The Tor network's promise of anonymity is attractive to all kinds of Web users: human rights activists, political dissidents and everyday users concerned about privacy.
But that same anonymity also makes it attractive to cybercriminals.
Researchers at Kaspersky Lab say there has been an uptick in criminal activity on Tor during the past few months.
“Although the Tor infrastructure and cybercriminal resources are not on the same scale as the conventional Internet, we managed to find approximately 900 hidden services online at the current time,” blogged Sergey Lozhkin of Kaspersky Lab. “There are also approximately 5,500 nodes in total and 1,000 exit nodes, but the possibility of creating an anonymous and abuse-free underground forum, market or malware C&C [command and control] server is attracting more and more criminals to the Tor network.”
These underground marketplaces are used to move everything from drugs to weapons to malware. Carding forums are present as well, and stolen personal information is also for sale. Bitcoins play an important role in many of the transactions on these markets, Lozhkin explained.
“Almost everything on the Tor network is bought and sold using bitcoins,” he blogged. “Although it’s almost impossible to make a connection between a bitcoin wallet and a real person, it is possible to track bitcoin transactions, as all of them are transparent and public, to build up a scheme of what’s going on and find out the most valuable transactions made via bitcoin exchange services. That’s why money laundering services exist on Tor. Cybercriminals can create an account, deposit bitcoins and they will be broken up into various quantities, transferred through dozens of different wallets to make any investigation highly complicated.”
There has also been an increase in the amount of malware using Tor to mask its command and control infrastructure. Recent examples include a 64-bit version of Zeus detected a few months ago and a piece of malware known as ChewBacca that has been linked to attacks on point-of-sale systems. Late last month, researchers at Kaspersky Lab also spotted malware aimed at Google Android that uses Tor to hide its command and control.
“While cyber-criminals have been using Tor for many years to communicate or to hide their location, only recently have we started to see Tor functionality being included in the actual malware,” said Stefan Tanase, senior security researcher at Kaspersky Lab.
“Unfortunately there isn’t much that can be done differently in regard to criminal forums hosted on Tor hidden services,” he added. “While such forums are operating anonymously in the clear internet as well, the only way law enforcement manages to shut them down is through classic investigation techniques – such as following the trail of the money in most cases.”