
The Cyber-Crime Superhighway: A Tour of the Dark Web

In its 2015 U.S. State of Cybercrime Survey, Pricewaterhouse Coopers calls 2015 “a watershed year for cybercrime,”[1] a conclusion echoed in many studies, which found that cybercrime has now outpaced insider theft, mishandling of records, and other sources of data breaches. The PwC study showed that hackers, hacktivists, organized crime, and foreign nation-states accounted for 61 percent of data security threats in 2014, and if the headlines are any indication, the trend is continuing. The study found 76 percent of US executives expressing growing concern about cyber threats, which is encouraging if it leads their organizations to a higher state of readiness to deal with these threats.

If forewarned is indeed forearmed, then every information security, risk, privacy, and compliance professional needs to become intimately familiar with emerging threats and threat actors.

What is the Dark Web?

Most people navigate the World Wide Web via well-known search engines such as Google or Bing. But that part of the web is just the tip of a metaphorical iceberg. Underneath the publicly accessible web is the “Deep Web,” the part of the web that is not indexed by common search engines. The Deep Web is estimated to be at least 400 times the size of the “Surface Web” or “Clearnet,” as it is called by Dark Web denizens, and it is the fastest-growing category of new information on the Internet.[2] Over half of the Deep Web is made up of hidden, topic-specific databases that can only be queried through direct links, and some of it is detritus such as old web pages that no longer have public links. But it also hosts the “Dark Web,” a series of networks called “darknets” that overlay the public Internet but require specific software or authorization to access. Darknets were created to allow users to operate anonymously, so it’s no surprise that a lot of the Dark Web is devoted to criminal activities. A recent study[3] found that the most commonly requested information on one of the top darknets, Tor (an acronym for “The Onion Router”), is child pornography, followed by black markets for drugs, stolen information, weapons, counterfeit currency, and more.

Who’s Who on the Dark Web

Like the public web, the Dark Web community has its social media, ecommerce sites, and news sources. Tor runs on free software that allows people to communicate anonymously on the Internet. “Onion routing” was originally conceived at the U.S. Naval Research Laboratory and developed by DARPA (Defense Advanced Research Projects Agency),[4] and it has been praised for protecting the privacy of political activists, whistleblowers, and vulnerable political minorities, and for helping combat censorship and oppression, but it also provides the anonymity needed for illicit buying and selling. Today, Tor directs Internet traffic through a free, worldwide, volunteer network consisting of more than six thousand relays used to conceal a user’s location and usage from anyone conducting network surveillance or traffic analysis. Tor browsers can be downloaded free for Windows, Mac OS X, and Linux.

The Dark Web hosts a worldwide marketplace of illicit goods and services, most of which are paid for in Bitcoin, the preferred currency of the black market. The first and best known of the Dark Web ecommerce sites was the Silk Road, a black market that traded mostly in illegal drugs and was shut down by the FBI in 2013. For the time being, Agora has taken Silk Road’s place as a major market for drugs and stolen goods and information. Some of the other major markets today include AlphaBay Market, which offers thousands of sets of stolen information to fuel large fraud operations; Cyber-Arms Bazaar, a crimeware and hacking tool company based in Eastern Europe; and Amazon Dark, a site that mimics the look and function of Amazon, and where vendors sell everything from drugs to hacking software. (Most dark markets even feature online customer reviews and ratings, à la Amazon and eBay.) In part 1 of this series on cyber-crime, we discussed the prices of stolen personal information on the Dark Web, but sites such as Agora sell all kinds of stolen information: for example, a recent article by Norse blogger Bev Robb reported that Agora currently lists over 4,100 pirated books.

DeepDotWeb is the Dark Web’s equivalent of the New York Times and Wall Street Journal, rolled into one. It features market reports on the major black markets, from Agora to London Underground and East India Company, and Bitcoin price analyses that read like the Dow Jones report. With its slick design and professional journalism, it features straight news articles, everything from investigations on opioid use and culture to new advancements in hacking software; news of law enforcement programs targeting the Dark Web; opinion pieces by notable hackers; cyber-crime how-to articles; “celebrity” stories on whistleblowers and hackers like Dread Pirate Roberts (aka Ross Ulbricht, creator of Silk Road); advertisements for hacking education, tools, and Bitcoin “cleaners” (the Bitcoin equivalent of money laundering); and even reports on darknet scams such as Bitcoin “multipliers” and hacks of dark markets, because the criminal inhabitants of the Dark Web are also wont to turn on each other.

A Dark Web Lexicon

If you read DeepDotWeb, you quickly realize that the Dark Web has a language of its own. Here are just a few of the Dark Web practices that could be targeting your business right now:

  • Carding schemes are whole programs for monetizing stolen credit card information. Dark Web users can join carding forums where they learn how to steal card numbers and clone cards, how to cash out the card’s credit limit, how to sell card numbers, how to get personal information to fully exploit a card (card numbers with complete information are known as “fullz”), and how to set up as a vendor of stolen card information. According to a DeepDotWeb report, Russians have been the innovators in carding schemes.
  • Doxxing is stealing and publishing private or personal information about someone, usually with malicious intent. The information is often obtained through social media or social engineering, and the tactic is often used by “hacktivists” to shame public figures or companies, although the threat of exposing information can also be used for coercion or extortion. For example, executive emails were “doxxed” in the recent Sony breach.
  • Dumping is the practice of posting large sets of private information on the Dark Web. For example, after the recent Office of Personnel Management breach, databases containing personal information and email addresses of thousands of federal employees were dumped. Data dumps may be put up for sale or exposed publicly to embarrass or damage the organization that was breached.
  • DNM is an acronym for darknet markets.
  • Darknet vendors use exit scams to get out of a black market business, for example, if law enforcement gets too close, while still pocketing money from customers. Sellers simply continue to advertise and accept payment while not delivering product, and when the online customer reviews turn negative, the vendor simply posts that he or she has been scamming and has skipped town, so sorry, better luck next time. A recent article in Motherboard described exit scams as “the Darknet’s perfect crime.”

Stay Informed and See Them Coming

The first step to defend against all these threats is to know what they are and where they’re coming from. For example, social engineering attacks are often the first step in wholesale attacks on an organization’s internal systems. By tracking new social engineering scams, your information security/privacy team can warn employees and customers about phishing attacks ahead of time and help keep them from revealing information that could lead to the introduction of malware and massive breaches.

Some good sources to read are Brian Krebs’ excellent column on cybersecurity, the Norse Dark Matters newsletter, DeepDotWeb for the buzz in the cybercrime community, and, of course, this blog for perspectives and best practices on breach prevention and response. Our next installment in this series will be about one of the newest and most surprising cyber-threats against businesses: the methods and motivations behind cyber-espionage and cyber-attacks by nation-states.


[1] U.S. cybersecurity: Progress stalled. Key findings from the 2015 U.S. State of Cybercrime Survey, PwC, July 2015. The 2015 US State of Cybercrime Survey was co-sponsored by PwC, CSO, the CERT® Division of the Software Engineering Institute at Carnegie Mellon University, and the United States Secret Service.

[2] Bergman, Michael K (August 2001). “The Deep Web: Surfacing Hidden Value”. The Journal of Electronic Publishing 7 (1).

[3] Owen, Gareth. “Dr Gareth Owen: Tor: Hidden Services and Deanonymisation”. Retrieved 20 June 2015.

[4] “Tor (anonymity network)”, Wikipedia, https://en.wikipedia.org/wiki/Tor_%28anonymity_network%29

About IDX

We're your proven partner in digital privacy protection with our evolving suite of privacy and identity products.