Getting to know the Cyber Underground

Being updated on recent news is just one piece of the puzzle. You should at least know what the underground world looks like, how the underground economy operates, what kind of information they buy and sell, and what the ‘services’ being sold cost, among other things.

As soon as you understand all of the above you might get a little bit scared – but this is an important part of your knowledge of your enemy and one of the first steps in building adequate defenses.

Rule: never visit underground cyber-crime websites / communities from work. Never do it using an unprotected desktop or via an unprotected network – a VPN service is a must and a minimum. Use hardened sandboxed browsers and / or virtualized operating systems.

Most of the underground communities operate in closed forums and in the Tor network under domains ending with .onion – which are only accessible if you are on the Tor network as well. There are Tor search engines and other sites – if you get creative with your searches you will surely find what you’re looking for. Hint: criminals operate with digital and non-digital goods – finding a digital marketplace for one usually leads to a seller selling the other.

You can see everything being sold underground. For example, this recent 0-day exploit:

[Image: underground exploit market listing]

If it’s not clearly visible on the image above: this is the MS15-034 Microsoft IIS Remote code execution exploit, sold for 517 Bitcoins, or roughly $121 000 at the time of this writing.

On the sidebar of the image you can see 4 other 0-day exploits being sold, along with one 1-day private exploit.

Considering the money that could be made with this exploit, which allows remote code execution on almost all IIS installations globally, this price is peanuts compared with the return on investment for whoever buys it.

To gain a glimpse into this world, just download the Tor browser from here:

https://www.torproject.org/projects/torbrowser.html.en

Once done, you will be able to access all Tor resources and browse privately and of course, will be able to see all Tor hidden service websites, such as this underground search engine:

http://grams7enufi7jmdl.onion

If you search for “private exploit” the search engine returns 417 results at the time of this writing. This is no Google and the results are not as reliable – some are for underground guides on hacking ATMs, others on cashing out stolen credit cards, selling guns, drugs and all the likes you would see on a criminal market place.

Recently (well, more than 2 years ago) criminals started using the I2P (https://geti2p.net/en/) network for their operations as well. Installing the client and getting around in the network will give you some idea of what to expect – data from your organization may be exfiltrated towards the Tor or I2P networks – you must be prepared to recognize and control this traffic coming in and out of your network.

The closed communities are usually forums with a pre-approved list of members – you can only enter if you are invited by a member. Some of them offer paid membership. Just remember that in some countries even accessing such a forum might get you in trouble with the law, so be informed of the local laws before even attempting to visit them.

Some underground communities operate using the SILC protocol – which is similar to IRC in operation but much better protected from snooping.

Some still operate on IRC though – and you will still find plenty of criminals communicating via IRC.

If you are not new to this field you should have plenty of experience communicating this way. If you are new – and we should accept the fact that there are youngsters who have never even used this protocol – start with the program called NetTalk – http://www.ntalk.de/Nettalk/en/ – as it is one of the few free and feature-rich IRC clients for Windows – and work your way through it. Useful channels to join on the FreeNode network are ##security and #linux. A word of advice: do NOT start talking as soon as you join an IRC channel. Spend a few hours reading how others communicate and follow their example. Do not start messaging random people. Be polite and people will help you with your questions.

Once you get used to the IRC channels on FreeNode you will be able to explore the deeper web and join other networks and other channels – just keep quiet and listen as a rule – criminals will sniff you in a second as soon as you start talking and you will be kicked out and banned in no time.

Knowing foreign languages or using Google Translate efficiently will help as well.

I am not willing to share links to underground criminal sites here for various reasons – but simple searches should serve you well; just imagine what they would be willing to sell and how they would “market” their services online – it’s easy.

Note: it is a good idea to block unauthorized VPNs, encrypted channels, IRC/SILC and/or Tor at the firewall level, both egress and ingress.

Encrypted connections originating inside your network and connecting to the outside must exist only on a whitelist basis and preferably connect only to whitelisted addresses.
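As a worked illustration of the two defensive points above (recognizing Tor/I2P/IRC/SILC traffic crossing the perimeter, and allowing encrypted egress only to whitelisted destinations), here is an added example of a small log checker. It is not code from the original article; it runs over constructed flow and DNS log lines in a made-up format, uses default service ports as an assumption (real deployments often move them), and the Tor relay list and TLS allow list are placeholder addresses from the documentation ranges, not a real threat feed.

```python
"""Egress/ingress policy checker over constructed flow and DNS log lines.

Flags traffic that should exist only on a whitelist basis: IRC/SILC, Tor,
encrypted egress to non-whitelisted destinations, and DNS lookups for
.onion / .i2p names (a client that resolves those through the corporate
resolver is misconfigured or leaking, and worth a look either way).
"""
from dataclasses import dataclass
import ipaddress

# Assumption: well-known default ports. Operators can and do change these,
# so treat a port match as a lead, not proof.
PORT_SIGNATURES = {
    6667: "IRC (plaintext)",
    6697: "IRC over TLS",
    706: "SILC",
    9001: "Tor ORPort (default)",
    9030: "Tor DirPort (default)",
}

# Constructed allow list (TEST-NET-3 addresses) for encrypted egress.
ALLOWED_TLS_DESTINATIONS = {"203.0.113.10", "203.0.113.11"}
# Constructed "known Tor relay" list; a real one comes from a threat feed.
KNOWN_TOR_RELAYS = {"198.51.100.7"}
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
HIDDEN_SERVICE_TLDS = (".onion", ".i2p")


@dataclass
class Finding:
    line: str
    direction: str
    reason: str


def direction_of(src, dst):
    """Classify a flow relative to the internal network."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in INTERNAL_NET and dst_ip not in INTERNAL_NET:
        return "egress"
    if dst_ip in INTERNAL_NET and src_ip not in INTERNAL_NET:
        return "ingress"
    return "internal"


def check_flow(line):
    """Constructed format: 'FLOW <src_ip> <dst_ip> <dst_port> <proto>'."""
    _, src, dst, dport, _proto = line.split()
    dport = int(dport)
    reasons = []
    if src in KNOWN_TOR_RELAYS or dst in KNOWN_TOR_RELAYS:
        reasons.append("known Tor relay")
    if dport in PORT_SIGNATURES:
        reasons.append(PORT_SIGNATURES[dport])
    if (direction_of(src, dst) == "egress" and dport == 443
            and dst not in ALLOWED_TLS_DESTINATIONS):
        reasons.append("encrypted egress to non-whitelisted destination")
    return reasons


def check_dns(line):
    """Constructed format: 'DNS <client_ip> <qname>'."""
    _, _client, qname = line.split()
    if qname.lower().rstrip(".").endswith(HIDDEN_SERVICE_TLDS):
        return ["DNS lookup for hidden-service name reached the resolver"]
    return []


def scan(lines):
    """Return one Finding per (line, reason) pair."""
    findings = []
    for line in lines:
        if line.startswith("FLOW "):
            _, src, dst, *_ = line.split()
            findings += [Finding(line, direction_of(src, dst), r) for r in check_flow(line)]
        elif line.startswith("DNS "):
            findings += [Finding(line, "egress", r) for r in check_dns(line)]
    return findings


# Constructed sample log; only documentation/private address ranges are used.
SAMPLE_LOG = [
    "FLOW 10.0.1.5 203.0.113.10 443 tcp",        # whitelisted TLS egress: clean
    "FLOW 10.0.1.5 198.51.100.7 9001 tcp",       # Tor relay on its ORPort
    "FLOW 10.0.1.8 192.0.2.44 6697 tcp",         # IRC over TLS leaving the network
    "FLOW 10.0.1.9 192.0.2.50 443 tcp",          # TLS to an address not on the allow list
    "FLOW 192.0.2.99 10.0.1.20 706 tcp",         # inbound SILC
    "DNS 10.0.1.5 examplehiddenservice.onion",   # leaked hidden-service lookup
    "DNS 10.0.1.6 www.example.com",              # ordinary lookup: clean
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.direction}] {f.reason}: {f.line}")
```

The checker is deliberately conservative in what it calls a hit: a port match alone is a lead to investigate, while a match against the relay list or a `.onion`/`.i2p` lookup is a concrete policy violation. Feeding it real firewall or resolver logs means replacing the two parse functions and the placeholder lists with your own export format and a current relay feed.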