Botnets and ransomware for hire. Stolen credit card numbers for sale. Drugs, guns and ammunition for purchase. Hitmen for rent. Chances are that anything shady going on online is taking place on the dark Web.
It is a small and hidden section of the Internet that Google cannot crawl. Because its key characteristic is anonymity, it is attractive to people, especially criminals, who want to remain “unsearchable”.
Cybersecurity expert Ziv Mador said international cooperation among law enforcement agencies is needed to nab these criminals because their location, operations and attacks are usually in different countries.
Law enforcement agencies face a long and tough journey to bring the cyber criminals to justice, said Mador.
Often they have to “travel” to the dark web to unmask them and to collect evidence. Collaboration between law enforcement agencies can also be slow as countries have different judicial and legal processes.
Despite this, there have been successes, said Mador, vice-president of security research for the SpiderLabs team at Trustwave, which is a Singtel company. He was speaking at the Singapore International Cyber Week held at Suntec Convention Centre last week.
He cited the arrest of spam kingpin Peter Severa last year by Spanish authorities as an example of international collaboration. Severa, a Russian programmer, was in Barcelona when he was arrested and then extradited to the United States.
There he was successfully convicted for operating the Kelihos Botnet which had been used to facilitate malicious activities. These included harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software. He is to be sentenced soon.
“Security vendors collect and analyse the intelligence, but we don’t have the authority to arrest. We cooperate with the law enforcement agencies, by sharing our intelligence,” said Mador.
Collaboration among law enforcement agencies is critical because often the perpetrators are in one country while their computers and servers are located in another nation, he added.
Mador, who is in charge of security research at SpiderLabs, heads a large team of cybersecurity researchers. They include more than 150 ethical hackers and digital forensic investigators who help organisations fight cybercrime, protect data and reduce risk.
They also identify global threats and produce the proprietary intelligence that powers Trustwave cybersecurity solutions and managed security services.
Research into the dark Web also shows that stolen Singapore credit cards are being sold at a higher price than those from other countries.
Each costs about US$50 instead of US$30 for other cards because the thieves believe Singapore card holders are wealthier, with higher credit limits. Besides, Singapore credit cards are also more trusted and unlikely to cause suspicion among merchants.
Mador explains that the route to unmasking the cyber criminals is through public forums on the dark Web.
Access to the dark Web is via special routing software such as Tor (The Onion Router), which anonymises the identities of users.
“Membership to these forums is mostly by invitation only. There’s a vetting process and individuals have to be vouched for by current members,” explained Mador.
“Once the individuals get in, they have to create a profile, get to know people and gain trust,” he added.
Once the trust is gained, then law enforcement officials and security analysts can start moving around in the dark Web to identify the criminals and collect evidence.
Ironically, the public forums are anything but chaotic. Members have to abide by forum rules which mirror the community guidelines of many websites. They include:
– Forum members are not allowed to engage in threatening behaviour towards other members.
– Only quality posts that benefit members are allowed.
– No attempts must be made to infect the forums with malware.
– Respect the privacy of members.
Rules are enforced by the forums’ administrators. Break the rules five times and members can be kicked out, said Mador.
Arguments on the public forums are settled via conflict resolution. The forum administrator nominates an arbitrator who, like a judge, collects evidence and negotiates a deal between the two parties.
A defendant who refuses to pay the penalties when found guilty is marked as a “ripper” or a scammer, which means he or she is not to be trusted.
CORRECTION at 08/10/2019 5:38pm: An earlier version of the story misspelt cybersecurity expert Ziv Mador’s name. This has been corrected. We are sorry for the error.