You are on page 1of 10

A Procysive White Paper

Procysive Corporation 2530 Meridian Parkway Durham, NC 27713 919-806-4305 ph 919-287-2570 fax

Beware the Darknet
By Bradford Hutson, Procysive Corporation Michael Miller, The Molehill Group

© 2010 Procysive Corporation

―beneath the surface web. Understanding the Darknet There is a corner of the Internet where law-abiding citizens dare not to wander. It is where the majority of spam and phishing attacks originate. Like pages on the Darknet. This shadowy online area is variously referred to as dirty address space. from individual data thieves to organized crime syndicates. however. this content is not easily spidered or otherwise accessed by Google and other search engines © 2010 Procysive Corporation Page 2 of 10 . It is a secretive virtual black market that facilitates the storage and exchange of stolen files and other data. Most law-abiding individuals don’t even know that this part of the Internet exists. that area of the Internet that facilitates criminal communication and activity. We examine who accesses the Darknet. It is the refuge of thieves and spammers. We then discuss ways that sites on the Darknet can be discovered and infiltrated. deep web pages are typically invisible to search engines. Unlike the Darknet. in reality. music. it is where lawbreakers exchange criminal contacts. and for what reasons. the deep web contains legitimate content dynamically generated by the host website. Darknet should not be confused with the deep web or invisible web. users range from spammers and phishers to terrorists and large criminal syndicates.‖ the Dark Web. few could gain access even if they wanted to. This Darknet is an effective tool for criminals of all types. A brief history of the Darknet reveals the increasing sophistication of tech-savvy criminals and criminal organizations. we discuss the Darknet. child pornographers and terrorists. and video games. and then postulate on the future of the Darknet and its shadowy users. it is a vast repository of pirated movies.Contents Introduction Understanding the Darknet A Brief History of the Darknet Who Accesses the Darknet— and Why Inside the Darknet Infiltrating the Darknet The Dark Future of the Darknet Summary About Procysive 2 2 3 4 6 7 8 10 10 Introduction In this white paper. which refers to those web pages on the legitimate Internet that are hidden behind forms and password protection. as the physical data havens of the 1980s evolved into cyber sanctuaries for criminal behavior in the 2000s. or the Darknet.

in contrast. facilitate free political speech in those regions where censorship is common practice. in discreet jurisdictions in the Caribbean. Criminals mask their identities with online aliases. and store data in files that have been deliberately altered to avoid detection. infiltration is regularly thwarted. Yahoo!. Data havens have been used to hide tax information from government collectors. in servers built into the sea fort’s hollow legs. or where they’re physically located. These were physical locations where sensitive computerized information and activities could be concealed from the prying eyes of governments and other organizations. It’s a shadow network. with the added benefit of virtually © 2010 Procysive Corporation Page 3 of 10 . physical data havens were becoming more visible and more brazen. more organized surface web. a ―distributed decentralized information storage and retrieval system‖ created by Irish student Ian Clarke. Freenet enabled people to use the Internet without detection. it is less popular with criminals because it is more consistently monitored by law enforcement agencies. the Darknet is the digital equivalent of America’s Wild West. unlike the legitimate or surface web. except that concerning terrorism or child pornography. thus providing the same concealment services as a physical data haven. store pornography and other sensitive content. the evil mirror image of the more civil. hidden from the eyes of the unsuspecting public. host gambling operations. uncontrolled and virtually uncharted. and. HavenCo boasted that it would store any data. illicit websites do not appear in typical search and sell stolen information. a sovereign principality just outside British territorial waters. While the legitimate Internet can also be used for criminal activity. is more difficult to penetrate and monitor. By that point in time. housed on a former WWII-era sea fort in Sealand. physical data havens were being supplanted by virtual data havens that heralded the creation of the Darknet. however. The year 2000 also saw the launch of Freenet. The Darknet. and Bing do not spider this murky area of the web. on a more positive note. and brag about their exploits. It is extremely difficult to determine who uses the Darknet. For example. In the early 1980s. Attempts by outsiders to enter sites on the Darknet are typically blocked. A Brief History of the Darknet The concept of a hidden Internet. is almost as old as the Internet itself. it isn’t widely policed or monitored. What goes on in the Darknet stays secret. foiling attempts to monitor content or track users. the year 2000 saw the establishment of a data haven called HavenCo. By the turn of the 21st century. outside the borders of the public network. The sinister nature of the Darknet is typified by websites that fade in and out of existence in the blink of an eye. which makes it safer for criminal activity. Google. then. the first ―data havens‖ were established. This criminal activity is further fostered by the complete anonymity of the Darknet. In many ways. The Darknet has become a haven for criminals because.

