The Dark Web: Marketers’ Trick or Threat Intelligence Treat?
October 31, 2018
At this time of the year, you can’t go anywhere without encountering something dark, spooky and mysterious. It all reminds me of misconceptions about the dark web, the area of the web that everyone is convinced they need to monitor but don’t quite know why.
While the dark web is overhyped, it’s not all a load of hocus pocus. Nevertheless, you shouldn’t be waiting until data is offered for sale on the dark web – there’s plenty you can be doing to prevent sensitive data getting into criminals’ hands.
What is the dark web?
In order to understand the value of the dark web as a source, it’s important to properly define it. The dark web refers to web content that has been intentionally obscured and can only be accessed through an overlay network technology. The most common are Tor and I2P, although there are others. This is different to the deep web, which is anything that is not indexed by traditional search engines (such as a forum with a password). Criminal forums are hosted on the open, deep or dark web, so it would be wrong to view the dark web and criminality as synonymous. Similarly, the increased anonymity offered by the dark web can be a positive thing for whistleblowers, journalists, or individuals working under repressive conditions.
Accounts and Credentials for Sale
The trade of accounts and credentials is common across dark web sites and forums. A small number of these are new breaches of organizations, although these are more frequently shared in closed communities away from the dark web due to their high value. Only after a smaller, select group of criminals have leveraged this information will it be sold and shared more widely. More often, the accounts for sale on dark web forums and marketplaces originate from credential stuffing. This involves taking already-exposed credentials and testing them on another site. These can be sold piecemeal (as in Figure 1), or amalgamated into a broader package. These accounts often hold existing balances or loyalty points, which can then be used by fraudsters to pay for goods.
Figure 1: A screenshot from the dark web Empire Market
Payment Card Information
Payment card information is another core commodity traded in the criminal underground, and the dark web is no exception. Some dark web markets sell payment cards that they have breached themselves, but it’s more common for them to act as resellers. One such market, Trumps Dumps, is shown in Figure 2. Monitoring these sites for your payment card information is relevant for three reasons:
- Retailers and restaurant chains can gain insight into new breaches on sites like Joker’s Stash. By correlating samples of the breached data with store locations and transaction data, you can ascertain if the breach originated from your stores and take the appropriate actions.
- By monitoring for BIN numbers, banks can combine this exposure with their existing fraud monitoring.
- Organizations can monitor for the payment card details of company cards and VIPs, and detect potential fraudulent use.
Figure 2: A screenshot of the dark web “Trumps Dumps” credit card store
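The BIN monitoring described in the list above can be sketched as follows. This is an added example, not the author's or SearchLight's code; the watched BINs, the sample listing text and the function names are constructed assumptions. It matches full and partially masked card numbers against an issuer's BINs, uses the Luhn check to discard digit runs that are not card numbers, and records only the BIN and last four digits.

```python
import re

# Assumption: six-digit BINs issued by the monitoring bank (constructed values).
WATCHED_BINS = {"412345", "545454"}

# A 13-19 character card number whose first six characters are digits; later
# characters may be masked (* or x). Group 2 keeps the separator consistent.
CARD_RE = re.compile(
    r"(?<![\d*])(\d{4}([ -]?)\d{2}[\dxX*]{2}\2[\dxX*]{4}\2[\dxX*]{1,7})(?![\dxX*])"
)

# Constructed sample of collected listing text, not real card data.
SAMPLE = """\
4123456789012349|12/21|US|credit
5454 54** **** 1118 | debit | UK
order ref 4123450000000000 shipped
4000001234567899|01/22|DE|credit
"""

def luhn_ok(digits):
    """Luhn checksum: double every second digit counting from the right."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_bin_exposure(text, bins=WATCHED_BINS):
    """Return one record per watched-BIN card reference, never the full number."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in CARD_RE.finditer(line):
            raw = re.sub(r"[ -]", "", m.group(1))
            if raw[:6] not in bins:
                continue                      # another issuer's card
            if raw.isdigit():
                if not luhn_ok(raw):
                    continue                  # digit run, not a card number
                kind = "full"
            else:
                kind = "masked"               # listing shows BIN plus partial digits
            last4 = raw[-4:] if raw[-4:].isdigit() else None
            hits.append({"line": lineno, "bin": raw[:6], "last4": last4, "kind": kind})
    return hits

if __name__ == "__main__":
    for hit in find_bin_exposure(SAMPLE):
        print(hit)
```

The BIN and last-four pairs it returns are what a bank would feed into its existing fraud monitoring, without the collection pipeline ever storing a complete card number.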
Insiders looking to sell sensitive information or access will turn to a number of online locations, including dark web sites. Figure 3 illustrates an individual selling insider access to a large mortgage company. If you’re looking to protect intellectual property and prevent data breaches, then monitoring the dark web (as well as the open and deep web) for insider threats is a sensible approach.
Figure 3: An individual selling access to a large mortgage company
Detect data loss before it’s sold on the dark web
Why wait until your information is exposed on the dark web? Given the number of files exposed on misconfigured file-sharing services (1.6 billion by our last count), it’s no surprise that criminals are taking this sensitive information and looking to sell it on the dark web. For example, Figure 4 shows an accounting firm’s misconfigured NAS drive containing tax return information of hundreds of their clients. By monitoring for exposed data across S3 buckets, rsync, SMB and FTP, you can prevent this information from getting into malicious hands in the first place.
Figure 4: Tax return information available via a misconfigured NAS drive
See for yourself
The dark web doesn’t have a monopoly on cybercrime, but omitting this source from your collection efforts would be remiss.
Want to explore it for yourself? You can search across dark web sources (among many others) for free with a 7-day free Test Drive of our SearchLight service.