The internet is no stranger to crime. From counterfeit and stolen products, to illegal drugs, stolen identities and weapons, nearly anything can be purchased online with a few clicks of the mouse. The online black market not only can be accessed by anyone with an Internet connection, but the whole process of ordering illicit goods and services is alarmingly easy and anonymous, with multiple marketplaces to buy or sell anything you want.
Understanding how the market thrives—unregulated and untraceable—can give you a better sense of the threats (or resources) that affect you and your business.
In our scenario we are going to legally transfer $1,000 USD out of a regular bank account and into a mathematical system of binary codes, and then enter a neighborhood of the Internet largely used by criminals. This hidden world anyone lets purchase bulk downloads of stolen credit cards, as well as a credit card writer, blank cards, some "on stage" fake identities—and maybe even a grenade launcher they've had their eyes on.
A journey into the darker side of the Internet starts with two open-source programs: Bitcoin and the Tor Bundle.
Bitcoin (www.bitcoin.org) is system tool that will act as a personal bank for storing and investing digital currency on your computer. Once it's installed on your system, it sits empty like a piggy bank, waiting to be filled with untraceable digital cash.
Getting it filled is the tricky part.
The digital monetary system online is predominately operated by the likes of Paypal, Western Union, and banking companies that try to follow government regulations to prevent fraud and money laundering. There are two steps to legally take money and have it converted at the current Bitcoin rate into BTCs in our digital and anonymous bank.
Start by opening a Dwolla (www.dwolla.com) banking account with no fees. You can use your real information—you aren't doing anything illegal. In about three days you will be given a fraud test and have to identify small transfers in your Dwolla and personal bank account. Once your account is confirmed, wire any amount from your personal bank to Dwolla from a lump sum or the estimated price of your purchase you have in mind. After you confirm the transfers, your legit money will now be stored in a new global bank with less restriction than US banks.
Next you need to set up an account with the largest bitcoin exchanger, MtGox. Due to fraud concerns, MtGox will only allow transfers from banks like Dwolla.
After your Dwolla transfer moves to MtGox, you can use the money to purchase Bitcoins on the open market for a small percentage-based fee. Once this sale is complete, your bitcoins are best stored in your own bank account that is residing digitally on your computer.
The whole process can be completed in less than a week, and the $1,000 USD is now exchanged to $191 BTC. Now you are ready to go shopping on the black market.
The conversion of dollars to Bitcoins was legal and relatively safe. Actually engaging in black market shopping, though, connects you to various kinds of illegal activities. We'll continue our walkthrough but we are NOT endorsing these activities. This information can help security professionals understand how stolen identities and credit cards are used, how products are fenced or distributed illegally, and more.
Clearly anyone engaging in black market activity wants to remain anonymous. So the next step in black market shopping is to download and open the Tor Bundle Pack (https://www.torproject.org/).
We have touched on Tor two or three times to protect your identity while online, but Tor includes other functions. Developed by the US Navy for secret communications and now used to circumvent blocked websites at offices across the country and to inspire Arab Springs, TOR has a darker cousin: Hidden Tor Servers.
The same random spider-web routing of Internet traffic that hides an end use's IP and location from any prying eyes can hide server locations too.
Hidden Tor Servers are now the norm for storing, accessing and hiding illicit activity such as child pornography. The level of protection provided by Tor makes law enforcement's job tracking such activities next to impossible. (Interestingly, the hacktivist group Anonymous has recently brought attention to such evil servers by controlling them as DDOS servers against some of their targets, including law enforcement and government groups. If the CIA is struck with a DDOS attack, the agency suffers but also, in investigating the source of the attack, discovers the child pornography and hopefully cracks the pornography ring.) Hidden Tor Servers are likewise home to much black market activity.
Where does one find "the black market"? What does it look like? Of course, Google search answers these questions easily. Using your Tor browser (which, yes, is much slower than a standard browser) search for "Tor Directories". These websites offer a collection of Tor's hidden web pages for all kinds of storefronts. Here you will find websites similar to the Yahoo's early days, categorizing storefronts including Drugs, Weapons and other illegal goods and activities. If the directory (or store) is listed with a standard .com or .org domain, it will open in your standard browser; if it ends in .onion then it means it's a hidden server only viewable on the Tor browser.
One example is the Nobody@Zerodays website (nobody.zerodays.org/hidden-directory/), which offers reviews and direct links to current Hidden Tor sites. In our scenario we are going to check out the Black Market Reloaded and look for the current price of some credit cards and tools.
Using Tor you can quickly jump to the Black Market Reloaded website, register (no real information needed), and start shopping. As on Amazon, sellers show off their products with details, pictures and pricing, including feedback collected from past buyers. On a given day in April, current pricing for bulk credit cards is running at $6.5 BTC with great seller feedback. One seller advertises:
"All of our Products are coming with full given Information. That means: All needed information like cardnumber, security code, expiration date, name, address, city, state, zipcode, country, phone, SSN, DOB, security question etc. is given. Also Track 1+2 data and PIN. All CCs are checked and have a minimum Balance of 1000¬/$, and most of them are from an EU-Country. We also have US-Cards, but it's easier to cashout the money at ATMs (/buy virtual money online/link the CC to PayPal) with european ones."
A "Credit card reader/writer, HiCo/LoCo, all ISO complete" is going for 76.60350 BTC (or $366.63 USD at the time of our exchange) and there are also a handful of unregistered handguns, including a brand new M9 Tactical handgun with an illegal silencer, unregistered of course, for 225.00000 BTC or $1,076.87 USD.
Anyone who executes these purchases via anonymous bitcoins will leave no trace of the transaction. All users can send data via Hidden Tor email servers, or ship physical items like drugs and weapons with the US Postal Service to prevent any searches without a warrant. When shipments come from within the US, the illegal goods are likely to arrive at the right mailbox without incident. For those who want an added layer of protection—say in the event that good are being shipped from outside the US—many people in the "Services" section of this site will buy and/or receive items on your behalf using their own bitcoins and addresses, and then remail the goods to you, for a small fee.
(Also, some users of these sites will offer to sell you bitcoins via Paypal so you can skip the two banking steps above and jump right into buying your goods; there is of course no guarantee that you will receive your bitcoins after giving up your cash.)
Tor's Hidden Servers provide a real insight to an underground world that once was limited to dark alleys, shady places, and dangerous criminals. Much like the Internet has expanded our e-commerce into a borderless global market, bitcoins and Tor have made shopping for illicit goods and services almost as easy as ordering an iTunes song on your computer.
As a reminder, most of the purchases described here are illegal and/or dangerous. While it's extremely difficult to identify the individuals involved without additional intel, law enforcement personnel and corporate investigators can use these processes to keep tabs on the flow of stolen, counterfeit, or diverted goods.
If these transactions are being executed on your corporate network, that activity can expose your organization to legal and other risks. While network logs will not show the Tor websites, software audits for programs like TOR, network sniffing of actual traffic, computer monitoring and computer forensics can show employers who is using TOR sites and what they are doing.
Brandon Gregg is a corporate investigations manager.