymous Sudan Telegram channel 

The Five families, including SiegedSec and GhostSec posted on October 7 confirming their support for Palestine/Hamas. These groups have been very active on behalf of Russia in the Ukraine Russian conflict.  

Figure 3: GhostSec Telegram channel 

A hacktivist group known as Cyb3r Drag0nz who has targeted several groups and organizations from many countries posted a poll to their public channel asking them which country they should support. They quickly began activity in support of Palestine.  

Figure 4: Cyb3r Drag0nz Telegram channel 

A ransomware group known as RansomVC, was reported to be buying access to any countries affiliated with Gaza, including Iran and Palestine. Although no other information was provided it is likely this means the group is planning to attack organizations within these countries.  

Figure 5: RansomedVC Telegram channel 

The threat group ThreatSec stated it didn’t like Israel but that they also don’t like war, so they plan to attack the Gaza region as that is where many of the Hamas fighters are located. They later had to clarify this statement saying they are neither on the side of Israel or Palestine and they want to stay neutral. So, they will target both countries.  

The group Garuna Ops made a number of posts in support of Israel and stated as well as attacking Palestine they would attack any other countries that supported them.  

This is just a small number of the groups identified which were previously active in the Russia Ukraine conflict. It is worth noting there are a number of other groups on both sides which have been supportive of Hamas or Israel for some time. We will provide more information on them in subsequent blogs.  

The Cyber War Begins?

Hacktivist groups have been quick to launch attacks on both sides of the war, the type of activity conducted has varied depending on the group and presumably what skills they possess. DarkOwl has not verified the reported attacks were successful. 

Some channels as well as providing details of the attacks they have conducted or information they have obtained have also shared graphic images and videos of the conflict as well as support for their chosen side and justification for their beliefs. Here we only focus on the attacks they claim to have conducted.  

DDOS Attacks

Two separate groups claimed to have taken down the Red Alert System. This is the system used by Israel to alert its citizens of the threat of a rocket attack. The system has an app which is installed by the user. Anonymous Sudan first made the claim on October 6, providing a screenshot which showed a loading image on the app and a screenshot saying there had been no alerts in the past day. However, the screenshots do not provide a date or time.

Figure 6: Anonymous Sudan Telegram Channel 

GhostAnon was the second group to claim it had taken down the app and it was affecting different areas. Again, they did not provide any concrete evidence this was in fact the case. 

Figure 7: AnonGhost Official Telegram channel 

The manager of the Red Alert app refuted the claims the app was down. This is possibly corroborated by a further threat group posting images of the Red Alert Map showing where Hamas rockets were striking Israel, although the timing of the screenshot is unknown.  

Anonymous Sudan also claimed to have successfully DDOS The Jerusalem Post, the website of a newspaper based in Israel. The company did post on X (formally Twitter) that they were suffering from a major cyber-attack and the site continues be down several hours later.  

Figure 8: Anonymous Sudan Telegram channel 

The Electronic_Tigers_Unit claimed they had successfully attacked the Mossad open website via a DDOS attack. Although this is the open site and therefore unlikely to hold any sensitive information its likely aim was to cause distraction to the Israeli Intelligence services.  

Defacements 

A cyber hacktivist group knows as Cyb3r Drag0nz posted a series of images claiming it had defaced several Israeli websites. The image featured a Palestinian flag as well as the aliases of the individuals involved and their associated Telegram channel.  

Figure 9: Cyb3r Drag0nz Telegram account 

The companies that were targeted by this group ranged in industry and no reasoning was provided other than they have a .il domain. Defacements have long been used by less sophisticated users or those that want recognition for the activities they are causing. This is a known tactic of Iranian cyber actors.  

Leaked Information

Another group Cyber Av3ngers, which is supportive of Iran, activities preceded the invasion and began on October 6 when they targeted Noga Company, an electricity company claiming they were causing power outages “due to the actions of your [Israel] government.”  

They have also targeted Dorad Power station both in a DDOS attack and a claim they have obtained sensitive information, this included images of the facility which they shared on their telegram channel, it is likely this was done to assist with an attack on the facility.  

It is worth noting this group had previously claimed responsibility for attacking an Israeli public railroad in mid-September. Although this incident was denied by Israel.  

On October 9, AnonGhost-Info provided a list of IP addresses which it claimed formed part of the Israeli Iron Dome. This is the missile defense system which attempts to destroy any rockets entering Israeli airspace. Although these IP addresses have not been verified if legitimate these addresses could be used by a cyber actor to attack the Iron Dome. The IP addresses have been redacted for security purposes.  

Pro-Palestinian groups have also been targeting Israeli citizens and sympathizers. Leaks of their alleged information have been revealed with users being encouraged to target their social media accounts to provide pro-Palestinian messages.  

On October 9, Cyb3r Drag0nz also claimed to have hacked the Israeli Instagram and provided screenshots showing the information they had obtained which included images and usernames. They later released a download which they claimed included all the user data which contained more than 100,000 Israeli Instagram accounts. This information has not been verified.  

Figure 10: Cyb3r Drag0nz Telegram account 

High ranking officials have been subject to DOX attacks with the purported name and phone number of the Director General of the Israel National Cyber Directorate being released and followers being encouraged to spam his phone.  

Figure 11: AnonGhost Official Telegram channel 

Summary

Although Government sources have claimed they have not yet seen any evidence of cyber-attack, DarkOwl’s coverage of darkweb adjacent groups has shown they have been quick to involve themselves in the conflict. While the tactics which have been observed so far are not assessed to be highly sophisticated, they can be very disruptive, and it is likely more sensitive information is being shared in closed channels. It appears, just with Russia and Ukraine, cyber-attacks will be another front in this war both from hacktivist groups as well as nation states acting directly and via proxies.

DarkOwl coverage on this topic will continue. 

Examining Recent Telegram Posts from Russia’s “Z Bloggers”

October 05, 2023

Who are the “Z Bloggers” or “Z Army”

The letter “Z” has been heavily used as a pro Russian invasion propaganda motif since the early days of the invasion in 2022. The “Z” symbol is often associated with images of Russian leaders in the government or military.

