115 research outputs found

    Understanding the difference in malicious activity between Surface Web and Dark Web

    The world has seen a dramatic increase in illegal activities on the Internet. Prior research has investigated different types of cybercrime, especially in the Surface Web, which is the portion of the content on the World Wide Web that popular engines may index. At the same time, evidence suggests cybercriminals are moving their operations to the Dark Web. This portion is not indexed by conventional search engines and is accessed through network overlays such as The Onion Router network. Since the Dark Web provides anonymity, cybercriminals use this environment to avoid getting caught or blocked, which represents a significant challenge for researchers. This research project investigates the modus operandi of cybercriminals on the Surface Web and the Dark Web to understand how cybercrime unfolds in different layers of the Web. Honeypots, specialised crawlers and extraction tools are used to analyse different types of online crimes. In addition, quantitative analysis is performed to establish comparisons between the two Web environments. This thesis is comprised of three studies. The first examines the use of stolen account credentials leaked in different outlets on the Surface and Dark Web to understand how cybercriminals interact with stolen credentials in the wild. In the second study, malvertising is analysed from the user's perspective to understand whether using different technologies to access the Web could influence the probability of malware infection. In the final study, underground forums on the Surface and Dark Web are analysed to observe differences in trading patterns in both environments. Understanding how criminals operate in different Web layers is essential to developing policies and countermeasures to prevent cybercrime more efficiently

    The Dark Web: A Brief Introduction

    The dark web is a highly anonymized section of the Internet in which some users share sensitive and illicit content. Users on the dark web generate digital traces, allowing researchers to study previously difficult-to-observe phenomena, such as trading illegal products or services. Trading occurs on darknet markets, platforms that provide the infrastructure for vendors and buyers to convene, similar to surface web platforms, such as eBay. Listings on such markets predominantly include drugs but also fraud items, counterfeits, or cybercrime-related services, such as hacking. Studying the dark web can be challenging due to technical and ethical considerations. This article introduces the dark web and Tor, the most prominently used dark web network. The article continues with a brief overview of how users engage with the dark web and darknet markets and discusses past research as well as possible future avenues for further research.
    The dark web is a highly anonymized part of the Internet in which some users share sensitive and illegal content. In doing so they leave digital traces that allow researchers to study phenomena that were previously difficult to observe, such as the trade in illegal products or services. Such trade takes place on darknet markets, platforms that, much like eBay, provide an infrastructure for buyers and sellers. The listings on such markets predominantly comprise drugs but also include counterfeits, fraud guides, or criminal services such as hacking attacks. However, scientific research on the dark web is often hampered by technical and ethical hurdles. This article introduces the dark web and explains how Tor, the most frequently used dark web network, works. It also explains how darknet markets operate and how they are used. Finally, possible research directions as well as legal and ethical problems are discussed

    ThreatPredict: From Global Social and Technical Big Data to Cyber Threat Forecast

    Predicting the next threats that may occur on the Internet is a multifaceted problem, as the predictions must be precise enough and given as far in advance as possible to be exploited efficiently, for example to set up defensive measures. The ThreatPredict project aims at building predictive models by integrating exogenous sources of data using machine learning algorithms. This paper reports the most notable results using technical data from security sensors or contextual information about darkweb cyber-criminal markets and data breaches

    The Network of Online Stolen Data Markets: How Vendor Flows Connect Digital Marketplaces

    In the face of market uncertainty, illicit actors on the darkweb mitigate risk by displacing their operations across digital marketplaces. In this study, we reconstruct market networks created by vendor displacement to examine how digital marketplaces are connected on the darkweb and identify the properties that drive vendor flows before and after a law enforcement disruption. Findings show that vendors’ movement across digital marketplaces creates a highly connected ecosystem; nearly all markets are directly or indirectly connected. These network characteristics remain stable following a law enforcement operation; prior vendor flows predict vendor movement before and after the interdiction. The findings inform work on collective patterns in offender decision-making and extend discussions of displacement into digital spaces

    Profiling the vendors of COVID‐19 related product on the Darknet: An observational study

    Background: In a time of unprecedented global change, the COVID-19 pandemic has led to a surge in demand of COVID-19 vaccines and related certifications. Mainly due to supply shortages, counterfeit vaccines, fake documentation, and alleged cures to illegal portfolios, have been offered on darkweb marketplaces (DWMs) with important public health consequences. We aimed to profile key DWMs and vendors by presenting some in-depth case studies. Methods: A non-systematic search for COVID-19 products was performed across 118 DWMs. Levels of activity, credibility, content, COVID-19 product listings, privacy protocols were among the features retrieved. Open web fora and other open web sources were also considered for further analysis of both functional and non functional DWMs. Collected data refers to the period between January 2020 and October 2021. Results: A total of 42 relevant listings sold by 24 vendors across eight DWMs were identified. Four of these markets were active and well-established at the time of the study with good levels of credibility. COVID-19 products were listed alongside other marketplace content. Vendors had a trusted profile, communicated in English language and accepted payments in cryptocurrencies (Monero or Bitcoin). Their geographical location included the USA, Asia and Europe. While COVID-19 related goods were mostly available for regional supply, other listings were also shipped worldwide. Interpretation: Findings emerging from this study raise important questions about the health safety of certain DWMs activities and encourage the development of targeted interventions to overcome such new and rapidly expanding public health threats. Funding: CovSaf, National Research centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN), Commonwealth Fund

