Saturday, February 16, 2019

Darknet intelligence secrets

Cyberattacks and data breaches are part of day-to-day life, so much so that people have become desensitized to them. In every case, the compensation offered to customers whose data was compromised is "credit monitoring, free for one year". We have often heard people joke about how many free credit-monitoring packages they hold because of the number of breaches their information was exposed in within a single 12-month period. Ten years ago the darknet/deep web was practically unheard of; today it has buzzword status and is a common term on television and radio. As recently as 2014, only two commercial entities offered Darknet Intelligence (DnI).
Currently, choosing a DnI provider is like buying a bottle of water: many brands and prices for the same thing. Many DnI providers package the same data, sourced either by crawling/scraping sites or by analysts logging into darknet black markets and forums and sifting through the latest posts. Some DnI providers claim to index millions of pages a day from darknet sites by scraping. Scraping is possible for some darknet sites, but not all.
Experience has taught that the best intelligence is found on invite-only, Vetting Required Membership (VRM) darknet sites. VRM sites generally have fewer than one hundred members and run anti-bot-scrape code: it identifies a scrape in progress and immediately bans both the scraping session and the user ID behind it, which stops the scrape.
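As an added example (not code from the page or from any DnI provider or VRM site), here is the kind of anti-bot-scrape logic such a site could run over its access log: a sliding-window rate check plus a check for a user walking thread IDs in order, with the user ID banned the moment either trips and every later request from it dropped. The log format, the thresholds and the three sample users are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window for the rate check (assumed threshold)
MAX_REQUESTS = 30                # more hits than this per window looks automated
MAX_SEQ_RUN = 10                 # this many consecutive thread ids looks like enumeration


def parse(line):
    """Split one log line 'ISO-timestamp user_id path' (a constructed format, not the page's)."""
    ts, user, path = line.split()
    return datetime.fromisoformat(ts), user, path


def detect_scrapers(lines):
    """Return {user_id: reason} for every user the gate bans; later requests from a banned user are dropped."""
    recent = defaultdict(deque)  # user -> request timestamps inside the sliding window
    last_thread = {}             # user -> (last thread id seen, length of the consecutive run)
    banned = {}
    for line in lines:
        ts, user, path = parse(line)
        if user in banned:
            continue             # the ban is immediate: nothing after it is served
        window = recent[user]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        if len(window) > MAX_REQUESTS:
            banned[user] = "rate"
            continue
        m = re.fullmatch(r"/thread/(\d+)", path)
        if m:
            tid = int(m.group(1))
            prev, run = last_thread.get(user, (None, 0))
            run = run + 1 if prev is not None and tid == prev + 1 else 1
            last_thread[user] = (tid, run)
            if run >= MAX_SEQ_RUN:
                banned[user] = "sequential"
    return banned


def build_sample_log():
    """Constructed traffic: one human reader and two crawlers (sample data, not real logs)."""
    t0 = datetime(2018, 3, 30, 10, 0, 0)

    def stamp(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    lines = [f"{stamp(0)} alice /forum/index",
             f"{stamp(41)} alice /thread/5123",
             f"{stamp(192)} alice /thread/5130"]
    # crawler01 walks thread ids in order, one request per second
    lines += [f"{stamp(i)} crawler01 /thread/{i + 1}" for i in range(60)]
    # crawler02 fires two search requests a second with no obvious ordering
    lines += [f"{stamp(i / 2)} crawler02 /search?q=item{i}" for i in range(40)]
    return sorted(lines)


if __name__ == "__main__":
    print(detect_scrapers(build_sample_log()))   # {'crawler01': 'sequential', 'crawler02': 'rate'}
```

The human reader never trips either check; crawler01 is banned on its tenth request, long before it is fast enough to trip the rate check, and crawler02 is banned on its 31st request inside the window. A real gate would also want the checks keyed on the session or circuit, since a scraper that rotates user IDs evades the per-user counters.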

Darknet Intelligence Secret:

DnI providers omit to tell clients that scraping cannot bypass every login page to capture content. Not all darknet sites use CAPTCHA for authentication, least of all the quality ones. The challenge can be a randomly generated equation, a trivia question, or a combination of both, with a limited time to enter the correct answer. We have seen VRM sites that require a darknet-history question to be answered for authentication, e.g. "What new site did TCF admin launch?" That question refers to events in 2014, before most DnI providers existed.
Therefore scrape methods often index nothing but a login page, yielding zero actionable intelligence, and companies relying on scraping are likely returning the same results as each other.
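As an added example of the time-limited equation/trivia gate described above (not the page's code, nor any site's), the server below issues a challenge and binds the expected answer, a nonce and an expiry into an HMAC token, so it keeps no per-challenge state beyond the set of nonces already attempted. The question bank, the 90-second limit and the server key are assumptions. The same expiry and single-use checks are what a reset code needs too: the 2FA post later on this page describes a Facebook reset code still accepted after 12 hours, which these checks reject.

```python
import hashlib
import hmac
import operator
import random
import secrets
import time
from dataclasses import dataclass

SERVER_KEY = secrets.token_bytes(32)   # assumption: one secret per server process
CHALLENGE_TTL = 90                      # seconds the member gets to answer (assumed limit)

# Constructed question bank standing in for a site's own history questions.
TRIVIA = {
    "In what year did this forum move to its current onion address? (constructed)": "2016",
    "Which staff handle signs the weekly announcement? (constructed)": "admin-x",
}
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}
_used_nonces = set()   # one entry per challenge ever attempted; shared storage in a real deployment


@dataclass
class Challenge:
    question: str   # shown to the member
    token: str      # handed to the member; opaque to them, carries nonce|expiry|mac
    answer: str     # stays server-side; exposed here only so a caller or test can drive verify()


def _mac(nonce, expires, answer):
    """Keyed MAC over nonce, expiry and the normalised answer; unverifiable without SERVER_KEY."""
    msg = f"{nonce}|{expires}|{answer.strip().lower()}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_challenge(seed=None, now=None):
    """Issue either a random two-operand equation or a trivia question with a time-limited token."""
    rng = random.Random(seed)
    now = time.time() if now is None else now
    if rng.random() < 0.5:
        a, b, op = rng.randint(10, 99), rng.randint(10, 99), rng.choice(sorted(OPS))
        question, answer = f"{a} {op} {b} = ?", str(OPS[op](a, b))
    else:
        question, answer = rng.choice(sorted(TRIVIA.items()))
    nonce, expires = secrets.token_hex(8), int(now) + CHALLENGE_TTL
    return Challenge(question, f"{nonce}|{expires}|{_mac(nonce, expires, answer)}", answer)


def verify(token, submitted, now=None):
    """True only for a correct answer to an unexpired, untampered challenge that has never been attempted."""
    now = time.time() if now is None else now
    try:
        nonce, expires, mac = token.split("|")
        expires = int(expires)
    except ValueError:
        return False
    if now > expires or nonce in _used_nonces:
        return False
    # Burn the nonce on any attempt, right or wrong: a two-digit equation has a tiny answer
    # space, so one guess per challenge is all a client gets.
    _used_nonces.add(nonce)
    return hmac.compare_digest(_mac(nonce, expires, submitted), mac)


if __name__ == "__main__":
    ch = make_challenge()
    print(ch.question)
    print(verify(ch.token, ch.answer), verify(ch.token, ch.answer))   # True False
```

Because the MAC is keyed, a scraper holding the token cannot test candidate answers offline; a tampered expiry changes the MAC input and fails, and a replayed token fails on the nonce check. The trade-off of this design is that a member who mistypes once must request a fresh question, which is the behaviour the gate wants.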
Since 2015 numerous DnI companies have launched, all competing for the same market. A competitive marketplace stimulates innovation and pushes everyone to deliver the best product for the end user. However, DnI is stigmatized as a murky abyss, with statistics that challenge us to comprehend the unknown. The fact of the matter is that although the deep web is estimated to be 400 times larger than the indexed internet you use daily, the darknet makes up only a fraction of it.

Tor Sites

As of March 2018 there are approximately 70 thousand Tor onion sites, down from spring 2017, when the number peaked at approximately 120 thousand. Furthermore, as of this writing (30 March 2018) there are 6,291 relays in the Tor network. A Tor circuit passes through three relays, "entry guard > middle relay > exit node", and by default a circuit is retired after about ten minutes of use (Tor's MaxCircuitDirtiness), not six. Choosing three distinct relays from 6,291 gives C(6291,3) = 41,476,363,785 unordered combinations; the figure quoted for the chance of the same combination twice in a row, 1 in 41,515,940,466, is C(n,3) for n = 6,293. Both figures overstate the real path space: the entry guard is not re-chosen per circuit but kept for months, and the middle and exit positions are drawn, weighted by bandwidth, only from relays carrying the appropriate flags, so the number of distinct paths a client actually cycles through is far smaller.
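As an added check on the arithmetic above (not from the original article), the snippet below computes the relay combinations with Python's math.comb, finds which relay count reproduces the quoted figure, and shows how much smaller the space becomes once the entry guard is held fixed. The relay counts are the ones cited on this page; the functions are the example's own.

```python
from math import comb


def naive_path_count(n):
    """Unordered sets of three distinct relays out of n: the figure the article quotes."""
    return comb(n, 3)


def pinned_guard_path_count(n):
    """Sets of three relays once the entry guard is fixed: only middle and exit still vary."""
    return comb(n - 1, 2)


def relays_for_path_count(target):
    """Smallest n with comb(n, 3) >= target, and whether the match is exact."""
    n = 3
    while comb(n, 3) < target:
        n += 1
    return n, comb(n, 3) == target


if __name__ == "__main__":
    quoted = 41_515_940_466
    print(relays_for_path_count(quoted))      # (6293, True): the quoted figure is C(6293, 3)
    print(naive_path_count(6291))             # 41476363785 for the 6,291 relays cited
    print(pinned_guard_path_count(6293))      # 19791486 once the guard stops changing
```

With the guard pinned the path space shrinks by a factor of roughly 2,100, and restricting exits to exit-flagged relays and weighting by bandwidth shrinks it further, so a 1-in-41-billion repeat probability is not what a client experiences in practice.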
Stand-alone DnI providers can best serve clients by disclosing that they provide only a piece of the puzzle. Augmenting one provider's DnI with other DnI sources is a novel idea in this market, but it is exactly what intelligence work is: verify, verify, verify. We discovered that by augmenting with other DnI providers, all parties retained their proprietary IP while enriching the client's DnI visibility. DnI is unlike conventional cybersecurity products in the threat events monitored: cybersecurity products protect clients from attacks on the perimeter from the surface net, among many other vectors, while DnI attempts to provide timely intelligence from anonymous peer-to-peer networks.

“Two typical Darknet types are friend-to-friend networks (usually used for file sharing with a peer-to-peer connection) and privacy networks such as Tor.”
Many DnI providers purport to hold billions of compromised data records, which is very likely true. However, 98% of those records have already been remediated. Old, known data leaks are free to download and great for research; actionable DnI is the unknown, here and now.
In this series we will share the darknet threats we are seeing in real time, with timestamps, screenshots and descriptions. We kick off this first article with unique, never-before-seen compromised email addresses and passwords, including .gov and .edu domains, along with threat-actor login credentials for darknet black markets and forums.

[Screenshot: darknet email addresses; compromised email addresses and passwords.]

Terrorism propaganda is real over Twitter, WhatsApp, Instagram, etc.


Last weekend, alerts flagged a significant spike above the normal baseline of Twitter links being shared in terrorist WhatsApp group channels. MORSE, a product of Ed Alcantara's cyber intelligence group in the USA, logs terrorist WhatsApp group channels in real time. It also logs hundreds of other illicit group channels on the WhatsApp platform; currently the group is logging 200 WhatsApp terrorist group channels in real time.

They drilled down into their data logs for the anomaly and found that terrorists have again manipulated social media platforms to post and share their propaganda. Several terrorist WhatsApp group channels are dedicated exclusively to teaching others how to spread propaganda on social media. The goal is to avoid having their own social media accounts suspended and their propaganda removed. Furthermore, they have discovered that this new method reaches a much larger audience than the other methods they have used. In one screenshot above, the Twitter account being abused has over 3 million followers.

[Screenshot: terrorist propaganda on Twitter is real.]
The social media scheme being shared by the terrorists is as follows:
1. Identify legitimate news media and political Twitter accounts with millions of followers.
2. Post the list of identified Twitter accounts in the terrorist group channel.
3. Create the propaganda for dissemination as an image, video or audio file and upload it to a file-sharing site for others to download.
4. Identify the legitimate Twitter account's latest tweet with the highest count of replies.
5. Scroll to the bottom of the replies and, on the last reply, post the propaganda.
6. Copy the link to that reply and share it on other Twitter accounts or on platforms such as Facebook and Google.

This method is gaining traction because the propaganda posts persist, successfully evading the platforms' procedures for identifying such content. Ed Alcantara's cyber intelligence group has identified graphic content, posted several days earlier, still being shared in other terrorist WhatsApp groups.
Ed Alcantara's group and other cyber intelligence groups are committed to eradicating this type of content through technology and innovation. Technology tools used by terrorists have been adopted by many underground cybercriminals. We all know that Telegram and WhatsApp are commonly infested with terrorist propaganda, and both apps have emerged as the new frontier for black-market vendors and buyers. A year-to-date analysis of Alcantara's group's data (two terabytes logged in real time from Telegram and WhatsApp) shows an increase of approximately 130% over this time last year. Illicit transactions, money laundering, terrorist planning and recruiting, and human trafficking offerings on WhatsApp and Telegram dramatically outnumber the illicit offerings on Tor darknet black markets and forums. Tor's cybercriminal forums are still actively used by many attackers, as well as terrorists, to acquire and/or develop their cyber arsenal.

The migration of illicit transactions from the Tor darknet to social-media "darknet" platforms like WhatsApp is astounding. Users of such encrypted peer-to-peer messaging apps no longer need the sophisticated OPSEC that Tor demands. Additionally, the audience is now in the tens of millions on WhatsApp and Telegram respectively, compared with approximately two million Tor users, and of those two million only a small percentage use Tor for illicit transactions.

WhatsApp is interesting in that it requires a phone number to create an account. Terrorists have figured out that accounts can be created with free VoIP numbers. There are also many extremists and criminals who use a burner phone or even their actual personal mobile number. Case in point: the events in this article concerning the Twitter posts were traced by Alcantara's group to a mobile phone provider in Sweden. In fact, many members of this WhatsApp channel for Twitter posts are in European Union countries, the Middle East and the United States.

What can social media and technology companies do to eliminate such content? For starters, they can swallow their pride and accept that third parties have solutions available to help them. Next, they must accept that not every third party has a "silver bullet" that can justify their PR statements of "doing all we can". Of the social media companies we have offered to assist, the standard response is that they are satisfied with their current vendor relationships; the other is to address the matter internally. Neither choice is enough. The case of the Twitter posts is a good example: an attack was being planned in the posts.

What then should social media do when more people die senselessly because giants like Facebook, WhatsApp and Twitter believe they can fix the problem alone? This is not a case of compromised logins or users' personal data being resold. Actual human beings are being killed because social media companies are not compelled to proactively remove the content on their platforms. If 200-plus terrorist channels with 255 members each is not enough for Facebook and WhatsApp to take action, then what is?

Friday, February 15, 2019

Terrorists using Facebook to transmit their propaganda

Social media has taken over the world and connects a great many people across it; many terrorist groups have used these platforms to spread their ideology by recruiting followers. This is a dangerous development and, if not checked, we may end up with many teenagers indoctrinated, especially in the poor villages of Africa and Asia.
Facebook, WhatsApp, YouTube, Google, Twitter, Telegram, etc. have all been alerted (for years) to the enormous amount of terrorist propaganda on their platforms. Yet they are not compelled to proactively monitor them. Recently, Mark Zuckerberg assured the United States Congress that Facebook is instituting new policies to protect its users. Sounds like a great plan: "a day late and a dollar short".

Cyber security specialists and intelligence analysts have been analysing hundreds of darknet, terrorist, invite-only channels for social media links, and they share these links daily in their fight against terrorism. For example, BOC has notified Facebook on more than one occasion of the exploitation of its platform, which fell on deaf ears as recently as February 2018. WhatsApp (purchased by Facebook for $19 billion) currently hosts over 200 terrorist propaganda channels used for recruiting. WhatsApp has approximately 300 employees at its headquarters in California, yet it does not have the budget or the priority to take action on extremist and hate content. Has it earned our confidence to be entrusted with our private communications and content?

The optics of large tech companies combating hate content are self-serving rather than a sign of social responsibility and good corporate governance. We often hear news stories of extremist content found on social media platforms, followed by the respective talking heads assuring us they are doing all they can. We then hear the same companies deflecting responsibility with statements implying that they rely on users to report hate content.

Lawmakers and leaders globally agree that social media is accountable for the content shared by users, to the extent that Germany can impose fines of up to €50 million. Is this enough for social media companies to proactively institute their own content-removal policies? Unfortunately, fines and reprimands are not enough. We as a society have the option not to use social media for sharing where we live, work, study and eat.

Another trend is extremists hacking Facebook accounts and taking over user profiles. The hacked profile link is then added to invite-only extremist channels on Telegram and WhatsApp, which is alarming. Meanwhile, millions of Facebook users are abandoning their accounts over privacy concerns.

Thursday, February 14, 2019

Google's 2FA is nonsense

Messenger, Instagram and Google are prone to SS7, FinFisher and Pegasus intrusions! The 2FA on these applications is just nonsense!
Gmail, like Facebook and Instagram, is not a safe means of messaging. If you do not want your calls listened to or your messages read by an intruder, or your bank account drained by a fraudster if you use mobile banking, then you must pay attention to this. With the recent arrival of FinFisher, Pegasus and the SS7 exploit in the region, the email we send over our mail services is not safely delivered. Worse still, social media such as Instagram and Facebook Messenger are not safe either! SS7, developed in the mid-1970s, is the signalling protocol that lets phone networks exchange the information needed to route calls and text messages between networks and to bill each other correctly.
The recent emergence of the SS7 flaw has left many telecom companies wondering how to prevent intrusion into their data transfers. An SS7 exploit is simple and fast to execute and has serious effects on the privacy of the customers of a given telephone network. It needs only a Linux machine, an SS7 SDK, the victim's IMSI and, crucially, a way to inject signalling messages into the SS7 network, which in practice means an operator interconnect or a leased global title. With that it is easy to monitor the victim's location, listen to their calls, divert their calls, read their messages or divert them to other numbers. Everyone using a phone and a SIM card is liable to this attack, even the hacker himself. As I have recently been writing, people in Africa may unknowingly have been subjected to this form of spying, either by their governments or by independent hackers. Everyone using a mobile phone to access internet services such as email and social media platforms (Google Plus, Blogger, Instagram, Gmail, Yahoo, Hotmail, etc.) is believed to have had their messaging and calls intercepted or listened to. This is more profound in countries that do not offer freedom and the right to privacy. Starting from around October 2017, I came to discover that the 2FA on Instagram, Facebook and Google was just toothless nonsense. I learnt that a certain group of people in Uganda had been monitoring users of social media platforms and monitoring specified mobile phone numbers!
They had seemingly diverted the calls and messages of those phones to a group of mobile phone numbers, or they were constantly monitoring the activities of certain people on social media. Their phone numbers could relay the 2FA reset codes sent to the phone numbers the victims used on their Gmail, Instagram and Facebook accounts! When I tested it on Gmail I discovered that they would even be able to set up phishing pages: if one revoked the devices on which the account was logged in and tried to log in again, the reset message would be sent by Google itself, but after one logged out again, say two hours later, the same numbers would again be the ones sending the message. On Facebook it was really shocking: as we all know, a reset code is supposed to be valid for only a short time before it is used, yet I had two scenarios where the same reset code sent by these numbers could still be used after 12 hours!
It may be shocking to many of you, but what I ask myself is: who are the owners of these numbers? Do the telecom companies in Uganda know the owners? Could telecom employees be involved? Do MTN, Airtel, Orange... know of this form of spying? Are Ugandans aware?
I have seen many Ugandans think that using a VPN is safe, but with this SS7 exploit everyone, even the hacker, is prone to the attack. If the government can use this for surveillance, then all the mobile phone users in the country can be monitored!
Many Ugandans have turned to cryptocurrencies, mobile phone banking, mobile marketing and the widely used mobile money; this SS7 exploit exposes you to danger and you ought to be extra cautious in carrying on your activities. I am not scaring anyone or blemishing any of the telecommunications companies, but this attack is real, very dangerous and hard to overcome! It is even worse here in Uganda because of the ambiguity in SIM card registration: many fraudsters may be using phone numbers that are not registered in their own names. Can you imagine that some phone numbers have different names on the IMSI registration and on the mobile money registration! I think the whole registration process must be repeated. Otherwise it is all trash!
I urge those who think their phone numbers are targeted to use other services. For messaging:
- WhatsApp messaging and calling
- Apple's iMessage
For calls, start using:
- WhatsApp calls
- the open-source Signal application
- Silent Circle's end-to-end encrypted phone services
For location monitoring, the only thing you can do is turn off your phone or use Wi-Fi.

The numbers above sent the Google 2FA code, and the others in the picture below sent codes to Facebook.... Does Google

Wednesday, February 13, 2019

Uganda police nab a European at Entebbe airport with drugs


One Arrested for Drug Trafficking
Entebbe
Police have arrested one person in connection with drug trafficking at Entebbe airport.
Maurice Henrick Martin, 48, was on his way to Italy when he was intercepted with narcotics hidden in craft shoes he was travelling with.
Kampala Metropolitan Police spokesperson Patrick Onyango confirmed the arrest.
Onyango said charges of possession of narcotics have been preferred against Hendrick.
"We are going to charge Maurice with possession of narcotics and trafficking of narcotics, which is punishable by a fine of one million shillings or life imprisonment," he said.
Onyango also requested that the court grant a custodial sentence so that drug trafficking can be rooted out of Uganda.
He warned the public against any involvement in drug trafficking.

Ed Alcantara, the chief of cyber intelligence, had this to write on E2EE:

End-to-end encrypted (E2EE) messaging has become the latest craze, but what does it really offer? The principle behind E2EE is that no one, not even the messaging app provider, should have access to the messages between two individuals. This has created an explosion of E2EE messaging apps, which has not gone unnoticed by criminal networks. In fact, criminals seem to be moving from darknet forums to apps such as Telegram at an alarming rate.
Extremist propaganda, cryptocurrency scams, human trafficking, child exploitation, illegal narcotics, cyber-crime, animal poaching, arms trafficking, counterfeit documents, counterfeit merchandise and more... In just under 24 months we have observed the trend of illicit offerings migrating from darknet black marketplaces (hosted on Tor, I2P, Freenet) to encrypted messaging apps. This is incredibly important, since criminals were formerly restricted to the limited anonymity and obfuscation features of the darknet, and it is more secure to hide criminal activity inside an E2EE system.
The Telegram messaging app was built with 256-bit encryption and can handle large chats and channels of up to 50,000 users. To show how much traffic goes through just this one app: according to Wikipedia, in March 2018 Telegram stated that it had 200 million monthly active users. Additionally, according to Telegram's CEO Pavel Durov, a year ago Telegram was growing at a rate of over 50% annually. Conversely, Tor started this year with over 4 million daily users and as of the end of March was running closer to 2 million daily users (see the chart from metrics.torproject.org below).

[Chart from metrics.torproject.org: "Directly connecting users"]
Of late, Telegram has come under such scrutiny that iTunes banned the app for being a safe haven for paedophiles and terrorist organizations. Telegram has since allegedly remediated the reasons for the ban and is once again available for download from the iTunes store.
However, Telegram isn't just a breeding ground for illicit activities; it has also been used as a voice for protest groups in countries under state oppression. The most recent example is Iran, where the app was banned during anti-government protests. Other countries have banned the app for various reasons, but the most prevalent seems to be to prevent the large amount of nefarious activity.
Is everything that runs through a system claiming to be E2EE actually encrypted end to end? Not necessarily. Each company decides how secure it wants to be, which messages are E2EE, or even whether to let users toggle their own level of encryption.
During the last 7 days we have observed 12,907 links shared in criminal and terrorist group channels on Telegram.