Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/28/2019
03:00 PM
Ian W. Gray
Ian W. Gray
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cybercrime: Looking Beyond the Dark Web

Fighting cybercrime requires visibility into much more than just the Dark Web. Here's where to look and a glimpse of what you'll find.

The now-shuttered DeepDotWeb, which was a uniquely centralized and trusted repository of Dark Web links and information, had long made it easier for threat actors — and consequently, law enforcement and other defenders — to keep track of which Dark Web sites are active, and where. The repository's takedown left a void that no comparable alternative seems to be able to fill, at least for the near future.

There are other sites, known as hidden wikis, that can appear to be comprehensive directories and are often referred to as such by defenders. In reality, they tend to be little more than human-assembled catalogs that harken back to the early days of the Internet. All this volatility is largely why threat actors who operate on the Dark Web also typically frequent a number of other channels.

It's also why fighting cybercrime requires visibility into much more than just the Dark Web. Contrary to popular belief, the Dark Web accounts for just a minor subset of the many online venues that facilitate cybercrime. Even if the Dark Web were somehow to be eliminated, its absence would simply cause threat actors to rely more heavily on the various other online venues in which many, if not most, already operate.

Encrypted chat platforms are one such venue — and in fact, they support far more illicit activity than any other, including the Dark Web. Threat actors are increasingly using platforms such as Telegram and Discord, among many others, to communicate more securely and to share mirrors, which are sites that contain nearly identical information but are hosted on different URLs. If one URL faces downtime for any reason, the secondary URL acts as a backup to help minimize operational disruption and consequential profit losses.

Mirrors, Services, and Uptime
It's important to note that threat actors generally aren't using mirrors to attract new clients but to provide services and additional uptime to existing clients in the event that the original site is down for reasons such as a distributed denial-of-service (DDoS) attack or law enforcement action through the often-enhanced security and privacy afforded by encrypted chat platforms. In most cases, mirrors are only distributed to select clients or groups. While this practice doesn't typically present material issues for more-tenured threat actors, it does — and is intended to — make it more difficult for law enforcement and other defenders to locate and monitor these sites.

Another venue popular among attackers is the Deep Web, which refers to the broad swath of sites conventional search engines cannot access, including, but not limited to, the entirety of the Dark Web. But unlike much of the Dark Web, the myriad illicit communities that exist elsewhere on the Deep Web are password-protected and highly exclusive. A number of these communities, including popular platforms for fraud, are located on Deep Web forums supported by bulletproof hosting services in countries unlikely to respond to law enforcement subpoenas.

Other online venues for cybercrime include decentralized marketplaces such as Joker's Stash, a longtime fixture of the stolen payment card ecosystem. Rather than using the Dark Web's Tor network, these types of marketplaces rely on blockchain-DNS (BDNS), which is a peer-to-peer network that helps administrators keep their sites online during attempted takedowns or DDoS attacks. And because there are technical barriers to entry that may deter novice threat actors, BDNS-hosted sites tend to be more popular among tenured threat actors.

The Geography Factor
The online venues in which threat actors operate are also heavily influenced by geography. Cybercrime is global and while the Dark Web is viable for most threat actors based in Western countries, Internet infrastructure in certain other regions is less conducive to accessing the Dark Web. For example, mobile networking has a high adoption rate in countries such as Brazil, largely because of the relatively low costs of mobile phones compared with computers. Usage of mobile applications for daily communication is also high throughout the region, as is the availability and uptime of major applications, including encrypted chat platforms frequented by threat actors around the world.

For defenders, an obvious challenge in combating cybercrime is figuring out where, if not solely the Dark Web, threat actors are operating. But just as most people, in general, use different communication channels for different interactions, so do threat actors. Much of it comes down to what a threat actor is seeking to accomplish. For example, threat actors who operate decentralized marketplaces outside the Dark Web often run targeted advertisements on the Dark Web in order to attract new customers. Threat actors seeking guidance on carrying out fraud, meanwhile, may be more likely to visit the various Deep Web forums that offer fraud tutorials.

Above all else, it's important to recognize that while the Dark Web is integral to facilitating cybercrime and other illicit activity, much more of the threat landscape exists elsewhere on the Internet. While the recent Dark Web takedowns shine additional light on threat actor behavior and will likely have a sizable impact on the underground drug trade, they are unlikely to curb the plethora of other illicit activities that occur online — particularly the development of new malware. Combating such activity requires defenders to be agile and realistic about the many ways and venues in which threat actors operate.

Related Content:

Ian W. Gray is Director of Americas, Research and Analysis, at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
watsson
50%
50%
watsson,
User Rank: Apprentice
6/11/2019 | 3:03:23 AM
Cybercrime
As the technology is growing gradually, the number, as well as the chance of the cybercrime, has also been increased randomly. We have to take immediate action for it so that it can be stopped. The cyberhackers are also concern about this. They are also inventing new things for it. To get all these updates, keep your eyes on epson printer error code 0xf3 and be careful. 
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12453
PUBLISHED: 2019-07-19
In MicroStrategy Web before 10.1 patch 10, stored XSS is possible in the FLTB parameter due to missing input validation.
CVE-2019-12945
PUBLISHED: 2019-07-19
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2018-17792
PUBLISHED: 2019-07-19
MDaemon Webmail (formerly WorldClient) has CSRF.
CVE-2019-10102
PUBLISHED: 2019-07-19
Gnome Pango 1.42 and later is affected by: Buffer Overflow. The impact is: The heap based buffer overflow can be used to get code execution. The component is: function name: pango_log2vis_get_embedding_levels, assignment of nchars and the loop condition. The attack vector is: Bug can be used when ap...
CVE-2019-10102
PUBLISHED: 2019-07-19
DaveGamble/cJSON cJSON 1.7.8 is affected by: Improper Check for Unusual or Exceptional Conditions. The impact is: Null dereference, so attack can cause denial of service. The component is: cJSON_GetObjectItemCaseSensitive() function. The attack vector is: crafted json file. The fixed version is: 1.7...