The dark web is more vast and more dynamic than ever before. Full underground forums and criminal marketplaces spin up and spin down at the snap of the finger, while hacker groups take increasing precautions to vet new and existing members. While the existence of the dark web is no secret, fewer than 1 percent of internet users have actually visited it. In fact, even in the IT security field, usership is low – only 1 in 7 IT security professionals have ever ventured to a dark web forum or site.
This lack of experience helps explain why there is so much uncertainty, fear, and misinformation surrounding the dark web. But it also suggests that many in the security field are missing out on a crucial source of information that could help them get inside the mind of a cybercriminal and protect their enterprises. Hackers and other threat actors use dark web forums and marketplaces to scout targets and collaborate with like-minded individuals, seeking tools and information they can leverage to bolster their attacks.
Information security professionals tasked with protecting their organizations can leverage the dark web through “dark web monitoring”. This is a formal process of seeking out and monitoring the dark web for signs or signals of an impending attack. But what, exactly, should you be looking for amidst the sea of potential threats found on cybercriminal hangouts? The following are the top 5 dark web threats we’ve observed:
1. Strategic Data and Asset Exposure
There are numerous black markets on the dark web where cybercriminals buy, sell, and trade corporate data, personally identifiable information (PII), and other digital assets (as well as other illegal goods). Threat actors sift through massive data dumps, looking for credit card numbers, email addresses, login credentials, and more. Large-scale data dumps can provide cybercriminals with a jumping-off point as they begin to strategize and scale a new attack.
It is vital for security teams to map and actively monitor their key assets and internal activities to identify data dumps affecting their organizations. Next, they must scrutinize the claims and contents of a data dump to verify if the data is new or recycled, what the potential scope of the leak might be, and the threat actors involved. Gathering and analyzing this intel can help teams decide how to proceed to mitigate the threats they find.
2. Compromised Credentials, at Scale
In January 2019, the largest leaked credential database in history showed up on hacker hub RaidForums. Referred to as “Collection #1” to reflect the file name, the database contained 773 million records, and was followed by Collections #2-5, which brought the total number of leaked records over 2.2 billion. Needless to say, this presented some unprecedented challenges for security teams looking to ensure their corporate networks remained unbreached.
Between October 2018 and February 2019, we saw the average number of leaked credential incidents per company rise from fewer than 20 to 80. Now, this is not necessarily the new norm – massive data breaches like Collections #1-5 won’t happen every month, after all. However, this dramatic spike does demonstrate the need to constantly monitor for leaked credentials. It’s impossible to know exactly when and where the next “Collection #1” will occur, but it’s imperative to be prepared.
After discovering a new database, security teams should immediately mobilize to assess the risk at hand. First, determine who might be impacted – employees, customers, corporate systems, etc. Next, consider the effects of immediately locking down the network, as opposed to implementing escalated authentication. Then validate whether the data is active or if it’s old to inform how you proceed.
3. Malware-as-a-Service and Phishing Kits
In recent years, threat actors have commodified malware and phishing, developing tools that lower the hacker barrier to entry. Scammers don’t need advanced programming skills to carry out malware or phishing campaigns anymore; these attacks can be performed using “as-a-service” kits that streamline the process. This enables novice hackers to easily run attack campaigns and rapidly change domains to diversify their attacks.
First, attackers clone the legitimate site they want to spoof and change the login form to point to a simple PHP script. The script collects credentials and either emails them to the attacker or logs them to a text file. After stealing the credentials, the script redirects to the login page of the legitimate site where victims assume they simply entered their credentials incorrectly.
To avoid detection, cybercriminals frequently add a .htaccess file to the phishing kit that blocks connections based on HTTP request attributes. Many phishing kits we analyzed used .htaccess files that blocked IP ranges for threat intelligence services and included a PHP shell in the phishing kit which gives the ability to execute system commands on the server.
Once the content of the phishing site is created, it is bundled into a .zip file for reuse across multiple servers and phishing campaigns. This is helpful for attackers, since phishing sites are often quickly shut down. This form of mass credential phishing is all about quantity, not quality.
Security teams need to be proactive to effectively nullify a phishing attack in this streamlined environment, shutting down the phishing attack early in the cyber kill chain. They should monitor suspicious domains before they become weaponized, and use tools to automate the takedown process.
4. Stolen and Counterfeit Products
A rule of thumb for the dark web: Everything is for sale. Black markets have a variety of different stolen or fraudulently purchased retail goods, compromised corporate or personal credentials, stolen credit cards, phishing kits, and much, much more. Availability only appears to be increasing – our recent Banking & Financial Services Cyber Threat Landscape Report (April 2019) found a 212 percent increase in stolen credit cards available for purchase.
With an ever-growing and evolving black market landscape, security teams have to be resourceful to stop this flow of stolen and counterfeit goods. By applying advanced analytics to detect visual content violations – fake logos, impersonating profiles, etc. – they can take down potential scams before they escalate. Determining enforcement options – like DMCA and UDRP – for associated publicly-facing content can enable security teams to move quickly and decisively when a threat is validated and needs to be taken down.
5. Doxxing and Digital Extortion
New privacy policies and regulations have given rise to more extortion attacks against organizations. Most have data backup tools and processes in place, so ransomware is less effective. However, public disclosure of a breach can be far more damaging due to substantial regulatory fines imposed by governments and irreversible hits to the organization’s brand reputation.
Cybercriminals know this, and they use it as leverage to demand more money. For a specific example of this kind of extortion attack, read about last year’s Bank of Montreal and Simplii Financial breach. A hacker infiltrated their network and demanded a ransom to not release the information to the public.
The burden of preventing this kind of extortion attack falls on security teams, who must prepare digital extortion decision-trees to run scenario analyses:
- Are there instances where paying the ransom/extortion is the best option?
- How will you assess the reliability of the threat actor to ensure they end the extortion attack after payment?
- Can you set other mitigating controls?
Part of this doomsday scenario preparedness includes setting aside resources in the event that paying a ransom is necessary.
These are but a few of the many threats security teams face in today’s dynamic threat landscape. There are many tools and tactics they can use to mitigate the risk of an attack, but the most important component is a shift in mindset from preventing an attack to detecting and remediating it before it even gets launched. This can be done through continuous, strategic monitoring of threat actor activity across the dark web.
Learn all the terms, slang, and basic concepts you may encounter when monitoring dark web markets with our Complete Dark Web Black Market Glossary.