Image 1: Sergey Mironov wearing a pin with “Z” symbol, Governor of Kuzzbass

The symbol is also commonly associated with Russian war journalists, soldiers, and other Kremlin supporters typically used as vehicles for misinformation campaigns  on chat platforms like Telegram. The media commonly refers to this group of individuals as the “Z bloggers”, the “Z Army”, and more generally as war influencers.

Image 2: Russian soldiers embracing the “Z” symbol on a military vehicle; Source: Moscow Times

The  Z bloggers will sometimes display the “Z” somewhere on their Telegram profile (as seen in the below screenshot for WarJournal). Often these “journalists” are embedded on the frontlines with Russian soldiers, which is how they are able to obtain near real-time conflict footage. These videos provide fuel to propaganda aimed towards increasing Russian enlistments into the Armed Forces or Wagner Group.

Figure 1: Screenshot of WarJounal’s Telegram bio

A recent BBC article reported the sudden increase of Telegram members in various “Z blogger” channels is correlated with a “surge in Telegram’s advertising market” like WarGonzo and Grey_Zone. These war influencers have taken advantage of this trend by selling advertisements through Telegram posts to companies looking to reach a younger target audience. According to Telegram’s website: “Sponsored messages on Telegram are displayed in large public one-to-many channels with 1000+ subscribers and are limited to 160 characters. Sponsored Messages are based solely on the topic of the public channels in which they are shown. This means that no user data is mined or analyzed to display ads, and every user viewing a particular channel on Telegram sees the same sponsored messages.”

This blog will take a look at recent posts from 3 different “Z blogger” channels in an effort to better understand how this content has recently been utilized as a propaganda motif. DarkOwl analysts selected the following Telegram channels for review:

  • WarGonzo, over 1.2 million subscribers
  • WarJournal, over 41,000 subscribers
  • Grey Zone, over 600,000 subscribers

WarGonzo

WarGonzo is one of the most prolific “Z bloggers” with well over 1.2 million Telegram subscribers. This channel is reportedly run by  Russian citizen, Semoyon Pegov, an image of him with Vladimir Putin was posted on X (formerly Twitter) and Telegram in April this year.(see image 3). It is unclear how many individuals are associated with this channel but we have observed multiple “correspondence” posting information and embedded with the military. A representative for ‘WarGonzo” was interviewed by the BBC and reported that they make an estimated £1,550 per Telegram post via advertising revenue. Users are able to submit content to advertise by following the instructions and steps (in Russian) using a Telegram bot, @pegov_bot. It is unclear if there are any restrictions on what can be advertised.

Image 3: Image of Pegov standing with Vladimir Putin; Source: Twitter 04/06/2023

WarGonzo posts at least once a day and often several times a day. For example, on September 26, 2023 there were 10 posts. The content of these posts ranges from interviews from correspondents on the front lines of a conflict in Ukraine or other correspondents reporting on recent escalating events between Azerbaijan and Armenia in Nagorno-Karabakh. The Ukrainian video content is typically more violent often showing images of dead soldiers and civilians immediately following some sort of military kinetic activity (air strike or explosion) whereas in the Azerbaijani videos, the correspondents are dressed in civilian clothes and not on the front lines. This money has helped WarGonzo to expands its coverage to other conflicts such as in Armenia and Azerbaijan. The below screenshot of a WarGonzo post made on Sep 26, 2023 displays a video of a WarGonzo correspondant, named Dmitry Seleznev, reporting on the recent Azerbaijani attack that targeted ethnic Armenians in the town of Goris:

Figure 2: Image from WarGonzo’s Telegram channel
[TRANSLATED IMAGE]
⚡️Refugees are delivered by land and by helicopter⚡️Activation of WG from Goris⚡️
Refugees are arriving in Goris, the closest city to Nagorno-Karabakh. They are registered at the central house of culture, provided with food and water, given medical care to those who need it, and sent to be resettled in the regions and cities of Armenia.
Helicopters fly over the city, delivering victims after yesterday’s explosion of a fuel tank near Stepanakert.
Watch the live broadcast of our special correspondent Dmitry Seleznev from Goris.
@wargonzo
*our project exists on the funds of subscribers, a card for help
4279 3806 9842 9521

WarJournal

WarJournal, is another “Z blogger” Telegram channel,  where the content creators are  embedded with Russian soldiers on the front line, and has a large following with over 41,000 subscribers. Content published on this channel is similar conflict content to WarGonzo, utilized to motivate Russians to enlist in the army.

The following screenshot was taken from a recent post on September 26, 2023, which depicts the Russian Air Force destroying a bridge with a X-38 aircraft missile over the Oskol River. Users reacted 41 times using the “thumbs up” emoji and 14 times using the “fire” emoji. DarkOwl analysts identified the forwarding Telegram channel where this information was originally posted on the same date, РаZвед_ДоZор (t.me/razved_dozor), which is yet another war influencer apart of the “Z blogger” network.

Figure 3: Image from WarJournal’s Telegram channel
[TRANSLATED IMAGE]
The Russian Air Force used an X-38 aircraft missile to destroy (https://t.me/bortzhyrnal/139) the bridge across the Oskol River in Kupyansk and significantly hampered the ability of the Ukrainian Armed Forces to supply its troops in the Kupyansk direction.

Grey Zone

Grey Zone is another “Z blogger” account that identifies as an official channel for the Wagner Group. Open Source reporting has not identified one particular individual running this channel at this time, however, according to its Telegram bio the username, @greyzone_admin, is the channel admin.

Grey_Zone also has a large Telegram following with well over 602,000 subscribers as of September 27, 2023. The BBC also reported that this channel reportedly makes £260 per post. The content shared on this channel is consistent with other “Z bloggers;” they display near real time conflict videos, images honoring dead soldiers, and other Pro-Russian propaganda motifs that are intended to motivate Russian sympathizers to enlist with the Wagner Group.

The below screenshot is an example of this, referring to a Wagner Group “hero of Russia.”

Figure 4: Image from Grey Zone’s Telegram channel
[TRANSLATED IMAGE]
“We are always ready to talk man to man. Moreover, we have known each other since the first and second wars in Chechnya” – commander of the “Wagner Group” Hero of Russia Dmitry Utkin.

