10 things you should know about navigating the dark web

The dark web refers to web pages that are not indexed by search engines. Under the cloak of anonymity, cybercriminals and threat actors can operate, selling an array of tools and services that can be used to wreak havoc on organizations. There’s a lot for CISOs to come to grips with and here are 10 things to be aware of when navigating the dark web.

New dark web services pop up every day

The number and variety of cybercrime services available on the dark web are growing, according to Ivan Shefrin, cybersecurity expert at Comcast Business. This includes botnets, easy-to-deploy commodities, stolen credentials, simple exploits and sophisticated exploits such as access to privileged systems like Active Directory and unpublished zero-day exploits.

Botnets are cheap and easy to use, so they continue to be among the most common cybercrime commodities sold on the dark web. “These large networks of compromised computers and IoT devices can be used for a variety of malicious cyber activities, including DDoS attacks, e-commerce click fraud, ransomware and crypto mining. Since it’s become relatively easy to repurpose bots across different types of attack vectors, this has led to the creation of a botnet black market,” Shefrin says.

Stolen credentials have replaced exploits as the most common method of gaining initial access to internal environments, impacting what’s in demand on the dark web. “Among the most sought-after are valid credentials for remote desktop access, which saw a large increase during the COVID-19 pandemic,” says Shefrin. “The dark web is everyone’s go-to source for gaining initial access to victims’ networks.”

Some spaces are by invitation only

There’s a whole ecosystem on the dark web for the sale of vulnerabilities and exploits against corporate systems, many of them invitation-only, according to Gareth Owenson, an experienced dark web researcher and Searchlight Cyber CTO.

The way it works is that criminals undertake some reconnaissance on the target and its network, so by the time they turn to the dark web they already know which systems and networks it is running. “They go on to these marketplaces looking for vulnerabilities for those particular systems. And when they find them, they pay a price for an exploit which works against that vulnerability,” says Owenson.

A supply chain exists for designing attacks against corporate networks, where criminals will buy different services and technical goods from other actors, some of which are individuals and others are serious, organized criminal groups on the dark web. “The actors behind an attack may not access the organization’s network directly themselves. They may pay someone else to do that because that person has bought a vulnerability on the dark web to gain the access,” he says.

Knowing the right people or paying for access is usually the most common way to gain access to invite-only forums, according to Ryan Estes, intrusion analyst at WatchGuard Technologies. “You could also build trust with members of these groups or forums, but that is usually something that law enforcement officials acting undercover do,” he says.

Rennie Westcott, Intelligence Analyst with Blackbird AI, says access to invite-only places is typically obtained through third-party data providers. “Most organizations will not have a risk tolerance that permits employees to access invite-only deep and dark web forums.”

However, experienced professionals at organizations with a high risk tolerance can certainly see benefits from trawling deep web forums for things like exposed credentials and TTPs relevant to their organization’s security infrastructure. “Researchers will typically create fake personas tailored to the site they’re looking to access–this is where language skills and the ability to assimilate into fringe communities are essential,” he adds.

There is bad stuff, and crackdowns mean it’s harder to trust

Law enforcement may infiltrate groups and pull together enough detail to identify the group running a site, or group members may make a mistake, such as accidentally posting their real-world email address, and be identified and arrested.

However, one of the challenges for law enforcement in taking out these groups is that they rotate their infrastructure. A recent law enforcement crackdown saw a coordinated takedown of many servers at once, because if a single server is missed, the whole thing stays running, says Owenson. “So, if all enforcement goes after one server, they’ve got servers all over the world that automatically fill in and replace when those servers are taken down,” he says.

Law enforcement agencies in many countries, including the Australian Federal Police (AFP), are actively policing the dark web through sophisticated techniques, targeted operations and new policing powers such as network activity and data disruption warrants. They target the illicit sale of personal data, malware and cybercrime tool development and sales, as well as ‘cybercrime-as-a-service’. “The goal is to identify, disrupt and prosecute cybercriminals domestically, and through international law enforcement partnerships,” an AFP spokesperson says.

“Joint domestic and international law enforcement actions have led to significant arrests and seizures of criminal assets and illicit funds and have enhanced the safety and security of the online environment for Australians,” the spokesperson says.

Some of the major operations include the takedown of Genesis Market that offered stolen credentials and access to compromised devices, and the shutdown of ‘DarkMarket,’ which had almost 500,000 users, more than 2,400 sellers and more than 320,000 transactions.

Law enforcement agencies will also need to respond to major breaches with dedicated task forces to monitor and minimize the misuse of sensitive and personally identifiable information (PII). Another example is Operation Guardian, delivered in partnership with state and territory police and the Australian Cyber Security Centre, which was established after major Australian breaches to Optus, Medibank and Latitude. “Operation Guardian works to disrupt criminal conduct, including the potential sale of PII on the dark web, and prosecute those responsible,” the spokesperson says.

There is a lot for sale on the dark web

Maybe not everything, but just about everything is available. Illicit and illegal goods such as drugs, firearms and poisons, as well as exploits, vulnerabilities, access, tools, techniques and stolen data, are all commodities sold on the dark web.

Data is the most common commodity sold on the dark web, according to Nirmit Biswas, senior research analyst at Market Research Future. “Account credentials, credit card information, addresses and social security numbers have all been hacked. Someone might not even realize they’ve been hacked, yet their company and employee information could be sold,” Biswas says.

According to the Privacy Affairs Dark Web Price Index, attackers can make a lot of money from stolen personal information on anything from credit cards to Netflix accounts. Currently, the going rate for stolen credit card information with a balance of up to $1,000 is only $70, while cards with a balance of up to $5,000 cost $110. “The index shows how cheap it is to get data on the dark web,” says Biswas.

Specific niches are in 

What was once a small, unknown area of the internet has grown into a formidable power, according to Biswas, and attackers are innovating to stay ahead of defenders in the cat-and-mouse game.

The dark web has become more diversified and more comprehensive, and one area seeing growing interest is ransomware, with attacks spurring further criminal activity on the dark web.

Cybercriminal syndicates will publish the stolen data if a ransom isn’t paid. They will also make it easier for other criminals to search that data for staff and customer emails. This is intended to increase the reputational harm to an organization, thereby increasing the possibility they will pay the ransom.

“And because ransomware material is so popular, hackers are taking photographs from ransomware collections and botnet log files and publishing them in the hopes of increasing their reputation and renown,” Biswas says. Many marketplace sellers also provide zero-day exploits that have yet to be found or publicized. “In other cases, when companies reveal software vulnerabilities, the operational exploits become accessible on darknet forums and markets,” he says.

Another area on the up is marketing lead databases, which have been available on the dark web for some time, but the aggregate amount has increased dramatically in recent years, according to Biswas. Although the data may be publicly available on social media or in business directories, it’s scraped and reposted. And it may not even be 100% accurate. “But it still exposes a vast number of individuals to phishing scams, corporate fraud, and social engineering,” he says.

Data breach standardization is becoming the norm, explains Sarah Boutboul, intelligence analyst at Blackbird AI, helping bad actors engage in more targeted searches for the particular information they’re seeking on the dark web. It means that data breach activity has become more organized in hacking forums, chat apps, and paste sites. “Threat actors increasingly request and share data that fit specific categories, leading to a more structured landscape for illicit data trading,” Boutboul says.

And you can use the dark web to buy more dark web

Not surprisingly, the dark web also sells the technical tools and information to set up another dark web. “There are many dark webs already,” says Douglas Lubhan, VP of threat intelligence at BlackFog. “Basically, any network that is shielded from internet search engines and restricts access to it is a dark web. You could layer upon layer if you choose to,” he says.

Dark web usage is going up

The number of users across relays has increased in 2023, and the number of relays themselves has increased, according to Tor metrics, suggesting dark web usage is on the rise.

There are a few well-known forums offering vulnerability and exploit auctioning, bartering or selling, according to WatchGuard’s Estes, which include the Russian Anonymous Marketplace (RAMP), exploit[.]in and xss[.]is.

Estes says these forums are also vectors for recruitment efforts by ransomware groups and offer hacking tips for sale. “In some cases, users will sell access information to organizations in what are called IABs (initial access brokers). The dark web is a hodgepodge of cybercriminal commerce,” he says.

And there are new domains coming online all the time. “We observe a handful of new ransomware double extortion pages a month; in some cases, these are rebrands of previously known ransomware groups. So, as some websites go down, others arise (rebrand). The volume of dark web domains has remained stagnant, even though the overall traffic has increased recently,” Estes says.

Many are perfectly innocent

Estes agrees that there are legitimate purposes for using anonymizing tools like Tor. In some cases, organizations create both a clear web and a dark web domain. “The most obvious reason for this is to allow users who don’t use Tor to access their website,” says Estes, citing the FBI and X (formerly Twitter) as two examples.

In terms of malicious sites, there have been cases where a ransomware group creates a typo-squatted domain or dark web domain that mirrors a victim’s website. “They then provide instructions or more blackmail attempts to further coerce victims into paying. ALPHV/BlackCat and Lorenz are examples of these,” Estes says.

Some of the legitimate uses of anonymizing technology like Tor include when journalists, activists and others need to host content anonymously and protect their communications from governments or oppressive regimes. Owenson acknowledges Tor has legitimate uses for privacy and circumventing censorship; however, his research suggests the vast majority of activity is criminal in nature.

Owenson believes the problem is that those who run the Tor network, despite it hosting illicit activities, do not actively police sites because of their ideological commitment to anonymity. “They’ve expressed that they have no interest in censoring any part of the dark web.”

It’s still mimicking the corporate world

The dark web is increasingly becoming corporate in various areas, such as hacking, recruitment and technology services. Cybercriminals will create look-alike mobile applications, websites and social media profiles of executives and companies that appear exactly like the real thing.

“It could be a banking app that looks like your bank but isn’t. If you download it or visit a site and submit your username and password, you will be impacted. If it’s a fake social media profile, cybercriminals may share manipulated information that impacts the company brand and stock price,” says Blackbird AI’s Boutboul.

In addition, dark web forums are adopting stricter, enterprise-style access controls in response to heightened law enforcement action. “Admins scrutinize newcomers more carefully, demanding references and verification tokens. Some platforms require significant cryptocurrency payments upfront,” Boutboul says. “Cybercriminals are responding to increased law enforcement activities by enhancing their own security measures.”

How can organizations combat the threats the dark web poses?

There are a range of tools and services that scan the dark web looking for organizational threats and vulnerabilities but it’s a constantly moving target. “Dark web surveillance is a constantly changing field that requires continual updates and tweaks to stay successful,” Biswas says.

An effective dark web monitoring system should provide broad visibility into the dark web without having to enter it. “This keeps admin users from placing themselves in danger or being exposed to provocative content. Keywords relevant to your organization should be highlighted by the solutions. You may then watch the threat as it evolves in order to respond accordingly,” he says.

“There is no one dark web monitoring solution for all use cases; some are entirely automated, others require a team of specialists to manage, and some rely on machine learning and artificial intelligence to give accurate and relevant information,” Biswas says.
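To make the keyword-highlighting step Biswas describes concrete, here is an added illustration (not code from the article or from any monitoring vendor) of the matching logic a defender would run over records a monitoring feed has already collected, so nobody on the team has to visit the sites themselves. The sample posts, the organization name and the `example-corp.com` domain are all constructed for the example. Two details matter in practice and are handled here: forum posts often write domains "defanged" (`example[.]com`, as this article does for exploit[.]in), so the text is normalized before matching; and a short brand term must not fire on every longer word that happens to contain it.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample records standing in for a monitoring feed (not real posts).
SAMPLE_POSTS = [
    {"id": "p1", "source": "forum",
     "text": "Selling RDP access to example-corp[.]com, 40 hosts, domain admin included"},
    {"id": "p2", "source": "paste",
     "text": "combo list sample: jdoe@example-corp.com:Winter2023! (1,200 lines total)"},
    {"id": "p3", "source": "forum",
     "text": "Anyone have a working exploit for Acmeville CMS 2.1?"},
    {"id": "p4", "source": "market",
     "text": "Fresh streaming accounts, 1 USD each, bulk discounts"},
    {"id": "p5", "source": "leak-site",
     "text": "ACME Corp data published, ransom not paid, 30GB archive"},
]

# Terms an organization would watch for: its domains, brand names, executive names.
# Hypothetical values, chosen to exercise the matching rules below.
WATCHLIST = ["example-corp.com", "acme corp", "acme"]


@dataclass(frozen=True)
class Hit:
    post_id: str
    source: str
    term: str
    snippet: str


def refang(text: str) -> str:
    """Undo common 'defanging' (example[.]com, hxxp://) so watchlist terms written
    as real domains and URLs still match obfuscated mentions."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text


def compile_watchlist(terms: Iterable[str]) -> list[tuple[str, re.Pattern]]:
    """One case-insensitive pattern per term. The lookarounds require the term to
    stand on its own, so 'acme' does not fire on 'Acmeville'."""
    return [
        (term, re.compile(r"(?<![\w-])" + re.escape(term) + r"(?![\w-])", re.IGNORECASE))
        for term in terms
    ]


def find_mentions(posts, terms: Iterable[str], context: int = 25) -> list[Hit]:
    """Scan feed records for watchlist terms; return one Hit per (post, term)
    with a short snippet around the first match for analyst triage."""
    patterns = compile_watchlist(terms)
    hits = []
    for post in posts:
        text = refang(post["text"])
        for term, pattern in patterns:
            m = pattern.search(text)
            if m:
                start = max(0, m.start() - context)
                end = min(len(text), m.end() + context)
                hits.append(Hit(post["id"], post["source"], term, text[start:end]))
    return hits


def posts_mentioning(posts, terms: Iterable[str]) -> list[str]:
    """Distinct post ids that mention any watchlist term, suitable for a review queue."""
    return sorted({h.post_id for h in find_mentions(posts, terms)})


if __name__ == "__main__":
    for hit in find_mentions(SAMPLE_POSTS, WATCHLIST):
        print(f"{hit.post_id:<3} {hit.source:<10} {hit.term:<18} ...{hit.snippet}...")
```

Run against the constructed feed, the credential dump and the access-for-sale post both surface through the company domain, the leak-site entry surfaces through the brand name, and the unrelated CMS exploit request is correctly ignored despite containing the letters "acme". In a real deployment the same matcher would sit behind whatever collection service the organization pays for, and the watchlist would be maintained alongside the asset inventory.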
