Exploring the Dark Recesses of the Deepweb


Author note: This originally appeared at the defunct Norse Darkmatters blog during the summer of 2015: Exploring the Dark Recesses of the Deepweb (with minor edits).

. . .

Deepweb, Darknet, Darkweb – It’s Deep…

This is my ongoing saga (down the Deepweb rabbit hole) as I journey into the depths of the shadowy underbelly of the underground cybercrime ecosystem. While the black markets are expanding, forums are also evolving.

In Part 1 I questioned deviant mindsets, poked the Onion-pastebin, reminded everyone that there is great value in fresh stolen data and that data has an expiration date (decreasing in value with the passage of time).

I’ve been down under again, into the Darknet – checking out the markets, forums, pasties, and other illicit channels. There is a lot going on down there this week. Hackers, vendors, carders, and the like are beefing up their OPSEC.

Hell is Hot

The Hell forum appears to be growing rapidly, and this may be due in part to all the media attention from the fake OPM hack, as well as the media blast it received last month [CNN, Mashable, Motherboard] when the popular site Adult FriendFinder’s approximately 3.9 million users discovered that their private data had been hacked and posted on the forum.

Change is in the Air

Hell plans to make major forum changes beginning July 1. Fire and brimstone is destined to deluge Hell’s infernal regions, where lethargic and secret profiles tend to lurk. All lurkers, zero posters, introverts, LEs (law enforcement) and media hounds (those that only utilize PMs) will be deleted.

Goodbye, adios and good riddance appears to be the emerging theme among forum members, who also mentioned removing open registration and limiting new members to invite-only status.

PING is MIA

Hell’s main character “ping” appears to have recently left the pit. It’s been over a week (as of this writing) since I’ve jabbered with him. During our last jabber session I mentioned that I thought his forum was full of LE. (I also entertained vague flip-side thoughts that the forum was possibly contrived by LE.)

If only I could keep my jabbers to myself. Either way, Hell is a hotbed.

“ping” has been missing in action since June 16 and some members are voicing fears that he may have been arrested. There is also speculation that he is in the forum and conceivably using a different pseudonym.

Motherboard

Last week PING initially scheduled a Jabber session with Vice Motherboard writer Lorenzo Franceschi-Bicchierai for June 18 – but on Thursday he never logged in and did not respond to Lorenzo’s email.

It is interesting to note that during a prior Jabber session, he told Lorenzo: “if I’m gone for over a day it means that I have been arrested.”

The last email I received from PING was dated Wednesday, June 10. PING’s email appeared somewhat troubled, stating that he planned to regroup due to problems that had risen, that placed him and others at risk. He said that he would keep in touch and let me know how it all played out in the end.

Hell’s Data for Sale

TOX ransomware source code is up for sale, though there is disagreement among cybercriminals about whether the crimeware actually works.

In the carding forum, CharlesAnderson is selling Wells Fargo Bank logins. He allows escrow payments and provides a test account for the leery-minded. All orders are processed within 24 hours, though special requests may take up to 48 hours.

Price For One Account | Account Value
--------------------- | -------------
$40                   | $1000+
$80                   | $2000+
$150                  | $4000+
$300                  | $7000+
$500                  | $15000+

Anderson also claims to have accounts that hold balances as high as $500,000, so all you Lexus buyers need to arrange this type of sale via PM (private message). The seller explicitly states in the forum that he has worked with Wells Fargo Banks for a long time and that the bank is easy to login to with a good VPN.

All information is delivered to the buyer in the following format:

[Image: Darknet format]

Vulns

Near the end of May, King420 posted 120 shelled WordPress sites. Sad to say that many of the hacked sites still have an outdated Apache web server, outdated WordPress core, or both.

The hacked sites run the gamut from a development corporation, a professional speaker, a fishmeal factory, a roofing contractor, a national market research company and a realtor to a health and wellness site that is currently infected with SEO spam.

Though I did not have time to recheck all of the sites, I sampled 10 sites and 4 are still dirty.
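The quick recheck described above (is the Apache server or WordPress core behind a known-good version?) can be scripted from nothing more than a captured HTTP response. The following is an added example, not code from the original post: the sample responses are constructed, and the baseline versions are assumptions chosen for illustration rather than a statement of what was current in 2015.

```python
"""
Added example (not from the original post): flag a WordPress site whose
Apache or WordPress core version is below a chosen baseline, working only
from a captured HTTP response (headers plus HTML body).
The sample responses are constructed; the baselines are assumptions.
"""
import re
from typing import Optional, Tuple

# Assumed "current enough" baselines for this example only.
BASELINE_WORDPRESS = (4, 2, 2)
BASELINE_APACHE = (2, 4, 12)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a dotted version such as '4.1.1' into (4, 1, 1); None if absent."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def wordpress_version(html: str) -> Optional[Tuple[int, ...]]:
    """Read the version WordPress advertises in its <meta name="generator"> tag."""
    m = re.search(
        r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)"', html, re.I
    )
    return parse_version(m.group(1)) if m else None


def apache_version(headers: dict) -> Optional[Tuple[int, ...]]:
    """Read the Apache version from the Server header, if the server discloses it."""
    server = headers.get("Server", "")
    if "Apache" not in server:
        return None
    return parse_version(server)  # "Apache" alone (no version) yields None


def assess(headers: dict, html: str) -> dict:
    """Report which disclosed components sit below baseline.

    A value of None means the component did not disclose a version; that is
    'unknown', not 'fine', so it is reported separately from 'outdated'.
    """
    wp = wordpress_version(html)
    ap = apache_version(headers)
    return {
        "wordpress": wp,
        "wordpress_outdated": wp is not None and wp < BASELINE_WORDPRESS,
        "apache": ap,
        "apache_outdated": ap is not None and ap < BASELINE_APACHE,
    }


# Constructed sample responses: one clearly stale, one that hides its Apache version.
SAMPLE_OLD = (
    {"Server": "Apache/2.2.15 (CentOS)"},
    '<html><head><meta name="generator" content="WordPress 3.9.1" /></head></html>',
)
SAMPLE_NEW = (
    {"Server": "Apache"},
    '<html><head><meta name="generator" content="WordPress 4.2.2" /></head></html>',
)

if __name__ == "__main__":
    for label, (hdrs, body) in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, assess(hdrs, body))
```

Tuple comparison gives correct ordering for versions like 2.2.15 versus 2.4.12, which a plain string compare would get wrong. Treat a missing version as unknown rather than patched: many hardened sites strip the generator tag and the Server version, so absence of a number is no evidence either way.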

MIT hack

Though the recent June 12 MIT (Massachusetts Institute of Technology) data breach netted the Hell forum only a mini-hack of 932 users, Anthony M. Freed reminded me that even mini-hacks can have back doors.

Once again, I ran into the problem of finding no point of contact at MIT to report a data breach. So I did the next best thing and contacted the webmaster. It took MIT until the 14th to patch the hole, but their departmental server is still a mess.

[Image: Deepweb Hell forum MIT hack]

Ironically I found an old Microsoft Darknet paper on the msl1.mit.edu web server:

“There is evidence that the Darknet will continue to exist and provide low cost, high quality service to a large group of consumers.”

Abstract excerpt: The Darknet genie will not be put back into the bottle…

Markets

Agora Market features over 4,100 informational and pirated books in their Info/E-books section:

  • The Basics of Hacking and Penetration Testing in .pdf format by Patrick Engebretson is selling for $0.99 USD [00405970 BTC], and costs $12.30 for the Kindle edition at Amazon.
  • Hack Proofing Your Network (Second Edition) in .pdf format by Ryan Russell and Dan Kaminsky et al., is selling for $1 USD [0.00406637 BTC], and costs $25.83 for the Kindle edition at Amazon.

You can also purchase an “info book” to learn how to “spam efficiently” for $5.03 USD [0.02052039 BTC], and while you are learning to spam “efficiently” you can practice your craft with 12,000 porn email addresses for $40.15 USD [0.16353229 BTC].

[Image: Deepweb Darknet credit card fraud]

Another item of interest is an anti-detect browser going for $5.99 USD [0.0241 BTC], with 75 orders sold since April 18, 2015. This browser is specifically targeted at carders:

“Whether you may be new to carding or experienced, this anti detect browser spoofer will help increase your carding success by 301%! Stop playing around with your money, stop wasting it, stop burning cards, BUY THIS and increase your success. The original price for this product is $400 from the website: http://www.antidetect.org/buy/, I am selling it for a mere fraction of that price!”

Part 1: Darknet Underground Meanderings 

Part III: Down the Darknet Rabbit Hole Again

This post originally appeared at the now defunct Norse Corporation Darkmatters blog. This concludes Part 2 of the 3-part series on my Darknet adventures.