Phishers. a secure staging area for questionable activities – which makes it an ideal refuge for the criminal element. Phishers also use the Darknet to buy and sell mailing lists for their phishing attacks. they also use these servers to house their lookalike phishing websites. It is a place where conversations can be had in nearcomplete anonymity. In the process known as ―carding. all types of unsavory characters frequent the Darknet. and collaborate with other criminals. criminals were quick to discover that they could exchange sensitive and stolen information anonymously in IRC channels. Like spammers. It is. Who Accesses the Darknet—and Why The Darknet is not typically used by the law abiding public. At approximately the same time. all from the safety of their local surroundings. but others down the criminal food chain.anonymous file sharing. This Darknet continues to strengthen and grow. in some cases. use the Darknet to sell or trade that information to other criminal entities. thieves establish their own Freenet websites to sell their wares. These are not necessarily the original data thieves. This combination of Freenet. and use anonymous Darknet servers to stage their spam attacks. Stolen credit card numbers are commonly traded in IRC channels or offered for sale on Darknet bulletin boards. the Darknet is a safe haven for criminals of all stripes.‖ criminals use the stolen information to Page 4 of 10 © 2010 Procysive Corporation . either physically or online. was being discovered by those seeking anonymity online. an Internet protocol first implanted in 1988. as more and more online criminals discover and utilize it to conceal their disreputable activities. it is also not used by everyday file traders. Identity Thieves and Information Traders Criminals who obtain personal information from victims. communicate in ways that are difficult to trace. IRC. indeed. Internet Relay Chat (IRC). and sold without legal interference. online chat. Despite common perception. Spammers Individuals or organizations that send out unsolicited commercial email (UCE) often buy and sell mailing lists on the Darknet. Because it can function as an online hideout or safe house. swapped. Criminals also use the Darknet to turn stolen information into cash. initiators of phishing attacks often use anonymous Darknet servers to stage their email-based attacks. It effectively gives criminals global reach. Instead. and web surfing. and hidden or protected websites soon coalesced into what is now informally known as the Darknet. The Darknet enables criminals to identify and contact large numbers of potential victims. without fear of being tracked by authorities. where purloined data can be stored. people wishing to share pirated music and movies can choose from plenty of peer-to-peer options on the public Internet. and then sell or trade purloined information gained from victims of these attacks. While IRC had and still has its legitimate uses.

They use the Darknet to Page 5 of 10 © 2010 Procysive Corporation . Street Criminals Street criminals typically don’t trade stolen data over the Internet—their unlawful activities seldom have an online component. where victim’s email addresses are bought and sold. video games. an anonymous Internet currency favored by online criminals. Most of these scams are initiated from the Darknet. Freenet. most of them initiated via email. The products purchased in this fashion are shipped to accomplices who then fence the goods for cash. Instead. Scammers The Internet is host to all manner of scams. in some instances. is host to much child pornography. Many large crime syndicates use the Darknet to manage their personnel and activities. gift cards (bought with cash).make unauthorized credit card purchases. For example. in this fashion. music. including movies. and where emails are sent from anonymous servers. Fences The Darknet can be used to exchange both digital data and physical goods. Payment is typically rendered via wire transfer. for a ransom. or 419 Scam. Online thieves use servers on the Darknet to store confidential data stolen from large corporations. which has driven pedophile rings to the relative safety of the Darknet. Fences use Darknet channels and forums to handle stolen property of all types. Media Pirates Servers on the Darknet are commonly used to store and distribute large media files. in particular. including databases of customer names and credit card information. or e-Gold. Child Pornographers Law enforcement regularly polices the public Internet for illegal child pornography. the Darknet serves as the online equivalent of the gangster-friendly bar in the shady area of town. Data Thieves The Darknet functions as a warehouse and clearinghouse for all manner of stolen digital data. if only the victim provides the scammer with his bank account information. They also tend to use Darknet channels to brag about their exploits. back to the victim organizations. pirates who steal distribution copies of first-run movies store those files on the Darknet. Crime Syndicates It isn’t just individuals who habituate the Darknet. presumably to facilitate the transfer of funds. where the scammer tries to convince a victim that he is the recipient of a large sum of money. These include the notorious Nigerian Letter Scam. they use IRC chat channels to trade information about potential targets and find willing accomplices. stored on the service’s anonymous servers. using the Darknet servers to stage further distribution of those movies to file sharing sites on the public web. arranging the trade or sale of ―hot‖ items. and computer software. until they can sell or trade that data to interested third parties—or.

