
TOR Network Increasingly Being Abused by Cybercriminals: Kaspersky Lab

The TOR Network’s promise of anonymity is attractive for all kinds of Web users, human rights activists, political dissidents and everyday users concerned about privacy.

But this same anonymity also makes it attractive for cybercriminals.


Researchers at Kaspersky Lab say there has been an uptick in criminal activity on TOR during the past few months.

“Although the Tor infrastructure and cybercriminal resources are not on the same scale as the conventional Internet, we managed to find approximately 900 hidden services online at the current time,” blogged Sergey Lozhkin of Kaspersky Lab. “There are also approximately 5,500 nodes in total and 1,000 exit nodes, but the possibility of creating an anonymous and abuse-free underground forum, market or malware C&C [command and control] server is attracting more and more criminals to the Tor network.”

These underground marketplaces are used to move everything from drugs to weapons to malware. Carding forums are present as well, and stolen personal information is also for sale. Bitcoins play an important role in many of the transactions on these markets, Lozhkin explained.

“Almost everything on the Tor network is bought and sold using bitcoins,” he blogged. “Although it’s almost impossible to make a connection between a bitcoin wallet and a real person, it is possible to track bitcoin transactions as all of them are transparent and public, to build up a scheme of what’s going on and find out the most valuable transactions made via bitcoin exchange services. That’s why money laundering services exist on Tor. Cybercriminals can create an account, deposit bitcoins and they will be broken up into various quantities, transferred through dozens of different wallets to make any investigation highly complicated.”

There has also been an increase in the amount of malware using TOR to mask its command and control infrastructure. Recent examples include a 64-bit version of Zeus detected a few months ago and a piece of malware known as ChewBacca linked to attacks on point-of-sale systems. Late last month, researchers at Kaspersky Lab also spotted malware aimed at Google Android that uses TOR to hide its command and control.

“While cyber-criminals have been using Tor for many years to communicate or to hide their location, only recently have we started to see Tor functionality being included in the actual malware,” said Stefan Tanase, senior security researcher at Kaspersky Lab.

“Unfortunately there isn’t much that can be done differently in regard to criminal forums hosted on Tor hidden services,” he added. “While such forums are operating anonymously in the clear internet as well, the only way law enforcement manages to shut them down is through classic investigation techniques – such as following the trail of the money in most cases.”