The style of this image is reminiscent to the imagery used in Jihadist martyrdom posts from groups affiliated with ISIS or Al Qaeda. The image below illustrates a martyrdom post created by an Indian Al Qaeda affiliate called the Ansar Ghazwat-ul-Hind (AGH) in June 2019:

Figure 5: Image of an AGH martyr, Long War Journal

Conclusion

DarkOwl analysts assert it is highly likely that Russia will continue to expand the reach of its propaganda campaigns through chat platforms like Telegram. Since the outbreak of the Russian invasion of Ukraine, the use of Telegram has been integral to the spread of Russian misinformation by a cohort of supporters that have become known as the “Z bloggers” or “Z army”. The recent BBC article highlighted how influential accounts like WarGonzo and Grey_Zone are able to make hundreds to thousands of dollars a day from Telegram posts. WarGonzo now has the budget to report on conflicts in nearby countries such as the current ethnically charged violence towards Armenians in Goris.


Don’t miss any DarkOwl research > sign me up for emails!

Cybersecurity Awareness Month: Upcoming Content

October 03, 2023

In light of Cybersecurity Awareness month, DarkOwl is committed to sharing research, trends and industry news from our analysts.

Be the first to know as we release new research by entering your email below!

Upcoming Content This Month

BLOG

Z Bloggers

A recent BBC article reported the sudden increase of Telegram members in various “Z blogger” channels is correlated with a “surge in Telegram’s advertising market” like WarGonzo and Grey_Zone. This blog will take a look at recent posts from 3 different “Z blogger” channels in an effort to better understand how this content has recently been utilized as a propaganda motif.

BLOG

Mental Health Strategies for OSINT Investigators

Some types of OSINT research expose analysts to explicit, obscene, extreme, or otherwise uncomfortable content. In honor of World Mental Health Day, the DarkOwl team will be conducting research looking to:

  • Explain the risks that are inherent to some types of OSINT research, primarily taking a mental health perspective.
  • Disseminate the results of some independent research I am conducting, where I can provide to attendees strategies other OSINT researchers use to mitigate the risks to mental health from exposure to extreme content.
  • Facilitate a conversation with attendees who are comfortable sharing what strategies they employ to mitigate risks to their mental health from this exposure.
EVENT

DarkOwl @ ISS Latin America in Panama City, Panama

DarkOwl Senior Intelligence Analyst, Steph Shample will be presenting “Use of Darknet for National Intelligence and Law Enforcement Purposes.” This session details the intelligence available on deep/dark web (DDW) platforms, as well as adjacent platforms such as Telegram and Discord, which can be enriched and used by law enforcement and government officials to reduce criminal activity and simultaneously protect national security. Types of intelligence include: tracing financial transactions to illuminate drug, weapon, human trafficking, and other supply chains that contribute to malicious activity, whether fiat or cryptocurrency transactions; hybrid incidents events that threaten both cyberspace and physical safety; and the kinds of equipment, kits, and material sold by criminal actors that contribute to digital attacks against critical infrastructure and key resources (CIKR), threatening the safety of everyday services.

Attending ISS Latin America? Make sure stop by Table Top #6 and schedule a time meet with a DarkOwl team member here.

BLOG

Q3 Product Updates

Stay tuned for our quarterly update blog highlighting new product features and collection stats updates. Always something exciting coming from our Product and Collections teams!

BLOG

Leak Sites Increase

In May, our analysts noticed and published a piece on the increase in leak sites. Stay tuned for an update this month on this topic and what the team is now noticing.

EVENT

DarkOwl @ OsmosisCon in New Orleans, LA

DarkOwl’s Damian Hoffman, Product Engineer and Data Analyst, will be leading a discussion on Mental Health Strategies for OSINT Investigators.

Pre-conference, Damian will also be conducting a demo titled “Finding Actionable Intelligence in Dark Web Data for OSINT Investigations.” The goal of this session is to further educate the intelligence community on how threat actors on the darknet pose a threat to national security and showcase Vision UI, the industry leading platform for analysts to simply, safely, and comprehensively search the largest commercially available source of darknet data.

Attending this conference? Stop by Booth #22 and schedule time to meet with us here.

EVENT

DarkOwl @ GITEX in Dubai

Going to be at GITEX, the world’s largest tech show, exploring the latest innovations, products and services within AI, Cybersecurity, Mobility and Sustainable Tech, in Dubai? Make sure to schedule time to meet DarkOwl FZE CEO, David Alley.

BLOG

Internalized Domain Name Homoglyphs: Can You Spot the Difference? 

Homoglyphs are characters from one language set that look like other characters of a different language set. Threat actors use different character sets to cause confusion and register domain names similar to legitimate domains, but with one or more characters from another language, for phishing and credential harvesting campaigns. In this blog, DarkOwl analysts will outline several examples, all including an example screenshot of the fake website.

BLOG

Fraud is inarguably a global problem that is not going away any time soon. The DarkOwl team has published several pieces around fraud and scams, including a blog on their differences. Our October piece will dive into recent trends of fraud specifically.

BLOG

Spooky Findings on the Darknet

The darknet can be a scary place. For Halloween, we will highlight some spooky findings from our analyst team. This is one you will not want to miss!

WEBINAR

As the digital landscape continues to evolve, so do the threats that target it. Staying ahead of cyber adversaries requires a deep understanding of the latest trends and innovations in the cybersecurity space. In this 30-minute session, on Tuesday, October 31 at 12pm ET, Socialgist CRO, Justin Wyman and DarkOwl Co-Founder and CEO, Mark Turnage, will explore a variety of critical topics shaping the cybersecurity landscape:

  • Key VC Raises in Cybersecurity: Capturing Industry Attention
  • Understanding the Major Players: Who’s Raising the Stakes
  • Harnessing Security Solutions: How Organizations Protect Their Assets
  • Addressing the Talent Gap: Scaling with Data Aggregators and Services
  • Pioneering the Use of AI: How do LLMs and AI Come into Play

Save my Spot! (Can’t attending live but want the recording? Register and we will be sure to send it to you)


Curious to see how darknet data can improve your cybersecurity situational awareness? Contact us.

