[HN Gopher] De-anonymizing ransomware domains on the dark web
___________________________________________________________________
De-anonymizing ransomware domains on the dark web
Author : auiya
Score : 65 points
Date : 2022-06-28 18:15 UTC (4 hours ago)
(HTM) web link (blog.talosintelligence.com)
(TXT) w3m dump (blog.talosintelligence.com)
| ziddoap wrote:
| #1 and #2 really should just be a part of #3: catastrophic opsec.
|
| I don't know what it is about people who run these criminal
| enterprises on the darknet, but they constantly seem to be
| failing even the most basic of opsec. Re-using identities across
| multiple services, using e-mail addresses with real names,
| posting photos with identifiable information (and before websites
| stripped metadata for them, often posted with metadata), etc. I
| mean it's nice that they are making it easier to catch
| themselves, but at the same time I can only wonder how some
| genius can invent some novel and complex ransomware operation
| just to turn around and use the email they've had since they were
| 13 to register the services that operate it.
| number6 wrote:
| You only catch those who make those mistakes
| ziddoap wrote:
| Yes, thanks for that.
|
| My point is that those mistakes are made by plenty of
| ransomware gangs, some of the largest dark markets to ever
| exist (AlphaBay, Silk Road, etc.), Freedom Hosting, and more.
| All of which were, at some point, major entities on the
| darknet making absolutely rudimentary opsec mistakes.
| Closi wrote:
| You only have to slip up once to get caught.
|
| Some of the people caught on those listed examples had
| great Opsec... until that one time where they messed up and
| then suddenly ended up in jail.
| ziddoap wrote:
| Which ones of my list had great opsec? I'm not denying
| what you said, it only takes one slip up, but in the
| cases I mentioned by name:
|
| AlphaBay used their regular hotmail account to send
| password reset emails, and that email was tied to their
| LinkedIn.
|
| Freedom Hosting was taken down because the operators used
| outdated FF with javascript enabled.
|
| Silk Road's Ross Ulbricht posted his personal Gmail
| address, linking the identities.
|
| All of these are profound opsec failures, not just an
| oopsie that led to getting caught by talented LEOs.
| jstarfish wrote:
| What sort of answer are you looking for? All of these
| proprietors are human. Humans make mistakes and act
| irrationally at times. Criminal enterprises are complex.
| Opportunity for mistakes increases with scale. The guy
| who ran Doxbin is the only high-profile case I can think
| of with apparent-flawless opsec, and that much only
| because he _bailed_ before the long tail caught up to
| him.
|
| The tightest opsec I've ever seen is maintained by
| disability fraudsters. Privacy laws protect the evidence
| anybody would need to present against you, so as long as
| you keep doctor-hopping and never admit to anything,
| nobody can touch you. These people tend to be reclusive
| and not public-facing, but with such low risk comes low
| reward-- there's no _real_ money to be made in it.
|
| (...unless you're the doctor knowingly signing off on
| false diagnoses. This increases scale, at which point,
| the more of those you write, the greater the chances of
| some mistake made by you or any single one of your
| patients bringing the whole enterprise down.)
| ziddoap wrote:
| > _What sort of answer are you looking for?_
|
| They said that some of the 3 I listed by name had "great
| opsec". I am curious which one of those they thought was
| great, and laid out why I think the opsec in these cases
| was really far from "great".
|
| Maybe when they said "those listed", they were referring
| to the list on the website and not my list. In that case,
| I misunderstood and obviously my comment doesn't make
| much sense. But I presumed they were referring to my
| list.
|
| > _Humans make mistakes and act irrationally at times.
| Criminal enterprises are complex._
|
| Agreed on both fronts.
|
| But I think that the severity of mistakes is a scale, and
| some of the really big players on the darknet have made
| mistakes that I argue is much closer to the "_really_
| dumb mistake, trivially avoided" end of the scale, such
| as using your LinkedIn email to run your multi-million
| dollar black market.
|
| > _Opportunity for mistakes increases with scale._
|
| Agreed. But none of the three examples I listed by name
| were affected by scale. Using outdated software with
| known vulnerabilities, posting your own email, and using
| an email connected to your LinkedIn are all not issues of
| scale.
|
| Edit to clarify, as I think people may be
| misunderstanding me (maybe? hard to tell from just
| downvotes and no replies):
|
| Opsec is hard. 100%. You have to maintain it basically
| forever, which makes it really hard.
|
| But, if I walk into a bank intending to rob it and start
| shouting out my full name and address (or, say, left my
| drivers license at the scene), people would have a jolly
| laugh at how bad of a robber I was. This is analogous to
| using the same email to run your multi-million dollar
| black market as well as sign up for a LinkedIn account.
| Most people would agree that in my hypothetical, the
| robber made some really trivial mistakes. I'm not sure
| why it's so hard to say that for these darknet operators
| that basically did the same thing, but in computer form.
| Closi wrote:
| It sounds pretty easy to inadvertently visit a site on an
| old laptop with javascript enabled. Is this what counts
| as a profound opsec failure these days?
|
| Remembering that you only have to make an error like that
| once.
|
| Besides, you were talking about all the Silk Road arrests,
| not just Ross - and I mean some of the people arrested in
| conjunction with Silk Road WILL have had good opsec but
| when a nation state is coming after you, the tiniest
| mistake will cost you!
| gleenn wrote:
| The original Silk Road supposedly had amazing opsec but
| they caught him because one time he used the same,
| oblique username to register something many years
| previous IIRC.
| MikeDelta wrote:
| Maybe the dark web makes people feel safe and they let
| their guard down? I cannot imagine why else someone would
| use their own email address in any transaction or
| operation.
| FredPret wrote:
| The genius is the one selling the shovels to the gold diggers
| auiya wrote:
| Not sure why there's a mystique over the "dark web", they're all
| still just websites, and suffer the same types of
| vulnerabilities.
| mirntyfirty wrote:
| Yea, it would be rather unfortunate terminology to call
| websites outside the realms of Google and Bing the "dark web", as
| if somehow these services legitimize the internet itself.
| nuccy wrote:
| I would personally call telegram/viber/whatsapp/et al.
| groups/chats/channels "dark web", since information is not
| indexed there and is basically decaying over time. About a
| decade or a decade and a half ago, forums flourished; it was
| really easy to find and share relevant information with a
| relevant group of interested people. I was particularly
| interested in car DIY service & retrofit topics.
| Unfortunately everything is mostly in messengers these days,
| which won users by offering real-time responses, but
| providing no real way of topic sorting or proper history.
| Duplicates of questions and answers of different topics and
| threads mixed together into an information garbage bin.
| tete wrote:
| > I would personally call telegram/viber/whatsapp/et al.
| groups/chats/channels "dark web", since information is not
| indexed
|
| That's a really odd way of naming things.
|
| They are not web, and "not indexed" is usually referred to
| as "deep web", not "dark web".
| smegsicle wrote:
| the term 'deep web' refers to the subset of internet-
| connected information that is not widely published, e.g. on
| search engines, whereas the 'dark web' is specifically sites
| that hide their hosting information behind Tor, I2P, etc.
|
| as unfair as it may be, a huge part of the usefulness of
| information is its accessibility, and these search engines
| currently hold a near-monopoly on which sites can generally
| be considered readily accessible, i.e. the 'surface web' above
| the deep web
| dpapai wrote:
| orthoxerox wrote:
| This should come in handy if I ever have to run a website on the
| dark web
| aaron695 wrote:
| ipaddr wrote:
| So certificates do not enable privacy, they take it away.
|
| SSL may stop your roommate or ISP, but they provide another vector
| for linking to other entities.
|
| I wonder how many are using this technique to link web properties
| together.
| no_time wrote:
| This is not a big deal really. Getting an SSL cert only
| requires you provide proof of ownership of your domain and has
| no KYC. You can get as many certs as you want, or sign it
| yourself.
|
| Right now, SSL (or PKI, to be precise) is a very privacy
| respecting technology. For both the server and the client.
| [deleted]
| nick__m wrote:
| If you follow the best practices and do not bind your onion
| service on 0.0.0.0, use a self-signed cert, and don't reuse keys, they
| do provide privacy against a snooping exit node.
| miloignis wrote:
| Certificates enable privacy _for the user_ - fundamentally,
| they are about proving the identity of the server, which is at
| least somewhat at odds with privacy of the server.
|
| Anyway, these all seem like pretty obvious opsec fails where
| the darknet website is also served over the regular internet,
| which is just atrocious.
| kmeisthax wrote:
| Anonymity of the origin server is not at all a design goal of
| SSL/TLS: in fact, the whole point is to tie a web host to a
| particular identity. Originally it was supposed to be legal
| identity, but that is actually fairly useless, so now it's just
| a domain name.
|
| For end-users TLS and Tor both provide privacy, since you don't
| need to identify _yourself_ in order to use https. In fact,
| with ESNI and DoH the only thing anyone snooping wire traffic
| can see is that you're connecting to whatever data center is
| owned by the company hosting the website.
|
| The sites in the original article are criminal enterprises,
| which means they have the unique problem of needing the origin
| server to remain anonymous so that their _hosting provider_
| can't find out what they are doing. This is the one thing Tor does
| that TLS doesn't, and they _were_ deanonymized by them
| insisting on providing a self-signed cert anyway. However, this
| is a particularly unusual threat model that is far harder to
| maintain. Even the whole anticensorship thing is usually just
| hiding what sites you're visiting from, say, the Great
| Firewall - we don't care that China can also use Tor to learn
| where Google's servers are.
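An added example, not from this thread or the Talos post, of the check behind ipaddr's and nick__m's remarks: hash the DER of each served certificate and report hosts that present the same one, so an operator can verify that an onion service's certificate is not also served from a clearnet host. All host names and certificate bytes below are constructed placeholders (the PEM bodies are not real X.509, since the code hashes the DER without parsing ASN.1); matching on the public key alone, as in "don't reuse keys", would additionally need an ASN.1 parser such as the `cryptography` package.

```python
import base64
import hashlib
from collections import defaultdict


def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes in PEM armor (used here only to build the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the first CERTIFICATE block."""
    lines = [ln.strip() for ln in pem.splitlines()]
    start = lines.index("-----BEGIN CERTIFICATE-----") + 1
    end = lines.index("-----END CERTIFICATE-----", start)
    return base64.b64decode("".join(lines[start:end]))


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, colon-separated uppercase hex as browsers show it."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_shared_certs(inventory: dict) -> list:
    """Group hosts by fingerprint; return every group of two or more, each sorted."""
    by_fp = defaultdict(list)
    for host, pem in inventory.items():
        by_fp[cert_fingerprint(pem)].append(host)
    return sorted(sorted(hosts) for hosts in by_fp.values() if len(hosts) > 1)


def onion_links(inventory: dict) -> list:
    """Return (onion, clearnet) pairs that present the same certificate."""
    pairs = []
    for group in find_shared_certs(inventory):
        onions = [h for h in group if h.endswith(".onion")]
        clear = [h for h in group if not h.endswith(".onion")]
        pairs += [(o, c) for o in onions for c in clear]
    return pairs


# Constructed inventory: host -> PEM as served. Two hosts reuse the same bytes.
_SHARED_DER = b"constructed placeholder DER for certificate A"
CONSTRUCTED_INVENTORY = {
    "shop.example.com": pem_from_der(_SHARED_DER),
    "examplex7q.onion": pem_from_der(_SHARED_DER),
    "blog.example.net": pem_from_der(b"constructed placeholder DER for certificate B"),
}

if __name__ == "__main__":
    print(onion_links(CONSTRUCTED_INVENTORY))
```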
___________________________________________________________________
(page generated 2022-06-28 23:01 UTC)