The Blog

New Release: Webhose Cyber API

Posted on October 24, 2018 by

Webhose’s New Cyber API Helps Stop Criminals and Hackers in their Tracks

We’ve been working very hard at Webhose on a new and improved solution for our customers. Today we’re thrilled to announce our new Cyber API, which includes coverage of new Dark Net networks and the extraction of many different entities from Dark Web posts. Best of all, it allows you to search cyber, open and deep web sources at once, all from a single endpoint.

In this post we cover a few new ways both businesses and organizations can use Webhose’s new Cyber API to help stop criminals and hackers in their tracks. We’ve included a number of examples relevant to law enforcement and security officials, such as the ability to run searches in the Dark Web by networks other than TOR in addition to a wide range of enriched entities and filters. That means an expanded search with greater coverage and even more granular filtering. For example, it’s now possible to find a cybercriminal’s communications in Telegram or Discord and filter posts according to their location or organization (and even wallet ID!).

Filtering by Network

The Dark Web, with its many webs of networks, can be difficult to navigate even for seasoned security analysts. For example, a criminal might hatch a plan to breach data on a centralized network such as TOR and at a later point discuss his plans on peer-to-peer networks such as I2P or ZeroNet, or encrypted platforms such as Telegram, believing that they are harder to trace.

Webhose’s new Cyber API allows you to expand your search of the darknet beyond that of TOR to six additional networks, including:

  • I2P
  • ZeroNet
  • IRC
  • Telegram
  • OpenBazaar
  • Discord

For instance, a security analyst might want to limit his or her search to only Telegram chats mentioning the words “DDOS,” “hacker,” and “ransomware.” No need to jump from network to network: you can now search cyber, deep and open web sources at once, from a single endpoint.

Query: extended.network:telegram AND "DDOS" "hacker" "ransomware"

Or let’s say a law enforcement official wants to search for all posts leaking emails and passwords from the most recent Twitter leak. The goal of the search is to gather data from as many different sources as possible.

Searching one network at a time, we found a Pastebin leak from July 23rd, with the first 100 emails and passwords posted immediately as a proof of concept (POC).

Query: enriched.email.count:>20 AND "twitter" "leak"

When we extend the search to cover Telegram results, we discover a group of hackers offering to sell 1,000 Twitter accounts (the term “twitter egg” refers to Twitter profiles without photos). Without the ability to search on multiple networks at once, a security analyst might have easily missed this important post!

In addition to providing an extensive search of the darknets for security analysts, this feature also provides an excellent tool for brand protection.

Enriched Entity Search

Through its enriched entity capability, Webhose’s Cyber API can extract a wide range of important data from posts all across the darknet, including:

  • Names
  • Email
  • Phone numbers
  • Locations
  • Keywords
  • Credit card information
  • Social security numbers
  • Wallet ID (including the wallet IDs of over 60 types of mainstream cryptocurrencies)

When executing searches for specific entities, it is worth taking the resulting count per entity into consideration, as it can indicate whether a document is an attractive target for hackers. In other words: the larger the entity count, the greater the potential value to criminals, and the greater the need for analysts to keep track of it.

See it in Action: Searching for Phone Numbers

Say a cybersecurity organization wants to keep its customers safe from attackers targeting their phones. How can it go about searching the massive contents of the Dark Web to find this information?

Using Webhose’s new Cyber API, we can search for posts according to the following specifications:

  • the first or last digits of a phone number
  • a specific phone number
  • a group of multiple phone numbers
  • finding both small and large dumps of hacked/leaked phone numbers with or without additional search conditions

A search for posts containing phone numbers starting with +1 together with the registrants’ names might surface a leak such as the following on Pastebin:

Query: enriched.phone.value:\+1* AND enriched.phone.count:5 AND enriched.person.count:5

See it in Action: Searching for Credit Card Numbers

Alternatively, a search for credit card numbers could reveal dumps of hacked or leaked credit cards. This is extremely valuable for organizations wanting to protect their customers from financial fraud and stolen IDs.

Using Webhose’s new Cyber API, we can search for posts according to the following specifications:

  • the first or last digits of a credit card
  • a specific credit card
  • a group of multiple credit cards
  • finding both small and large dumps of hacked/leaked credit card numbers with or without additional search conditions

This search feature is particularly valuable since it can distinguish between credit card information and other types of numbers such as phone numbers or numbers with similar templates.

For example, a search for American Express (AMEX) credit card numbers reveals a list in a Telegram chat (with the first 28 exposed to the public as a POC). After a bit of simple research on the open web, we discovered that AMEX customers usually have cards that begin with 37, with three different permutations of the first four digits depending on the type of account they have. The basic variations are: 3710, 3712 and 3728.
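The distinction relied on above (a card number versus a phone number or another digit run of similar shape) comes down to three checks that any entity extractor can apply: the length of the digit run, the issuer prefix, and the Luhn checksum that every payment card number satisfies and a phone number passes only by chance. The following Python is an added illustration of those checks, not Webhose’s extraction logic, which this post does not describe. The AMEX prefixes are the three listed above; the sample text, the card-shaped numbers in it (constructed Luhn-valid and Luhn-invalid test values, not real cards) and the phone-number heuristic are all assumptions.

```python
"""Tell payment-card numbers apart from phone numbers and other digit runs.

Added illustration, not Webhose's extraction logic. Only the three AMEX prefixes
named in the post are modelled; a real extractor keeps a full issuer table.
"""
import re

AMEX_PREFIXES = ("3710", "3712", "3728")   # from the post
AMEX_LENGTH = 15                            # AMEX card numbers are 15 digits

# Constructed sample text: one Luhn-valid 15-digit number starting with 3712
# (a test value, not a real card), one that fails the checksum, and a US
# phone number in the "+1" form the post searches for.
SAMPLE_TEXT = """
card: 3712-345678-90120   # constructed, passes Luhn
card: 3712-345678-90121   # constructed, fails Luhn (typo or fake)
call +1 212 555 0100 for details
"""

# A run of at least nine digits, optionally separated by spaces or hyphens,
# optionally starting with "+". Newlines are deliberately not allowed inside.
_DIGIT_RUN = re.compile(r"\+?\d[\d -]{7,}\d")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum all digits, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(raw: str) -> str:
    """Return "credit_card", "phone" or "other" for one digit run found in text."""
    digits = re.sub(r"\D", "", raw)
    # A card is only accepted when length, issuer prefix and checksum all agree.
    if len(digits) == AMEX_LENGTH and digits.startswith(AMEX_PREFIXES) and luhn_valid(digits):
        return "credit_card"
    # Assumed phone heuristic: international "+" prefix or a 10/11-digit national number.
    if raw.lstrip().startswith("+") or len(digits) in (10, 11):
        return "phone"
    return "other"


def extract(text: str) -> dict:
    """Group every digit run in text by kind; "other" collects the near-misses."""
    found = {"credit_card": [], "phone": [], "other": []}
    for match in _DIGIT_RUN.finditer(text):
        raw = match.group(0)
        found[classify(raw)].append(re.sub(r"\D", "", raw))
    return found
```

Running `extract(SAMPLE_TEXT)` files the first number under `credit_card`, the phone number under `phone`, and the Luhn-invalid near-miss under `other`. The checksum is what keeps a 15-digit phone or order number from being reported as a card; in practice the issuer table and the phone heuristics are where an extractor’s false-positive rate is decided.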

Query: enriched.credit_card.count:>10 AND (enriched.credit_card.value:3712* OR enriched.credit_card.value:3710* OR enriched.credit_card.value:3728*) AND FULLZ

See it in Action: Searching for Names of Organizations

What if you’re a brand that has put a lot of time and effort into building your products and reputation, and you want to protect your brand at all costs from counterfeit products? Analysts can now search the darknet to discover mentions of specific organizations or brand names lurking in the Dark Web.

Using the Cyber API, we can search for posts according to the following specifications:

  • finding posts by a particular organization name
  • finding posts that contain many or a few mentions of organizations, with or without additional search conditions
  • finding chatter about specific companies in the Dark Web

Here are the search results for a vendor selling counterfeit Gucci, Givenchy, Rolen and other products on the Rapture Forums in TOR:

See it in Action: Searching for Site Names

The many networks of the darknet change or shut down all the time to evade intelligence operations. To keep their content from disappearing forever, most darknet domains are replicated so that the content stays available to as many users as possible for as long as possible. Most users, however, have no way to find this replicated content.

Webhose’s new Cyber API now links the various domain names of each marketplace so that their results appear together under one result. In simple terms, analysts can now search once and receive results from all the domain names of darknet markets such as Dream Market or AlphaBay Market.

Say an analyst wants to find all posts on Tochka Market. With a simple query for the onion address tochka3evlj3sxdv.onion, they can find hundreds of search results.

Query: site.domain:tochka3evlj3sxdv.onion

But by expanding the query to the site’s name, we receive thousands of results. This helps analysts who don’t know the domain names they are looking for but still want those domains covered by their search.

Query: site.name:tochka

See it in Action: Searching for Wallet IDs

With the anonymity of cryptocurrencies, it’s become difficult, if not impossible to track criminals and hackers receiving payment via the blockchain. But now analysts can start to trace these criminals by their wallet ID.

Using the Cyber API, we can search for posts according to the following specifications:

  • by a particular wallet ID
  • by multiple wallet IDs with the same first or last digits
  • by multiple wallet IDs while defining at least one in the search
  • by large or small dumps of hacked/leaked wallet IDs, with or without additional search conditions

An example from a search for hacked wallet IDs brings us to the Bitcoin Address market, where a user offers wallet private keys for sale to gain access to the bitcoins those wallets hold.

Query: "hack" AND "wallet" AND enriched.wallet_id.count:>5
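Every query in this post, from the Telegram network filter through the email, phone, credit card, site and wallet ID searches, uses the same filter syntax: a field name, a colon, and a value that is a count bound (>20), a prefix wildcard (3712*) or an escaped literal (\+1*), joined with AND and OR and combined with quoted keywords. The following Python helper is an added example, not Webhose’s client library or documentation; it rebuilds each query shown in the post from those pieces so the escaping and grouping rules are explicit. The field names are the ones that appear in the post; the reserved-character list, the endpoint URL and the token and q parameters are assumptions to be replaced from your own API documentation.

```python
"""Build Webhose Cyber API filter queries in the syntax used throughout this post.

Added example, not Webhose's own client. Field names (extended.network,
enriched.<entity>.count / .value, site.domain, site.name) are those shown in the
post; the reserved-character list, the endpoint and the token/q parameters are
assumptions, labelled below.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: Lucene-style reserved characters. Escaping "+" as "\+" is what the
# post's enriched.phone.value:\+1* query does.
_RESERVED = set(r'+-&|!(){}[]^"~*?:\/')

# Assumption: endpoint name; take the real one from your API documentation.
ENDPOINT = "https://webhose.io/cyberFilter"


def escape(value: str) -> str:
    """Backslash-escape reserved characters inside a literal field value."""
    return "".join("\\" + ch if ch in _RESERVED else ch for ch in value)

def phrase(term: str) -> str:
    """Quote one free-text keyword, as the post does with "DDOS" or "leak"."""
    return '"' + term.replace('"', '\\"') + '"'

def terms(*words: str) -> str:
    """Quoted keywords side by side, e.g. "DDOS" "hacker" "ransomware"."""
    return " ".join(phrase(w) for w in words)

def network(name: str) -> str:
    """Restrict results to one darknet network, e.g. extended.network:telegram."""
    return f"extended.network:{escape(name)}"

def entity_count(entity: str, n: int, op: str = "") -> str:
    """How many entities of one kind were extracted, e.g. enriched.email.count:>20.
    op is "" for an exact count or ">" for a lower bound, the two forms the post uses."""
    if op not in ("", ">"):
        raise ValueError("only exact counts and '>' lower bounds are shown in the post")
    return f"enriched.{entity}.count:{op}{n}"

def entity_prefix(entity: str, prefix: str) -> str:
    # Prefix wildcard on an extracted value, e.g. enriched.phone.value:\+1*
    return f"enriched.{entity}.value:{escape(prefix)}*"

def site_domain(domain: str) -> str:
    return f"site.domain:{escape(domain)}"

def site_name(name: str) -> str:
    return f"site.name:{escape(name)}"

def all_of(*clauses: str) -> str:
    return " AND ".join(clauses)

def any_of(*clauses: str) -> str:
    """Parenthesised OR group, as in the AMEX prefix query."""
    return "(" + " OR ".join(clauses) + ")"


# The queries from the post, rebuilt from the pieces above.
def telegram_chatter_query() -> str:
    return all_of(network("telegram"), terms("DDOS", "hacker", "ransomware"))

def twitter_leak_query() -> str:
    return all_of(entity_count("email", 20, ">"), terms("twitter", "leak"))

def us_phone_with_names_query() -> str:
    return all_of(entity_prefix("phone", "+1"),
                  entity_count("phone", 5), entity_count("person", 5))

def amex_dump_query() -> str:
    prefixes = any_of(*(entity_prefix("credit_card", p) for p in ("3712", "3710", "3728")))
    return all_of(entity_count("credit_card", 10, ">"), prefixes, "FULLZ")

def hacked_wallet_query() -> str:
    return all_of(phrase("hack"), phrase("wallet"), entity_count("wallet_id", 5, ">"))


def request_url(query: str, token: str = "YOUR_TOKEN") -> str:
    """Percent-encode the query so backslashes, "+" and quotes survive the request.
    Assumption: the filter travels in a "q" parameter next to token and format."""
    return ENDPOINT + "?" + urlencode({"token": token, "format": "json", "q": query})

def query_from_url(url: str) -> str:
    """Recover the q parameter from a built URL, to check that encoding round-trips."""
    return parse_qs(urlparse(url).query)["q"][0]
```

`request_url(us_phone_with_names_query())` yields a URL whose q parameter decodes back to the exact string shown in the post; building the URL by hand is where the backslash in `\+1*` or the quotes around keywords usually get lost. Combining helpers is enough for variants the post does not show, for example `all_of(network("discord"), entity_count("wallet_id", 5, ">"))`.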

Simplifying the Complex Task of Analysts

Preventing and catching criminals and hackers can be an extensive and exhausting search, even with the collaboration of many different worldwide national security agencies. It requires a lot of research, time, patience, and often, a lucky break.

To expedite this process, Webhose now offers enhanced monitoring of threats with its ability to trace cryptocurrency and track the identities of criminals and hackers more easily. In addition, its improved threat intelligence enables optimized identification and profiling of criminals and hackers.

By joining together different data points from all over the Dark Web, Webhose’s additional filters help analysts slice and dice data in a more effective way, allowing them the opportunity to help prevent crime and security breaches long before they occur.

This entry was posted in Dark Web.