Threat Intelligence RoundUp: September

October 02, 2023

Our analyst team shares a few articles each week in our email newsletter which goes every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. MGM cyberattack claimed by ALPHV/BlackCat ransom gang – Cybernews

ALPHV/Blackcat ransomware group claimed responsibility for the MGM cybersecurity incident this week. Down slot machines, nonfunctioning key cards, and more services were interrupted at MGM resorts and hotels nationwide. News articles broke Wednesday, 13 September, that ALPHV/Blackcat ransomware gang was responsible. However, DarkOWL analysts went to the ALPHV onion page, and no new data was listed yet. MGM data from 2013 were the only results. On 14 September, new rumors emerged that “Scattered Spider” was also involved in the incident. Scattered Spider is an English-speaking cybercrime group which teamed up with ALPHV in early 2023. Additionally, Scattered Spider hit Caesars Entertainment on 7 September. Caesars paid tens of millions to remain operational and did not experience an outage. Read full article.

2. Hackers backdoor telecom providers with new HTTPSnoop malware – Bleeping Computer

Threat actor group “ShroudedSnooper” has installed HTTPSnoop and PipeSnoop malware throughout Middle Eastern telecom providers. HTTPSnoop imitates legitimate URL patterns and blends into legitimate traffic, making detection very difficult; it also targets public servers. PipeSnoop takes advantage of deeper compromise within networks. No attribution has been discovered regarding the country of origin or intention of ShroudedSnooper. Article here.

3. Payment Card-Skimming Campaign Now Targeting Websites in North America – Dark Reading

Attacks starting in May 2023 (or earlier), by a Chinese-speaking threat actor, has exploited vulnerabilities in Web applications in the Asia/Pacific region. This month, they have expanded their targets into Latin and North America. The attacks involve skimming credit card numbers off ecommerce sites and point-of-sale service providers. Read more.

4. GhostSec Leaks Source Code of Alleged Iranian Surveillance Tool – Dark Reading

Hacktivist group GhostSec revealed the source code from Iran’s FANAP group, a technology conglomerate that has ties to the financial, government, and technology sectors in Iran. The source code reveals facial recognition, GPS and tracking systems, car license plate recognition, and other efforts in the surveillance space. DarkOWL analysts have procured the available files from Telegram. GhostSec established two Telegram channels to share with the media covering this event, as well as the files, stating the second channel was a backup in case the first was shut down. Learn more.

5. Vietnamese Cybercriminals Targeting Facebook Business Accounts with Malvertising – The Hacker News

Cybercriminals are using LinkedIn to find accounts tied to the digital marketing space, and compromising those accounts to use in social engineering incidents. Digital marketing accounts often have high numbers of followers and connections, and these numbers are easier to use to expand credential theft operations and reuse that information in malicious operations. After compromising LinkedIn accounts, the Vietnamese cyber group is using Duckport malware to perform information stealing ops, and then moving to other social media platforms such as Facebook, continuing to steal account credentials and in some instances, cookies, to reuse in the operations. Read full article.

6. Finnish Authorities Dismantle Notorious PIILOPUOTI Dark Web Drug Marketplace – The Hacker News

Law enforcement in Finland, including Finnish customs, announced the takedown of illegal dark web narcotic marketplace, Polopuoti on September 20. The drugs came from abroad into Finland, and this was a joint operation that also involved parties from Germany, Romania, and Lithuania. The marketplace had been active since May of 2022. Read full article.

7. FBI, CISA Issue Joint Warning on ‘Snatch’ Ransomware-as-a-Service – Dark Reading

Snatch ransomware employs a method to force Windows computers to go into safe mode and reboot before encrypting. The Snatch group is targeting CI/KR, including IT and agricultural firms, and the defense industrial base. They also purchase stolen data from other ransomware variants. Snatch has a very active extortion blog and has significantly ramped up activity in the past 12 months. Snatch also takes advantage of RDP, using the credentials from other ransomware campaigns to gain access and then move around the network. Learn more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Dark Web Investigations: Uncovering the Hidden Web

DarkOwl is the darknet expert and our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence. This infographic outlines several aspects of DarkOwl’s dark web investigations.

View full infographic.


Learn more about DarkOwl’s Darknet Services options.

What is Bullet Proof Hosting?

September 21, 2023

Cybersecurity might has well have its own language. There are so many acronyms, terms, sayings that cybersecurity professionals and threat actors both use that unless you are deeply knowledgeable, have experience in the security field or have a keen interest, one may not know. Understanding what these acronyms and terms mean is the first step to developing a thorough understanding of cybersecurity and in turn better protecting yourself, clients, and employees.

In this blog series, we aim to explain and simplify some of the most commonly used terms.

Bullet proof hosts (BPH) are web hosting providers that are less regulated with the services they allow compared to traditional Internet Service providers (ISPs), hardly restricting any kind of content.  BPH services are frequently used by online casinos and actors who intentionally spam or run other illicit online activities. They generally take all the material and practices that legitimate hosting services prevent (fraud, abuse, pornography, gambling, and hate speech, to name a few) and permit it. Just as legitimate businesses rely on ISPs, criminal and malicious threat actors (including state-sponsored advanced persistent threat [APT] groups) rely on the resilience of bullet proof hosting to conduct their operations.

While traditional ISPs aim to combat cybercriminals and online fraud and abuse, BPH actually empower and aid the criminal ecosystems, offering resilient infrastructure and avoidance of law enforcement operations. Even when there are takedown requests, abuse reports, or law enforcement actions, such as subpoenas, BPH ignore them. BPH will create shell companies or simply move IP ranges to keep questionable activity up and running. In some cases, BPH will even tip subpoena activity or takedown requests to the actors using their infrastructure, which gives them time to react, move their operations and prevent losing financial assets. For these reasons, BPH are crucial to the continuation of the cybercriminal ecosystem. 

