[Webinar Transcription] Track Your Relative Risk on the Darknet

May 16, 2023


With cyberattacks on the rise, organizations need better intelligence to safeguard themselves, their employees and their customers from incidents such as data breaches and ransomware attacks. The growth in illicit cyber activity increases the need both to protect against these attacks and to gauge their likelihood.

Cue DarkSonar, DarkOwl’s latest product: a relative risk rating that considers the nature, extent and severity of credential leakage on the darknet to give a company a signal that measures its exposure.

In this webinar, attendees:

  • Reviewed the latest stats around the growth of cyberattacks
  • Learned why modeling risk is essential for all organizations of any size
  • Learned how DarkSonar can inform threat modeling, third party risk management, and cyber insurance
  • Saw first hand how DarkSonar can potentially predict the likelihood of cyberattacks

For those that would rather read the presentation, we have transcribed it below.

NOTE: Some content has been edited for length and clarity.


Kathy: I’d like to thank everyone for joining today’s webinar, Tracking Relative Cyber Risk on the Darknet. My name is Kathy. I will be your host. If you have any issues with hearing the audio or seeing the slides during the presentation, please feel free to ping me privately in the Zoom chat function or email me directly. Now I’d like to turn it over to today’s speaker, Ramesh, our Chief Technology Officer here at DarkOwl to introduce himself and to begin.

Ramesh: Great, thank you, Kathy. Good morning, good afternoon, good evening, everybody, wherever you are. So today I want to go over some very exciting innovation that we’re doing at DarkOwl as it relates to risk modeling. The topic for today is track your relative risk on the darknet. We’ll go over that in the next 35 to 40 minutes. Just a little bit about myself: I am the CTO at DarkOwl. I have over 25 years of software engineering and technology background, worked in a lot of firms as it relates to data risk mitigation, risk modeling, big data, real-time communications, and so on. So on today’s agenda we’re gonna cover what the darknet or the dark web is, we’ll share some metrics and statistics about cyberattacks and their growth over the last several years, and what risk modeling is and why it is essential for your company and every organization that you partner with.

We have launched a new product, DarkSonar, which is a very interesting way to notify you about threat vectors and threat modeling, third party risk management, and if you are in the cybersecurity insurance business, this would be a very important topic as to how to quantify risk. And last, we will see some of the case studies and some of the firsthand insights that we have been gathering at DarkOwl on how DarkSonar could improve the likelihood of the prediction aspects as it relates to cyberattacks.

Darkweb 101

Okay, so without further ado, let me get started with what is the darknet. There are a lot of different terms that people throw around – some use darknet or dark web.

Essentially, these are the ones that you see in the bottom. So we go bottom to top. The darknet is a group of anonymized networks. They require proxies and p2p type networks. They are specifically chosen by threat actors to hide their activity and they’re making a concerted effort to be a part of these networks. So that’s where you see the traditional ones, which are the onion sites or Tor browser, I2P, ZeroNet. And there is a whole host of newer networks that get added every now and then. So that is truly the traditional darknet. But then what we have seen in the recent years is there is also a lot of activity in the deep web and the surface web. So, deep web is defined as anything that is behind an authentication wall, meaning anything that is behind a user ID and a password.

So that is where you would have things such as social media, your banking applications, but more importantly, as it relates to the darknet, a lot of the threat actors use the deep web for criminal forums and marketplaces, which we will talk about in more detail, as well as any surface web links that you see that are only available once you have membership or credentials to access them. On the right hand side, you see a lot of chat platforms, for example, Discord and Telegram are very much in the news these days because that is where quite a lot of activity as it relates to the darknet happens, whether it is exposing breaches or it is critical conversations, marketplaces, and so on. So chat platforms have grown in priority overall. Then the last, but not the least, is what we all know as the surface web, which is everything that is indexed by search engines such as Google and Bing.

For the surface web, our focus at DarkOwl is more the high risk surface web, which is not just any webpage out there, but specifically websites, domains, platforms that people use to collaborate, such as paste sites where you paste images or file sharing sites, discussion boards; GitHub is a big part of it. So the way it is color coded here is the ones that are in the oranges and reds – they are all part of our current collection capability. The ones that are in deeper gray or black are the ones that we have plans to go after and collect data from. So that’s the picture you see on the right hand side. It truly is like an iceberg. We look at the world as what you see on the surface web – it is a very small sliver of the actual data, and more interesting data and criminal activity happens on the deep web and the darknet.

Kathy: We have a question that has come in – how big is the dark net?

Ramesh: Great question. There’s no easy answer, but I would say that a good one fourth of the web, about 25%, is behind some form of user ID/password, and a subset of that would be darknet. So it’s really hard to quantify how much data there is in the darknet, but what I can tell you is, as far as DarkOwl, we have over 250 terabytes of data, which is specifically going after the deep and the dark web. So it’s quite extensive, but it is really hard to quantify as a percentage of the overall web.

DarkOwl by the Numbers

The next slide is little bit more about the metrics and numbers that we collect.

So at DarkOwl we have quite a lot of data that we’re actively collecting and we are essentially a data company, which is why we have several million documents. We have forums and marketplaces that are out there, and then we also have the Tor, I2P, ZeroNet, Telegram channels, and whatnot. So, given that, what I want to specifically draw your attention to is the amount of data that we have in terms of growth is clearly on the chat platforms side, which are pretty active as they contribute quite a lot of what we call entity data, which is the stuff that you see in the bottom: email addresses, IP addresses, credit card numbers, crypto wallets and crypto addresses and so on.

On any given day, there is between 1 to 3 million documents that we collect in a 25 hour period, and it’s a combination of crawling various sites and platforms and so on, as well as processing leaks. And leaks continue to keep increasing exponentially ever since the Ukraine conflict. So the bottom line here is the data is a whole variety of data. It is very disparate, and it all has to be collected from multiple places. We normalize it into a common data structure, and then we make it available. As far as the delivery channels, which is what you see on the right hand side, you could use our UI, which we call Vision UI. There’s a whole host of API endpoints that we make available for our customers.

You can search in the data, you can pull out entities and the recent docs, you can consume DarkSonar via API, same thing with ransomware. And if you have a customer or if you have a use case that would want our data, then we’re happy to license the data via data feeds. So there’s a variety of mechanisms for you to consume all of this data that we’re collecting, curating, and making available to our customers. Okay.

Specifically this slide talks about what is in our data. So here are a few examples. So the high level way to look at it is the top left versus the bottom right, wherein the top left is the traditional things that you go after on the clearnet, or even Tor and the Onion browser.

Versus the bottom right is where there is more and more need for us to have personas to do the authenticated access into the deep web services. So the things that you see up there, they’re just various categories of data that we have. So we go after crypto and pay sites, and darknet classifieds and blogs and ransomware gangs and so on. The authenticated ones include marketplaces, carding, going to chat rooms, ransomware gangs, social media, any discussion forums. I do wanna make sure that there’s a clear understanding – we do not touch any pornography content, or we call it CSA, which is child sexually explicit and adult material. That is not our focus. We do not want to be collecting images that are highly objectionable and criminal in nature.

Everything else, in terms of all the topics that I mentioned, we’re actively collecting. So some of the stats that you see up there, we have over 232 ransomware domains. We actively monitor 400, almost 500 marketplaces. Believe it or not, we not only have English, we have 51 other languages that we see in the darknet with Russian and Mandarin being at the top not surprisingly. So that’s kind of the diversity of data and how dispersed the networks are.

Cybercrime is Booming

Moving on, we all know that all of this data collection is there for a reason – because crime and cyber crime continues to keep booming and growing exponentially.

I’m not gonna read every one of these data points, but I think we all can agree that post Covid, the attack vector because of people working from home, the home networks are not as robust as corporate networks. So that just significantly increases the attack surface. The Russian Ukraine conflict has exploded, not just the Russian and the Ukraine side of the war and the data leaks that are out there between both parties, but it is truly a third party risk issue where every company who is dealing with a vendor who is in that part of the world is impacted one way or the other. And so we at DarkOwl keep seeing that this continues to grow, and customers and companies out there are struggling with the amount of alerts that their SOC teams and XDR platforms and so on are being subjected to.

DarkOwl provides a more asymmetric and a unique insight that you don’t get from your traditional corporate security processes and procedures. So again, data is growing, crime is increasing. And we also see that ransomware gangs are becoming very sophisticated. They offer customer service and that’s why the term ransomware-as-a-service is in the vernacular these days, because it is a truly massive problem that we’re all being subjected to.

Kathy: We have had a couple of questions come in. How do you know when a company is being targeted on the dark web?

Ramesh: It’s a good question. There’s multiple things going on in the dark web. So one of the ways that a company can pay attention is, look into the darknet. For example, if you’re using our product or our Vision UI, you can set up an alert, which is basically a way to monitor your company domain and subdomains. And anytime there is any activity about your company, be it a conversation that is happening in a forum, or be it a marketplace where something is being sold, either your company credentials or your AWS keys or what have you, it’s always a good idea to set up these monitors so that you can pay attention to what’s going on. The other is, obviously we’re going to cover the DarkSonar, which is a numeric objective way to see what your risk tolerance levels are over time. You may be thinking you have really good security policies and practices, but it is super important for you to also look at products such as DarkSonar so that you know that you are either at or below the baseline of security and compliance that you should be at.

Kathy: Don’t threat actors only target larger companies?

Ramesh: You know, conventional wisdom is that threat actors would go after bigger companies that are much bigger in revenue, they have a bigger wallet and whatnot. However, you’d be surprised, there is a lot of targeting that happens with small businesses, with smaller educational institutions, from counties to hospitals to you name it, because the threat actor or the criminal is looking at two angles. One is, how much money can I make? And the other is, how little effort do I need to put? So a lot of the companies, the larger ones have gotten pretty sophisticated. So there needs to be a level of sophistication for the criminal to organize themselves and attack, versus there’s lots of much easier, smaller targets to go after. So I’d say the answer is, it really is all of the above. They go after the large ones. They also go after the small ones.

Risk Modeling

Okay. So let’s move on to what is risk modeling. Now, there’s lots of frameworks as it relates to risk modeling.

We’ve all heard of the NIST, which is the largest one in terms of a governing body that defines risk models, but there’s also other modeling tools available, such as ISO, CIS, ISACA, OWASP and so on. Depending on your company, depending on your needs, it would be good for you guys to pick your risk modeling strategy and a framework and then out of that framework, you also need to really pay attention to who are the stakeholders. Like, how do you want to make sure that between your SOC, your data protection folks, cyber governance, CISOs, if you’re in the cyber underwriting space, insurance brokers, underwriters, if you’re a startup, let’s say you might have VCs, investors, M&A things going on if you’re national security or a public government organization, the policy makers, any military operational decision makers.

It all depends on the type of stakeholders that you need to keep in mind as you build your risk modeling practice, right? So all of these types of assessments are, at the end of the day, defined by NIST, and these are to identify, estimate and prioritize the risk associated with your organization. So I’d highly encourage folks to take a look at these standards because they all try to achieve the same thing, which is be holistic, have a 360 view of your risk, rather than just pull in a hodgepodge of tools to figure out what’s going on at any given point of time. So that’s kind of the risk modeling and the people that need to be involved. And why does that matter? Because ultimately, when we talk about the darknet as it relates to ransomware, that just in and of itself is getting more and more sophisticated.

Ransomware

As I mentioned, there is a whole piece of the industry called ransomware as a service.

It starts with the threat signal, and you see the data flow associated with that. There is quite a bit of a lifecycle that is involved when it comes to ransomware, and we’ve been watching the various ransomware groups, and what we have seen is prior to ever executing a ransomware attack, the reconnaissance occurs either by members of the ransomware group or by a broker, the IAB. And this appears in tokenized mentions of the critical network data of your company. It could be credentials, it could even be mentions of your employees that would be targeted for social engineering. So on these forums, the threat actors are also discussing things like the common vulnerabilities, the CVEs, and find ways to exploit and come up with techniques to exploit them.

They also come up with techniques to break your antivirus, evasion campaigns and so on. All of these are ways in which they’re trying to poke holes into your network, and either they do it directly or through these brokers, and then we kind of capture that as the dwell time, right? So dwell time: once they are in the network, they are gonna start poking things around. And then there are advanced operations that could take days, or it could even be done in a matter of hours. And these threat actors use the traditional MITRE ATT&CK techniques. And then once they’re in the network, they’re laterally moving and they’re elevating their privileges one step at a time, and they get more and more access into your network, and they exfiltrate more and more valuable data. So the key thing is persistence.

The level of persistence and hiding they do is very phenomenal. I mean, it’s like, it’s beyond professional. They cover their tracks, they know what they’re doing, and once the data has been removed or stolen from your network, the devices are encrypted. Then they go into the payment cycle where they’re starting to get the extortion payments that they’re demanding. So as part of that lifecycle, what we see is the announcements then go on Tor or whatever data source. They’re advertising the fact that a company has been breached, and then the data is stolen and all of the subsequent PR and all the other challenges to the business. So even though the data is not shared immediately as a data leak, it’s typically repackaged, shared and curated by the threat actors because they want to find the takers – how important is that data breach for that business?

And then they notify the suppliers, the vendors, possibly customers, any contractors, and they keep capturing more and more of the attention that this company they have targeted, they’ve been successful in targeting and exfiltrating, and now they’re looking for ransom, which means the temperature of the company that was a victim keeps going up, that they better pay the ransom amount, otherwise this keeps getting published to their customers and their partners, and it just keeps getting worse, right? So it is kind of like the threat signal always starts with somebody that has gotten access to your network, and then they’re raising their privileges, they’re grabbing the data, they’re publishing that, and then they’re collecting ransom. So given that lifecycle, and there was quite a lot of words there, but the bottom line is these attacks are on the increase.

They are on the increase globally, not just the US and UK but most of the Western regions where we can track them. A lot of the world is being subject to this, and there is also a need for a critical understanding of what are the motivators of these criminals and why are they doing what they’re doing? So understanding such type of risks is not just a nice to have, it’s a must have for any organization, large or small, and be prepared for these type of potential threats. So the takeaway here is be sure that you have a risk mitigation strategy. Look at some of these networks and protocols for risk modeling and truly understand what you and your company could be subject to as part of ransomware and the sheer fact that cyberattacks are on the increase.

DarkSonar API

Now, having said all that, what we’ve been busy in DarkOwl is building a product called DarkSonar. DarkSonar is to address some of the challenges that we have seen from our perspective. Essentially DarkSonar, we like to think of it as a signal. The signal is to inform threat modeling, third party risk assessment. It applies for cyber insurance, anything to potentially predict the likelihood of attacks. In other words, DarkSonar is a cyber risk rating. It is based on an algorithm that measures an organization’s credential exposure, primarily email password exposure over time. So it’s not just a one shot snapshot, we’re monitoring the health of your business and the credentials over time. And because emails are primarily leaked and sold in the darknet, they constitute a major vector for cyber and ransomware attacks. And we measure such exposure on an ongoing basis with DarkSonar.

This enables the organization’s customers and third party risk management folks to get an awareness and understanding of what your weaknesses are, what your soft spots are, and you could be proactive in taking these mitigation steps rather than find out that it’s too late and you’re being subject to a ransomware attack. So it would be a mitigation step to prevent data theft, to prevent loss to your revenue, to your profits, loss of reputation, because at the time of ransomware, usually it is too late. So what we did is, as part of building DarkSonar, we did an analysis of over 250 companies, well known companies to lesser known ones that suffered these cyberattacks. And we saw that in 65% to 75% of the cases, an elevated rating had a direct correlation to an attack a few months after the elevated rating.

I repeat, it is in 65% to 75% of the cases that we see a direct correlation: elevated risk rating equals elevated chances of an attack happening. So that was pretty powerful. And here is a little bit more breakdown of the data, the type of data that DarkSonar uses – so credentials, as I said, is emails and passwords, aka combos. We do see, not surprisingly, quite a bit of plaintext passwords in our collection efforts in our database. So that’s the big part of the pie that you see, along with hashed passwords, and there are some where we get the email, but we don’t get a password, right?

So the way the DarkSonar model is built is, it’s primarily based on credentials. But we have a waterfall approach in the way we have designed the model. So first up is there is weightage given based on presence of emails of your company, meaning email of the domain that is in question. So they are unique plaintext passwords or hashed passwords, or just the sheer number of emails that we see. So that is weighted. The other thing that we also weight is the time and the time series. Did we get a breach recently which contributed to these emails appearing, or was it happening six months ago or nine months ago? So the older the data is, the less it is weighed in our algorithm. And we also consider duplication.

Duplication is kind of a vast topic. I technically call it correlation, but essentially is the data leak being reposted with the exact same details, in which case it’s a duplicate, or is this being reposted with additional data? Some of it is similar, meaning they’re correlated to the previous leak, but a lot of it is new information. But one way or the other, the sheer fact that threat actors are reposting your company or your organization’s leaks over and over again is cause for concern. So our model accommodates the fact that these things are weighted both based on time as well as the number of times it gets posted, the duplication ratio, and then the baseline metrics we provide are based on the overall volume. So our API through which DarkSonar is available will give you data for the past 24 months, and it gives a relative risk rating for the organization in terms of the distance to the mean.

It’s like the bell curve that’s displayed here, you would start with zero, which is right in the middle. If it is in the negative, that means it is good. Meaning there is not that much exposure. If it is on the positive, anything that is greater than or equal to one, it means there is a cause for concern. So, one more time, back to what I just mentioned. Our results show that elevated exposure, meaning if DarkSonar were to say that the exposure is greater than one, an elevated exposure and the sustained elevated exposure over the last four months is a direct indicator that there could be a possibility of an attack in 74% of the cases. So that for us was very powerful. Any questions on this so far?

Kathy: Does DarkSonar distinguish what the username/password combos are used for?

Ramesh: The short answer is we do not distinguish at a per user username password basis, but we do collect the aggregate of all the usernames that are being exposed, specifically the emails, but not the username per se. We’re mostly focused on email and passwords.

Full statistics and chart can be found here.

One thing is DarkSonar is a good indicator of risk. I do want to highlight some of the threat factors here and what should be applied in which scenario. So if you’re looking for phishing emails, for example, and that there is quite a lot of phishing attacks, then DarkSonar would be a really good tool for us to assess. Same thing with third party risk management, third party supply chain, DarkSonar would fit pretty well, any weak or compromised credentials.

If you have any compromised credentials, then that would be directly visible in DarkSonar. However, there are things like brute force attacks, unpatched vulnerabilities, cross-site scripting, man in the middle attacks, right? These are not exactly things that are involving emails and passwords all the time, but our platform, which is the Vision UI platform, as well as the API endpoints and the entities that I talked about, these would all help in understanding such type of threat factors like the brute force or the unpatched vulnerabilities, the cross-site scripting, the man in the middle, DNS poisoning and so on. So think of it as using the right tool for the right job. It depends on what threat vectors you’re interested in. Some of these threat vectors DarkSonar would apply, and other threat vectors, you might be better off using our Vision UI or our Search API or entity lookups and so on.

Okay, so now comes kind of the interesting part. So all that theoretical risk model, what does that mean for companies? So I have some use cases and companies as examples to kind of walk you guys through.

So here is the famous Colonial Pipeline incident that happened in April of 2021.

So Colonial Pipeline is one of the largest fuel pipelines and its breach literally had created shortages for oil and gas up and down the East coast. And this was a result of compromised passwords.

The interesting thing is we saw an elevated level of DarkSonar. As you could see, it was kind of hovering in the negative zone, which is good. And then in September of 2020, we’re starting to see the increase and the elevated risk, and then it became 0.5 and then one. Anything above one, like I mentioned, definitely has a clear indicator of risk, and that is where, from our data, we saw that a month prior to the attack, which is back in April of 2021, we were seeing that elevated risk. And then in May, the attack happened, right? So DarkSonar was able to detect, based on these credentials, which are easy to do, the account takeover and instigate that attack. So that was on the Colonial Pipeline case. The next one is General Motors.

General Motors, same thing. We see a three month window where there was an elevated signal to the time that the attack was announced. So again, part of the challenge is when big companies, and you know, big outlets have this challenge, it becomes a media issue. Many of the companies do not report it. They try to pay up the ransom or negotiate with the criminals, whatever they’re doing on the backend. It may or may not be in the news, but we capture what we gathered from General Motors from the time that they had announced, which is April of 2022. When we go back in time and look at March and February and January, there was a clear elevated risk. So our DarkSonar model detected an abnormal increase in the plaintext and hashed credentials, literally months leading up to the attack. The next one is Fujifilm.

Same type of thing where their servers were infected with ransomware and nobody would ever know when the exact ransomware was launched and what exactly happened. But according to the bot ransomware, it came through a phishing attack. And clearly the takeaway is we detected an increased email exposure prior to the actual attack happening.

The last one that I would say is back to the question, that was asked earlier about smaller companies – you’re still very much vulnerable for these type of attacks. And in the City of Tulsa’s use-case, we saw a five month attack window of elevated risk as it relates to DarkSonar. The signal was elevated for five months prior to the attack. So the reasons were really the group installed ransomware in late April, the program began to operate the city firewall and other security protocols were kicked into the city’s technology department. They took their time, but the bottom line is this was months in planning by the criminals. And we see that elevated risk as far as DarkSonar literally five months prior to the attack.

Kathy: Can you answer, what is the likelihood of a breach if the signal goes above one?

Ramesh: Anything above one, there is an increased exposure. An increased exposure would correlate to increased risk. An increased risk would correlate to, there’s much more chance of a breach. So I would say anything over one, companies need to be really, really careful. Pay attention, take the proactive steps, rotate your passwords, put in the multi-factor authentication on your servers, whatever you are doing. As for security operations and proactive things, you should be careful, right? Does that mean anything below one is fine and dandy? I would say look at DarkSonar as another way and another tool in your tool chest. And if it is over one, that means the temperature is going up, right? And if the temperature goes up and it keeps going up and up and up, bad things happen. So that’s the best response I would give: anything over one, you better watch out.

Okay. As I mentioned, here is a little bit of technical detail on how the DarkSonar API is represented.

We give you the results based on a company domain and we give it to you in JSON format. And like I mentioned, we present that data for the last 24 months, and we give you the rating as well as the baseline, and the signal will indicate if it is low or elevated or high, right? And to Kathy’s earlier point, anything above one would be elevated. So if you are in the low category, that’s good, you have good security best practices. If you’re one or above, it’s time for you to pay close attention to what you and your company can do to mitigate these types of risks.

So again, it’s predominantly available via API, you can hit individual domains or you could hit multiple domains at the same time. It’s up to you. And then the results, like I mentioned: we did the internal analysis for the 237 publicly disclosed attacks between the last couple of years, 2021 and 2022. We see the accuracy is very strong. We were actually surprised it was this strong a correlation between the risk level and the attacks. So all attacks was 74%, ransomware was 75%, breaches was 74%. So it’s tracking pretty closely to a very high percentage accuracy for the elevated risk versus the attack. And then we also went to some of our customers. We went to some of our prospects, and we call it the beta clients. And we did pretty extensive evals on the attacks. And we see that there is a pretty strong correlation there as well.
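The transcript above describes the ingredients of the DarkSonar rating (credential counts weighted by plaintext versus hashed versus email-only, a time decay so older leaks count less, a penalty for reposted leaks, and a rating expressed as distance from a baseline mean, with 1 or above treated as elevated and four months of sustained elevation as the strongest signal). The Python below is an added illustration of that kind of scoring, written for this page; it is not DarkOwl’s code or algorithm, and the weights, the 90-day half-life, the repost factor, the "high" cutoff, the z-score form of "distance to the mean", the peer baseline and the leak records are all constructed assumptions.

```python
"""Toy credential-exposure rating in the spirit of the DarkSonar description.

Added example, not DarkOwl's code. Every constant below is an assumption
chosen for illustration; the page gives only the qualitative shape.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean, pstdev
import json

# Assumed weights: a plaintext password is worth more than a hash, which is
# worth more than a bare address. The page says these are weighted, not how.
WEIGHTS = {"plaintext": 3.0, "hashed": 2.0, "email_only": 1.0}
HALF_LIFE_DAYS = 90        # assumed time decay: a 90-day-old leak counts half
REPOST_FACTOR = 0.25       # assumed weight of an exact repost of a known leak
ELEVATED, HIGH = 1.0, 2.0  # page: >= 1 is elevated; the 'high' cutoff is assumed
SUSTAINED_MONTHS = 4       # page: sustained elevation over four months


@dataclass(frozen=True)
class Leak:
    posted: date
    plaintext: int      # combos with a plaintext password for the domain
    hashed: int         # combos with a hashed password
    email_only: int     # addresses seen with no password
    fingerprint: str    # identifies the leak content so reposts can be spotted


def decay(days_old: int) -> float:
    """Exponential time decay with the assumed half-life."""
    return 0.5 ** (days_old / HALF_LIFE_DAYS)


def exposure(leaks, as_of: date) -> float:
    """Time-decayed, duplication-aware exposure score for one domain."""
    seen, total = set(), 0.0
    for leak in sorted(leaks, key=lambda l: l.posted):
        if leak.posted > as_of:
            continue                         # ignore anything after the cut-off
        raw = sum(WEIGHTS[k] * getattr(leak, k) for k in WEIGHTS)
        repost = leak.fingerprint in seen    # exact repost of an earlier leak
        seen.add(leak.fingerprint)
        factor = REPOST_FACTOR if repost else 1.0
        total += raw * decay((as_of - leak.posted).days) * factor
    return total


def relative_rating(score: float, baseline_scores) -> float:
    """Distance to the mean of a peer population, in standard deviations."""
    mu, sigma = mean(baseline_scores), pstdev(baseline_scores)
    return (score - mu) / sigma if sigma else 0.0


def signal(rating: float) -> str:
    if rating >= HIGH:
        return "high"
    if rating >= ELEVATED:
        return "elevated"
    return "low"


def sustained_elevated(monthly_ratings, months: int = SUSTAINED_MONTHS) -> bool:
    """True when the most recent `months` ratings are all at or above 1."""
    tail = monthly_ratings[-months:]
    return len(tail) == months and all(r >= ELEVATED for r in tail)


def rate_domain(domain: str, leaks, baseline_scores, as_of: date) -> dict:
    """JSON-style result with rating, baseline and signal (shape is assumed)."""
    score = exposure(leaks, as_of)
    rating = relative_rating(score, baseline_scores)
    return {"domain": domain, "as_of": as_of.isoformat(),
            "exposure": round(score, 2), "baseline": round(mean(baseline_scores), 2),
            "rating": round(rating, 2), "signal": signal(rating)}


# Constructed sample input (not real data): one leak 90 days old, an exact
# repost of it today, and a smaller new leak today.
AS_OF = date(2023, 5, 16)
SAMPLE_LEAKS = [
    Leak(date(2023, 2, 15), plaintext=100, hashed=50, email_only=200, fingerprint="leak-a"),
    Leak(date(2023, 5, 16), plaintext=100, hashed=50, email_only=200, fingerprint="leak-a"),
    Leak(date(2023, 5, 16), plaintext=20, hashed=0, email_only=40, fingerprint="leak-c"),
]
# Constructed exposure scores of peer domains, used as the baseline population.
PEER_BASELINE = [100.0, 200.0, 300.0, 400.0, 500.0]

if __name__ == "__main__":
    print(json.dumps(rate_domain("example.com", SAMPLE_LEAKS, PEER_BASELINE, AS_OF)))
```

With the sample input the 90-day-old leak contributes half of its raw weight, the repost a quarter, and the new leak its full weight, for an exposure of 550 against a peer mean of 300; that lands about 1.77 standard deviations above the mean, so the signal is "elevated" rather than "high". A domain with no leaks scores below the mean and comes back "low".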


Interested in learning how DarkSonar can help alert for potential threats to your organization? Contact us.

Urgency of Action at AFCEA’s TechNet Cyber: DarkOwl Recap

May 12, 2023

Last week, DarkOwl joined Carahsoft’s pavilion at AFCEA’s TechNet Cyber flagship event in Baltimore. AFCEA is a professional association that “brings people together from all demographics worldwide to strengthen global security, provide education and help prepare tomorrow’s science, technology, engineering and math (STEM) workforce.” They connect people, ideas, and solutions globally – because knowledge matters. Leading this year’s conversations were the U.S. Cyber Command, DISA, the DoD CIO, and many other industry and academia partners. You can check out the 2023 coverage here. This blog outlines some highlights.

TechNet Cyber 2023 Theme: The Urgency of Action: Focused, Aligned and Ready

The theme of TechNet Cyber this year was spot on. According to research, there was a 38% increase in global cyberattacks in 2022, and within the last year cybersecurity attacks against industrial control systems (ICS) have skyrocketed in volume and sophistication. Putting this into numbers, in 2022 cyber incidents cost 6 trillion dollars and it is predicted that 33 billion accounts will be breached in 2023.

The invasion of Ukraine in February of 2022 and the events of the year since have shown us that cyber is an increasingly critical component of a nation state’s military arsenal and its ability to ultimately defend its critical infrastructure, territory and sovereignty. As TechNet Cyber claims, “The cyberspace battlefield has changed. No longer an arena where adversaries launch a single distributed denial of service attack, lob a virus or infiltrate a network, it is now a state of persistent barrages and simultaneous campaigns.” DarkOwl could not agree more. The only way to combat the shifting threat landscape and current political climate, where persistent attacks and ever more sophisticated campaigns threaten global political, economic and security interests, is to come together to share ideas, the latest in technology and solutions, and to stand together against the global security challenges.

Representing DarkOwl at TechNet Cyber was Matthew Kromalic, Client Operations Manager, out of DarkOwl’s Denver headquarters. Through our partner Carahsoft, DarkOwl was given a dedicated monitor to give demos of our industry-leading darknet search platform Vision UI. Matt remained busy at the DarkOwl stand and shared, “The amount of in-depth conversations with real focus on product offerings and use cases with attendees and vendors this conference was way more than what I am used to at events – showing huge promise that darknet data is being seen as a must-have and no longer a nice-to-have.”

Darknet Data for Intelligence Agencies

Due to the layer of anonymity the darknet provides, it is often a hub for illegal activity. However, investigating crime on the darknet and deep web poses technical challenges, including the fact that darknet sites are continually coming on and offline with pages vanishing from one minute to the next, and are not easily searchable. These characteristics pose a severe challenge to law enforcement and government organizations wanting to effectively track criminal activity pertaining to their investigations. Even for the most technologically advanced investigators, the darknet can be a difficult and dangerous place to gather intelligence from and conduct criminal investigations.

Using DarkOwl Vision UI, investigators are able to collect intelligence about persons or subjects of interest, including usernames, aliases, chatroom activity and other potentially incriminating information, and use that data to compile evidence and solve complex crimes. Our use cases are far reaching and include tracking threat actors, criminal activity such as drug and human trafficking, malware, hacking forums, and searching marketplaces for illegal or stolen credentials, personally identifiable information and intellectual property.

DarkOwl Vision has been used to support local and federal police investigations, as well as work done in intelligence centers and federal agencies to uncover human trafficking, opioid selling, terrorism, security issues, and other illegal activity, making TechNet Cyber the perfect event to share DarkOwl Vision. The technology DarkOwl uses to scrape the darknet and deep web is key to maintaining proactive situational awareness in the current cybersecurity landscape. DarkOwl is proud to be able to support the global law enforcement community in its efforts to police illegal and nefarious activity on the darknet.


Learn more about how darknet intelligence informs law enforcement investigations and contact us!

Understanding the Difference Between Scams and Fraud

May 09, 2023

Many times we use the words “scam” and “fraud” interchangeably. Fraud is an umbrella term, legally referring to various types of chargeable criminal offenses. Scams, on the other hand, are a particular segment of fraud. 

One way to think about the difference between these two is from a legal perspective. Fraud is serious criminal business, while scams are considered more minor offenses in comparison. Many types of fraud are classified as felonies, versus scams which are typically charged as misdemeanors.

Another way to look at it is from a bank’s perspective. Financial institutions differentiate the two as such: scams are theft of funds with your permission or knowledge, while fraud is financial theft without your permission or knowledge.

Figure 1: Example of a dark web site offering a combination of Fraud and Scams (Source: Tor)

To make things even more confusing, oftentimes a threat actor may start out with a simple scam that then progresses to fraud. For example, an email phishing scam may allow a threat actor to access enough personally identifiable information (PII) to file a false tax return on the victim’s behalf, which is tax fraud. According to the New Zealand CERT, “a scam becomes fraud when a scammer gets someone’s personal or financial details and uses them for their own gain, or receives money from their target under false pretences.”

Figure 2: Example of a romance scam that does not cross over into fraud because the victim willingly gave the threat actor their money (Source: DarkOwl Vision)

Examples of Fraud

Invoice Fraud – Compromised business email account is used to send falsified invoices for services and goods that were never rendered.

Insurance Fraud – Receiving medical care using someone else’s insurance card.

General Financial Fraud – Unauthorized use of credit card for purchases.

Account Takeover (ATO) – Criminal accesses victim’s financial bank accounts to steal or move money illegally.

Identity Theft – Unauthorized use of someone’s identity to open credit cards or get a mortgage.

“Safe Account” Fraud – Victim is lured into moving money into a ‘safe account’ after the fraudster convinces the victim there has been ‘suspicious activity’ on the account. The fraudster asks for financial details and then performs the transfer – which is why it is fraud and not a simple scam.

Tax Fraud – Impersonating someone to get a tax refund you’re not entitled to.

Figure 3: Example of a tutorial on the dark web for committing Tax Fraud (Source: DarkOwl Vision)

Examples of Scams

Phishing Scams – Emails and texts to get people to click on a link to enter PII. (Read our analysis of a year’s worth of phishing emails here.)

Investment Scams – Fake investment schemes (‘boiler room’) and non-existing charities.

Counterfeit Scams – For example, you order an expensive Rolex watch online, but instead receive a cheap knockoff.

Prize/Lottery Scams – A phishing email may claim “you’ve won all this money… but you need to pay fees and taxes up front,” and then the prize or promised reward is never delivered.

419 or “Generic” Scams – One of the most common 419 scams is sometimes referred to as the “Nigerian Prince Scam”.

Invoice Scams – These are typically pitched with a high sense of urgency, demanding payment for goods or services never provided.

Social Media Scams – Romance Scams fall under this category. These scams involve using social deception designed for financial gain, but because the victim willingly hands over the money, it’s not tagged as fraud. 

Occupation Scams – Money mule schemes advertised as legitimate job opportunities.

Inflation Scams – False government programs advertised as legitimate ‘financial relief’ for energy costs or pandemic relief, for example.

Debt Elimination Scams – Promise to consolidate or remove debt in exchange for an upfront fee that is stolen, with no services provided.

Figure 4: Advertisements for a variety of pre-built tools threat actors can use to scam victims, including spoofed webpages (Source: DarkOwl Vision)

Tips for Spotting the Difference

When trying to decide if something should be categorized as a scam or fraud, differentiating the criminal’s intentions and the means of financial or illicit gain is a good starting point. A question to ask is, is this threat actor a fraudster or a scammer – or both? Also, what was the level of the victim’s involvement in the crime? Remember that not all fraudsters are scammers, and not all scammers are social engineers.


Financial fraud and scams are a time-consuming investigative area for many local law enforcement and federal/international cybercrime units. To learn how DarkOwl can help support fraud and scam investigations, contact us here.

Password Hygiene and Awareness: Trends from the Darknet

May 05, 2023

In honor of this week’s World Password Day, we took a look at how different password trends have evolved over the past year. In doing so we found that many people are still making common password mistakes, such as using their favorite year or using highly popular (and crackable) strings of characters like “123456”. Read on for a breakdown of these trends, as well as some additional insights from our data science team.

Passwords on the Darknet

Credentials are one of the most sought after and frequently exchanged digital goods in the darknet economy. In many cases, large quantities of compromised accounts will be combined and reshared across multiple darknet and deep web forums, including dark web adjacent platforms such as Telegram. Criminals leverage this data in a variety of ways. For example, some may use a credential cracking or “stuffing” tool to cross reference emails with other password lists – or use common password conventions to guess the password – and verify an active email and password combo. In the gravest of cases, when active corporate accounts are discovered, they can be used to gain initial access into a company’s network and allow the intruder to commit a crime such as ransomware.

Credential lists also sometimes appear with an email + hashed password combination. However, this is less common and is considered moderately less risky, as it requires the threat actor to go through the process of cracking the hash to recover the plaintext password before they can make use of it.

Changes in Password Volumes in DarkOwl Vision

Overall, we saw a 16% increase in the total number of email addresses in our darknet data. In 2022, we detected 8,680,000,000, which has since risen to 10,069,116,483 total compromised emails. Though this does include some that did not have associated passwords, an exposed email still poses a degree of risk.

Of the exposed emails in our dataset, over 50% of them appeared with an associated password. The total number of email and password combos detected currently is 5,681,306,514 – up from 5,460,000,000 last year.

Alarmingly, the number of plain text passwords with an associated email jumped by over a fifth in the last year. We detected 5,160,309,835 with plain text passwords as compared to last year’s 4,285,451,030.

Overall, the number of emails with associated hashed passwords remained fairly consistent. 2022 analysis indicated 518,566,724 hashed password and email combos, which has only risen slightly to 520,996,679 this year.

Password Lengths

Of the plain text passwords we analyzed, 8 characters is by far the most common password length. We expect to see that number shift in coming years as companies implement more rigorous password policies including multi-factor authentication (MFA).

Password Strengths

A positive trend of note is that over the past year, we saw an increase in the total number of “strong” passwords. Per industry standards, “strong” passwords are defined as containing special characters, digits, lowercase, uppercase, and length greater than 8 characters. Overall, we detected 643,498,941 passwords that are considered “strong” – up from 637,000,000 last year.

On the flip side, we saw a decrease in the number of passwords using digits by nearly 10%. Using digits, as well as special characters is highly recommended as a method of defending against password crackers. Unless an 8-character password includes numbers and symbols, the password can be potentially brute forced.

Common Patterns Persist

Perhaps out of laziness, a common trend that we see consistently with passwords is the use of strings of digits or characters that can be easily made on a keyboard. This unfortunately appears to be a persistent trend, with the number of people using “123456” or “123456789” increasing across the board.

While less popular than number strings, other keyboard patterns such as “qwerty” remain a popular choice of password. In fact, the number of passwords containing or comprised of “qwerty” jumped by 10% this year.

Perhaps most egregiously, we saw a massive jump in the number of exposed email addresses whose associated password was literally “password”.

Using Your Date of Birth or Anniversary as a Password is Still a Bad Idea

A relatively sizable portion of the passwords we analyzed contained a year, such as “darkowl1990”. Interestingly, we found 102,368,238 passwords that followed a yyyy-mm-dd format, and 13,223 passwords with yyyy/mm/dd. While this is positive in that it utilizes special characters, the prevalence of users who incorporate a date into their password means that threat actors will leverage this to attempt to brute force accounts.

The most popular year detected in our data is 1990, with 14,518,056 containing that year. Years between 1990 and 1999 remain the most popular, which is consistent with last year’s analysis.
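The checks described in this post (plaintext versus hashed secrets, the “strong” definition of special characters, digits, lowercase, uppercase and length over 8, the “123456”/“qwerty”/“password” patterns, and embedded years and yyyy-mm-dd dates) can be run over a combo list with a short script. The following is an added example, not DarkOwl’s code or data: the combo list is constructed, and the hash-length table is a heuristic guess at the algorithm, not an identification.

```python
import re
from collections import Counter

# Constructed "email:secret" rows in the style of a leaked combo list
# (made-up accounts; the two hashes are MD5 and SHA-1 of "password").
SAMPLE_COMBO_LIST = """\
alice@example.com:Tr0ub4dor&3xyz
bob@example.com:123456
carol@example.com:qwerty2021
dave@example.com:password
erin@example.com:darkowl1990
frank@example.com:1990-06-15
grace@example.com:5f4dcc3b5aa765d61d8327deb882cf99
heidi@example.com:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
ivan@example.com:Summer2022!
"""

# Hex digest length -> likely unsalted hash algorithm. Other algorithms share
# these lengths, so treat the result as a guess, not proof.
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")
WEAK_SUBSTRINGS = ("123456", "qwerty", "password")
YEAR_RE = re.compile(r"(19[0-9]{2}|20[0-9]{2})")
DATE_RE = re.compile(r"(?:19|20)\d{2}[-/]\d{2}[-/]\d{2}")


def classify_secret(secret: str) -> str:
    """Return 'plaintext' or the guessed hash algorithm for a secret field."""
    s = secret.strip()
    if len(s) in HASH_LENGTHS and re.fullmatch(r"[0-9a-fA-F]+", s):
        return HASH_LENGTHS[len(s)]
    return "plaintext"


def is_strong(pw: str) -> bool:
    """The post's definition: special, digit, lower, upper and length > 8."""
    return (len(pw) > 8
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in SPECIALS for c in pw))


def weak_patterns(pw: str) -> list:
    """Flags for the patterns the post calls out (substrings, dates, years)."""
    low = pw.lower()
    found = [p for p in WEAK_SUBSTRINGS if p in low]
    if DATE_RE.search(pw):
        found.append("date")      # yyyy-mm-dd or yyyy/mm/dd
    elif YEAR_RE.search(pw):
        found.append("year")      # a bare four-digit year, e.g. darkowl1990
    return found


def analyze_combo_list(text: str) -> dict:
    """Tally the plaintext/hash split and password-quality stats for a list."""
    stats = {"total": 0, "plaintext": 0, "strong": 0, "hashed": Counter(),
             "weak_patterns": Counter(), "years": Counter(), "lengths": Counter()}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # skip malformed rows
        _email, secret = line.split(":", 1)
        stats["total"] += 1
        kind = classify_secret(secret)
        if kind != "plaintext":
            stats["hashed"][kind] += 1    # hashed: cracking needed before use
            continue
        stats["plaintext"] += 1
        stats["lengths"][len(secret)] += 1
        if is_strong(secret):
            stats["strong"] += 1
        for flag in weak_patterns(secret):
            stats["weak_patterns"][flag] += 1
        year = YEAR_RE.search(secret)
        if year:
            stats["years"][year.group(1)] += 1
    return stats


if __name__ == "__main__":
    for key, value in analyze_combo_list(SAMPLE_COMBO_LIST).items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```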

Hashed Passwords

In cryptography, hashing involves using a mathematical algorithm to map data of any size into a bit string of a fixed size. In password hashing, a ‘hash’ consists of a unique digital fingerprint (of a fixed size) corresponding to the original plaintext password which cannot be reversed. There are several different ‘hashing algorithms’ available for hashing passwords.

The most common hash in DarkOwl’s darknet collection is MD5, followed by SHA-1. While this is consistent with last year, we did not see an increase in hashes of this type, as one might expect to happen as more data is collected over time. On the other hand, over the past year we saw a massive jump in SHA-256 and SHA-512 hashes from 2022. This suggests that these types of hashes are becoming more popular and we should expect to see this number grow in the coming years.

According to reporting, 51% of people use the same password for their work and personal accounts. To see if our data is consistent with that account, our data team conducted an analysis to estimate the number of “shared passwords” between work and personal accounts. To do this, our data team partitioned the data into two categories: commercial email providers (gmail, yahoo, etc.) and companies (DarkOwl, Apple, Microsoft, etc.). Then, we looked for the number of accounts that had the same username between company and commercial emails, such as [email protected] vs. [email protected].

Once detected, we looked for the number that shared the same username and the same password. In doing so we found that 45% of matched accounts re-used the same password. This is likely an under-estimation due to variations in naming conventions across email accounts, but supports the notion that using the same password for multiple accounts is a highly common practice. Overall, we detected 35,085,849 instances of linked email addresses that appeared with the same password.


In addition to being able to search all collected darknet data for exposed credentials, DarkOwl extracts entities such as IP addresses, credit card numbers, bank identification numbers, and cryptocurrency addresses. This enables an organization to search specifically for relevant entities, such as server IP addresses and email addresses on the same darknet forum. Learn more about Entity API.

Another RSA Conference in the Books: DarkOwl RSA Recap

May 05, 2023

RSA Conference in San Francisco, this year held April 24-27, is one of the biggest and most anticipated cybersecurity events of the year, and for DarkOwl specifically, that is no exception. The DarkOwl team plans and plans and looks forward to RSA each year; to see friendly and new faces alike, hear the latest trends, news and innovations in cybersecurity, share our latest product updates and offerings, and of course have some fun around San Francisco. The team was happy to have a booth on the show floor, host a customer dinner on Tuesday night and have a private meeting space around the corner from Moscone Center to hold one-to-one meetings with prospects, partners and clients.

“Stronger Together”

The RSA Conference slogan, “Where the World Talks Security” is the perfect quick elevator pitch for what happens each year at RSA – thousands of security professionals from around the globe gather together to hear and discuss new and leading perspectives, innovation and best practices. The most memorable RSA moments can be found on their website here.

The theme of RSA this year was “Stronger Together.” The cybersecurity space is often very competitive; with so many amazing products and solutions in the space, this is inevitable. However, given the geopolitical landscape, the ever-growing increase in digital reliance and increases in cybercriminal activity and creativity, trust and learning from each other is more important than ever. The opportunity to meet end-users, thought leaders and security teams face to face and build relationships helps combat this perceived sense of competition – we are all in this together.

DarkOwl Highlights

Representing the DarkOwl team, we had several executive team members, sales reps, customer success managers, and analysts present manning the booth and holding private one-to-one meetings. Of note, DarkOwl Co-Founder and CEO, Mark Turnage, Co-Founder and CFO, Russell Cohen, and CBO, Alison Halland, all noted that this was the busiest RSA in DarkOwl’s history in terms of quality meetings and conversations being set up prior to the show. Hoping follow up is just as successful! Sales Representatives, Chris Brown and Magnus Svärd were happy to report a very busy show floor, finally feeling like RSAC is “back to normal.”

The DarkOwl team remained busy over the three days manning the booth, meeting new prospects and showcasing our industry leading darknet platform, Vision UI, which allows users to search and monitor the most comprehensive darknet dataset. With many current clients present, the DarkOwl team was able to spend time understanding how we can best optimize and elevate our current partnerships and how we can continue to provide the most value as their darknet data provider, focusing on continuing to build up our customer relationships, building trust, and working together!

In anticipation of RSA, our product and data teams were hard at work getting new features and new products ready to launch and showcase in time for the show, and the team was happy to share some of these highlights at the booth:

  • A new monitoring product—DarkSonar—which is designed to be predictive of cyberattacks. In an analysis of over 250 companies that suffered from cyberattacks, their DarkSonar signal was elevated nearly 75% of the time months prior to the attack.
  • A new darknet threat actor lexicon and database, covering almost 1,000 known threat actors, and providing information for these actors; and
  • A new feature on VisionUI that allows searching and tracking Telegram users by username across over 2,000 channels.

RSA provided the perfect environment to not only gather feedback from current customers and partners on their current products but also garner feedback on recently launched features and DarkSonar in particular. We are happy to report lots of positive feedback and are excited to have those follow up conversations!

DarkSonar 101

With cyberattacks increasingly on the rise, organizations need better intelligence to safeguard themselves, employees and customers from incidents such as data breaches and ransomware attacks. This rise in illicit cyber activity only increases the need to protect against and determine the likelihood of these attacks.

Research shows that most cyber incidents stem from a threat actor gaining initial access through a compromised set of credentials. Many of these attacks result in substantial costs including an organization’s time and money, as well as long term effects such as loss of reputation— not to mention the potential effects on their clients and their employees.

DarkSonar is a relative risk rating that considers the nature, extent and severity of credential leakage on the darknet to provide a company with a signal that acts as a measurement for a company’s exposure.

DarkSonar enables companies to model risk, understand their weaknesses and anticipate potential cyber incidents. In turn, organizations are able to take mitigating actions to protect themselves from loss of data, profits, and brand reputation.

To learn more about DarkSonar, check out our datasheet.


Didn’t get a chance to meet with our executive team at RSA? Contact us to set up some time to chat!

Threat Intelligence RoundUp: April

May 01, 2023

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of what was the most popular in our newsletter – what our readers found the most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Stolen, cloned and sold: Inside the digital black market for SNAP benefits – The Baltimore Banner

In this months-long research investigation, learn how and why cybercriminals are trafficking benefits online. This article dives into the fact that benefits theft has been increasing nationwide, focusing on food assistance programs and cybercriminals trafficking welfare benefits on the darknet across multiple marketplaces. Read full article.

2. iPhones hacked via invisible calendar invites to drop QuaDream spyware – BleepingComputer

The Israel-based company QuaDream sells spyware able to compromise iPhones using “a zero-click exploit named ENDOFDAYS.” Citizen Lab has said the attacks used “backdated and invisible iCloud calendar invites.” This particular exploit is able to run without the user’s knowledge because when calendar invites with dates from the past are received by an iPhone they are automatically added to the calendar. The victims have not been named publicly but are known to be high-profile individuals. Sophisticated detection-evasion techniques include self-deletion. Read more.

3. Kodi discloses data breach after forum database for sale online – BleepingComputer

The Kodi Foundation has announced that they suffered a data breach after their MyBB forum database was stolen. Hackers were able to access and steal the forum database using old credentials from a staff member to log into the Admin console. The database contains information about public forum posts, private messages between users, as well as credentials. Kodi has advised all users to think of their passwords as being compromised. They have shared the stolen emails with Have I Been Pwned. Read more.

4. Blind Eagle Cyber Espionage Group Strikes Again: New Attack Chain Uncovered – The Hacker News

The cyber threat actor Blind Eagle, also referred to as APT-C-36, has been linked to a multi-stage attack chain that ends with the NjRAT remote access trojan on compromised systems. Blind Eagle is thought to be a Spanish-speaking group and is targeting mainly private and public entities in Colombia, but is also expanding to Ecuador, Chile, and Spain. Read full article.

5. IRS-authorized eFile.com tax return software caught serving JS malware – Bleeping Computer

eFile.com is IRS-authorized software used for filing tax returns. Security researchers found malicious JavaScript on the site. This security concern is limited to eFile.com and does not affect the IRS’ e-file infrastructure. The JavaScript being used was popper.js. The file on the site no longer contains the malware. The first signs the site was being attacked came on March 17th with an SSL error. Security researchers observed an update.js file connected to the attack, served from an Amazon AWS endpoint. A script analyzed by BleepingComputer shows the malware was a backdoor allowing remote access by threat actors. Read here.

6. Iranian Hackers Launch Sophisticated Attacks Targeting Israel with PowerLess Backdoor – The Hacker News

APT35, an Iranian nation-state threat actor that has been active since at least 2011, has been associated with a new wave of phishing attacks targeting Israel. To attack their victims, APT35 usually leverages fake social media personas, spear-phishing techniques, and N-day vulnerabilities. Read more.


Make sure to register for our weekly newsletter to get access to what our analysts are reading on a weekly basis.

Introducing DarkSonar: An Interview With our Product Team

April 25, 2023

In honor of the launch of our newest product, DarkSonar API, our marketing team sat down with DarkOwl’s Director of Product, Sarah Prime and Product Manager, Josh Berman to learn more.


Leah: Hi! Thanks for taking the time to chat with me today. Let’s start out with the basics: what is DarkSonar and what does it do?

Josh: DarkSonar is a relative risk rating based on exposed credentials in the darknet. So, basically, it looks at not only the volume of a company’s exposure, but also the severity of it. For example, a leaked email address that was posted with an associated plain text password would be considered a greater indicator of risk than just a standalone email address. DarkSonar takes that into account and generates a signal that is specific to that company based on its historical exposure, which means companies can monitor for their specific level of risk. Basically, you can think of DarkSonar as an indicator of current cyber risk. 

Sarah: Yeah – really the most defining characteristic of DarkSonar is that it tells you something. It gives you a signal, versus just giving you a score. Is your risk elevated today compared to what it was last week? This is really valuable information for threat intelligence teams or anyone in charge of assessing cyber risk levels. 

Leah: Why did you decide to focus on credentials as the basis for DarkSonar risk signals?

Josh: Exposed or compromised credentials are something that has been definitively proven to be a direct predictor of cyberattacks. Basically, that means that DarkSonar takes into account not just the presence of the emails, but also the context in which they appear. DarkSonar asks questions like, is it just an email by itself? Or, is there a plaintext password with it? Those are two very different things that a threat actor is going to do two very different things with.

For example, if we detect a domain that has a bunch of emails and plaintext passwords that were put on the darknet yesterday, there’s a very good chance somebody out there is going to try to use those plaintext passwords. I say that because, from the perspective of the threat actor, there’s almost no work they have to do on their end to exploit that information. It’s like it’s an invitation to use this for an attack. Whereas, if there’s no passwords – or even if there’s a hashed password – there’s an extra step there that a threat actor would have to take to compromise that account. And so that’s why that’s weighted heavier in our new calculation. Because of the weighting we have, which accounts for the recency and the severity, we’re able to make an assessment about the relative likelihood of an attack.  

Sarah: As we were thinking about the DarkSonar model, we thought about how we incorporate the actual risk of an exposed entity more meaningfully. You know, instead of just looking at the overall hackishness of the page where an entity is mentioned, how could we assess the hackishness of the mention? We set out to develop a tool that evaluates exposure in a qualitative way, rather than just quantitative. 

Leah:  What does “relative risk” mean in the context of DarkSonar? 

Josh: I think it’s important to point out that by incorporating standardization into the algorithm, DarkSonar signals are relative to the company itself. It has nothing to do with other companies, which means it’s a lot more indicative of actual risk.  

Sarah: Yeah, another way to think about it is that DarkSonar gives you a personalized risk indicator.

Leah: Do you envision companies using DarkSonar for monitoring? 

Sarah: Absolutely. We believe that darknet data is a really important source of insight into criminal activity and potential threats to your attack surface. We know that breaches and ransomware are a huge problem for businesses of all sizes. At a conference I attended recently, one of the presenters cited a survey where 80% of CISOs felt that they were going to be hit by a ransomware attack in the next year. So, with things like that being very top of mind, we’ve continued to innovate new ways to help companies monitor for and potentially even predict cyberattacks.  

Josh: That’s a good point, Sarah. Essentially, we want to help companies use darknet data in a way that means something to them. 

Leah: So let’s say I’m a company monitoring my DarkSonar signal and it suddenly is elevated. Does that mean a cyberattack is imminent?

Josh: It does not mean an attack is imminent, but it does mean that there is a greater likelihood of such an attack occurring. We know this based off of our internal research, combined with validation by external companies that we’ve partnered with. The results of that analysis showed that there’s a pretty strong indicator that an elevated DarkSonar signal correlates with cyber risk.  

Sarah: In developing DarkSonar, we looked at 250 companies with known cyberattacks, and found that their signal was elevated nearly 75% of the time in the months leading up to the attack. For those companies, the DarkSonar signal would have been an early indicator of a future cyberattack. And, to our knowledge, there is no other cyber risk monitoring tool out there that could do that.   

Leah: Are DarkSonar signals something that would benefit small businesses? Or are they more geared towards enterprise companies? 

Josh: DarkSonar is absolutely valuable for small companies as well. That’s because, as we’ve been saying, signals are relative to the company. It’s relative to how they’ve been doing the last two years. So it was not built for just big businesses or just small businesses… it adds the same value to any company with a domain that has email addresses. That’s who it applies to.  

Leah: Are there any other use cases for DarkSonar other than monitoring your own company’s signal?  

Sarah: Oh my gosh, yes. Many. DarkSonar can be used to assess risk for anything that is a part of your attack surface, including third party vendors for example.  

Josh: Monitoring for your own company is definitely important, but, it definitely shouldn’t end there. Your full attack surface includes your supply chain, your clients, your clients’ clients, and so on. This is a tool for monitoring risk across your entire portfolio.  

Leah: Any other closing thoughts? 

Josh: Yeah, I think just generally, we’re proud of the evolution of our darknet exposure monitoring tools. We think it’s super important that we listen to our customers, conduct regular product evaluations based on feedback, etc – and that is what we do every day.  

Sarah: For me, particularly given the environment that we’re in with ransomware attacks that you can see in the headlines on a daily basis, we’ll be thrilled if we can help even one company be aware of a potential risk by using DarkSonar. 


Learn how DarkSonar can help your organization track risk and potentially predict cyberattacks. Contact us.

Cybercriminal Arrests: 2022 Lookback

April 20, 2023

Cybercriminals who see the most return on their cybercrime-related activities can also suffer the greatest consequences at the hands of law enforcement. Despite the anonymous nature of the darknet, law enforcement has developed sophisticated tools and procedures to take down the most notorious criminals who operate on the darkest corners of the internet.  

Major cybercrime arrests of 2022 give insight into the operations and true identities of several noted cybercriminals. These range from individuals involved in sophisticated illicit cyber activity from as young as age 15, to business entrepreneurs who were virtually unknown in the darknet community and whom no one suspected, to those who committed their crime a decade ago. DarkOwl analysts round up some of the most notorious arrests of 2022.

Diogo Santos Coelho (aka “Omnipotent”, aka “downloading”, aka “shiza”, aka “Kevin Maradona”)

The case of Diogo Santos Coelho, aka omnipotent, highlights the importance of OPSEC (operational security) and illustrates that many notorious cybercriminals, or hackers, can be very young. On Tuesday April 12, 2022, the United States Department of Justice announced the seizure of RaidForums and unsealed criminal charges against Diogo Santos Coelho, RaidForums’ alleged administrator. He had been arrested on January 31 in the United Kingdom. The six-count indictment against Coelho charged him with conspiracy, access device fraud, and aggravated identity theft. The FBI alleges that he was the administrator of RaidForums from around January 2015 to January 2022.

RaidForums was a popular online marketplace known for providing leaks and breaches for sale or sometimes for download, either via credits accrued on the site or for free. These leaks could include personally identifiable information (PII) and financial information, ranging from social security numbers to credit cards, and would be used by criminals to commit fraud as well as to access company networks. RaidForums was taken down in Operation TOURNIQUET, a joint operation between Europol, the United States, the United Kingdom, Sweden, Portugal, and Romania. Similar key cyber operations and the law enforcement agencies involved in darknet takedowns can be found in DarkOwl’s interactive timeline.

Court documents show that Coelho used the names OMNIPOTENT, DOWNLOADING, SHIZA, and Kevin MARADONA. OMNIPOTENT and DOWNLOADING were used on the RaidForums site. In addition to being an administrator, the indictment shows he also provided a middleman service for buyers and sellers on the site. Searching in DarkOwl Vision, it appears that there is no honor among fellow thieves on the darknet, as Coelho was subsequently doxxed.

According to DarkOwl’s darknet glossary, a dox is to publicly name or publish private information (PII) about an unwitting target. Doxxing can be used as a form of aggression between conflicting groups, such as when 22 members from Trickbot were doxxed as part of the Russia-Ukraine cyberwar by a pro-Ukrainian affiliate. Other times it is to express political opinions.

Figure 1: Screenshot of Omnipotent Doxx; Source: DarkOwl Vision 

As seen in Figure 1, the name on the account is “Kevin Maradona.” Using the DarkOwl Vision email lexicon, the email didi-lover[@]hotmail.com appears in a document linked to omnipotent[@]raidforums.com, Kevin Maradona, and his address. It is not known exactly which techniques law enforcement used to identify Diogo Coelho; however, personal information such as emails, aliases, and addresses all help investigations. Law enforcement was able to seize three domains which hosted the RaidForums site, leading to further investigations.

Not only did Diogo Santos Coelho establish arguably the most popular online marketplace to illegally buy, sell, and trade highly sensitive information from around the world, but he started this site when he was only 15 years old.  

Ilya “Dutch” Lichtenstein and Heather Morgan (aka “razzlekhan”) 

The indictments against Ilya Lichtenstein and Heather Morgan of New York were ones that no one, except perhaps the IRS, saw coming. Both were known in the business world and involved as entrepreneurs in startups. Morgan even had an online rapper persona, Razzlekhan. The couple was arrested in New York and charged with Money Laundering Conspiracy and Conspiracy to defraud the United States. The indictments stem from their alleged attempts to launder $3.6 billion in stolen bitcoin from the Bitfinex exchange hack.

It is alleged that Lichtenstein and Morgan moved the funds through multiple transactions to different accounts across separate platforms to try and hide the paper trail. U.S. law enforcement successfully traced the stolen bitcoin via the blockchain to several accounts owned by Lichtenstein and Morgan. Lichtenstein kept the addresses and keys in cloud storage, which law enforcement was able to decrypt, discovering a file with 2,000 cryptocurrency addresses and the private keys to each. A federal magistrate judge in New York ruled that Morgan and Lichtenstein be released on bond for $3 million and $5 million respectively. However, the Chief U.S. District Judge ruled that Morgan may return home to New York “under strict conditions” but that Lichtenstein must remain in prison in the District.

Figure 2: Picture of Heather Morgan who called herself a cold-email expert; Source: Forbes.com

Sebastien Vachon-Desjardins

NetWalker Ransomware group primarily targeted healthcare and education institutions as well as other sectors such as law enforcement, companies, and emergency services. Most well-known for taking advantage of the global COVID-19 pandemic to leverage targeted attacks against their victims, NetWalker distributed pandemic-related phishing emails to target healthcare institutions already pushed to their max by the global health crisis.

In January of 2021, the Department of Justice announced the successful disruption of the NetWalker ransomware group as the result of an international law enforcement operation. Law enforcement was able to seize almost $500,000, and Canadian national Sebastien Vachon-Desjardins was charged with wire and computer fraud, “intentional damage to a protected computer, and transmitting a demand in relation to damaging a protected computer arising from his alleged participation in a sophisticated form of ransomware known as NetWalker.” In March of 2022, the Department of Justice announced Sebastien Vachon-Desjardins’ extradition and the seizure of $28,151,582 of cryptocurrency after executing a search warrant.


On October 3rd, 2022, Sebastien Vachon-Desjardins was sentenced to 20 years in prison (following his extradition to the U.S.). He agreed to give up $21.5 million as part of a plea agreement. He is believed to have been a key active affiliate of the NetWalker ransomware group and is rumored to have a close affinity with the hacking group REvil.

Information from the seizure of NetWalker’s backend servers in Bulgaria highlighted the true number of victims exploited by the group. The FBI reports that 115 victims filed a report, however, the true number of victims is likely between 400 to 1,500. In the words of U.S. Attorney Roger B. Handberg, “the defendant in this case used sophisticated technological means to exploit hundreds of victims in numerous countries at the height of an international health crisis.”

Figure 3: Screenshot from NetWalker’s darknet blog; Source: DarkOwl Vision

Mark Sokolovsky (aka “photix”, aka “raccoonstealer”, aka “black21jack77777”)

On October 25, 2022, a grand jury indictment was unsealed charging Ukrainian national Mark Sokolovsky for his alleged role as a core member of the Raccoon Infostealer operation. Raccoon Stealer is a prolific infostealer that operates on a malware-as-a-service model and is available for purchase for around $200. Customers (typically cybercriminals) receive access to a control panel with the most recent version of the malware, could work on infected systems in real time, and could view the stolen data, such as logins and credentials, and interact with the malware.

Information stealers such as Raccoon are a class of malware, also referred to as Trojans or remote access tools (RATs), designed to steal sensitive information from victims’ computers or devices. Once a machine is infected, Raccoon typically operates in the background while it systematically searches for and collects a wide range of data from the compromised system. This data can include login credentials, credit card numbers, social security numbers, banking information, and other types of personal and financial data. Raccoon may also capture screenshots, record keystrokes, and log other user activity to gather further information. The collected data is leveraged for fraud and exploitation such as identity theft or the draining of bank accounts. At the time of the indictment, the FBI had found over 50 million unique credentials and pieces of identification taken with the stealer’s help.

Sokolovsky is charged with one count of conspiracy to commit computer fraud and related activity in connection with computers; one count of conspiracy to commit wire fraud; one count of conspiracy to commit money laundering; and one count of aggravated identity theft.

Figure 4: Mark Sokolovsky leaving Ukraine and avoiding mandatory military service, taken at the Polish border; Source: KrebsOnSecurity.com  

James Zhong  

The Silk Road, created by Ross Ulbricht, a.k.a. Dread Pirate Roberts, was notoriously one of the first well-known and most used darknet marketplaces. The marketplace was shut down by law enforcement in 2013. However, billions of dollars remained unaccounted for despite the site’s seizure. In November of 2022, the Department of Justice announced they had found $3.36 billion worth of Bitcoin that had been stolen from The Silk Road around 10 years before. It was hidden in a popcorn tin in a bathroom closet along with Casascius coins and bars of precious metals. $661,900 in cash was also seized.

The announcement from the Department of Justice read that in 2012 Zhong made 9 accounts on The Silk Road and triggered over 140 transactions “to trick Silk Road’s withdrawal-processing system into releasing approximately 50,000 Bitcoin from its Bitcoin-based payment system into Zhong’s accounts” which he then put through cryptomixers and moved to various accounts to cover his tracks. Zhong gave up 1,004.14621836 Bitcoin to the government. He pled guilty to one count of wire fraud.

Figure 5: The popcorn tin where the criminal proceeds of James Zhong were found; Source: Department of Justice
Figure 6: Some of the physical Bitcoins (Casascius coins) and other items seized by law enforcement; Source: Department of Justice

Paige Thompson (aka “erratic”)

The case of Paige Thompson highlighted the potential grey area between a white-hat hacker and a cybercriminal. The former Amazon employee was responsible for a major breach in 2019 when she downloaded and posted to the darknet the personal information of more than 100 million Capital One users. The data included 140,000 social security numbers and 80,000 bank account numbers.

Figure 7: Paige Thompson, alias “erratic” posting on a forum the Capital One data; Source: DarkOwl Vision 

Prosecutors said Paige Thompson exploited misconfigured web application firewalls to obtain credentials belonging to customers of a cloud computing company, access sensitive data, and use the servers to mine cryptocurrency. Her lawyers argued that her actions fall under the category of a white-hat hacker, as she was scanning for online vulnerabilities and probing what they exposed. The Federal Government contended that she had no intention of disclosing the vulnerabilities and wanted to use the stolen information for her own gain.

She pleaded not guilty to violating the Computer Fraud and Abuse Act. She was found not guilty of identity theft and access device fraud but was found guilty of wire fraud, damaging a protected computer, and five counts of unauthorized access to a protected computer. Capital One paid $80 million to regulators and $190 million to the people whose sensitive information was exposed.

Conclusions: Law Enforcement is Never Far Behind

Cybercriminals who commit large crimes are likely to attract the attention of law enforcement. However, the illicit cybersphere is so decentralized that it would take many, many years for law enforcement to track down every cybercriminal.

To help facilitate these efforts, law enforcement agencies have developed sophisticated tactics to attribute online crimes to people even if they are working in an anonymous environment. Using darknet search and monitoring services such as DarkOwl is one such tactic favored by law enforcement as it allows investigators to gather evidence and follow leads over time in order to build a robust case.


To learn more how DarkOwl can aid in cybercriminal investigations, contact us.

Cyber Risk Modeling: Introducing DarkSonar

April 18, 2023

Over the past few years, there has been an increase in global cyberattacks, with reports indicating that overall attacks were up 38% in 2022 compared with the year before. In the USA alone there was a 57% increase, while the UK experienced a 77% increase in cyberattacks. Many of these attacks result in data breaches and ransomware attacks, which cost organizations time and money, as well as long-term negative effects such as loss of reputation.

On top of this, the average cost of a data breach has reached a record high of $4.35 million. The cost of a ransomware attack is $4.54 million, on average, not including the cost of a ransom payment. With cyberattacks on the rise, organizations need better intelligence to enable them to model risk and take mitigating actions, particularly small businesses which are three times more likely to be a target of a cyberattack.

Darknet data is a key source of insight into criminal and other nefarious activity. The darknet—or dark web as it is also referred to—is a layer of the internet that cannot be accessed by traditional browsers. Sensitive corporate information is regularly leaked or sold on the darknet. These sets of darknet data can be used to identify cybersecurity threats and calculate organizational risk. Understanding risk enables an organization to be better prepared for potential threats.

Cybersecurity Risk

Cybersecurity risk can be most simply described as the potential harm your organization faces from a cyberattack. The possibility of a cyberattack feeds several different corporate risk calculations. One of the biggest threats a cyberattack poses is the loss or public exposure of data, which presents a significant risk to a company’s brand and reputation.

Stolen and leaked intellectual property can pose a significant risk to a company’s finances and competitive edge. In addition to loss of data, there is a direct risk to executives and key leadership from phishing attacks and stolen credentials. If the direct risk within a company weren’t enough, there is also an indirect risk through third-party vendors and suppliers. To better map out cybersecurity risk, organizations need to model risk.

Figure 1: Generic Risk Model; Source: NIST

The figure above shows a generic risk model and the relationships between the components. In organizational risk calculations, threat includes anything that can cause harm to the organization. This includes threats from natural disasters, significant hardware or backup failure that triggers a disruption in services or production, and cybersecurity attacks by external malicious entities. Threat calculations are often tied to scenarios with likelihoods of occurrence that involve an adversary’s intent, capability, and targeting. To effectively model risk, organizations need to (1) model internal threats, (2) model external risk from third parties, and (3) determine the likelihood of specific scenarios. The risk is then calculated from a combination of impact and likelihood.

DarkOwl Data

DarkOwl provides a variety of data to model risk and threats to an organization:

Leaks/Data Breaches: Leaks, or data breaches, are aggregate data files of information obtained without the owner’s consent. This can consist of internal email records, usernames and passwords, personally identifiable information (PII), financial records, and more. Leaks are often sold for profit on the darknet, though they are sometimes posted and leveraged by criminal actors for means other than financial gain.

Dark web search data: Vision UI provides access to a variety of darknet and deep web resources. Additional capabilities enable the user to search for CVEs, construct searchblocks, etc. The platform provides the ability to fully customize darknet searches based on individual priorities and focus areas. Approximately 10-15 million pages/targets are crawled daily, with updated content becoming accessible to users in near-real time.

Entities: In addition to being able to search all collected darknet data, DarkOwl extracts entities such as IP addresses, credit card numbers, bank identification numbers, crypto addresses, email addresses, and credentials. This enables an organization to search specifically for relevant entities, such as server IP addresses and email addresses.

Group data: Vision UI enables a user to search for groups. Groups include chan, ransomware, forum, market, and paste data. Ransomware and forum data are particularly useful for determining organizational risk. Discussions of relevant software and exploitability of specific CVEs can assist an organization in determining potential unpatched vulnerabilities.

Telegram and Chat Platforms data: Telegram and other chat platforms data consists of encrypted, semi-encrypted, and open-source chats. DarkOwl has over 400 thousand Telegram chats. Discussions between threat actors can be found on these chat platforms.

DarkSonar: DarkSonar is a risk metric based on darknet intelligence and measures an organization’s credential exposure on the darknet. It provides a relative risk rating for an individual email domain. The metric is based on email exposure using three parts of email entities: unique plaintext credentials, unique hashed credentials, and total unique email address volume with no credentials. 

DarkOwl’s data can assist an organization with threat modeling, managing third party risk, and potentially predicting the likelihood of an attack.
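To make the three email-entity inputs listed under DarkSonar concrete, here is an added example (written for this page; it is not DarkOwl’s code and does not use the Vision or Entity API) that parses a constructed credential leak in “email:secret” combolist form, classifies each secret as plaintext, hashed, or absent, and tallies unique entities per email domain. The sample lines, the example.com/example.org addresses, the password strings and the hash-looking values are all constructed for this illustration, and the hash-detection rules are an assumption of the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the shape of a leaked combolist ("email:secret" per line).
# Every address uses a reserved example domain; passwords and hashes are made up.
SAMPLE_LEAK = """\
alice@example.com:Winter2023!
bob@example.com:0123456789abcdef0123456789abcdef
carol@example.com
alice@example.com:Winter2023!
alice@example.com
dave@example.org:$2b$12$abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQ
erin@example.org:correct horse battery staple
frank@example.com:
not-an-email-line
"""

# Assumed detection rules: unsalted hex digests of common lengths (MD5, SHA-1,
# SHA-256) or modular-crypt style strings ($1$, $5$, $6$, bcrypt, argon2) count
# as hashed; anything else that is non-empty is treated as a plaintext password.
HEX_DIGEST = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
MODULAR_CRYPT = re.compile(r"^\$(?:1|5|6|2[aby]|argon2(?:i|d|id))\$")
EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


@dataclass
class DomainExposure:
    plaintext: set = field(default_factory=set)   # unique (email, password) pairs
    hashed: set = field(default_factory=set)      # unique (email, hash) pairs
    email_only: set = field(default_factory=set)  # addresses seen with no secret at all


def classify_secret(secret: str) -> str:
    """Return 'none', 'hashed' or 'plaintext' for the secret part of a record."""
    if not secret:
        return "none"
    if HEX_DIGEST.match(secret) or MODULAR_CRYPT.match(secret):
        return "hashed"
    return "plaintext"


def parse_leak(text: str) -> dict:
    """Group records by email domain and bucket each one by credential kind."""
    exposure = defaultdict(DomainExposure)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        email, _, secret = line.partition(":")
        email, secret = email.strip().lower(), secret.strip()
        match = EMAIL.match(email)
        if not match:
            continue  # skip lines that are not email-led records
        bucket = exposure[match.group(1)]
        kind = classify_secret(secret)
        if kind == "plaintext":
            bucket.plaintext.add((email, secret))
        elif kind == "hashed":
            bucket.hashed.add((email, secret))
        else:
            bucket.email_only.add(email)
    # An address that also appears with a secret is not "exposure without credentials".
    for bucket in exposure.values():
        with_secret = {e for e, _ in bucket.plaintext} | {e for e, _ in bucket.hashed}
        bucket.email_only -= with_secret
    return dict(exposure)


def summarize(exposure: dict) -> dict:
    """Per-domain counts in the shape of the three DarkSonar inputs."""
    return {
        domain: {
            "plaintext": len(b.plaintext),
            "hashed": len(b.hashed),
            "email_only": len(b.email_only),
        }
        for domain, b in sorted(exposure.items())
    }


if __name__ == "__main__":
    for domain, counts in summarize(parse_leak(SAMPLE_LEAK)).items():
        print(domain, counts)
```

Deduplication is the point of the exercise: the same plaintext pair re-posted across several dumps inflates raw volume but not a domain’s real exposure, so counting unique pairs per domain gives a number that can be compared month to month.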

Threat Modeling

Identifying threats involves creating threat scenarios: threat events caused by threat sources that exploit vulnerabilities, i.e. weaknesses in systems. Vulnerabilities can be internal, such as an unpatched server or poor employee awareness, or external, such as a third-party vendor.

Threat vectors refer to the vulnerability pathway that cyber attackers take to gain access to an organization’s network. Regardless of the actor or the motivation, they will utilize one or more threat vectors to gain access to a system. Below, Table 1 gives a list of common threat vectors used by an adversary. Also included are the associated solutions that DarkOwl data offers to help to model risk and mitigate damage for each of these different threat vectors.

Table 1: The Most Common Threat Vectors (columns: Threat Vector; Statistics; DarkOwl Data)

Threat vector: Phishing Emails
Statistics:
– 61% increase in the rate of phishing attacks in the six months ending October 2022 compared to the previous year, and attacks are getting more sophisticated.
– 90% of IT professionals believe email phishing is the top cyber threat to their organization due to the sharp increase in email phishing.
– 92% of malware was delivered through email in 2021. Phishing emails in particular were responsible for 90% of 2021’s data breaches.
DarkOwl data:
– DarkSonar: Risk Signal
– Entities: Emails, Credentials

Threat vector: Third Party Vendors/Supply Chain
Statistics:
– 48% of organizations deem third-party relationship complexity as their main problem.
– 54% of businesses do not vet third-party vendors properly and do not have a complete list of all the third parties who have access to their network.
– 59% of companies experienced a third-party data breach. Only 16% say they effectively mitigate third-party risks.
– 65% of firms have not identified the third parties that have access to their most sensitive data.
DarkOwl data:
– DarkSonar: Risk Signal

Threat vector: Weak or Compromised Login Credentials
Statistics:
– 80% of hacking incidents caused by stolen and reused login information.
– 82% of data breaches involve a human element, including phishing and the use of stolen credentials.
DarkOwl data:
– DarkSonar: Risk Signal
– Entity Emails: Credentials

Threat vector: Brute Force Attacks
Statistics:
– Brute force is the most widely used initial vector to penetrate a company’s network.
– Brute force attacks increased from 13% to 31% in 2021.
– Over 80% of breaches caused by hacking involve brute force or the use of lost or stolen credentials.
DarkOwl data:
– Vision UI: Company mentions
– Entity Emails: Credentials: available data for credential stuffing for brute force

Threat vector: Unpatched Vulnerabilities
Statistics:
– 60% of breach victims admitted they were breached due to an unpatched known vulnerability where the patch was not applied. 62% claimed they weren’t aware of their organizations’ vulnerabilities before a breach.
– 75% of attacks in 2020 used vulnerabilities that were at least two years old.
– 84% of companies have high-risk vulnerabilities on their external networks; more than half of these could be removed simply by installing updates.
– 87% of organizations have experienced an attempted exploit of an already-known existing vulnerability.
DarkOwl data:
– CVE Mentions: for relevant software and combination CVE mentions for 0-days
– Forum data: discussions of malware development

Threat vector: Cross-site Scripting (XSS)
Statistics:
– It is estimated that more than 60% of web applications are susceptible to XSS attacks, which eventually account for more than 30% of all web application attacks.
DarkOwl data:
– Entity IP addresses
– CVE mentions: for exploitable web server vulnerabilities

Threat vector: Man-in-the-Middle (MITM)
Statistics:
– Nearly 58% of all posts on criminal forums and marketplaces contain banking data of others collected by MITM or other attack types.
DarkOwl data:
– Vision search: company mentions
– Entity IP addresses
– Forum data

Threat vector: DNS Poisoning
Statistics:
– A six-year study of DNS data showed that DNS spoofing is still rare, occurring in only about 1.7% of observations, but has been increasing during the observed period, and that proxying is the most common DNS spoofing mechanism.
DarkOwl data:
– Entity IP addresses

Threat vector: Malicious Apps/Trojans
Statistics:
– 46% of organizations have had at least one employee download a malicious mobile application which threatens their networks and data.
DarkOwl data:
– DarkSonar: for phishing attacks, which often include links or attachments of malicious apps/trojans

Threat vector: Insider Threat
Statistics:
– Insider threats increased by 47% between 2018 and 2020.
– 70% of organizations are witnessing more frequent insider attacks.
DarkOwl data:
– Vision Search: searchblocks for insider-targeted searches

Examples

Email Exposure

DarkSonar provides a metric to chart an organization’s relative risk ratio over time. To demonstrate this, we have included several case studies using actual organizations that experienced cyberattacks. The example below looks at AMD, who publicly announced that they experienced a cyberattack in June of 2022 (as illustrated by the dotted line). 

Figure 2: DarkSonar exposure for AMD over time

Figure 2 above shows that DarkSonar detected an elevated risk signal for AMD from January to April of 2022. An elevated score indicates that the organization’s exposure on the darknet has dramatically increased relative to its own history, which translates to higher risk. In this example, DarkSonar’s elevated signal in the months preceding the incident forecast the attack that ultimately transpired.
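As an added illustration of what “relative to the organization’s own history” can mean in practice, and of the generic model in which risk combines likelihood with impact, the following example (written for this page, not DarkSonar’s actual scoring) turns monthly counts of the three entity kinds into an exposure score, compares each month against the trailing 24 months using a median/MAD baseline, flags elevated months, and multiplies a likelihood band by an impact figure. The weights, thresholds, likelihood bands and the monthly counts for the hypothetical domain are all assumptions of the example; the counts are shaped like the AMD case above (a quiet year, four elevated months, then quiet again).

```python
from statistics import median

# Illustrative weights (an assumption of this example, not DarkSonar's formula):
# a leaked plaintext credential is more directly usable than a hashed one, which
# in turn matters more than a bare address with no credential attached.
WEIGHTS = {"plaintext": 3.0, "hashed": 2.0, "email_only": 1.0}

# Constructed monthly counts of newly observed unique entities for a hypothetical
# domain: twelve quiet months, four months of heavy exposure, then quiet again.
SAMPLE_MONTHS = [
    ("2021-01", {"plaintext": 2, "hashed": 12, "email_only": 60}),
    ("2021-02", {"plaintext": 3, "hashed": 15, "email_only": 70}),
    ("2021-03", {"plaintext": 2, "hashed": 10, "email_only": 55}),
    ("2021-04", {"plaintext": 4, "hashed": 18, "email_only": 80}),
    ("2021-05", {"plaintext": 3, "hashed": 14, "email_only": 65}),
    ("2021-06", {"plaintext": 2, "hashed": 11, "email_only": 58}),
    ("2021-07", {"plaintext": 3, "hashed": 16, "email_only": 72}),
    ("2021-08", {"plaintext": 2, "hashed": 13, "email_only": 61}),
    ("2021-09", {"plaintext": 4, "hashed": 17, "email_only": 78}),
    ("2021-10", {"plaintext": 3, "hashed": 12, "email_only": 63}),
    ("2021-11", {"plaintext": 2, "hashed": 14, "email_only": 66}),
    ("2021-12", {"plaintext": 3, "hashed": 15, "email_only": 69}),
    ("2022-01", {"plaintext": 40, "hashed": 150, "email_only": 300}),
    ("2022-02", {"plaintext": 55, "hashed": 190, "email_only": 380}),
    ("2022-03", {"plaintext": 48, "hashed": 170, "email_only": 350}),
    ("2022-04", {"plaintext": 35, "hashed": 140, "email_only": 290}),
    ("2022-05", {"plaintext": 4, "hashed": 16, "email_only": 70}),
    ("2022-06", {"plaintext": 3, "hashed": 13, "email_only": 62}),
]


def exposure_score(counts: dict) -> float:
    """Collapse the three entity counts for one month into a single number."""
    return sum(w * counts.get(k, 0) for k, w in WEIGHTS.items())


def robust_z(score: float, history: list) -> float:
    """Distance of `score` from the median of `history`, in scaled-MAD units.

    Median/MAD is used instead of mean/stdev so that a few spike months do not
    inflate the baseline and mask the elevated months that follow them.
    """
    med = median(history)
    mad = median([abs(h - med) for h in history])
    scale = 1.4826 * mad  # makes MAD comparable to a standard deviation
    if scale == 0:
        return float("inf") if score > med else 0.0
    return (score - med) / scale


def relative_signal(monthly_counts: list, window: int = 24, min_history: int = 6) -> list:
    """Return (month, score, z) per month; z is None until enough history exists."""
    scores = [exposure_score(c) for _, c in monthly_counts]
    out = []
    for i, (month, _) in enumerate(monthly_counts):
        history = scores[max(0, i - window):i]  # trailing window, current month excluded
        z = robust_z(scores[i], history) if len(history) >= min_history else None
        out.append((month, scores[i], None if z is None else round(z, 2)))
    return out


def elevated_months(signal: list, threshold: float = 2.0) -> list:
    """Months whose score sits at least `threshold` scaled MADs above baseline."""
    return [m for m, _, z in signal if z is not None and z >= threshold]


def likelihood_band(z) -> float:
    """Map the relative signal to a coarse likelihood (bands are an assumption)."""
    if z is None or z < 1.0:
        return 0.2
    if z < 2.0:
        return 0.5
    return 0.8


def risk_score(z, impact: float) -> float:
    """Risk = likelihood x impact, the combination used in the generic risk model."""
    return likelihood_band(z) * impact


if __name__ == "__main__":
    signal = relative_signal(SAMPLE_MONTHS)
    for month, score, z in signal:
        print(month, score, z)
    print("elevated:", elevated_months(signal))
```

Two design points a practitioner would care about: the baseline excludes the current month (otherwise a large spike partly hides itself), and it is robust to the spike months it has already seen, so the fourth elevated month is still flagged even though three large months now sit in its history. With a mean/stdev baseline that fourth month would fall below a 2-sigma threshold on these same numbers.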

Entity Explore

Entity Explore provides information about entities in DarkOwl’s entity database. Using the Entity Explore or the Entity API allows an organization to see all emails, IPs, credit card and bin numbers, and crypto addresses. Additionally, when viewing emails, all plaintext and hashed passwords can be sorted and analyzed. For financial institutions, credit card numbers and bin numbers provide a notion of financial exposure for their risk calculations. Organizations can also search for IP addresses of their sensitive infrastructure points to determine if and how those IP addresses are being discussed on the darknet.

The example below looks at Entity results for Honda.com and illustrates how a company can use Entity Explore to assess their credential exposure within Vision UI.

Figure 3: Email Entities for honda.com; Source: DarkOwl Vision

Vision Searches

Additionally, DarkOwl Vision UI provides tools to focus an organization’s search of darknet content. Group searches enable an organization to focus on forums and ransomware sites. Similarly, queries can focus on specific sources, such as Telegram content. Search blocks provide terms that can be used to focus on insider attacks and exclude results from search engines.

After a recent product update, Vision now allows users to more easily search for specific CVEs. This enables an organization to find discussions of exploiting vulnerabilities relevant to software they run on their network. Figure 4 shows a forum discussion about an exploit for CVE-2022-30190, a Microsoft Office vulnerability that hackers can leverage for remote code execution.

Figure 4: DarkOwl Vision search reveals an exploit based on CVE-2022-30190; Source: DarkOwl Vision

Manage Third Party Risk

As the data in Table 1 shows, third-party vendors pose a significant risk to businesses of all sizes. Most organizations don’t even know who has access to their sensitive information. This is in part due to the fact that, typically, an organization does not have adequate insight into the protection mechanisms a third party uses to safeguard their data.

To fill in this gap, DarkSonar provides an organization with a risk metric for their third-party vendors based on email exposure on the darknet. This enables an organization to better understand the risk of a third-party. 

Figure 5: Example of a third-party vendor attack, where the Cancer Centers of Southwest Oklahoma’s data was compromised through third-party cloud provider Elekta. While both companies exhibit an increase in their DarkSonar signal, Elekta’s is elevated higher five months prior to the attack.

Figure 5 gives another case study example of how DarkSonar can be used to forecast a third-party attack. In this case, the Cancer Centers of Southwest Oklahoma’s third-party cloud-based storage provider, Elekta, was the victim of a data breach in April 2021.

During the attack, unauthorized personnel accessed the protected health information of 8,000 oncology patients from the Cancer Centers of Southwest Oklahoma. While both companies experienced an increase in DarkSonar by the time of the attack, the third-party vendor, Elekta, was elevated higher for longer prior to the attack.

Help Determine the Potential Likelihood of Threat with DarkSonar

Calculating organizational risk is a combination of the likelihood of a threat and the adverse impact it may have on your organization. Overall, DarkSonar exposure signals can help to indicate when the likelihood of a particular attack increases. In fact, in a study of 237 publicly disclosed data breaches and ransomware attacks from 2021 and 2022, DarkSonar was shown to have an elevated score within several months for 74% of the attacks. 

Given that such a large percentage of cyberattacks start with an email, DarkSonar can be particularly beneficial to an organization in determining the likelihood of an attack.

Conclusions

Darknet data includes a variety of information relevant to organizational risk. Utilizing DarkOwl’s data sources enhances an organization’s ability to understand the threats posed to it, manage third-party risk, and potentially determine the likelihood of a threat. Modeling risk enables an organization to both understand its weaknesses and take mitigating actions to protect itself from loss of data, profits, and reputation.


Contact us today to learn how to monitor your darknet exposure.

Tax Fraud on the Darknet and Deep Web: 2023 Update

April 17, 2023

Last year, we covered some emerging trends around tax fraud that our analysts found on the dark web. This year, we’re continuing that theme by highlighting some of the most recent content our analysts found in DarkOwl Vision ahead of tomorrow’s Tax Day. 

Read on to see examples of the various forms of tax fraud being proliferated on the darknet, deep web, and adjacent platforms such as Telegram.

Note: In each example, a screenshot is provided that captures the listing in its original source location, followed by a screenshot of the result as it appears in DarkOwl Vision, our searchable database of darknet content.

Recent Marketplace Listings Aimed at Tax Fraud in DarkOwl Vision

Example Listing: Telegram

Posted on April 4th, 2023 – The Telegram shop FixCombo MarketPlace has numerous recent listings for tax fraud products such as tax returns.

In this example, an advertisement points fraudsters to another Telegram channel that allegedly sells W2 forms as part of its various product listings. In many of these listings, the offers include other associated information that enables criminals to commit digital identity theft, including sensitive information such as Social Security Numbers, driver’s license images and information, past tax returns, W2s, and more.

Figure 1: Screenshot of Listing for PII to Commit Tax Fraud on FixCombo Marketplace (Source, Telegram)
Figure 2: Screenshot of Listing for PII to Commit Tax Fraud on FixCombo Marketplace (Source, DarkOwl Vision)

Example Listings: Dark Web

Posted on March 16, 2023 – Nemesis Market is a dark web onion site that requires authentication to gain access. This marketplace has become more popular in recent months – likely because users are seeking a new outlet as other well-frequented marketplaces continue to be taken down in law enforcement operations, such as that against Hydra Market during the summer of last year.

In this example, the vendor “Equifax” is selling a 2023 tax fraud product, including all the associated PII needed to illicitly file a tax return on another person’s behalf, for $69 USD.

Figure 3: Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, Tor)
Figure 4: (Continued) Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, Tor)
Figure 5: Screenshot of Tax Fraud Listing on Nemesis Marketplace on Tor (Source, DarkOwl Vision)

Posted on March 25, 2023 – This listing for Australian tax return fraud tutorials was posted on the authenticated hacking forum CryptBB. The well-known onion site is predominantly used by English language speakers and is a darknet site popular among competent hackers, carders and programmers. Many also consider this forum to be a good place to develop one’s darknet persona and to learn how to improve one’s hacking skills.

In this example, the tutorial was posted alongside a download link, which could point to a secondary motive for the vendor, i.e. installing malware on the machines of those seeking to download the tutorial.

Figure 6: Screenshot of Country-Specific Tax Fraud Mechanisms on Dark Web Market CryptBB (Source, Tor)
Figure 7: Screenshot of Country-Specific Tax Fraud Mechanisms on Dark Web Market CryptBB (Source, DarkOwl Vision)

Example Listing: Deep Web

Posted on March 7, 2023 – This posting on the deep web site XSS is for a 2023 – 2024 “Tax Refund Method Tutorial.” Certain sections of the forum require payment via escrow services in order to receive full access.

XSS is considered to be one of the most popular deep web hacking forums among Russian cybercriminals.

Figure 8: Screenshot of Tax Refund Tutorials on the Deep Web (Source, XSS)
Figure 9: Screenshot of Tax Refund Tutorials on the Deep Web (Source, DarkOwl Vision)

Fraud is one of the most common motivations for crime on the darknet, and comes in many different varieties. To dive deeper, our analysts highlighted some other methods used to commit fraud in a webinar that you can watch on demand.


Learn more about how DarkOwl can help your organization detect and investigate fraud by contacting us here.
