There is a lot for sale on the dark web
Maybe not everything, but just about everything is available in the way of illicit and illegal goods: drugs, firearms, and poisons, as well as exploits, vulnerabilities, access, tools, techniques and stolen data, are all commodities sold on the dark web.
Data is the most common commodity sold on the dark web, according to Nirmit Biswas, senior research analyst at Market Research Future. “Account credentials, credit card information, addresses and social security numbers have all been hacked. Someone might not even realize they’ve been hacked, yet their company and employee information could be sold,” Biswas says.
According to the Privacy Affairs Dark Web Price Index, attackers can make a lot of money from stolen personal information on anything from credit cards to Netflix accounts. Currently, the going rate for stolen credit card information with a balance of up to $1,000 is only $70, while cards with a balance of up to $5,000 cost $110. “The index shows how cheap it is to get data on the dark web,” says Biswas.
Specific niches are in
What was once a small, unknown area of the internet has grown into a formidable power, according to Biswas, and attackers are innovating to stay ahead of defenders in the cat-and-mouse game.
The dark web has become more diversified and more comprehensive, and one area seeing growing interest is ransomware attacks, which are spurring criminal activity on the dark web.
Cybercriminal syndicates will publish the stolen data if a ransom isn’t paid. They will also make it easier for other criminals to search that data for staff and customer emails. This is intended to increase the reputational harm to an organization, thereby increasing the possibility they will pay the ransom.
“And because ransomware material is so popular, hackers are taking photographs from ransomware collections and botnet log files and publishing them in the hopes of increasing their reputation and renown,” Biswas says. Many marketplace sellers also provide zero-day exploits that have yet to be found or publicized. “In other cases, when companies reveal software vulnerabilities, the operational exploits become accessible on darknet forums and markets,” he says.
Another area on the up is marketing lead databases. These have been available on the dark web for some time, but the aggregate amount has increased dramatically in recent years, according to Biswas. Although the data may be publicly available on social media or in business directories, it’s scraped and reposted. And it may not even be 100% accurate. “But it still exposes a vast number of individuals to phishing scams, corporate fraud, and social engineering,” he says.
Data breach standardization is becoming the norm, explains Sarah Boutboul, intelligence analyst at Blackbird AI, helping bad actors engage in more targeted searches for the particular information they’re seeking on the dark web. It means that data breach activity has become more organized in hacking forums, chat apps, and paste sites. “Threat actors increasingly request and share data that fit specific categories, leading to a more structured landscape for illicit data trading,” Boutboul says.
And you can use the dark web to buy more dark web
Not surprisingly, the dark web also sells the technical tools and information to set up another dark web. “There are many dark webs already,” says Douglas Lubhan, VP of threat intelligence at BlackFog. “Basically, any network that is shielded from internet search engines and restricts access to it is a dark web. You could layer upon layer if you choose to,” he says.
Dark web usage is going up
The number of users across relays has increased in 2023, and the number of relays themselves has increased, according to Tor metrics, suggesting dark web usage is on the rise.
According to WatchGuard’s Estes, a few well-known forums offer vulnerability and exploit auctioning, bartering or selling, including the Russian Anonymous Marketplace (RAMP), exploit[.]in and xss[.]is.
Estes says these forums are also vectors for recruitment efforts by ransomware groups and offer hacking tips for sale. “In some cases, users will sell access information to organizations in what are called IABs (initial access brokers). The dark web is a hodgepodge of cybercriminal commerce,” he says.
And there are new domains coming online all the time. “We observe a handful of new ransomware double extortion pages a month; in some cases, these are rebrands of previously known ransomware groups. So, as some websites go down, others arise (rebrand). The volume of dark web domains has remained stagnant, even though the overall traffic has increased recently,” Estes says.
Many are perfectly innocent
Estes agrees that there are legitimate purposes for using anonymizing tools like Tor. In some cases, organizations create both a clear web and a dark web domain. “The most obvious reason for this is to allow users who don’t use Tor to access their website,” says Estes, citing FBI and X (formerly Twitter) as two examples.
In terms of malicious sites, there have been cases where a ransomware group creates a typo-squatted domain or dark web domain that mirrors a victim’s website. “They then provide instructions or more blackmail attempts to further coerce victims into paying. ALPHV/BlackCat and Lorenz are examples of these,” Estes says.
Legitimate uses of anonymizing technology like Tor include cases where journalists, activists and others need to host content anonymously and protect their communications from governments or oppressive regimes. Owenson acknowledges Tor has legitimate uses for privacy and circumventing censorship; however, his research suggests the vast majority of activity is criminal in nature.
Owenson believes the problem is that those who run the Tor network, despite hosting illicit activities, do not actively police sites due to their ideological commitment to anonymity. “They’ve expressed that they have no interest in censoring any part of the dark web.”
It’s still mimicking the corporate world
The dark web is increasingly becoming corporate in various areas, such as hacking, recruitment and technology services. Cybercriminals will create lookalike mobile applications, websites and social media profiles of executives and companies that appear exactly like the real thing.
“It could be a banking app that looks like your bank but isn’t. If you download it or visit a site and submit your username and password, you will be impacted. If it’s a fake social media profile, cybercriminals may share manipulated information that impacts the company brand and stock price,” says Blackbird AI’s Boutboul.
In addition, dark web forums are adopting stricter, enterprise-style access controls due to heightened law enforcement actions. “Admins scrutinize newcomers more carefully, demanding references and verification tokens. Some platforms require significant cryptocurrency payments upfront,” Boutboul says. “Cybercriminals are responding to increased law enforcement activities by enhancing their own security measures.”
How can organizations combat the threats the dark web poses?
There is a range of tools and services that scan the dark web looking for organizational threats and vulnerabilities, but it’s a constantly moving target. “Dark web surveillance is a constantly changing field that requires continual updates and tweaks to stay successful,” Biswas says.
An effective dark web monitoring system should provide broad visibility into the dark web without having to enter it. “This keeps admin users from placing themselves in danger or being exposed to provocative content. Keywords relevant to your organization should be highlighted by the solutions. You may then watch the threat as it evolves in order to respond accordingly,” he says.
“There is no one dark web monitoring solution for all use cases; some are entirely automated, others require a team of specialists to manage, and some rely on machine learning and artificial intelligence to give accurate and relevant information,” Biswas says.