The geographical component is essential to the success of a BPH operation. Bullet proof hosts usually establish themselves in areas which have vague or lenient cyber laws and policies towards these practices. Furthermore, they ensure to operate in areas which have no extradition to the Five-Eye countries: The United States, Canada, Australia, New Zealand, and The United Kingdom. Locations that commonly allow for and host BPH include: China, Romania, Bulgaria, Estonia, Panama, and the Seychelles, among others. In China, spamming is a completely sanctioned activity, whereas in the US, the FTC established tight guidelines to differentiate between “spamming” and authorized business activities, such as sending cold emails for business purposes. BPH also rely on the pseudonymity of cryptocurrency payments to operate. In this way, they almost facilitate a “don’t ask, don’t tell” mentality for the criminal underground, allowing actors to carry out nefarious operations while turning a blind eye or pleading ignorance.

Another term for BPH is DCMA-ignored hosting. The Digital Millennium Copyright Act is geared to protect copyright holders from theft of their material and aid in combating copyright infringement online. It only applies to specific ISPs who meet certain regulations. Most BPH do not meet these standards and regulations. The most effective way to combat the material hosted by BPH is to blacklist their entire IP block. 

In August of 2023, researchers in the cyber threat field broke the news that Cloudzy, a New York company actually run out of Tehran, Iran, was providing infrastructure to both nation state and criminal cyber actors. Researchers estimated that 40 – 60% of Cloudzy activity was malicious. Like other BPH, Cloudzy takes payment in cryptocurrency and claims to protect the privacy of its users. Cloudzy also ignored takedown requests and abuse reports. However, Cloudzy goes above and beyond a normal BPH profile, hiding its company ties to known governments and criminal conglomerates worldwide and masquerading as a legitimate provider. In addition to known nation state actors tied to using Cloudzy infrastructure, ransomware affiliates and initial access brokers were observed using Cloudzy services in their operations.   

Examples in DarkOwl Vision

After the Cloudzy research broke, DarkOwl analysts observed some of the latest trends for BPH in 2023. It is a competitive market where the actors using these services expect full time support, dedicated servers, and protection from online threats such as DDoS attacks, while also expecting protection from law enforcement. They want cheap and reliable service as well. Promises like live time are critical because of efforts to remove BPH from operation. It takes time for criminals to set up what they want to use the BPH for – if they are immediately taken down, that is lost revenue and opportunity for the cybercriminals. Several screenshots from DarkOwl Vision below:

Figure 1: Threat actor “darknite23” advertises BPH services with a guaranteed live time; Source: DarkOwl Vision
Figure 2: An actor solicits BPH services in a Telegram channel; Source: DarkOwl Vision

Actors on discord discuss the merits of having either a virtual private server (VPS) or dedicated BPH, and name CrazyRDP and Privatealps as bonafide BPH. A VPS can be easily moved or relocated in the instance of abuse or if they are targeted by law enforcement: 

Figure 3: Actors on a chat platform server discuss some of the believed better BPH service providers; Source: DarkOwl Vision
Figure 4: Actors discuss BPH costs and services to use in their various operations; Source: DarkOwl Vision
Figure 5: Users discuss merits of a BPH on Exploit, one of the top criminal markets; Source: DarkOwl Vision

Conclusion

Bullet proof hosting providers are known to facilitate the cybercriminal underground, their actors, front companies, and all types of illicit activities. In an ever-connected world where humans are looking to express themselves, promote their causes, cling to freedom of expression, or even make extra money, balancing online freedom and preventing invasions of privacy is crucial. However, freedom of expression cannot be lumped in with inciting violence, promoting continuing online hate, terrorism, and violent campaigns, in addition to attempting to compromise and extort businesses, critical infrastructure bodies, and government entities. Bullet proof hosts facilitate and enable some of the worst actors in the space. They must be studied and observed in order to prevent them from gaining more momentum and enabling additional compromising activities online. 


Questions or comments? Put me in touch!

Chatting with DarkOwl Analysts: Who Are They and What Do They Do?

September 19, 2023

The darknet is a haven for illicit activities many of which can pose a direct threat to organizations and individuals with stolen data being made available for purchase, access to illicit goods, and hacking activities. In addition, forums are used to discuss all manner of topics from extremism to CSAM to hacking practices and education.

Accessing and analyzing data from the darknet is challenging, even for the most experienced of analysts. DarkOwl is the darknet expert, with access to the largest database of darknet content. Our customizable service options allow customers to leverage our in-house expertise to save time, keep their employees safe, and fulfill the need for actionable threat intelligence.

Interview with the DarkOwl Darknet Analyst Team

DarkOwl’s Director of Marketing, Dustin Smith, sat down with Erin, Director of Intelligence, Senior Threat Analyst, Steph Shample, and Darknet Intelligence Analyst, Richard Hancock, to understand a little more about their backgrounds, why they love cyber, projects they’re working on, and some tips and tricks for new analysts.

Editors Note: Some content has been edited for length and clarity.


Why did you get into cyber security and the darknet space in particular? 

Erin: I kind of fell into it. I worked for the government and I was put onto cyber work, so that’s kind of how I started in cybersecurity. And I really enjoyed it. There’s a lot of fascinating characters and interesting people to investigate in that area. It’s very much been, in the 15 years or so that I’ve been doing it, a growth space with more information and more techniques and things happening all the time. So there’s always new stuff going on. And then the dark web has always been something that people are utilizing and using as a means of communicating. It’s always been fascinating in terms of its darkness, I guess, for want of a better phrase. 

Rich: For my entrance into cyber security, I also kind of fell into it. It’s interesting because a lot of people who have a background in government contracting, working directly for the government and counterterrorism and linguistics, like myself, transitioned into cyber threat hunting. And I think that reflects a level of how foreign policy and national security interests are evolving as well. But actually, my first entrance into open source intelligence investigations was actually through a recruiting job where I had to get really good at finding people’s contact information online. That’s where I developed a lot of my Google dorking, Boolean skills is in the recruiting world. I didn’t study computer science or anything science related in college, I studied Arabic and international studies and something I tell a lot of younger people that are trying to get into cybersecurity is just because you didn’t study something technical, doesn’t mean you can’t work in cybersecurity. 

