The Dark Web provides the one thing threat actors crave more than anything: anonymity. Disconnecting an online identity from a real-world one creates a digital wild west. On the Dark Web, threat actors can and do operate freely, buying and selling whatever they want with little fear of consequences. From drugs to firearms to credit card numbers, anything is up for sale. Stolen credit cards are a staple of Dark Web commerce: 23,319,701 compromised cards were offered for sale in the first half of 2019 alone.
The truth is, accessing the Dark Web is only slightly more complicated than accessing the rest of the Internet. Anyone with basic computer literacy can figure it out, and for most newcomers the Dark Web is only a simple Google search away. Online there are hundreds of tutorials, videos and how-to articles on setting up the Tor Browser (often together with a VPN) to reach the Dark Web while keeping one's identity hidden.
Not all activity on the Dark Web is illegal, but because it provides such effective cover, crime of all sorts flourishes there. Once you are in, the Dark Web offers plenty of forums and marketplaces where threat actors gather and every type of crime is openly discussed.
Participants are unafraid of consequences because users are hard to locate physically and hard to tie to an offline identity. That anonymity, combined with Bitcoin and other cryptocurrencies as a pseudonymous means of payment that requires no bank account or real name, lets markets for illegal goods and services prosper here.
2019 has indeed been the year of the credential dump. Billions of passwords and login combinations have been leaked, and new credential dumps make headline news regularly. Many of these leaked credentials end up for sale on the Dark Web.
Credential dumps fuel credential stuffing attacks. Threat actors buy the dumps and then replay the same username/password combinations against hundreds of other sites, typically with automated tooling, until they find accounts where they still work. This is so dangerous because password reuse is rampant: over 62% of users admit to reusing the same passwords across a variety of apps and services.
However, even the strongest credentials are susceptible to phishing. When plotting an attack on a large organization, spear phishing an employee is a much easier way into the network than brute-forcing passwords.
For example, one of the notorious Yahoo data breaches, which together exposed over three billion user records, originated from a single compromised user account at Yahoo’s corporate headquarters. Several Yahoo employees were targeted with a spear-phishing email campaign containing a malicious link. As soon as one employee clicked the link, malware was downloaded to that employee’s computer, giving the threat actors a foothold in the corporate network. Once inside, the mega-breach unfolded as the threat actors copied and exported a backup of Yahoo’s User Database. The whole database appeared for sale on the Dark Web shortly thereafter.
Most threat actors are driven by profit, and eCommerce credit card fraud is one of the most straightforward and profitable scams around.
Every year the details of millions of credit cards are stolen and then sold on Dark Web forums. Researchers at Sixgill recently examined underground Dark Web markets for stolen card data and found over 23 million stolen credit and debit card numbers offered for sale in the first half of 2019 alone.
The stolen cards are then monetized. For example, card numbers can be converted into cash by purchasing digital gift cards, which in turn serve as a hard-to-trace means of payment for popular items that are resold through online marketplaces such as eBay. This simple chain turns stolen card data into cash flow and, at the same time, launders the illicit proceeds.
Hacking used to be a highly skilled occupation that required deep technical expertise and access to insights shared only in closed communities beyond the reach of any beginner. This is no longer the case.
Within a few weeks of reading Dark Web forums, anyone can learn enough to cause significant damage. Any high-schooler can go on the Dark Web, purchase malware, read tutorials on 'How to Hack Computers,' and turn into a threat actor in a matter of days.
Threat actors are opportunists who look for low-hanging fruit, and there is plenty of it to go around. Most hackers would not attempt to break into the Pentagon, but will gladly go after a municipal government or a small business whose defences are far easier to breach, as the recent slew of ransomware attacks on local governments demonstrates.
Ransomware is a common type of malware offered for sale on Dark Web forums. In 2019, municipal governments, small businesses and healthcare providers were prime targets. For example, the Baltimore city government was hit with a massive ransomware attack that left it crippled for over a month, at an estimated cost of over $18 million. The FBI suggests ransomware payments this year total around $1 billion, but the real number is likely to be much higher.
One reason ransomware proliferates so quickly is that the barrier to entry into cybercrime is at an all-time low. More and more people are gaining access to exploits and attack tools regardless of their technical knowledge. SamSam, the ransomware strain used in multiple recent attacks including the one on the city of Atlanta, has been offered for sale on Dark Web forums for as little as $750.
Amateur threat actors no longer even have to come up with an attack method. All they need to do is purchase a ransomware package, virus or Trojan and follow the instructions. Orchestrating a malware attack has become as easy as running any other computer program.
Just like the surface web, the Dark Web gives like-minded people a place to connect and share their worldviews. There is one significant difference though: the surface web is moderated, the Dark Web largely is not. The anonymity the Tor Browser brings with it is another big difference, as users can post nearly anything without fear of consequences.
The 8chan case is a good example of how difficult it is to track down the people behind such sites. The forum describes itself as "the darkest reaches of the Internet," and indeed this is the case. The controversial message board has been linked to at least three deadly attacks in the last year alone: the shooting that claimed at least 22 lives in El Paso, Texas, the attacks on Muslims at mosques in Christchurch, New Zealand, and on Jewish worshippers at a synagogue in Poway, California.
The direct connection between these attacks and the forum led Cloudflare, which had been providing 8chan with DDoS protection and content delivery, to stop serving it, which initially caused some downtime for the forum. However, 8chan managed to find alternative providers and is still alive and kicking.
The Dark Web holds potential threats for every business and every type of data, and it is growing fast.
The good news is that with a comprehensive Cyber Threat Intelligence (CTI) tool in place, threats being planned against your organization can be detected and proactively addressed. Threat actors do not expect to get caught, and often share their plans on the forums or simply post crime-as-a-service offerings for sale.
There is tremendous value in proactively monitoring the Dark Web to prevent online and real-world attacks, find stolen data and stay alert to new schemes in the making. While CTI may not reveal the identities of the hackers hiding on the Dark Web or bring them to justice, it can analyze the patterns and characteristics of criminal activity and, combined with automation, help predict potential attacks. Sixgill is a leading CTI platform that provides clear visibility into the Dark Web in real time.