
A Procysive White Paper

Procysive Corporation 2530 Meridian Parkway Durham, NC 27713 919-806-4305 ph 919-287-2570 fax www.procysive.com

Beware the Darknet


By Bradford Hutson, Procysive Corporation, and Michael Miller, The Molehill Group

2010 Procysive Corporation

Contents
Introduction
Understanding the Darknet
A Brief History of the Darknet
Who Accesses the Darknet, and Why
Inside the Darknet
Infiltrating the Darknet
The Dark Future of the Darknet
Summary
About Procysive

Introduction

In this white paper, we discuss the Darknet, that area of the Internet that facilitates criminal communication and activity. A brief history of the Darknet reveals the increasing sophistication of tech-savvy criminals and criminal organizations, as the physical data havens of the 1980s evolved into cyber sanctuaries for criminal behavior in the 2000s. We examine who accesses the Darknet, and for what reasons; users range from spammers and phishers to terrorists and large criminal syndicates. We then discuss ways that sites on the Darknet can be discovered and infiltrated, and then speculate about the future of the Darknet and its shadowy users.

Understanding the Darknet

There is a corner of the Internet where law-abiding citizens dare not wander. It is the refuge of thieves and spammers, child pornographers and terrorists. Most law-abiding individuals don't even know that this part of the Internet exists; in reality, few could gain access even if they wanted to. This shadowy online area is variously referred to as dirty address space, beneath the surface web, the Dark Web, or the Darknet. It is a secretive virtual black market that facilitates the storage and exchange of stolen files and other data.

This Darknet is an effective tool for criminals of all types, from individual data thieves to organized crime syndicates. It is where the majority of spam and phishing attacks originate; it is a vast repository of pirated movies, music, and video games; it is where lawbreakers exchange criminal contacts, buy and sell stolen information, and brag about their exploits.

The Darknet has become a haven for criminals because, unlike the legitimate or surface web, it isn't widely policed or monitored. While the legitimate Internet can also be used for criminal activity, it is less popular with criminals because it is more consistently monitored by law enforcement agencies. The Darknet, in contrast, is more difficult to penetrate and monitor, which makes it safer for criminal activity. Attempts by outsiders to enter sites on the Darknet are typically blocked; infiltration is regularly thwarted.

This criminal activity is further fostered by the complete anonymity of the Darknet. Criminals mask their identities with online aliases, and store data in files that have been deliberately altered to avoid detection. It is extremely difficult to determine who uses the Darknet, or where they're physically located. The sinister nature of the Darknet is typified by websites that fade in and out of existence in the blink of an eye, foiling attempts to monitor content or track users. It's a shadow network, the evil mirror image of the more civil, more organized surface web.

In many ways, then, the Darknet is the digital equivalent of America's Wild West, uncontrolled and virtually uncharted. Google, Yahoo!, and Bing do not spider this murky area of the web; illicit websites do not appear in typical search results. What goes on in the Darknet stays secret, hidden from the eyes of the unsuspecting public.

Sidebar: The Darknet should not be confused with the deep web or invisible web, which refers to those web pages on the legitimate Internet that are hidden behind forms and password protection. Like pages on the Darknet, deep web pages are typically invisible to search engines. Unlike the Darknet, however, the deep web contains legitimate content dynamically generated by the host website; this content is not easily spidered or otherwise accessed by Google and other search engines.

A Brief History of the Darknet

The concept of a hidden Internet, outside the borders of the public network, is almost as old as the Internet itself. In the early 1980s, the first data havens were established, in discreet jurisdictions in the Caribbean. These were physical locations where sensitive computerized information and activities could be concealed from the prying eyes of governments and other organizations. Data havens have been used to hide tax information from government collectors, host gambling operations, store pornography and other sensitive content, and, on a more positive note, facilitate free political speech in those regions where censorship is common practice.

By the turn of the 21st century, physical data havens were becoming more visible and more brazen. For example, the year 2000 saw the establishment of a data haven called HavenCo, housed on a former WWII-era sea fort in Sealand, a sovereign principality just outside British territorial waters. HavenCo boasted that it would store any data, except that concerning terrorism or child pornography, in servers built into the sea fort's hollow legs.

By that point in time, however, physical data havens were being supplanted by virtual data havens that heralded the creation of the Darknet. The year 2000 also saw the launch of Freenet, a distributed, decentralized information storage and retrieval system created by Irish student Ian Clarke. Freenet enabled people to use the Internet without detection, thus providing the same concealment services as a physical data haven, with the added benefit of virtually anonymous file sharing, online chat, and web surfing.

At approximately the same time, Internet Relay Chat (IRC), an Internet protocol first implemented in 1988, was being discovered by those seeking anonymity online. While IRC had, and still has, its legitimate uses, criminals were quick to discover that they could exchange sensitive and stolen information anonymously in IRC channels, without fear of being tracked by authorities.

This combination of Freenet, IRC, and hidden or protected websites soon coalesced into what is now informally known as the Darknet. This Darknet continues to strengthen and grow, as more and more online criminals discover and utilize it to conceal their disreputable activities.

Who Accesses the Darknet, and Why

The Darknet is not typically used by the law-abiding public. Despite common perception, it is also not used by everyday file traders; people wishing to share pirated music and movies can choose from plenty of peer-to-peer options on the public Internet. Instead, the Darknet is a safe haven for criminals of all stripes. It is a place where conversations can be had in near-complete anonymity, where purloined data can be stored, swapped, and sold without legal interference. It is, indeed, a secure staging area for questionable activities, which makes it an ideal refuge for the criminal element.

Because it can function as an online hideout or safe house, all types of unsavory characters frequent the Darknet. The Darknet enables criminals to identify and contact large numbers of potential victims, communicate in ways that are difficult to trace, and collaborate with other criminals. It effectively gives criminals global reach, all from the safety of their local surroundings.

Spammers

Individuals or organizations that send out unsolicited commercial email (UCE) often buy and sell mailing lists on the Darknet, and use anonymous Darknet servers to stage their spam attacks.

Phishers

Like spammers, initiators of phishing attacks often use anonymous Darknet servers to stage their email-based attacks; they also use these servers to house their lookalike phishing websites. Phishers also use the Darknet to buy and sell mailing lists for their phishing attacks, and then sell or trade purloined information gained from victims of these attacks.

Identity Thieves and Information Traders

Criminals who obtain personal information from victims, either physically or online, use the Darknet to sell or trade that information to other criminal entities. Stolen credit card numbers are commonly traded in IRC channels or offered for sale on Darknet bulletin boards; in some cases, thieves establish their own Freenet websites to sell their wares.

Criminals also use the Darknet to turn stolen information into cash. These are not necessarily the original data thieves, but others down the criminal food chain. In the process known as carding, criminals use the stolen information to make unauthorized credit card purchases. The products purchased in this fashion are shipped to accomplices who then fence the goods for cash.

Data Thieves

The Darknet functions as a warehouse and clearinghouse for all manner of stolen digital data. Online thieves use servers on the Darknet to store confidential data stolen from large corporations, including databases of customer names and credit card information, until they can sell or trade that data to interested third parties, or, in some instances, back to the victim organizations, for a ransom.

Media Pirates

Servers on the Darknet are commonly used to store and distribute large media files, including movies, music, video games, and computer software. For example, pirates who steal distribution copies of first-run movies store those files on the Darknet, using the Darknet servers to stage further distribution of those movies to file sharing sites on the public web.

Fences

The Darknet can be used to exchange both digital data and physical goods. Fences use Darknet channels and forums to handle stolen property of all types, arranging the trade or sale of hot items. Payment is typically rendered via wire transfer, gift cards (bought with cash), or e-Gold, an anonymous Internet currency favored by online criminals.

Scammers

The Internet is host to all manner of scams, most of them initiated via email. These include the notorious Nigerian Letter Scam, or 419 Scam, where the scammer tries to convince a victim that he is the recipient of a large sum of money, if only the victim provides the scammer with his bank account information, presumably to facilitate the transfer of funds. Most of these scams are initiated from the Darknet, where victims' email addresses are bought and sold, and where emails are sent from anonymous servers.

Child Pornographers

Law enforcement regularly polices the public Internet for illegal child pornography, which has driven pedophile rings to the relative safety of the Darknet. Freenet, in particular, is host to much child pornography, stored on the service's anonymous servers.

Street Criminals

Street criminals typically don't trade stolen data over the Internet; their unlawful activities seldom have an online component. Instead, they use IRC chat channels to trade information about potential targets and find willing accomplices. They also tend to use Darknet channels to brag about their exploits; in this fashion, the Darknet serves as the online equivalent of the gangster-friendly bar in the shady area of town.

Crime Syndicates

It isn't just individuals who frequent the Darknet. Many large crime syndicates use the Darknet to manage their personnel and activities. They use the Darknet to facilitate identity theft, store and trade stolen data, release computer viruses and spyware, initiate spam and phishing attacks, and distribute child pornography.

Terrorists

Terrorist organizations are increasingly turning to the Darknet as both a communications channel and a source of funding. The anonymity of IRC channels facilitates clandestine communications; research has identified more than 50,000 extremist websites and more than 300 terrorist forums on the Darknet, with nearly one million messages posted.[1] In addition, terrorist organizations are using the Darknet to engage in the trading and sale of stolen digital content, which then serves as a source of financing for their operations.

[1] Dark Web Forum, Artificial Intelligence Laboratory, University of Arizona

Facilitators

Not all activity on the Darknet is overtly criminal. Some entities use the Darknet to traffic in tools and information of interest or use to the criminal element. These suppliers sell tools or information to less-expert criminals and hackers, who use these items to commit cybercrimes. In this regard, these facilitators are like online arms merchants to the criminal element.

Techno-Libertarians and Digital Rights Activists

Beyond the obvious criminal element are those who believe in the concept that all online content, even and especially copyrighted content, should be free. These so-called techno-libertarians adhere to an extreme view of freedom of expression, believing that all users should have reasonable access to all information posted on the Internet. As represented by Hacktivismo and the 1984 Network Liberty Alliance, these militant digital rights activists oppose what they view as the use of state and corporate power to control access to all types of works online. They typically use the Darknet to trade protected information, in the process running afoul of numerous copyright laws, even if they themselves do not view their activities as criminal.

Inside the Darknet

The Darknet today consists of several key components. Online criminals may frequent some or all of these areas of the Darknet, depending on their activities and needs.

Freenet

Freenet is a software application that enables users to anonymously share files, chat anonymously on web forums, create Darknet freesites, and access freesites established by other users. It is essentially a decentralized and anonymous network operating over the Internet backbone. In many ways, Freenet is the core of the Darknet, with at least 2 million copies downloaded to date. Freesites are used for both legitimate purposes (to post content outlawed by repressive regimes, for example) and for criminal and terrorist activities.

Because it is decentralized, Freenet is extremely resistant to attack. Freesites are also difficult to detect, especially when operated in Freenet's darknet mode, where users can only connect to trusted friends and associates. Criminals typically use darknet mode to restrict access by unwanted visitors, which makes it difficult for law enforcement to monitor activity on these sites.

IRC

Internet Relay Chat (IRC) is a form of real-time text messaging, conducted in dedicated channels, or what others might refer to as chat rooms. Multiple users can simultaneously access the same channel, and thus engage in ongoing conversation. While IRC technically is part of the public Internet, the chat channels themselves can be hosted in so-called secret mode, password protected, or accessible on an invitation-only basis. These measures effectively make such protected channels invisible and inaccessible to those without prior knowledge of their existence.

IRC is hosted on dedicated servers across the Internet. Most of these servers do not require users to register for an account. This facilitates anonymous use, particularly in secret or invitation-only IRC channels. Online criminals use these IRC channels to communicate with accomplices, trade stolen credit card data and other information, and buy and sell email addresses (for spam and phishing attacks).

Derelict Websites

Another component of the Darknet consists of formerly legitimate websites that have, for one reason or another, been abandoned. These sites might have belonged to now-defunct companies, been the victims of technical failures or disputes between Internet service providers, or occupy discarded addresses once used by the U.S. military in the earliest days of the Internet. Whatever the origin, these are forgotten properties, ideal for exploitation by the criminal element. Online criminals or criminal syndicates take over these dark addresses, even if just for a few minutes or hours, to launch computer attacks, spam attacks, and phishing attacks. Some derelict sites are used to house stolen data, although shorter-term use is more common.

Infiltrating the Darknet

By its nature, the Darknet is available primarily by invitation only. That is, one must have an invitation from someone already on a website or in an IRC channel to gain access to that site or channel. There are, however, ways to gain access to these sites and channels, providing one can find them in the first place.

One approach is to send out search spiders looking for specific properties common to criminally oriented behavior. Spidering the web for dark content covers a broad swath of possible Darknet sites, but is in general an ineffective approach, especially for those invitation-only sites and channels.

A more effective way to discover sites and channels on the Darknet is to utilize time-honored detective techniques. This means following known offenders as they move from site to site across the web, posing as criminals online to glean information from other criminals, investigating data stored on computers recovered from apprehended lawbreakers, and following whatever threads are exposed. It's difficult and time-consuming work, but it offers the best results.
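The "secret mode", password protection and invitation-only access described under Inside the Darknet are the standard IRC channel modes +s, +k and +i defined in RFC 1459 and RFC 2811. The following Python script is an added example, not code from this white paper or from Procysive: given the raw lines of a captured IRC session (a constructed sample is embedded), it tracks JOIN, MODE and RPL_CHANNELMODEIS (numeric 324) messages and reports which channels carried a visibility-restricting mode and which nicks were seen joining them, the kind of summary an analyst wants when reviewing IRC traffic recovered during an investigation. The channel names, nicks and key are constructed, and the mode-parameter table covers only a subset of the RFC modes.

```python
"""Summarise restricted (secret / keyed / invite-only) channels in a captured
IRC session.  Added example; not from the Procysive white paper.  Sample input
below is constructed, not real traffic."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Channel modes that consume a parameter when set / unset (RFC 1459, RFC 2811 subset).
PARAM_MODES_SET = set("klovbeI")
PARAM_MODES_UNSET = set("kovbeI")
# Modes that hide a channel or gate entry to it.
RESTRICTING_MODES = {"s": "secret", "p": "private", "k": "password (key)", "i": "invite-only"}

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


@dataclass
class ChannelState:
    modes: Set[str] = field(default_factory=set)
    key: Optional[str] = None
    joined_by: Set[str] = field(default_factory=set)


def split_params(raw: Optional[str]) -> List[str]:
    """Split an IRC parameter string; a leading ':' marks the trailing parameter."""
    if raw is None:
        return []
    if raw.startswith(":"):
        return [raw[1:]]
    head, sep, trailing = raw.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return params


def apply_modes(state: ChannelState, mode_str: str, args: List[str]) -> None:
    """Apply a mode string such as '+sik key' or '-k key' to a channel state."""
    adding = True
    args = list(args)
    for ch in mode_str:
        if ch == "+":
            adding = True
            continue
        if ch == "-":
            adding = False
            continue
        needs_arg = ch in (PARAM_MODES_SET if adding else PARAM_MODES_UNSET)
        arg = args.pop(0) if needs_arg and args else None
        if ch in "ovbeI":  # per-user / mask modes do not change channel visibility
            continue
        if adding:
            state.modes.add(ch)
            if ch == "k":
                state.key = arg
        else:
            state.modes.discard(ch)
            if ch == "k":
                state.key = None


def analyse_session(lines: List[str]) -> Dict[str, ChannelState]:
    """Build {channel: ChannelState} from raw IRC protocol lines."""
    channels: Dict[str, ChannelState] = {}
    for line in lines:
        m = IRC_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").upper()
        params = split_params(m.group("params"))
        nick = (m.group("prefix") or "").split("!")[0]
        if cmd == "JOIN" and params:
            for chan in params[0].split(","):
                channels.setdefault(chan, ChannelState()).joined_by.add(nick)
        elif cmd == "MODE" and len(params) >= 2 and params[0][0] in "#&+!":
            apply_modes(channels.setdefault(params[0], ChannelState()), params[1], params[2:])
        elif cmd == "324" and len(params) >= 3:  # RPL_CHANNELMODEIS: <nick> <channel> <modes> [args]
            apply_modes(channels.setdefault(params[1], ChannelState()), params[2], params[3:])
    return channels


def restricted_channels(channels: Dict[str, ChannelState]) -> Dict[str, List[str]]:
    """Map each channel that has a visibility-restricting mode to the reasons."""
    out: Dict[str, List[str]] = {}
    for name, st in channels.items():
        reasons = [RESTRICTING_MODES[m] for m in sorted(st.modes) if m in RESTRICTING_MODES]
        if reasons:
            out[name] = reasons
    return out


# Constructed sample session (hypothetical server, nicks, channels and key).
SAMPLE = [
    ":alice!a@example.net JOIN #public",
    ":alice!a@example.net JOIN #drop",
    ":alice!a@example.net MODE #drop +sik s3cret",
    ":irc.example.net 324 alice #drop +sik s3cret",
    ":bob!b@example.net JOIN #public",
    ":alice!a@example.net MODE #drop -k s3cret",
    ":alice!a@example.net MODE #public +o bob",
]

if __name__ == "__main__":
    chans = analyse_session(SAMPLE)
    for name, reasons in restricted_channels(chans).items():
        print(f"{name}: {', '.join(reasons)}; nicks seen joining: {sorted(chans[name].joined_by)}")
```

`analyse_session` is the entry point if the lines come from a capture file. A channel's +s or +i flag is only visible when the session includes the MODE change or a 324 reply for it, so the report is a lower bound on how many channels were restricted.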


Once a Darknet site or channel has been identified, access can often be gained by surreptitious means. That is, an agent poses as a member of the criminal element and uses various techniques to gain access to the password-protected sites and channels. This can be done by tricking a known member of the site into providing an invitation, using software programs to crack the site's passwords, or using passwords gathered as part of the previous investigative process. Once inside a Darknet site or channel, the investigator can observe ongoing communications and explore stored content.

In some instances, the human investigator is replaced by an automated software agent, a bot that mimics human behavior and is capable of 24/7 surveillance. Procysive uses this bot-based approach with its Cyber Intelligence Protection and Analysis Service (CIPACS). CIPACS employs three types of proprietary software agents to infiltrate and monitor known Darknet sites and channels:

The initial level of infiltration is provided by recon agents, which quickly and efficiently scan the entire web, including the Darknet, looking for hits on relevant keywords and search strings.

Once a potential hit has been identified, digger agents penetrate further into targeted Darknet sites. These agents confirm the initial hit and activate the final level of agents.

Processor agents grab relevant data from the suspected criminal sites, then forward that data to Procysive's cyber intelligence analysts for further investigation.

Recognizing that avoiding detection is essential to successful infiltration of these sites, Procysive employs several stealth techniques when monitoring Darknet sites. CIPACS disperses its software agents through multiple secure servers located around the globe. In addition, software agents are programmed to mimic naturalistic human behavior, not the automated behavior typical of search spiders, thus concealing their presence. This non-intrusive process leaves little to no signature behind, so that monitoring can continue without detection or interruption.

The data retrieved by Procysive's search engines are forwarded to the company's human cyber intelligence analysts. These professionals can then enter the targeted site or channel manually if more information is required, or filter through the retrieved data and forward their analysis to the company's clients.

The Dark Future of the Darknet

Freenet and IRC provide an online haven for criminals today, but they may not represent the future of the Darknet. As with the Internet itself, the Darknet is constantly evolving, as law enforcement and other organizations find ways to infiltrate existing sites, and as tech-savvy criminals invent ways around this newfound surveillance.

The increasing commercialization of the Internet is leading to a drying up of derelict websites; it simply isn't profitable for companies and ISPs to leave such space unused. As the number of derelict sites decreases, there are fewer unused addresses for the criminal element to appropriate.

In addition, law enforcement agencies continue to step up their cyber intelligence efforts, becoming more aggressive in tracking criminals across the Darknet. ISPs are becoming more cooperative with law enforcement and government officials in these efforts; there is less resistance to providing user information, especially with regard to terrorist activities.

The Darknet is also becoming less hidden, as the major search engines improve their ability to spider areas of the Internet currently denied to them. These efforts are designed to find more legitimate pages to fuel their search indexes, but the discovery of Darknet content is a beneficial side effect.

In response to this increased scrutiny, the criminal element is being forced further into the dark recesses of the Internet. It is a regrettable truism that today's criminals are often several steps ahead, technologically, of the agencies assigned to track them. One example of this technological disparity concerns Internet Protocol version 6 (IPv6), the new version of the Internet Protocol designed to succeed the current IP version 4. IPv6 was created to provide a larger address space than its predecessor protocol, but has not yet been widely deployed in the commercial sector. The criminal element, however, is beginning to use IPv6 as a secondary Freenet channel, riding on top of (or tunneling through) the current Internet. Unfortunately, no equipment currently exists to monitor IPv6 traffic, which provides increased anonymity for those who frequent the Darknet.
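The paper's point about IPv6 tunneled through the IPv4 Internet has a defensive counterpart: the common tunneling mechanisms leave a recognizable shape in ordinary IPv4 flow records, because IPv6-in-IPv4 encapsulation is IP protocol 41 (RFC 4213), Teredo runs over UDP port 3544 (RFC 4380), and both 6to4 (RFC 3056) and Teredo addresses embed the IPv4 endpoints. The following Python script is an added example, not part of this white paper or of Procysive's CIPACS: it flags tunnel-shaped flows in a constructed set of flow records and decodes the IPv4 host behind a 6to4 or Teredo address, so that tunneled IPv6 traffic can be tied back to an IPv4 machine. The `Flow` record type and its `inner_v6_dst` field (which assumes a sensor that exposes the inner IPv6 header) are assumptions of the example, as are all addresses used.

```python
"""Flag IPv6-over-IPv4 tunnels in IPv4 flow records and recover the embedded
IPv4 endpoints.  Added example; not from the Procysive white paper.  All
flow records and addresses are constructed (documentation ranges)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_IPV6_ENCAP = 41          # RFC 4213: IPv6 carried directly in IPv4
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544         # RFC 4380
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")   # RFC 3056
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")   # RFC 4380


@dataclass(frozen=True)
class Flow:
    """Minimal flow record (hypothetical sensor output)."""
    src: str
    dst: str
    proto: int                           # IP protocol number
    dport: int                           # destination port; 0 when not TCP/UDP
    inner_v6_dst: Optional[str] = None   # inner IPv6 destination, if the sensor decodes it


def classify_flow(flow: Flow) -> Optional[str]:
    """Return a tunnel label for an IPv4 flow, or None if nothing suggests tunnelling."""
    if flow.proto == PROTO_IPV6_ENCAP:
        return "6in4/6to4 (IP protocol 41)"
    if flow.proto == PROTO_UDP and flow.dport == TEREDO_UDP_PORT:
        return "Teredo (UDP/3544)"
    return None


def embedded_ipv4(addr: str) -> Optional[Tuple[str, str, Optional[Dict[str, object]]]]:
    """Decode the IPv4 endpoint embedded in a 6to4 or Teredo address.

    Returns (kind, ipv4, extra) or None for addresses of neither kind."""
    a = ipaddress.IPv6Address(addr)
    raw = int(a)
    if a in SIXTO4_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> the IPv4 address occupies bits 32..63 from the top.
        return ("6to4", str(ipaddress.IPv4Address((raw >> 80) & 0xFFFFFFFF)), None)
    if a in TEREDO_PREFIX:
        # 2001:0000:<server v4>:<flags>:<port ^ 0xFFFF>:<client v4 ^ 0xFFFFFFFF>
        server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
        port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
        client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return ("Teredo", str(client), {"server": str(server), "client_port": port})
    return None


def tunnel_report(flows: List[Flow]) -> List[Tuple[str, str, Optional[str]]]:
    """List (src, tunnel label, embedded IPv4 endpoint or None) for tunnel-shaped flows."""
    report = []
    for f in flows:
        label = classify_flow(f)
        if label is None:
            continue
        inner = embedded_ipv4(f.inner_v6_dst) if f.inner_v6_dst else None
        report.append((f.src, label, inner[1] if inner else None))
    return report


# Constructed flow records: one HTTPS flow, one DNS flow, one 6to4 tunnel and one Teredo tunnel.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.9", 6, 443),
    Flow("10.0.0.7", "192.0.2.1", PROTO_IPV6_ENCAP, 0, "2002:c000:201::1"),
    Flow("10.0.0.9", "192.0.2.45", PROTO_UDP, TEREDO_UDP_PORT,
         "2001:0:c000:22d:8000:63bf:39cc:9bf8"),
    Flow("10.0.0.5", "203.0.113.9", PROTO_UDP, 53),
]

if __name__ == "__main__":
    for src, label, endpoint in tunnel_report(SAMPLE_FLOWS):
        print(f"{src}: {label}; embedded IPv4 endpoint: {endpoint}")
```

Protocol 41 and UDP/3544 are visible to any IPv4-only flow collector, so an organisation that has not deployed IPv6 can still alert on these flows as a policy violation; the address decoding is what lets the analyst name the IPv4 hosts at both ends of the tunnel.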

As long as criminals seek a place to gather and exchange information online, the Darknet, in whatever form it takes, will continue to flourish. This is the continuing challenge for cyber investigators: to discover, infiltrate, and shut down these online channels of criminal activity.


Summary

The Darknet is a shadowy part of the Internet used for various types of criminal activity and communication. The Darknet evolved from the physical data havens of the 1980s, used primarily as tax sanctuaries and places to store confidential data or engage in legally questionable activities. The Darknet is used by a variety of swindlers and lawbreakers, including spammers, phishers, ID thieves, information traders, data thieves, fences, scammers, child pornographers, street criminals, crime syndicates, facilitators, and terrorists. The primary components of the Darknet include Freenet freesites, password-protected IRC channels, and appropriated derelict websites. Various investigative and spidering techniques can be used to discover and infiltrate sites and channels on the Darknet, thus uncovering the criminal activity within. It is likely that the Darknet will continue to evolve over time, as tech-savvy criminals counter increased and more technically sophisticated investigative efforts.

About Procysive

Procysive specializes in providing online tracking, compression, and site protection solutions. Procysive's technology and services revolve around unique deep web monitoring capabilities: software agents that work 24/7 to scan, detect, infiltrate, and monitor both legitimate and underground websites and services. Procysive's combination of microdot encoding, encrypted compression, deep web monitoring, and active human analysis provides the ultimate in online security for both intellectual and physical assets.