Steph: So we all kind of fell into it because I was also government. What’s interesting is that I have almost the exact same start as Rich, in that I was doing counterterrorism work. You take those investigation skills for online patterns of terrorists and kind of trying to get into closed networks and you have to take that to the cyber world as well. But same situation – I had no computer science, I was  studying humanities in college. And then it was the linguistic aspect that… the needs were like, hey, Iranian cyber actors are coming online, African terrorists are using French forums… Can you translate this? Do you know what’s going on? So I think getting into it was accidental, but staying in it was definitely intentional because there is never a dull day.  

There’s never a dull moment. You have to learn something new. It’s not a matter of, “oh, I like learning new things.” If you want to stay competitive in the field and if you want to stay on top of your game, you have to advance with technology. And so that makes it really exciting. Furthermore, to come into the Internet world that none of us had a background in, no computer science is one thing, but when you start seeing TORs and these closed down platforms and these kind of CAPTCHAs and you’re just like, “how did these people come up with this and how can they navigate this?” And then also wreak havoc across the world on every industry. From what Rich said, it influences policy, the defense sector, but it also influences the financial sector and industry of all kinds. And what these people can do, cyber criminals, namely on the dark web from remote places. It’s fascinating. And do you want to be part of the good or do you want to be part of the bad? Do you want to combat that and the damage they have internationally, or do you want to just let them go? So that’s why I stayed in it. And it’s amazing, especially the dark web. It’s fascinating. 

I love how you transitioned into why you stay in cyber. Rich and Erin, do you have comments to add? 

Rich: I’ll draw back to the link that Steph and I have, which is our cultural interests and linguistic interests, which got us into the industry. Why I’m going to be staying in it is because I’m constantly learning. I’ve had darknet experience at previous jobs, but the amount of information that I’ve learned since being here [at DarkOwl] and how much better I’ve gotten at doing cyber investigations and the exposure to different industries is because we’re not just selling to one particular type of client. It has been incredible. Developing darknet subject matter expertise is a really, really valuable skill that can be used in so many different ways moving forward. 

Erin: I just really enjoy it, honestly, that’s why I stayed in it. I love figuring stuff out. I love a puzzle of, you’ve got to find something and how do you go and find it? And one of the things I think in the industry that’s so different from government is it’s really on you to go and find that information. I think in government and military, you’re getting SIGNIT [signals intelligence], you’re getting all of this information coming to you, and then you just do stuff with it. Whereas in the jobs that we do, it’s a case of: what can we find and what places are we going to look and who do we need to talk to find out that information? Steph and Rich say it’s having those linguistic abilities or having that knowledge of the different cultures and knowing the kind of subsectors of the groups within the dark web and what they’re interested in and what you need to talk about in order to kind of to get in with them. It’s just interesting. I enjoy it. And as the other guys have said, it’s constant learning. It’s a constant challenge. There’s always new things to do. It always keeps you on your toes. 

Dustin: Erin, do you come from a computer science or tech background or more humanities? 

Erin: Humanities. I always say to people when I’m talking about my job and what I do is that I’m not technical but I have the ability to translate technical stuff to other people. I can take the technical information and tell you what it means in clear English. 

Steph: Can I piggyback off of that? I think another side skill that emerges when you talk about backgrounds, like Rich said, you don’t have to be from a computer science background or be a programmer, but all of us have the ability from government customers to industry customers to be able to translate what cyber actors are doing, nation states, governments at every level to C-Suites, Generals to HR [human resources] and everybody that has hands-on information. We get better at that every time there’s a new group or a new tactic because we have to essentially translate, how does this impact you? What is your risk and how can we help you make your environment better and safer? And it really is circumlocution direct approach, translation, running it off of each other. It’s a foreign language and its own lexicon in and of itself. And it’s really cool. 

Switching gears a little bit, now that we know who you guys are. Explain the concept of Darknet Services and why DarkOwl launched this offering. 

Erin: I think what Steph just said is a really great segue into this. One of the things that we’re able to do is take that technical information, take the trends that we’re seeing, take the groups that we’re seeing and put it into a report or presentation for people to understand what it is they’re looking at. The dark web is a very complex place, there are a lot of different groups on there, a lot of different individuals using it for a lot of different purposes. It can sometimes be kind of tricky to understand everything that’s going on and what that actually means and how that fits into the wider context of what’s going on in the cyber world and in the criminal world more widely and in geopolitical politics. And all of those things depend on what background you’re coming from or what and who you’re looking at.  

So the idea with Darknet Services at DarkOwl is we really wanted to support our existing customers and any new customers that come on board with our expertise of investigations and the dark web. We can help explain what they are looking at, what risks they should be concerned about, what remediation, if any, action that they can take, and really support them throughout any investigation needs. 

Steph: It’s everything that she just said. Absolutely. Darknet Services is also a really great offering because let’s face it, the tech and the dark web especially is intimidating and there’s a security risk. So we [DarkOwl analysts] assume that risk because we know it. Most of us have dealt with it for over a decade, if not two decades. So if you are an individual who isn’t comfortable with the darknet, you don’t know what you’re exposing inadvertently, you don’t want to be the weakest link in your organization, but you want to know what’s out there. We take that risk and we can do it as far as one website, or we can do it for a whole host of threats, a specific industry that you want to look into or a specific group that you want to look into. And we take being able to do those services very seriously because we want to make a positive contribution and a positive change.  

Furthermore, let’s be serious about the fact that there’s new stuff emerging that even we [DarkOwl analysts] need outside assistance with doing. The platforms are ever-emerging and ever-changing. So, let the services team assume the risk to keep your organization protected because it is intimidating out there. But we do know the dark web, where to go, and how to be safe. 

Rich: I think one point to add to that is the ideal audience for Darknet Services at DarkOwl could be somebody who’s more beginner when it comes to darknet knowledge, or somebody on the more veteran experience side. To explain that further, let’s say you’re trying to better understand what the main risks are to you as an organization, and doing some ongoing monitoring. It could be a more simple engagement for somebody who’s newer to the darknet and with the eventual hope that they’ll be able to do some of the investigating on their own within our platform. But also there’s opportunities for people who might have more complicated queries about what’s going on in the darknet and maybe specific asks for what is going on in this particular community or things like that as well. So I think it’s just important to note that there’s not one ideal audience for Darknet Services. It can be somebody who’s more experienced on the darknet or not as well. 