these militant digital rights activists oppose what they view as the use of state and corporate power to control access to all types of works online. Facilitators Not all activity on the Darknet is overtly criminal. It is essentially a decentralized and anonymous network operating over the Internet backbone. initiate spam and phishing attacks. They typically use the Darknet to trade protected information.1 In addition. Inside the Darknet The Darknet today consists of several key components.‖ and access freesites established by other users. These suppliers sell tools or information to less-expert criminals and hackers. Freenet Freenet is a software application that enables users to anonymously share files. and distribute child pornography. Terrorists Terrorist organizations are increasingly turning to the Darknet as both a communications channel and source of funding. where users can only connect to trusted friends and associates. Because it is decentralized.facilitate identity theft. these facilitators are like online arms merchants to the criminal element. As represented by Hacktivismo and the 1984 Network Liberty Alliance. Freesites are used for both legitimate purposes (to post content outlawed by repressive regimes. depending on their activities and needs. Freenet is extremely resistant to attack. which then serves as a source of financing for their operations. The anonymity of IRC channels facilitates clandestine communications. should be free. store and trade stolen data. Criminals Page 6 of 10 1 Dark Web Forum. create Darknet ―freesites. chat anonymously on web forums. believing that all users should have reasonable access to all information posted on the Internet. who use these items to commit cybercrimes. in the process running afoul of numerous copyright laws—even if they themselves do not view their activities as criminal.000 extremist websites and more than 300 terrorist forums on the Darknet. University of Arizona © 2010 Procysive Corporation . Techno-Libertarians and Digital Rights Activists Beyond the obvious criminal element are those who believe in the concept that all online content. with nearly one million messages posted. for example) and for criminal and terrorist activities. Online criminals may frequent some or all of these areas of the Darknet. with at least 2 million copies downloaded to date. even and especially copyrighted content. terrorist organizations are using the Darknet to engage in the trading and sale of stolen digital content. Freenet is the core of the Darknet. Artificial Intelligence Laboratory. In many ways. These so-called technolibertarians adhere to an extreme view of freedom of expression. Some entities use the Darknet to traffic in tools and information of interest or use to the criminal element. especially when operated in Freenet’s darknet mode. research has identified more than 50. Freesites are also difficult to detect. release computer viruses and spyware. In this regard.

or occupy discarded addresses once used by the U.S. but is in general an ineffective approach. the chat channels themselves can be hosted in so-called ―secret mode. conducted in dedicated channels. Spidering the web for dark content covers a broad swatch of possible Darknet sites. for one reason or another. however. It’s difficult work and time consuming. and following whatever threads are exposed.‖ password protected. been abandoned. There are. trade stolen credit card data and other information. spam attacks. which makes it difficult for law enforcement to monitor activity on these sites. although shorter-term use is more common. and thus engage in ongoing conversation. While IRC technically is part of the public Internet. or accessible on an invitation-only basis. IRC is hosted on dedicated servers across the Internet. Some derelict sites are used to house stolen data. but it offers the best results. This means following known offenders as they move from site to site across the web. Online criminals or criminal syndicates take over these ―dark‖ addresses. military in the earliest days of the Internet. one must have an invitation from someone already on a website or in an IRC channel to gain access to that site or channel. Online criminals use these IRC channels to communicate with accomplices. these are forgotten properties. ways to gain access to these sites and channels—providing one can find them in the first place. the Darknet is available primarily by invitation only. IRC Internet Relay Chat (IRC) is a form of real-time text messaging. posing as criminals online to wean information from other criminals. investigating data stored on computers recovered from apprehended lawbreakers. or what others might refer to as ―chat rooms.typically use darknet mode to restrict access from unwanted visitors.‖ Multiple users can simultaneously access the same channel. One approach is to send out search spiders looking for specific properties common to criminally-oriented behavior. That is. to launch computer attacks. Most of these servers do not require users to register for an account. Whatever the origin. A more effective way to discover sites and channels on the Darknet is to utilize time-honored detective techniques. © 2010 Procysive Corporation Page 7 of 10 . been the victims of technical failures or disputes between Internet service providers. and phishing attacks. Derelict Websites Another component of the Darknet consists of formerly legitimate websites that have. particularly in secret or invitation-only IRC channels. These sites might have belonged to now-defunct companies. and buy and sell email addresses (for spam and phishing attacks). This facilitates anonymous use. Infiltrating the Darknet By its nature. ideal for exploitation by the criminal element. even if just for a few minutes or hours. especially for those invitation-only sites and channels. These actions effectively make these protected channels invisible and inaccessible to those without prior knowledge of their existence.