    Profiling the vendors of COVID‐19 related product on the Darknet: An observational study

    © 2023 The Author(s). Published by Elsevier Ltd on behalf of International Society for the Study of Emerging Drugs. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/). BACKGROUND: In a time of unprecedented global change, the COVID-19 pandemic has led to a surge in demand of COVID-19 vaccines and related certifications. Mainly due to supply shortages, counterfeit vaccines, fake documentation, and alleged cures to illegal portfolios, have been offered on darkweb marketplaces (DWMs) with important public health consequences. We aimed to profile key DWMs and vendors by presenting some in-depth case studies. METHODS: A non-systematic search for COVID-19 products was performed across 118 DWMs. Levels of activity, credibility, content, COVID-19 product listings, privacy protocols were among the features retrieved. Open web fora and other open web sources were also considered for further analysis of both functional and non functional DWMs. Collected data refers to the period between January 2020 and October 2021. RESULTS: A total of 42 relevant listings sold by 24 vendors across eight DWMs were identified. Four of these markets were active and well-established at the time of the study with good levels of credibility. COVID-19 products were listed alongside other marketplace content. Vendors had a trusted profile, communicated in English language and accepted payments in cryptocurrencies (Monero or Bitcoin). Their geographical location included the USA, Asia and Europe. While COVID-19 related goods were mostly available for regional supply, other listings were also shipped worldwide. INTERPRETATION: Findings emerging from this study raise important questions about the health safety of certain DWMs activities and encourage the development of targeted interventions to overcome such new and rapidly expanding public health threats. FUNDING: CovSaf, National Research centre on Privacy, Harm Reduction and Adversarial Influence Online (REPHRAIN), Commonwealth Fund. Peer reviewed

    Exploring Cyberterrorism, Topic Models and Social Networks of Jihadists Dark Web Forums: A Computational Social Science Approach

    This three-article dissertation focuses on cyber-related topics on terrorist groups, specifically Jihadists’ use of technology, the application of natural language processing, and social networks in analyzing text data derived from terrorists' Dark Web forums. The first article explores cybercrime and cyberterrorism. As technology progresses, it facilitates new forms of behavior, including tech-related crimes known as cybercrime and cyberterrorism. In this article, I provide an analysis of the problems of cybercrime and cyberterrorism within the field of criminology by reviewing existing literature focusing on (a) the issues in defining terrorism, cybercrime, and cyberterrorism, (b) ways that cybercriminals commit a crime in cyberspace, and (c) ways that cyberterrorists attack critical infrastructure, including computer systems, data, websites, and servers. The second article is a methodological study examining the application of natural language processing computational techniques, specifically latent Dirichlet allocation (LDA) topic models and topic network analysis of text data. I demonstrate the potential of topic models by inductively analyzing large-scale textual data of Jihadist groups and supporters from three Dark Web forums to uncover underlying topics. The Dark Web forums are dedicated to Islam and the Islamic world discussions. Some members of these forums sympathize with and support terrorist organizations. Results indicate that topic modeling can be applied to analyze text data automatically; the most prevalent topic in all forums was religion. Forum members also discussed terrorism and terrorist attacks, supporting the Mujahideen fighters. A few of the discussions were related to relationships and marriages, advice, seeking help, health, food, selling electronics, and identity cards. LDA topic modeling is significant for finding topics from larger corpora such as the Dark Web forums. Implications for counterterrorism include the use of topic modeling in real-time classification and removal of online terrorist content and the monitoring of religious forums, as terrorist groups use religion to justify their goals and recruit in such forums for supporters. The third article builds on the second article, exploring the network structures of terrorist groups on the Dark Web forums. The two Dark Web forums' interaction networks were created, and network properties were measured using social network analysis. A member is considered connected and interacting with other forum members when they post in the same threads forming an interaction network. Results reveal that the network structure is decentralized, sparse, and divided based on topics (religion, terrorism, current events, and relationships) and the members' interests in participating in the threads. As participation in forums is an active process, users tend to select platforms most compatible with their views, forming a subgroup or community. However, some members are essential and influential in the information and resources flow within the networks. The key members frequently posted about religion, terrorism, and relationships in multiple threads. Identifying key members is significant for counterterrorism, as mapping network structures and key users are essential for removing and destabilizing terrorist networks. Taken together, this dissertation applies a computational social science approach to the analysis of cyberterrorism and the use of Dark Web forums by jihadists

    Internet organised crime threat assessment (IOCTA) 2020
