Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

5/28/2019
03:00 PM
Ian W. Gray
Ian W. Gray
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Cybercrime: Looking Beyond the Dark Web

Fighting cybercrime requires visibility into much more than just the Dark Web. Here's where to look and a glimpse of what you'll find.

The now-shuttered DeepDotWeb, which was a uniquely centralized and trusted repository of Dark Web links and information, had long made it easier for threat actors — and consequently, law enforcement and other defenders — to keep track of which Dark Web sites are active, and where. The repository's takedown left a void that no comparable alternative seems to be able to fill, at least for the near future.

There are other sites, known as hidden wikis, that can appear to be comprehensive directories and are often referred to as such by defenders. In reality, they tend to be little more than human-assembled catalogs that harken back to the early days of the Internet. All this volatility is largely why threat actors who operate on the Dark Web also typically frequent a number of other channels.

It's also why fighting cybercrime requires visibility into much more than just the Dark Web. Contrary to popular belief, the Dark Web accounts for just a minor subset of the many online venues that facilitate cybercrime. Even if the Dark Web were somehow to be eliminated, its absence would simply cause threat actors to rely more heavily on the various other online venues in which many, if not most, already operate.

Encrypted chat platforms are one such venue — and in fact, they support far more illicit activity than any other, including the Dark Web. Threat actors are increasingly using platforms such as Telegram and Discord, among many others, to communicate more securely and to share mirrors, which are sites that contain nearly identical information but are hosted on different URLs. If one URL faces downtime for any reason, the secondary URL acts as a backup to help minimize operational disruption and consequential profit losses.

Mirrors, Services, and Uptime
It's important to note that threat actors generally aren't using mirrors to attract new clients but to provide services and additional uptime to existing clients in the event that the original site is down for reasons such as a distributed denial-of-service (DDoS) attack or law enforcement action through the often-enhanced security and privacy afforded by encrypted chat platforms. In most cases, mirrors are only distributed to select clients or groups. While this practice doesn't typically present material issues for more-tenured threat actors, it does — and is intended to — make it more difficult for law enforcement and other defenders to locate and monitor these sites.

Another venue popular among attackers is the Deep Web, which refers to the broad swath of sites conventional search engines cannot access, including, but not limited to, the entirety of the Dark Web. But unlike much of the Dark Web, the myriad illicit communities that exist elsewhere on the Deep Web are password-protected and highly exclusive. A number of these communities, including popular platforms for fraud, are located on Deep Web forums supported by bulletproof hosting services in countries unlikely to respond to law enforcement subpoenas.

Other online venues for cybercrime include decentralized marketplaces such as Joker's Stash, a longtime fixture of the stolen payment card ecosystem. Rather than using the Dark Web's Tor network, these types of marketplaces rely on blockchain-DNS (BDNS), which is a peer-to-peer network that helps administrators keep their sites online during attempted takedowns or DDoS attacks. And because there are technical barriers to entry that may deter novice threat actors, BDNS-hosted sites tend to be more popular among tenured threat actors.

The Geography Factor
The online venues in which threat actors operate are also heavily influenced by geography. Cybercrime is global and while the Dark Web is viable for most threat actors based in Western countries, Internet infrastructure in certain other regions is less conducive to accessing the Dark Web. For example, mobile networking has a high adoption rate in countries such as Brazil, largely because of the relatively low costs of mobile phones compared with computers. Usage of mobile applications for daily communication is also high throughout the region, as is the availability and uptime of major applications, including encrypted chat platforms frequented by threat actors around the world.

For defenders, an obvious challenge in combating cybercrime is figuring out where, if not solely the Dark Web, threat actors are operating. But just as most people, in general, use different communication channels for different interactions, so do threat actors. Much of it comes down to what a threat actor is seeking to accomplish. For example, threat actors who operate decentralized marketplaces outside the Dark Web often run targeted advertisements on the Dark Web in order to attract new customers. Threat actors seeking guidance on carrying out fraud, meanwhile, may be more likely to visit the various Deep Web forums that offer fraud tutorials.

Above all else, it's important to recognize that while the Dark Web is integral to facilitating cybercrime and other illicit activity, much more of the threat landscape exists elsewhere on the Internet. While the recent Dark Web takedowns shine additional light on threat actor behavior and will likely have a sizable impact on the underground drug trade, they are unlikely to curb the plethora of other illicit activities that occur online — particularly the development of new malware. Combating such activity requires defenders to be agile and realistic about the many ways and venues in which threat actors operate.

Related Content:

Ian W. Gray is Director of Americas, Research and Analysis, at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
watsson
50%
50%
watsson,
User Rank: Apprentice
6/11/2019 | 3:03:23 AM
Cybercrime
As the technology is growing gradually, the number, as well as the chance of the cybercrime, has also been increased randomly. We have to take immediate action for it so that it can be stopped. The cyberhackers are also concern about this. They are also inventing new things for it. To get all these updates, keep your eyes on epson printer error code 0xf3 and be careful. 
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
US Mayors Commit to Just Saying No to Ransomware
Robert Lemos, Contributing Writer,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13272
PUBLISHED: 2019-07-17
In the Linux kernel before 5.1.17, ptrace_link in kernel/ptrace.c mishandles the recording of the credentials of a process that wants to create a ptrace relationship, which allows local users to obtain root access by leveraging certain scenarios with a parent-child process relationship, where a pare...
CVE-2019-13446
PUBLISHED: 2019-07-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2019-9848
PUBLISHED: 2019-07-17
LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary p...
CVE-2019-9849
PUBLISHED: 2019-07-17
LibreOffice has a 'stealth mode' in which only documents from locations deemed 'trusted' are allowed to retrieve remote resources. This mode is not the default mode, but can be enabled by users who want to disable LibreOffice's ability to include remote resources within a document. A flaw existed wh...
CVE-2019-13623
PUBLISHED: 2019-07-17
In NSA Ghidra through 9.0.4, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis r...