Steph: Great point. Can I also add to that, like you said, it’s varied audiences and you might be a veteran, or you might be brand new. Furthermore, maybe you know that your company or organization is fairly safe and has good cyber hygiene, but your suppliers or your vendors or your third-party don’t. And maybe you don’t know how to investigate them and you don’t want to have that awkward conversation of like, “Hi, are you subjecting us to ransomware or credential theft?” So that’s another place where we come in and we can look at your supply chain and your vendors and that way you can have a more robust picture of all potential risks. 

Erin: The other thing I just thought of as well is it’s not just about doing that investigation and looking at groups or looking at your exposure. We can also do data acquisition as well. So we’ve had a lot of customers that have come to us and said “we’ve been told our information is out there or we’ve seen someone advertising this particular piece of information. Can you please go and get it for us or can you confirm that it’s there and what’s in it?” And that’s a really tricky thing for a lot of people to do as well, because it involves interacting with threat actors, which most corporations don’t allow their employees to do and you probably wouldn’t want to do. There’s a lot of other factors that go into that. We are experienced in working with those factors in order to get that information that the customer wants. So there are several use cases that we can support. 

Why is darknet data important in cyber investigations and risk monitoring? 

Rich: Dark web data is just another component of open-source intelligence. There’s darknet intelligence, open-source intelligence, different forms of intelligence, and in order to conduct all source intelligence analysis, you need a factor in dark web intelligence  into your picture. 

Steph: I think there’s an evolution of intel. Rich is right, darknet intelligence is a component. We’re not saying only focus on the dark web, but you do need a robust picture. Additionally, cyber actors in the evolution of technology follow the trends too. In the 2010s, when I first got on the darknet, these actors, and it’s still true to this day to an extent, feel safer on the dark web. They feel that it’s not as monitored as the open net or the clear net so they reveal TTPs [techniques, tactics and procedures], usernames, aliases, their whole criminal ecosystem. And now we were seeing threat actors on darknet adjacent sites, like chat platforms such as Telegram. You have to keep moving with them because they’re not as open on the dark web anymore, but they are on Telegram and other platforms and we can follow that evolution and follow that chatter to get some really deep insight that they don’t think is being monitored. 

Erin: Just to echo that, although we’re a dark web company, we also cover a lot of dark web adjacent sources and we’re seeing them becoming more and more integral to the investigations that we’re doing. With the Russia-Ukraine War, we’re seeing a lot of pro-Russian and pro-Ukrainian Telegram channels that have thousands of followers. Telegram is becoming a really important vector. Seeing how threat actors communicate is going to always be a key aspect to knowing what they’re doing so we need to be aware of those communications, and also look at things on the dark web like marketplaces and forums, to gather trends. By doing this, we’re able to see what types of cryptocurrency actors are using, how they’re doing their escrow services, how are they doing financial transactions, what drugs are most popular at the moment, etc. One of the things that we’ve seen recently is there’s been an increase in black market pharmaceuticals of things like Ozempic because people want to lose weight rather than the more traditional drugs that people would think of. We’re seeing increases in counterfeit and things like that.  

To just touch on ransomware- ransomware is increasing exponentially and has been throughout last year and into this year. Ransomware groups are using the dark web to advertise the victims that they’re targeting. Then when they don’t get their ransom, the data from those victims is released. There’s a huge amount of information there. For corporations to know what exposure they have, it’s really important to be checking through all of those things because as Steph said, it’s third parties and vendors as well. Just because you didn’t get a ransomware attack doesn’t mean that your data hasn’t been exposed. Again, as Rich says, darknet data is part of the whole ecosystem of doing open investigations, and it’s something that should be covered. The Darknet is an area that a lot of people forget about. They tend to focus on social media, surface web forums, data brokers, and things like that and aren’t looking below the surface, and I think that’s where you find most of the useful information. 

Rich: I have one quick point I want to add about our data collection and why we equally collect from places like Telegram and darknet forums like Exploit. One threat actor I can speak about that’s gotten a lot of attention in the media recently is this guy Canadian Kingpin who’s selling services that take advantage of ChatGPT and using them for fraudulent products and services and selling them on places like Exploit and other forums. But one of the main ways this vendor first gained a reputation was through their Telegram channel, which goes by a different name. They also include the name Canadian Kingpin in there. But this threat actor is actually mostly involved with bank logs, targeting fraudulent products, targeting banks. But they’re also now involved with ChatGPT fraud bots and things like that. And they equally have a presence on Telegram and from what we were seeing in our research about 5 or 6 other darknet marketplaces, deep web forums and darknet forums as well. 

Steph: I have to jump in on that because Rich killed that. Not only are industries going to move to AI, but so are criminals. We have to watch that. Rich is exactly right and we are so aligned on our team – without even comparing notes, I had noticed Canadian Kingpin and his Telegram channel and then I got with Rich to see if he had any notes about it and he already had this threat actor mapped out into all of the forums that he just talked about. So I had seen his Telegram and Rich was like, here he is in 6 or 7 different forums and we were like, we have to watch this guy. His services are out there, he’s ahead of the curve. 

Any other themes and trends that you are seeing on the darknet? 

Steph: I think Erin really nailed it with the mention of Russia and Ukraine that put Telegram as well as the dark web and other adjacent services on everyone’s radar. I think a lot of people were a little doubtful of the dark web or OSINT contributions until that conflict started. And then it was basically a hybrid conflict taking place physically, but then also taking place on the dark web and on social media. When Afghanistan fell two years ago, the Taliban had some similar use cases. They were more on social media. It just goes to show you the absolute importance and trends of these actors and groups that once banned technology, and that’s in more regions of the world than just Afghanistan. Now you can track their checkpoints by Snapchat traffic and then you can go to Telegram and confirm if they’re talking about, “yeah, we’ve set up this checkpoint here. We’ve killed 30 people trying to escape.” This is going to continue. It’s going to be the same on Telegram and the dark web and keeping track of this is really going to be disparate. And we have to follow all of those disparate sources and continue to follow the trends that are emerging. 

