STE WILLIAMS

Researchers’ Evil Clippy cloaks malicious Office macros

Office macros have long been a vehicle for malicious code. Now, a team of security researchers has exploited Microsoft’s patchy macro documentation to hide malicious code inside innocent-looking macros. Researchers at Netherlands-based cybersecurity consultancy Outflank created a tool they say stops most major antivirus tools from detecting malicious macro code.

In Microsoft Office, macros are small helper programs written in Visual Basic for Applications (VBA). They automate repetitive tasks like dropping a company letterhead into a document or formatting tables. Just as with other programs, attackers can make macros that do malicious things like drop malware onto your computer.

Named after Microsoft’s ill-fated Office assistant from the late nineties, Outflank’s ‘Evil Clippy’ uses some undocumented features in the way Microsoft stores its macros.

Office stores macros in a file format called Compound File Binary Format (CFBF). Evil Clippy compromises macros stored in this format using a technique called VBA stomping.

VBA stomping uses an undocumented feature within CFBF. The format stores the VBA source code for the Office macro, but it also stores a version of that code compiled into pseudo-code (also known as p-code) that is easier for the VBA engine to run.

If the version of MS Office specified in an Office file isn’t the same as the version of Office that opens the file, then the VBA engine compiles the VBA source code from scratch before running it. However, if the versions are the same, then it just runs the p-code instead to be more efficient.

Evil Clippy can replace legitimate p-code with an attacker’s malicious code while leaving the visible source code intact in the file. Then, as long as the attacker can specify the same version of Office in the CFBF file as the version of Office that will open the file, the malicious code will run.

Testing the concept with a well-known macro virus, Outflank found that “all major antivirus engines” missed the malicious p-code and allowed the file through.

“It looks like you’re hiding malicious code…”

In its blog post describing Evil Clippy, Outflank explains several techniques for finding out which version of Office an intended target is running. One involves hiding a tracking pixel in an email. When Microsoft Outlook reads the mail, it will generate an HTTP request that the sender can read to find out the Office version number. Sneaky.

Describing the tool and the conditions that allowed them to create it, Outflank’s team had a few choice words for Microsoft:

Since malicious macros are one of the most common methods for initial compromise by threat actors, proper defense against such macros is crucial. We believe that the lack of adequate specifications of how macros actually work in MS Office severely hinders the work of antivirus vendors and security analysts. This blog post serves as a call to Microsoft to change this for the better.

An ability to target an undocumented flaw like this shows the potential to find flaws in a product with a large attack surface, especially when its underlying mechanics are obscure. It’s worrying news, given last month’s report that 70% of attacks in Q4 2018 targeted Office.

The answer? If you don’t use macros, turn them off. If you need them, at least turn off macros in documents downloaded from the internet (enterprise admins can do that by following these instructions).
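As an added example (not from the article, Outflank or Microsoft’s documentation), the PowerShell below audits and then sets the per-user Office policy values that enforce the two recommendations above: blocking macros in files downloaded from the internet, and optionally disabling macros entirely. It assumes Office 2016/2019/365, whose policy keys live under the `16.0` registry branch; the app list and the `16.0` value are assumptions to adjust for your environment.

```powershell
# Example added here, not part of the article or Outflank's tooling.
# Assumes Office 2016/2019/365 (registry branch "16.0"); older releases use
# a different branch. Run as the user whose Office settings you are checking (HKCU).

$OfficeVersion = '16.0'                      # assumption: adjust for the installed release
$Apps = 'Word', 'Excel', 'PowerPoint'        # assumption: the apps you care about

function Get-MacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            App               = $app
            # VBAWarnings: 1 = enable all, 2 = disable with notification,
            # 3 = disable except digitally signed, 4 = disable all without notification.
            # $null means no policy is set and the user's own setting applies.
            VBAWarnings       = $props.VBAWarnings
            # 1 = block macros in files carrying the Mark-of-the-Web (downloaded from the internet)
            BlockFromInternet = $props.blockcontentexecutionfrominternet
        }
    }
}

function Set-MacroPolicy {
    param(
        [switch]$BlockAll   # disable macros entirely; otherwise only block internet-sourced files
    )
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
        if ($BlockAll) {
            Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
        }
    }
}

# Weak state: no policy set, so a downloaded document can run its macros after one click.
Get-MacroPolicy | Format-Table -AutoSize

# Hardened state: internet-sourced macros blocked for all three apps
# (add -BlockAll if the user does not need macros at all).
Set-MacroPolicy
Get-MacroPolicy | Format-Table -AutoSize
```

In an enterprise these values are normally pushed through Group Policy rather than written per user; the script is useful for verifying on an endpoint that the policy actually landed.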

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/G3aaSsRK5-o/

School lunch company exec arrested for skewering rival’s site

When it comes to school lunch, you’ve got choices.

You can get 1) the French toast sticks, 2) the baked fish sandwich with lettuce and tomato, or 3) to be a ruthless school concession tycoon who hacks into your competition, rips off student data, and tries to anonymously frame them for having crappy security.

Keith Wesley Cosbey, the chief financial officer of a Bay Area company in the student lunch business called Choicelunch, was arrested in April on two felony counts of allegedly choosing menu item No. 3. Or, in legal terms, for “illegal acquisition of student data” from the website of Choicelunch’s archrival, The LunchMaster, of San Carlos, California.

Vishal Jangla, the San Mateo County deputy district attorney, says that Cosbey, 40, is looking at more than three years in prison if he’s convicted of charges of hacking into The LunchMaster’s site to get data about hundreds of students, including their names, their meal preferences, information about allergies, their grades, and more, according to the San Francisco Chronicle.

Cosbey’s been charged with unlawful computer access and fraud, as well as identity theft. Jangla said he hasn’t encountered anybody at the executive level who’s pulled something like this:

Someone who’s an executive, that’s surprising. It’s a first for me.

Cosbey’s accused of not just hacking the data, but also sending it anonymously to the California Department of Education and claiming that The LunchMaster wasn’t appropriately protecting student privacy.

Cosbey hasn’t responded to media inquiries looking for a comment, but Choicelunch provided this statement:

Choicelunch is aware of the allegations and is awaiting more information before we can make a substantive comment. In its 15-year history serving California schools, Choicelunch has always endeavored to provide excellent service to its school lunch customers and will continue to do so while we await resolution of this matter.

Forks and drawn knives

The rivalry between the two lunch companies is no petty squabble. The $15 billion industry involves feeding kids 4.9 billion school lunches annually, according to FoodCorps. It’s a complex business, too: it involves navigating state and federal regulations and reporting requirements, planning menus, negotiating contracts with food distributors, hiring and managing staff, running the daily cafeteria operations, and collaborating with custodial and administrative staff, as FoodCorps tells it. It all differs from district to district, and all those lunches have to ring in at around $1.19 each.

So yes, competition is fierce as companies vie for multimillion-dollar contracts, but there’s also a most particularly fierce history between Choicelunch and The LunchMaster. As the SF Chronicle tells it, in 2014, Choicelunch sued The LunchMaster’s parent company, Nob Hill Catering, over alleged copyright infringement in its online ordering system.

It won. Choicelunch succeeded in getting Amazon Web Services to yank The LunchMaster’s website. That tasted pretty good, so it went in for a second helping, seeking to get the replacement site pulled, too.

“Please, sir, may I have another?” didn’t work out too well for Choicelunch, though: a federal judge slapped down the request and chewed out Choicelunch for overly broad interpretation of copyright laws. LunchMaster’s second website survived.

The Chronicle quoted Ted Giouzelis, founder of The LunchMaster:

We try to serve school lunches, but it’s so complicated sometimes.

The telltale IP address

The hacking is a whole ‘nuther nut ball, though. Giouzelis said that the Department of Education confronted the company about the security concerns, and that’s how it learned about the hack. Staff managed to find the breach and trace it back to an IP address in Danville – that’s where Choicelunch is located – among other locations.

An investigation suggested that the hacker ran an automated program that bombarded the site and revealed the students’ information at one school. The LunchMaster contacted the FBI and the county sheriff in April 2018. Cosbey was arrested following a year-long investigation. He’s now out on $125,000 bond and is due back in court on 22 May.

Giouzelis:

He went to the extreme this time. It’s ruthless.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/itSpHL9QQTM/

Malvertiser behind 100+ million bad ads indicted in the US

The Netherlands has extradited a Ukrainian man to the US to face charges of taking part in a multi-year, international malvertising campaign in which conspirators allegedly attempted to smear malware onto victims’ computers on more than 100 million occasions.

31-year-old Oleksii Petrovich Ivanov was indicted in a court in Newark, New Jersey, on Friday, according to the US Justice Department.

He’s facing one count of conspiracy to commit wire fraud, four counts of wire fraud, and one count of computer fraud. Dutch police have had Ivanov since his arrest on 19 October 2018, after an international investigation led by the US Secret Service in coordination with Dutch law enforcement. Indicted on 3 December 2018, Ivanov arrived in the US last Thursday and has been detained without bail.

A plate of bogus fed to online ad platforms

According to the indictment, between around October 2013 and May 2018, Ivanov and a group of unnamed accomplices allegedly launched online advertising campaigns that came off as legit but which tried to direct unsuspecting visitors toward malware, unwanted ads, and on to other computers that could install malware.

He and his co-conspirators allegedly hid behind fake online personas and phony companies to place ads on third-party sites, such as shopping, news, entertainment, or sports websites. Ivanov and his buddies allegedly told advertising companies they were distributing ads for real products and services and even cooked up false banners and websites showing purported ads. Those advertisements purchased by the ad companies were, however, used to push malware out onto the computers of whoever viewed or clicked on them.

The indictment gave this example of the malvertising campaigns: in June and July 2014, Ivanov allegedly posed as “Dmitrij Zaleskis,” CEO of a fake UK company called “Veldex Limited” to submit a series of malvertisements to an unnamed, US-based internet advertising company for distribution. Two of the campaigns, submitted on 15 July 2014, racked up about 17,328,129 impressions in a matter of days.

Hey, your ads are being flagged as malware, the ad company told Ivanov – repeatedly. He allegedly denied any wrongdoing and talked the company into continuing to run the malverts – for months.

After the malverts were flagged by multiple online advertisers and advertising server platforms, Ivanov and others are alleged to have lied and denied that their ads were up to no good. When those ads were banned for being malicious, the conspirators allegedly simply switched to new online advertising companies, using new fake identities to buy more advertisements: the malvert version of Whack-a-Mole.

The gang also allegedly used fictitious identities to register internet domains that hosted malvertising and launched advertising campaigns that were purportedly legitimate. Ivanov and co-conspirators also allegedly tried to sell access to botnets made up of the systems that they managed to infect.

Lots of victims

As we’ve seen before, even trusted, well-known websites can get polluted by malvertising. Over the course of one weekend in 2016, we saw the sites of the BBC, Newsweek, The New York Times and MSN all get infected.

The pain is spread all around: it hurts the victims whose computers are infected with malware after they visit what are normally boring, trusted sites, seeking what’s typically useful information; it hurts the sites that are affected; and it gouges a hole into what should be the profits of ad networks.

Recent big busts

Lately, US authorities have been cracking down on the ad fraudsters behind all that pain. In November, the US charged eight men from Russia and Kazakhstan with running a vast ad-fraud scheme that milked a total of $36 million from advertisers.

They raked in the money via two systems. One, dubbed Methbot by the researchers who discovered it in 2016, was a farm of 1,900 datacentre servers rented to host 5,000 spoofed websites that boasted bogus traffic coming in to equally fictitious sites made to look like real ones, including CNN, the New York Times, CBS Sports, and Fox News. The suspects allegedly made an estimated $7 million from what was basically a computer program talking to itself.

That ill-gotten gain was multiplied about four times by the other system, called 3ve, a hugely profitable clickfraud botnet comprising 1.7 million computers infected with the Kovter malware that ran between December 2015 and October 2018. By generating fake traffic to ads, the gang allegedly pulled in an estimated $29 million with 3ve.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n8mzzMBzZcA/

Latest Android security updates, and Google to fix patch delays for Pixel

Google released its May security update for Android this week – but how many Android users will be lucky enough to get it this week, or even this month?

If you own one of Google’s Pixel devices, the answer is immediately. If you’re among the bulk of Android users who own smartphones made by other vendors, that security update could be anytime between this month and several months hence.

It’s a confusing and unsatisfactory situation Google’s been trying to solve for several years, and this week it detailed how it plans to improve things in the next version of Android, currently known as ‘Android Q’.

Currently, Google’s security updates arrive via phone makers as updates that incorporate elements proprietary to each model and vendor. Inevitably, this takes time.

According to details released at the Google I/O 2019 developer conference and in an interview with The Verge, the company’s ‘Project Mainline’ for Q will adopt a radically different approach, updating a list of 14 OS modules over-the-air straight from the Play Store.

Reportedly, those modules are:

  • ANGLE
  • APK
  • Captive portal login
  • Conscrypt
  • DNS resolver
  • Documents UI
  • ExtServices
  • Media codecs
  • Media framework components
  • Network permission configuration
  • Networking components
  • Permission controller
  • Time zone data
  • Module metadata

In other words, updating these elements will be done at Google’s direction, getting rid of the middleman.

However, an unspecified number of modules will still be updated via the monthly patch cycle. The scheme will also only cover devices that shipped with Android Q. Anyone who runs an older version (apparently, including Android 9 devices updated to Android Q) will need to update via the conventional channel.

Perhaps the biggest question mark of all is that, according to The Verge, device makers won’t be compelled to adopt the scheme. Presumably, because it’s a desirable feature, Google is assuming the majority will want to be on the inside.

This month’s Android patches

It’s a relatively light patching load this month, with only 15 CVEs, including 4 remote code execution (RCE) flaws rated critical, 10 rated high and 1 moderate across the two patch levels, 2019-05-01 and 2019-05-05 (see last month’s coverage for an explanation of the difference between the two patch release dates).

Severe flaws include the RCEs in the System, CVE-2019-2045, CVE-2019-2046, and CVE-2019-2047. However, Google rates the worst as being CVE-2019-2044 in the Media Framework, which it says could:

Enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process.

There’s also the usual bundle of fixes for proprietary Qualcomm components, which this month is also a modest 15, including 4 rated critical.

Bear in mind that if your Android device is earlier than version 7.x, you don’t get any of these updates and you’re on your own.

If your Android device runs 7, 8, or 9 and isn’t a Google Pixel, the May updates will appear – at some point.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/amd3gtKw1FE/

Airbnb host thrown in the clink after guest finds hidden camera inside Wi-Fi router

An Airbnb “superhost” has been arrested and jailed after a guest discovered a camera hidden inside an internet router placed in the bedroom.

The perv had picked on the wrong woman. Yunfei (her online alias) works in IT security and always checks hotel rooms that she stays in. She became immediately suspicious when she arrived at the apartment in Qingdao in China’s Shandong province.

“I found a motion sensor monitor at the flat’s entrance and two in the two bedrooms, which is odd since the flat had not been renovated for smart-home automation,” she told the Beijing Youth Daily.

She stuck stickers on the sensors and turned them toward the wall before embarking on a deeper search, checking the TV and smoke detectors for hidden cameras. It was when she spotted the internet router in the bedroom, facing the bed, that she began to get really suspicious, however.

One of the lights that indicates an Ethernet connection to one of the ports in the back was slightly different to the others. On closer inspection it turned out that the four-port router had five lights. She found a picture of the same router online: it only had four lights.

So she unscrewed the device and found a camera carefully installed behind the fifth hole, complete with memory card. “I immediately called the police after finding the card,” she explained. “They came and took away the equipment,” the South China Morning Post reported on Tuesday.

The “customized” router in question. Photo: Sina

She had never met the man and had exchanged details with the Airbnb host over email. She paid him 1,700 yuan ($250) for three nights – which Airbnb later reimbursed complete with an apology. The police later confirmed that they had arrested the owner and given him a 20-day jail term.

And now we take you to Ireland

Last month, guests at an Airbnb in Ireland reported a very similar – though slightly less creepy – issue.

The Barker family from New Zealand were staying in Cork when they spotted a hidden camera in the living room of the house. Again it was an IT security bod that discovered it: Andrew Barker ran a scan of the home’s Wi-Fi network and spotted a live feed taken from a camera concealed within a smoke detector.

According to the mom Nealie Barker, Airbnb’s response in this case was less than ideal – they dismissed her complaint, as did the owner of the property. The family left and stayed at a local hotel instead.

The Ireland home was still available to rent, prompting the family to contact media outlets. Soon after the story appeared on CNN, Airbnb said it was taking down the listing, said that its “original handling of this incident did not meet the high standards we set for ourselves” and refunded the family. The Chinese flat listing has already gone.

Airbnb’s official policy is that hidden cameras are prohibited but the company does not carry out regular audits of all its properties and so has no way of knowing whether there are hidden cameras or not.

In short, it’s worth being a little paranoid if you are staying in a stranger’s house. Best advice: scan the house network for anything unusual and check or unplug any device in the bedroom. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/08/airbnb_host_jailed/

Want rootkit-level access without the hassle? Enter, LightNeuron for Exchange Server

A recently uncovered malware infection uses the basic functions of Microsoft’s Exchange Server to remotely monitor and control computer systems.

Researchers at ESET said this week the software nasty, known as LightNeuron, is particularly difficult for admins to detect as it takes advantage of legitimate components within Exchange.

Specifically, ESET says, LightNeuron runs a combination of a poisoned DLL and a specially-crafted Transport Agent. Designed for things like spam filtering and screening attachments, Transport Agents analyze all messages going in and out of a server.

Understandably, getting a malicious Transport Agent on a server (such as via a PowerShell command) would be particularly useful for someone wanting to spy on a company, and a bad thing for admins.

“To our knowledge, leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen,” ESET said.

“Moreover, in the few cases we studied, LightNeuron was running with SYSTEM privileges. It is typically hard to gain this level of privilege on a Microsoft Exchange server, as it is one of the most critical assets in an organization. Thus, once compromised, it is likely that it will stay undetected for months or years.”

The second half of the infection is a malicious DLL that processes and executes additional commands. The library is able to carry out orders to do things like send mail, log and transmit activity and modify messages that travel over the server.

Sending those commands requires embedding them into file attachments. In the case ESET observed, this was done by steganography: hiding the commands inside the bytes of a PDF or JPG file.

The attacker would put the command into the file and send it as an attachment in a message to the infected server. The message would be spotted by LightNeuron’s transport agent, which would then pass it along to the DLL, where the image information would be accessed and any commands within it executed.

Thus, the bad guys (in this case Turla, a long-running operation targeting diplomatic operations in Europe and the Middle East) are able to keep remote access and control of Exchange Servers without ever catching the eye of malware or spam filters on the infected machine.

Even if it is caught, wiping out the infection with anything short of a complete rebuild of the server is a tedious process.

“The cleaning of LightNeuron is not an easy task,” ESET explained.

“Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails.”

Rather, the security bod recommends that admins instead lock down the openings used to get LightNeuron on a server in the first place: admin accounts should be well-secured with 2FA, PowerShell command access should be strictly limited, and Transport Agent installations should be closely monitored. ®
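As an added example (not ESET’s code and not from the article), the following PowerShell turns that last recommendation into a check an Exchange admin can run from the Exchange Management Shell. It lists every registered transport agent and flags any that is missing from a baseline, loads its DLL from outside the Exchange install tree, or lacks a valid Microsoft Authenticode signature, then pulls recent `Install-TransportAgent` and `Enable-TransportAgent` invocations from the admin audit log. `$KnownAgents` is a hypothetical baseline to populate from a known-good server; the fallback install path is an assumption.

```powershell
# Example added here; not ESET's code or part of the article. Run inside the
# Exchange Management Shell, where Get-TransportAgent and Search-AdminAuditLog exist.
# $KnownAgents is a hypothetical baseline: populate it from a known-good server.

$KnownAgents = @(
    'Transport Rule Agent',
    'Malware Agent',
    'Text Messaging Routing Agent',
    'Text Messaging Delivery Agent'
)

# Exchange sets ExchangeInstallPath on its servers; the fallback is the default
# install root for Exchange 2013/2016/2019 (assumption).
$ExchangeRoot = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath }
                else { 'C:\Program Files\Microsoft\Exchange Server\V15\' }

function Get-SuspiciousTransportAgent {
    foreach ($agent in Get-TransportAgent) {
        $reasons = @()
        $name = [string]$agent.Identity
        $path = [string]$agent.AssemblyPath

        # 1. Agent name not in the baseline for this server.
        if ($KnownAgents -notcontains $name) {
            $reasons += 'not in baseline'
        }

        # 2. Agent DLL loaded from outside the Exchange install tree.
        if ($path -and -not $path.StartsWith($ExchangeRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
            $reasons += "assembly outside Exchange directory ($path)"
        }

        # 3. Agent DLL without a valid Microsoft Authenticode signature.
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
                $reasons += "signature $($sig.Status)"
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Identity     = $name
                Enabled      = $agent.Enabled
                AssemblyPath = $path
                Reasons      = ($reasons -join '; ')
            }
        }
    }
}

# Who installed or enabled a transport agent in the last 30 days? The admin
# audit log records these cmdlet invocations, which is the "closely monitored"
# part of the advice above.
function Get-RecentTransportAgentChanges {
    Search-AdminAuditLog -Cmdlets Install-TransportAgent, Enable-TransportAgent `
        -StartDate (Get-Date).AddDays(-30) |
        Select-Object RunDate, Caller, CmdletName, ObjectModified
}

Get-SuspiciousTransportAgent | Format-Table -AutoSize
Get-RecentTransportAgentChanges | Format-Table -AutoSize
```

Scheduling the first function and alerting on any non-empty result gives a cheap tripwire for exactly the persistence mechanism described above; the audit-log query only works if admin audit logging is enabled on the organization, which is worth verifying first.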

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/08/exchange_malware_lightneuron/

US foreign minister Mike Pompeo to give UK a bollocking over Huawei 5G plans

America’s foreign secretary is to deliver a telling-off to the UK over the British government’s decision to maintain the Huawei status quo for 5G networks, according to reports.

Mike Pompeo, who is the US Secretary of State, will meet Brit prime minister Theresa May and make a speech mentioning Huawei, reported the BBC.

This reflects America’s long-held position that allowing Huawei equipment into 5G mobile networks would be a bad thing for US interests. Though the Americans’ public position is, perhaps not unjustifiably, that Huawei’s Chinese origin means its equipment could be used as a tool for Chinese state espionage on the West, there has been no public proof that backdoors have been installed in Huawei firmware.

Pompeo will, according to the Beeb, spend a day in Blighty meeting Theresa May, the UK’s current prime minister, lunching with foreign secretary Jeremy Hunt and then having a chinwag with the Archbishop of Canterbury about religious freedom. He recently cancelled a planned meeting with Germany, a country that has been increasingly friendly towards Huawei.

Suspicion is rising that what the US truly fears is Chinese technological domination of the comms tech sector.

The UK Huawei row has determinedly refused to die down. It began boiling over in January, as Huawei started publicly fighting back against US rhetorical attacks, and reached fever pitch when its UK overseers from the Huawei Cyber Security Evaluation Centre revealed the company’s dirty software development laundry to the world.

While Huawei certainly poses a threat through old-fashioned slackness in development practices leaving known holes wide open, so far HCSEC has been unable to find proof of an actual backdoor.

The revelation of the National Security Council’s decision to keep allowing Huawei equipment into the edge (but not the core) of mobile phone networks ended up costing former Defence Secretary Gavin Williamson his job after allegations that he leaked the news to the Daily Telegraph. While the witchhunt found a victim, notably, nobody in the British establishment actually denied that the decision had been made. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/08/mike_pompeo_uk_visit_huawei_fears/

And in this week’s weird news, Feds seize dark-web news site, accuse admins of getting rich off drug cyber-souk

The administrators of a news website dedicated to the dark web have been arrested by the FBI and cops in Israel on suspicion of receiving commission for directing readers to a Tor-hidden souk that sold drugs and weapons.

News and features website Deepdotweb focused on things like noting when markets were on or offline, providing coverage of dark websites being hacked, running reviews of online bazaars, and producing interviews with people who used the underside of the internet. The site was seized by authorities this week, however.

The US Attorney’s Office for the Western District of Pennsylvania granted the FBI a seizure warrant to shut down the site. The case falls under the US Department of Justice’s Computer Crime and Intellectual Property Section and the Organized Crime and Gang Section.

Two Israelis aged 35 and 34, involved in running deepdotweb, were arrested in Tel Aviv and Ashdod in a sting operation led by the FBI, according to The Times of Israel. The pair allegedly received millions of dollars in commission for referring their dot-com’s readers to the dark-web marketplace Wall Street Market, where drugs, weapons, and other illicit goodies could be ordered.

The arrest was made a week after three men in Germany and another one in Brazil were apprehended by Europol for suspicion of managing Wall Street Market. The site, described as the second largest illegal online market, hosted some 5,400 sellers and over a million user accounts, where dark net surfers could purchase things like illicit drugs, weapons, counterfeit goods, and malware using various cryptocurrencies.

European officials seized over €550,000 ($615,563) in cash, as well as hundreds and thousands of Bitcoin and Monero, several vehicles and some computers. Two other people accused of being the top sellers on Wall Street Market were also arrested in Los Angeles. US authorities confiscated $1m in cash, methamphetamine, fentanyl, and weapons in the bust.

That’s not the end of the Wall Street Market rabbit hole, however. The marketplace was embroiled in another scandal just before it was shut down: one of its moderators known online as Med3l1n was accused of blackmailing its users for Bitcoin, demanding digital dosh or he or she would shop buyers to the Feds.

Later, netizens accused the marketplace of operating an “exit scam,” as it absconded with $30m in people’s cryptocurrency held by the site, according to a thread on Dread, a Reddit-like forum for discussing dark-web markets. ®

PS: Hackers stole more than 7,000 Bitcoin worth $40m from Binance, the enormo-crypto exchange admitted on Tuesday.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/08/deepdotweb_take_down_fbi/

Remember those stolen ‘NSA exploits’ leaked online by the Shadow Brokers? The Chinese had them a year before

Months before top-tier hacking tools, likely built by the NSA, were leaked to the public by a group calling itself the Shadow Brokers, the exploit code was apparently being used by Chinese state hackers to infiltrate systems.

This is according to Symantec, whose researchers this week said that an operation known as Buckeye was spotted in 2016 using tools from Equation Group, the probably-NSA hacking team that had its code swiped and dumped online a year later in a series of high-profile disclosures.

That China was able to get its hands on the code a year before the public release would suggest that the Equation Group tools were known about and stolen significantly earlier than first thought.

Specifically, the Beijing-backed Buckeye crew was using an exploit tool called Bemstour to infect targets with a backdoor called DoublePulsar. The kit targeted then-unknown vulnerabilities in Windows to open the backdoor and allow hackers to access and monitor their targets.

The malware was used by the hackers to get and maintain access to targets in Hong Kong and Belgium. The package was later modified and used in separate attacks on machines in Vietnam and the Philippines.

“How Buckeye obtained Equation Group tools at least a year prior to the Shadow Brokers leak remains unknown,” Symantec says in its write-up.

“Buckeye disappeared in mid-2017 and three alleged members of the group were indicted in the U.S. in November 2017. However, while activity involving known Buckeye tools ceased in mid-2017, the Bemstour exploit tool and the DoublePulsar variant used by Buckeye continued to be used until at least September 2018 in conjunction with different malware.”

While Symantec could not say exactly how China had been able to get its hands on the US government’s attack tools, one possible explanation is that they spotted the code being used to attack their systems and simply tweaked the malware payload to their own ends.

“Based on the timing of the attacks and the features of the tools and how they are constructed, one possibility is that Buckeye may have engineered its own version of the tools from artifacts found in captured network traffic, possibly from observing an Equation Group attack,” Symantec explained.

Such a scenario was outlined last year at the RSA conference in San Francisco, when researchers Kenneth Geers and Kārlis Podiņš showed how a government could reverse engineer and weaponize attack tools used against them with relative ease simply by swapping out key components (such as the targeted files or malware payload) with their own tools.

The key takeaway from that talk was “You don’t launch a cyber weapon, you share it,” a statement that may perfectly sum up this week’s findings from Symantec. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/07/equation_group_tools/

The Dark Web is Smaller Than You Think

The number of live, accessible .onion sites amounts to less than 0.005% of surface web domains, researchers report.

The big, scary Dark Web may not be as big or scary as many believe.

Over the years, the Dark Web has garnered a reputation as a nebulous platform for cybercrime. Highly publicized arrests and news stories have fueled the idea that there is a massive network of cybercriminals plotting scams in this corner of the Web. But the actual number of live, reachable onion sites makes up less than 0.005% of about 200 million surface Web domains.

It’s worth noting the Dark Web is defined as any Internet content that requires specific software, configurations, or authorization to access. Oftentimes it’s conflated with the Deep Web, which refers to all parts of the Web not indexed by search engines. The Dark Web includes the Tor network, which consists of onion domains and direct links between them.

“The term has a little bit of a life of its own,” says Garth Griffin of the Dark Web. Griffin is the director of data science at Recorded Future, where analysts recently set out to characterize the entire Tor network as part of a new study. “Anybody can figure out how to use Tor but most people haven’t bothered to do that, so it sort of has this aura of mystique around it.”

To provide clarity on the Dark Web, researchers crawled some 260,000 onion pages to estimate the full reachable Tor network from a starting set of onion sites they pulled from public lists and internal content. They found 55,828 onion domains; of these, only 8,400 (15%) were live sites.

“We were not surprised to find the actual extent of the Tor network is not as broad as it’s talked about,” says Griffin. There are criminal sites where illicit activity happens, he adds, but it’s not the massive machine people assume it is. In the report on their findings, Griffin and Recorded Future’s Juan Sanchez say the common idea of a hidden, mysterious Dark Web is likely attributable to a tiny portion of unpublicized, invitation-only communities on onion sites.

“There’s a set of sites that are kind of obscure, even within the obscurity of the Dark Web,” Griffin continues. “These are sites that might be highly respected in the criminal community.”

On the surface Web, popular sites attract millions of inbound links. Researchers found the most popular Tor site was a market with 3,585 inbound links. The eight onion sites most valued in the criminal community had at most 15 inbound links each, with an average of 8.7 per site. Still, scams abound: one Dark Web typosquatting scheme claims to have defrauded visitors of more than 400 popular onion websites and generated thousands of dollars in Bitcoin.

Dark Web sites are generally unreliable, disorganized, and short-lived as scams and attacks pervade this part of the Internet. When onion servers fall victim to cybercrime, websites follow. Consider Daniel’s Hosting, which provided Tor hosting services to about 6,500 onion sites and caused a massive outage when it was hacked in 2018. While it was eventually back up and running, the downtime represents a common pattern in service outages among onion sites.

The gold standard for websites is 99.999% availability, otherwise known as “five nines.” Facebook’s uptime is about 99.95%, researchers explain for context. Onion sites are typically much lower: even popular markets can have uptime below 90%; one well-known marketplace had 65% uptime at the time the report was published. Some sites simply disappear for good.

It may be smaller than perceived, but the Dark Web is falling under greater scrutiny as law enforcement cracks down on this small slice of cybercrime. Late last week, the world’s second-largest Dark Web marketplace was taken down in an international law enforcement operation. “Wall Street Market” had hosted the sale of illegal drugs, stolen data, fake documents, and malicious software. Its shutdown led to the arrest of three German nationals in the US.

In January, another law enforcement operation shut down xDedic, a Russian language site known for selling stolen identity data and access to compromised servers. As officials continue to investigate and dismantle cybercriminal operations, they force operators to rethink their strategies: marketplaces are now being replaced with smaller forums and individual chats. Cybercrime isn’t limited to the Dark Web – it’s also happening in chat apps and other tools.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/risk/the-dark-web-is-smaller-than-you-think/d/d-id/1334631?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple