Dark Web Deanonymizing Technologies
8 March 2020
Avraham Chaim Schneider, Ariel Yosefi, Nimrod Kozlovski
Anonymity is the true currency of the dark web, and not just for the criminals. Organizations such as the FBI’s J-CODE, Europol’s EC3, the German Federal Criminal Police, La Police Nationale Française and many others invest significant amounts of time and money in technologies and methodologies used to break up large crime rings. Understandably, such organizations would prefer to have as much impact as possible whenever they make a move. Not just for efficiency’s sake but also because, as in chess, every move reveals a bit more of an attacker’s overall strategy and allows their opponents to prepare that much better for the next one.
Despite efforts to remain cagey, law enforcement is at a distinct disadvantage next to hackers as far as anonymity goes, in that they are burdened by the minor inconvenience of having to follow the law, which often forces them to disclose methodologies in court documents or government-sponsored reports. These afford some fascinating insight into how authorities have been busting criminals on the dark web. We’ve boiled down the technical highlights below:
Purely technological attacks exploiting dark web infrastructure or design flaws are rare but have their precedent. The most notorious example is a traffic confirmation attack back in 2014, when Carnegie Mellon researchers (at the behest of the US DoD) were able to exploit Tor’s networking design by injecting sequences of ‘relay’ and ‘relay-early’ cell commands that served as a code for tracking a circuit from entry to target in both directions, essentially allowing the researchers to determine the true IPs of users accessing sites on the dark web. The technique was one of the methodologies the FBI and Europol used to convict sellers from Silk Road 2.0, but it wasn’t the only weapon they employed.
A Sybil attack attempts to have multiple proxies infiltrate and compromise enough of a system or network to serve as an influential bloc that can be used in any number of ways. Carnegie Mellon used their Sybil-generated virtual mini-network of proxy nodes to allow targeted monitoring of entry and exit traffic, effectively breaking Tor’s anonymity architecture. Tor’s maintainers shipped updates that mitigate both traffic confirmation and Sybil attacks, but the principle is still sound and could be pulled off again should an appropriate configuration or some other factor be adjusted enough to avoid detection.
If not, don’t count on authorities to throw their hands up in despair. Often, when unable to compromise a key node or relay, they simply show up at the host’s house with a team of armed men in obscure, acronym-adorned windbreakers and a search warrant. Something about the business end of a gun seems to work magic when technical chops just won’t cut it. But the use of such persuasive tactics requires authorities to know which doors to knock on, and that requires some creative technical solutions of its own.
Network Investigative Techniques (NITs) have been used as an indirect attack vector to locate dark web criminals by going after the browsers used to access the network. A 2015 raid against a child exploitation site made use of an undisclosed Mozilla Firefox vulnerability (the Tor Browser is built on Firefox) that allowed FBI agents to generate unique IDs for site visitors. Those IDs allowed the FBI to infect visitor computers with a payload that recorded activity as well as identifying information (including the users’ true IPs) before sending the results back to investigators unencrypted.
Another particularly scary technological workaround for locating dark web users is Ultrasound Cross-Device Tracking (uXDT), as demonstrated by Mavroudis Vasilios at Black Hat EU and the 33rd Chaos Communication Congress. Originally developed as an advertising tool – the kind that serves up ads for BBQ wings on a user’s phone after they mention offhandedly to their spouse that they’re in the mood for chicken that night – uXDT can also be employed to deanonymize dark web criminals. It works when a user visits a site featuring uXDT-type ads, which are programmed to emit a sub-audible encoded signal designed to be picked up by other devices within range. Smartphones and other IoT devices actively listening for commands register the code, which then directs the devices to send their details back to a central server. Once under a unified command-and-control system, multiple devices can be networked for collective intelligence gathering on individual users.
As ingenious as some of these deanonymizing techniques are, more often than not it’s amateurish mistakes on the part of criminals that grant authorities the access they need. A common one involves failing to change vulnerable default configurations on host machines. For example, Apache servers come with mod_status enabled by default, which answers requests to /server-status with a treasure trove of information including resource usage, connected virtual machines and possibly even search histories (depending on what the compromised machine is used for). As a security precaution, this default configuration is meant to answer only requests that originate on the local host, but because of the way Tor works, the daemon that forwards onion service requests to the web server connects from the local host itself, so every visitor to the hidden service counts as local. In other words, remember to reconfigure the hardware or get used to prison Wi-Fi.
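To make the mod_status point concrete, here is an added illustration (not from the original article) contrasting the stock status.conf that Debian-style Apache packages ship with a hardened layout for an onion service. It assumes a torrc line of HiddenServicePort 80 127.0.0.1:80 and that ports.conf already contains Listen 127.0.0.1:80; paths and the admin port 8080 are placeholders.

```apache
# --- Weak: the package default (/etc/apache2/mods-enabled/status.conf) ---
# Assumed torrc: HiddenServicePort 80 127.0.0.1:80
# Tor hands every onion visitor to Apache from 127.0.0.1, so "Require local"
# is satisfied for all of them and /server-status is world-readable via the
# .onion name.
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
        Require local
    </Location>
    ExtendedStatus On
</IfModule>

# --- Hardened: replaces the block above ---
# Global leak reduction: no version banner in headers or error pages.
ServerTokens Prod
ServerSignature Off

# The onion vhost (what Tor forwards to) refuses the status path outright,
# even if some other include re-enables the handler.
<VirtualHost 127.0.0.1:80>
    DocumentRoot /var/www/onion        # placeholder path
    <Location /server-status>
        Require all denied
    </Location>
</VirtualHost>

# The status handler lives only on a separate admin listener that no
# HiddenServicePort line points at, so Tor can never proxy a request to it.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    <IfModule mod_status.c>
        <Location /server-status>
            SetHandler server-status
            Require local
        </Location>
    </IfModule>
</VirtualHost>
# If the status page is not needed at all, remove the module instead:
#   a2dismod status && systemctl reload apache2
```

After reloading, a request for /server-status through the .onion address should return 403 while the same request to 127.0.0.1:8080 from the box itself still works; the same "local means Tor" reasoning applies to any other handler gated by Require local or Require ip 127.0.0.1.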
However, the most common downfall of hackers has got to be their own ego. Several high-profile arrests were the result of overconfident hackers making sloppy mistakes, like using an alias in conjunction with their primary email or other identifiable information on open platforms.
Case in point: Paige Thompson, the former Amazon employee implicated in the recent Capital One breach (one of the largest involving a major bank, exposing PII and credit card data from 100 million users), was caught despite her use of Tor to cover her tracks. It was actually a tip sent to an email address that Capital One Financial Corp. had set up for just this sort of scenario that first informed the bank it had a problem. Thompson’s mistake: first she bragged about her misadventures on Twitter using her dark web alias ‘erratic’. Not the smartest move, but not half as careless as using her actual name on the GitHub address storing the stolen Capital One data.
There seems to be something about the criminal mind that leaves it prone to reckless, braggadocious, self-destructive behavior. Or, as one Twitter user put it with regard to Ms. Thompson:
Replying to @RiCHi @CapitalOne and @TechBeaconCom
The alleged hacker is known as “Erratic”, a.k.a netcrave, a.k.a @0xa3a97b6c, a.k.a paigeaselethompson2019.
Oh wait. The last one was a bit of a dead giveaway.
This seems to be what the FBI thought, too.
2:20 PM Aug 1, 2019
A similar version to this article first appeared in C-Tech.