Erin: Ransomware is a huge one, the growth of this area is massive and I think people aren’t really sure about it and want to understand what their exposure is. I would say leaks, in general leaks are not going away. We are seeing hundreds of them daily, information that’s being shared. Generally, some of the things that we’re seeing and since we’ve started the services is people are worried generally about what their exposure is. In this digital age with regulation and media – if anything goes wrong, it’s all over the news. People are really concerned about what exposure they have and want to make sure that they’re getting as much coverage as possible, which is great. But obviously, we would always err towards prevention rather than the cleanup. Another one that I’ve seen growing is physical security. With a lot of protests happening in recent years and other events, people are very concerned about when their employees are traveling to certain areas and making sure that they know if people are talking about that area or that building or any kind of attacks that they might take. And as always, phishing is not going away – phishing and smishing. We’re seeing actors getting more sophisticated with that, and through some of the other data sets that are out there from ransomware, data leaks, etcetera, they’re able to garner more information that they can use for those phishing attacks to make them more likely to work.  

Rich: I have one more trend I’ve noticed as well, and that is more from an industry level, from a threat intelligence perspective, investigations perspective. There’s an increasing appetite for digesting dark web data. We’ve observed this is larger tech companies that are actually creating their own dark web investigations departments with their own budgets. When large tech companies are making decisions like that, I think it shows a bit more maturity in the industry. Then, the type of data that we’re seeing would be most mentioning those type of companies, we’ll go back to Telegram one more time because the most the most common threat we’re seeing on Telegram and consequently also dark web marketplaces right now would be any company that facilitates or has a large mobile application user base. Those kind of companies are the most targeted on the dark web and Telegram right now in terms of fraudulent products. So whether it’s a Netflix account, a Spotify account, Amazon Prime, Pizza Hut, you name it, those are the most common threats on the dark web because it’s so easy to sell that information on there. 

Steph: I would add hacktivism as well. Early on it was like actors would log on, maybe deface a website and put an obnoxious picture. But now to the ransomware point, which we’ve discussed, is continuing to just explode. Actors are now, if they can get inside of an organization and no matter what their viewpoint, no matter where they stand on an issue, an actor takes umbrage with that and then goes after it and exposes that company for supporting a cause, disputing a cause. So hacktivism is tying into ransomware. It’s tying into all of the fraudulent campaigns, for example, if Netflix takes a stand on some issue that’s common in the US, somebody’s going to go after that because they disagree and say, “Well, I have 8,000 Netflix accounts that I can sell. Netflix doesn’t support cause xyz. Here they are.” Hacktivism is also bleeding into the other cybercriminal ecosystems. It’s very interesting. 

Any projects that are coming up that you guys are really excited to dive into? 

Steph: It’s really nerdy to say, but every day. I came back to the dark web, this area for a reason. But ransomware is how I got my start in cyber. It’s what I initially started translating, and I’m absolutely obsessed with it. I can’t believe how it’s evolved, how common it is. It’s not just nation-states, it’s criminal actors. It’s everywhere. It’s going to be increased by AI. So, for me, I am probably most excited about ransomware projects and combating that and doing our part to contribute to lowering that risk globally. I’m really excited about that. 

Erin: I am trying to think what projects we can actually talk about, to be honest. 

As we’ve got the analyst team set up, we’re trying to deep dive more into different areas. We’re looking at different threat actors on the dark web, we’re looking at threat areas like terrorism. As Steph said earlier, the dark web used to be a safe space and now it’s somewhat less of a safe space. A lot of forums have been taken down in this last year or so, and that’s changed the way that people are operating. It’ll be interesting to see what we can find and how things are changing in those areas. 

Steph: Another aspect of excitement is that our analyst team is getting really deep and granular on our projects. We really love it. We have to liaison and have constant back and forth with customers, they’re going to see different things that we also need to be paying attention to. It’ll be great to record what we see in trends, what we’re observing, and then match that with what the customers need and what customers are facing. That feedback from them is also going to be really integral to bettering us and bettering our Services. It’s fun to have a two-way conversation as well. And who you’re having that conversation with isn’t always going to be an analyst. They’re going to be coming at it from a different perspective and we’ll learn a ton from that.  

To wrap up, any tips or tricks for other analysts out there or beginner analysts that are looking to get into a role like this? 

Erin: Be curious. There’s a lot of information out there. There’s a lot of training out there. There’s a lot of free training and reading that you can do. There’s some really great resources on open source training. So I would delve into those. As we said at the beginning, this is a constantly evolving role and you’re always learning. So I’m always looking at those resources and things as well, going to conferences and hearing about new tools and new ways of doing things is always really interesting. So again, be curious, find out as much information as you can and don’t be intimidated by it. If it’s something that you’re interested in, I think you can figure out how to do it. 

Rich: I would say to try to find different parts of the industry that are interesting to you and excite you and maybe are related to some of your other interests. I recently saw a LinkedIn post where somebody was actually hiring open-source investigators that have a background being truck drivers because they need to be familiar with threats to transportation and the logistics industry. Just think about that. A truck driver is now an OSINT investigator. 

Steph: That’s amazing. 

Erin: I like that. 

Steph: Erin took the words right out of my mouth. And Dustin, you’ve heard me say it before, you have to be curious whether you’re brand new to the field or you’re 20 years into this. Your curiosity can’t stop, you’ve got to stay one step ahead. There’s going to be naysayers and people who poo poo the dark web or poo poo OSINT. Don’t be intimidated and always be curious. 

Rich: One point I’ll make is, if you want to get into dark web investigations, threat intelligence investigations, OSINT investigations of any sort, make sure you balance it with having some interests outside of it. I think a lot of us can relate to the fact that sometimes the subject matter of things that we’ve been engaged with in our careers has not been always the most positive. So I think it’s really, really important to balance your interests, your professional interests and aspirations with this stuff equally, with things that are totally opposite of it. 

Erin: You’ve got to have a sense of humor as well. Some of the stuff you can see on the dark web, it’s not for the faint hearted, which is probably another reason why people ask us to do it. 

Steph: Both make good points. And in addition to the sense of humor, you have to take time for your mental health. Have a sense of humor and take breaks. 


Check out DarkOwl Darknet Services and how our team can be an extension of yours.

Copyright © 2024 DarkOwl, LLC All rights reserved.
Privacy Policy
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.