These agents confirm the initial hit and activate the final level of agents. These professionals can then enter the targeted site or channel manually if more information is required. That is. which quickly and efficiently scan the entire web. a ―bot‖ that mimics human behavior and is capable of 24/7 surveillance. then forward that data to Procysive’s cyber intelligence analysts for further investigation. using software programs to crack the site’s passwords. This can be done by tricking a known member of the site to provide an invitation. not the automated behavior typical of search spiders. the human investigator is replaced by an automated software agent. In addition. an agent poses as a member of the criminal element and uses various techniques to gain access to the password-protected sites and channels. it simply isn’t profitable for companies and ISPs to leave such space unused. As the number of derelict sites decreases. Recognizing that avoiding detection is essential to successful infiltration of these sites. Processor agents grab relevant data from the suspected criminal sites. thus concealing their presence. Once inside a Darknet site or channel. CIPACS employs three types of proprietary software agents to infiltrate and monitor known Darknet sites and channels:  The initial level of infiltration is provided by recon agents. or filter through the retrieved data and forward their analysis to the company’s clients. The increasing commercialization of the Internet is leading to a drying up of derelict websites. the investigator can observe ongoing communications and explore stored content. and as tech-savvy criminals invent ways around this newfound surveillance. This non-intrusive process leaves little to no signature behind. Procysive uses this bot-based approach with its Cyber Intelligence Protection and Analysis Service (CIPACS). access can often be gained by surreptitious means. The data retrieved by Procysive’s search engines are forwarded to the company’s human cyber intelligence analysts. there are fewer unused addresses for the criminal element to appropriate. looking for hits on relevant keywords and search strings. including the Darknet. CIPACS disperses its software agents through multiple secure servers located around the globe. the Darknet is constantly evolving. As with the Internet itself. In some instances. as law enforcement and other organizations find ways to infiltrate existing sites. Once a potential hit has been identified. Page 8 of 10   © 2010 Procysive Corporation . software agents are programmed to mimic naturalistic human behavior.Once a Darknet site or channel has been identified. so that monitoring can continue without detection or interruption. The Dark Future of the Darknet Freenet and IRC provide an online haven for criminals today. or by using passwords gathered as part of the previous investigative process. but they may not represent the future of the Darknet. digger agents penetrate further into targeted Darknet sites. Procysive employs several stealth techniques when monitoring Darknet sites.

This is the continuing challenge for cyber investigators—to discover. © 2010 Procysive Corporation Page 9 of 10 . is beginning to use IPv6 as a secondary Freenet channel. as the major search engines improve in their abilities to spider areas of the Internet currently denied to them. infiltrate. will continue to flourish. however. Unfortunately. In response to this increased scrutiny. The criminal element. which provides increased anonymity for those who frequent the Darknet.In addition. The Darknet is also becoming less hidden. the Darknet. These efforts are designed to find more legitimate pages to fuel their search indexes. It is a regrettable truism that today’s criminals are often several steps ahead in technology than are the agencies assigned to track them. One example of this technological disparity concerns Internet Protocol version 6 (IPv6). law enforcement agencies continue to step up their cyber intelligence efforts. the criminal element is being forced further into the dark recesses of the Internet. riding on top of (or tunneling through) the current Internet. but has not yet been widely deployed in the commercial sector. especially in regards to terrorist activities. there is less resistance to providing user information. As long as criminals seek a place to gather and exchange information online. IPv6 was created to provide a larger address space than its predecessor protocol. ISPs are becoming more cooperative with law enforcement and government officials in these efforts. becoming more aggressive in tracking criminals across the Darknet. in whatever form it takes. but the discovery of Darknet content is a beneficial side effect. no equipment currently exists to monitor IPv6 traffic. and shut down these online channels of criminal activity. the new version of the technology protocol designed to succeed the current IP version 4.

Summary  The Darknet is a shadowy part of the Internet used for various types of criminal activity and communication. information traders. password-protected IRC channels. compression. facilitators. child pornographers. The Darknet is used by a variety of swindlers and lawbreakers. scammers. and site protection solutions. data thieves. ID thieves. and active human analysis provides the ultimate in online security for both intellectual and physical assets. fences. infiltrate. and appropriated derelict websites.      © 2010 Procysive Corporation Page 10 of 10 . crime syndicates. as tech-savvy criminals counter increased and more technically sophisticated investigative efforts. and monitor both legitimate and underground websites and services. It is likely that the Darknet will continue to evolve over time. street criminals. The primary components of the Darknet include Freenet freesites. used primarily as tax sanctuaries and places to store confidential data or engage in legally questionable activities. and terrorists. including spammers. deep web monitoring. Various investigate and spidering techniques can be used to discover and infiltrate sites and channels on the Darknet. phishers. Procysive’s technology and services revolve around unique deep web monitoring capabilities—software agents that work 24/7 to scan. About Procysive Procysive specializes in providing online tracking. Procysive’s combination of microdot encoding. encrypted compression. detect. The Darknet evolved from the physical data havens of the 1980s. thus uncovering the criminal activity within.