Favicon Matching
The second method used to uncover the surface-internet (clear web) footprint of a dark web site is favicon matching. A favicon is the small icon associated with a URL that browsers display in the address bar or next to the site's name in the bookmark list; in a nutshell, it serves as a visual branding badge for a website.
Just as with TLS certificate matching, the public internet can be indexed and searched to see whether a favicon found on a dark web site also appears on a surface web host.
Favicons are served from a well-known location (normally /favicon.ico at the web root), which makes them trivial to retrieve. Shodan crawls the public internet, fetches favicon.ico from the hosts it sees and indexes each one by a hash, exposed as the http.favicon.hash filter. The same hash computed over the favicon fetched from an onion site can therefore be searched against every clear-web host serving an identical icon.
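The following is an added example, not code from the original post. It computes the favicon hash the way Shodan's http.favicon.hash filter expects it: MurmurHash3 (x86, 32-bit, signed) over the base64 text of the icon, including the 76-column line breaks that Python's standard base64 encoder inserts. MurmurHash3 is written out in full so the script runs without the third-party mmh3 package. The onion host name, clearnet addresses and icon bytes are constructed placeholders, not data from the article.

```python
import base64
import struct

# MurmurHash3 x86_32 constants (the hash behind Shodan's http.favicon.hash filter).
_C1 = 0xCC9E2D51
_C2 = 0x1B873593
_MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & _MASK32


def _fmix32(h: int) -> int:
    # Final avalanche step of MurmurHash3.
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & _MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & _MASK32
    h ^= h >> 16
    return h


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returned as a signed 32-bit int (same convention as mmh3.hash)."""
    h1 = seed & _MASK32
    nblocks = len(data) // 4
    # Body: consume 4-byte little-endian blocks.
    for (k1,) in struct.iter_unpack("<I", data[: nblocks * 4]):
        k1 = (k1 * _C1) & _MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * _C2) & _MASK32
        h1 ^= k1
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & _MASK32
    # Tail: up to 3 remaining bytes.
    tail = data[nblocks * 4:]
    k1 = 0
    if len(tail) >= 3:
        k1 ^= tail[2] << 16
    if len(tail) >= 2:
        k1 ^= tail[1] << 8
    if len(tail) >= 1:
        k1 ^= tail[0]
        k1 = (k1 * _C1) & _MASK32
        k1 = _rotl32(k1, 15)
        k1 = (k1 * _C2) & _MASK32
        h1 ^= k1
    h1 ^= len(data)
    h1 = _fmix32(h1)
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan hashes the base64 text of the icon, line breaks included
    (what base64.encodebytes / codecs.encode(data, "base64") produce), not the raw bytes."""
    return murmur3_32(base64.encodebytes(favicon))


def shodan_query(favicon: bytes) -> str:
    """The search string to paste into Shodan for this icon."""
    return f"http.favicon.hash:{shodan_favicon_hash(favicon)}"


def match_favicons(onion_icons: dict, clearnet_icons: dict) -> list:
    """Return (onion_host, clearnet_host) pairs whose favicons hash identically."""
    by_hash = {}
    for host, icon in clearnet_icons.items():
        by_hash.setdefault(shodan_favicon_hash(icon), []).append(host)
    matches = []
    for onion, icon in onion_icons.items():
        for host in by_hash.get(shodan_favicon_hash(icon), []):
            matches.append((onion, host))
    return matches


# Constructed stand-in favicons (a 6-byte ICO header plus filler, not real icons).
FAKE_ICON_A = b"\x00\x00\x01\x00\x01\x00" + bytes(range(64))
FAKE_ICON_B = b"\x00\x00\x01\x00\x01\x00" + bytes(range(64, 128))

# Hypothetical hosts: one onion site and two clear-web hosts (RFC 5737 documentation addresses).
ONION_ICONS = {"example-leak-blog.onion": FAKE_ICON_A}
CLEARNET_ICONS = {"203.0.113.10": FAKE_ICON_A, "198.51.100.7": FAKE_ICON_B}

if __name__ == "__main__":
    for onion, icon in ONION_ICONS.items():
        print(onion, "->", shodan_query(icon))
    print("matches:", match_favicons(ONION_ICONS, CLEARNET_ICONS))
```

In a real run the constructed icon is replaced with the bytes fetched from the onion site's /favicon.ico over Tor, and the printed query is searched in Shodan. Treat a hit as a lead rather than proof: many sites ship the same stock favicon (a CMS or framework default), so confirm with the TLS certificate, page content and hosting details before attributing the clear-web host to the operator.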
The Quantum Ransomware Gang
The Quantum Ransomware Gang's website is a case where this technique can be used to discover the group's infrastructure that is exposed to the public internet.
The group has been making headlines lately for its high-speed ransomware campaigns, yet it still makes simple operational security (OPSEC) mistakes.
Like other groups, it runs a hidden blog about its operations on Tor, where it posts stolen data.
De-Anonymization
Associated Domains
Carrying out a reverse DNS (rDNS) lookup on the IP address returns several domains associated with it, including dynamic DNS subdomains:
- quantumleap[.]quest
- iwasruninhome[.]site
- qxv.staceyvicari[.]com
- mtr.ddns[.]mobi
- Ugroza.123ddns[.]com