DATA SOURCES
Illicit Networks
The illicit networks category includes different subcategories related to the criminal underground, also known as the dark web or darknet. Certain websites have areas of expertise, such as drugs, fraud and hacking, or focus on specific geographical areas; others are more generic and contain all types of items. Most of them have a set of rules describing what they allow or refuse on their platform.

We do not send data to dark web platforms

We do not send any information about the identifiers you create to any of the dark web platforms we crawl. We collect the entirety of the data daily and query our databases directly. For sources in the criminal underground, Flare collects and stores the entirety of the data on the source. When you run a search on dark web sources, it is run locally, only on the database that Flare has collected. The search terms or identifiers are never disclosed to the external sources.

Source types

Markets

The market subcategory includes events collected from underground markets, also called crypto markets. On these markets, actors put up listings for different items they have for sale. This includes products and services related to drugs, fraud, hacking, etc. Transactions typically take place in cryptocurrency, mainly in Bitcoin and Monero.

Account shops

Account shops are underground markets where malicious actors list and sell accounts to specific services and websites.

Infected devices (stealer logs)

The infected devices search type covers data originating from infostealer malware infections on end-user machines. When a device is compromised, the malware collects browser-stored credentials, cookies, session tokens, and other environment details. In Flare, this exposure appears in two main forms under the same category: listings for sale on markets, and fully ingested stealer logs.

Stealer log listings (devices for sale)

Some events in infected devices come from marketplace listings, where threat actors advertise access to compromised machines rather than sharing the raw logs. These listings typically include partial metadata about the infection, such as:

- the date and time the device was infected
- a partial IP address, ISP, and country of the victim
- high-level information about what was found (e.g. number of logins, presence of email accounts)
- a list of services or domains for which credentials are believed to exist, without exposing the full credential set

Even without full credential details, these listings provide a strong signal that one of your users, customers, or employees may be compromised and monetized.

Full stealer logs (parsed infections)

Other events in infected devices are generated from full stealer logs that Flare has obtained and parsed. In these cases, we have access to the raw output of the malware, which can include:

- complete credential pairs (usernames, emails, and passwords)
- cookies and session tokens
- browser history, autofill data, and sometimes wallet or application data
- detailed device information (OS, browser, IP, and more)

From these full logs, Flare extracts credentials and exposes them in the credentials browser (https://docs.flare.io/credentials-browser), and raises events anywhere your identifiers (domains, emails, infrastructure, etc.) appear.

Forum posts

Forums are spaces in the criminal underground where actors discuss and collaborate. They are similar to clearweb social media, with the difference that they offer anonymity to their users. They usually have a defined target audience, and conversations are centered around certain subjects, such as hacking and fraud, but also politics, opinions, etc.

Profiles

Profiles include pages collected on markets and forums that represent actor profiles.

Chats

The chats subcategory includes events collected on various chat rooms where cybercriminals tend to discuss or advertise. Specifically, we monitor many ICQ chat rooms and Telegram chat rooms.

Ransom leaks

This subcategory includes pages collected on the public websites of ransomware groups. Since 2019, many ransomware groups have started to list their victims publicly on their websites. They often share proof that they have access to the data, such as a Windows Explorer screenshot, and often put up the payment deadline and cryptocurrency ransom address. Certain websites even host auctions for the leaked data.

Blog posts

Illicit blogs, not to be confused with ransomware blogs, are websites onto which actors publish "article"-type content, in the same way blogs operate on the clear web. We collect blog posts from a few illicit blogs, mostly related to the cybercrime ecosystem and cyber threat intel news. Some blogs operate as "lone wolves", where the owner of the blog is also the author, whilst others are a platform onto which people can publish articles (think something like Medium), for example https://telegram.org/blog/instant-view#telegraph.

Financial data

This source type will show you events from credit card autoshops. These are sites where criminals can purchase stolen credit card information.

Authentication, crawling and scraping

Most websites require the creation of accounts, sometimes with valid email addresses, to access the listings and conversations. Flare's crawlers automatically create these accounts and connect to the platforms. Crawlers also use various approaches to appear human-like in terms of navigation speed and behavior, to bypass the bot detection mechanisms present on most websites. The most relevant data points are scraped from the HTML webpage. These include actor names, item names, dates and times, descriptions, ratings and reviews.

Data enrichment

The following steps are applied to collected events.

Regroupment

If items are identical, they are merged into a single card. For events to be considered identical, they must have the same title, the same content, and be on the same website. They can have different website categories (fraud vs. carding) and posting dates.

Actor intelligence

Each actor posting on markets or forums has a profile built in Flare. Simply click on an actor's name to reach their profile. More details can be found in the actor intelligence section of these docs (https://docs.flare.io/actor-intelligence).

Severity scoring

Most events originating on the criminal underground have a severity of at least medium, due to the location where they were found. Certain events may have a lower severity if they are identified as noise by the analyzers.
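The infected devices section above describes two kinds of events, listings that name the services a compromised machine holds credentials for, and fully parsed stealer logs with complete credential pairs, and says events are raised wherever your identifiers appear. The following added example, which is not Flare's code and does not reflect its data model, shows the matching a defender would do on their own side: a watchlist of organization domains and mailboxes is checked against both event shapes. The `InfectedDeviceEvent` fields, the sample events and the watchlist are constructed; passwords are deliberately never carried, only the login and the site it belongs to, which is all that matching needs.

```python
"""Match an organization's identifiers against infected-device events.

Added example. The record shapes below are simplified stand-ins for a
marketplace listing and a parsed stealer log; they are assumptions, not
Flare's data model.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class InfectedDeviceEvent:
    source: str            # "listing" (metadata only) or "full_log" (parsed infection)
    website: str           # underground source the event was collected from
    infected_at: str       # ISO 8601 infection timestamp
    country: str
    partial_ip: str        # listings usually only expose part of the victim IP
    domains: list = field(default_factory=list)      # services credentials are believed to exist for
    credentials: list = field(default_factory=list)  # (login, url) pairs from full logs; no passwords


# Constructed watchlist: the identifiers an organization would register.
WATCHLIST = {
    "domains": {"example.com", "corp.example.net"},
    "emails": {"alice@example.com"},
}

# Constructed sample events, one of each kind.
SAMPLE_EVENTS = [
    InfectedDeviceEvent(
        source="listing", website="market-a", infected_at="2024-03-02T11:20:00Z",
        country="FR", partial_ip="203.0.113.x",
        domains=["vpn.corp.example.net", "mail.google.com", "example.com"],
    ),
    InfectedDeviceEvent(
        source="full_log", website="log-cloud", infected_at="2024-03-05T08:01:00Z",
        country="BR", partial_ip="198.51.100.x",
        credentials=[
            ("alice@example.com", "https://sso.example.com/login"),
            ("carol@example.com", "https://webmail.example.com/"),
            ("bob", "https://bank.invalid/"),
        ],
    ),
]


def host_of(value: str) -> str:
    """Return the lowercased host from a URL or a bare domain string."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.lower().strip("/")


def domain_matches(host: str, watched: str) -> bool:
    """True when host is the watched domain or any subdomain of it."""
    return host == watched or host.endswith("." + watched)


def find_exposures(event: InfectedDeviceEvent, watchlist: dict) -> list:
    """Return (kind, watched_identifier, observed_value) hits for one event."""
    hits = []
    watched_emails = {e.lower() for e in watchlist["emails"]}
    # Listing metadata: only service/domain names are available.
    for d in event.domains:
        h = host_of(d)
        for w in watchlist["domains"]:
            if domain_matches(h, w):
                hits.append(("domain", w, h))
    # Full logs: the site a credential belongs to and the login itself.
    for login, url in event.credentials:
        h = host_of(url)
        for w in watchlist["domains"]:
            if domain_matches(h, w):
                hits.append(("credential_site", w, h))
        login_l = login.lower()
        if login_l in watched_emails:
            hits.append(("email", login_l, h))
        elif "@" in login_l:
            mail_domain = login_l.rsplit("@", 1)[1]
            for w in watchlist["domains"]:
                if domain_matches(mail_domain, w):
                    hits.append(("email_domain", w, login_l))
    return hits


def exposed_events(events: list, watchlist: dict) -> list:
    """Pair each event that touches the watchlist with its hits, for triage."""
    out = []
    for ev in events:
        hits = find_exposures(ev, watchlist)
        if hits:
            out.append((ev, hits))
    return out


if __name__ == "__main__":
    for ev, hits in exposed_events(SAMPLE_EVENTS, WATCHLIST):
        print(f"{ev.source:8} {ev.website:10} {ev.country} {ev.partial_ip} infected {ev.infected_at}")
        for kind, watched, observed in hits:
            print(f"    {kind:16} {watched:22} <- {observed}")
```

A subdomain match on a listing (here `vpn.corp.example.net`) is the signal the page calls out: no credential is visible, yet a device that authenticated to your VPN is for sale. The email branch is checked before the email-domain branch so that an explicitly watched mailbox is reported as such rather than folded into the generic domain hit.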
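The regroupment and severity scoring steps above define two rules: events are merged into one card when title, content and website all match, with category and posting date allowed to differ, and underground events carry a severity of at least medium unless the analyzers flag them as noise. The added example below, which is not Flare's code, implements those two rules over constructed events; the `Event` and `Card` shapes, the `noise` flag standing in for the analyzers' verdict, and the severity ladder are assumptions.

```python
"""Regroupment and severity floor for underground events.

Added example, not Flare's own code. Event/Card fields, the `noise` flag
and the severity ladder are assumptions made for illustration.
"""
from dataclasses import dataclass, field

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]  # assumed ladder


@dataclass
class Event:
    title: str
    content: str
    website: str
    category: str        # website category, e.g. "fraud" or "carding"
    posted_at: str       # ISO 8601 posting date
    noise: bool = False  # analyzer verdict on this event (assumed flag)


@dataclass
class Card:
    title: str
    content: str
    website: str
    categories: set = field(default_factory=set)
    posting_dates: list = field(default_factory=list)
    noise_flags: list = field(default_factory=list)
    severity: str = "medium"


def regroup(events: list) -> list:
    """Merge events with identical title, content and website into one card.

    Category and posting date are deliberately left out of the key, so the
    same listing seen under "fraud" and "carding" on two dates is one card.
    Matching is exact, as the docs describe it.
    """
    cards = {}
    for e in events:
        key = (e.title, e.content, e.website)
        card = cards.get(key)
        if card is None:
            card = Card(e.title, e.content, e.website)
            cards[key] = card
        card.categories.add(e.category)
        card.posting_dates.append(e.posted_at)
        card.noise_flags.append(e.noise)
    return list(cards.values())


def score(card: Card, proposed: str = "medium") -> str:
    """Apply the underground floor: at least "medium" unless the card is noise.

    `proposed` is what content analyzers would assign on their own; the
    floor only raises it. A card is noise when every merged event was
    flagged, in which case severity is capped at "low".
    """
    if proposed not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {proposed!r}")
    p = SEVERITY_ORDER.index(proposed)
    if card.noise_flags and all(card.noise_flags):
        return SEVERITY_ORDER[min(p, SEVERITY_ORDER.index("low"))]
    return SEVERITY_ORDER[max(p, SEVERITY_ORDER.index("medium"))]


def enrich(events: list) -> list:
    """Regroup, then score every resulting card."""
    cards = regroup(events)
    for card in cards:
        card.severity = score(card)
    return cards


# Constructed sample: one listing seen twice on market-a under two
# categories, the same text on another site, and a noisy forum post.
SAMPLE_EVENTS = [
    Event("Account bundle - 500 logins", "Fresh batch, escrow accepted", "market-a", "fraud", "2024-03-01"),
    Event("Account bundle - 500 logins", "Fresh batch, escrow accepted", "market-a", "carding", "2024-03-04"),
    Event("Account bundle - 500 logins", "Fresh batch, escrow accepted", "market-b", "fraud", "2024-03-04"),
    Event("Looking for vendors", "pm me", "forum-x", "general", "2024-03-02", noise=True),
]

if __name__ == "__main__":
    for c in enrich(SAMPLE_EVENTS):
        print(f"[{c.severity:6}] {c.website:9} {c.title!r} categories={sorted(c.categories)} dates={c.posting_dates}")
```

The merge key is the tuple `(title, content, website)`: the third sample event has the same text but sits on `market-b`, so it becomes its own card, while the first two collapse into one card that records both categories and both dates. Scoring is applied to the card rather than to individual events, so a single noisy copy does not drag down a listing that other analyzers consider genuine.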