SoS Musings #28 - The Dark Web

SoS Musings #27
The Dark Web

The threat landscape faced by organizations has been significantly expanded by an elusive part of the World Wide Web known as the dark web. The term “dark web” refers to the collection of websites and networks that cannot be accessed via regular search engines such as Google and Yahoo. Access to the dark web requires the use of special tools and software, including peer-to-peer (P2P) browsers or the Onion Router (Tor). The dark web is often used as the grounds for a marketplace of illicit services and tools since this part of the internet provides anonymity through encryption. Some examples of crimes that can be committed via the use of the dark web include extortion, sex trafficking, terrorism, selling illegal drugs, and hiring assassins. In pertinence to the realm of cybercrime, the dark web allows cybercriminals to collaborate with each other, purchase or sell stolen credentials to online accounts, advertise hacking tools, and more. The dark web has made many headlines in recent years and raised concern about cybercriminal activity.
 
Researchers and law enforcement have made many discoveries surrounding the dark web. A report published by Deloitte, titled “Black Market Ecosystem: Estimating the Cost of ‘Pwnership’” emphasizes that cybercriminals do not need a high level of technical expertise to carry out cybercriminal operations as they can purchase tools and services on the dark web to conduct such operations for them, increasing the chances of cybercrime. A study conducted by researchers from Georgia State University and the University of Surrey revealed the availability of Secure Sockets Layer (SSL) and Transport Layer Security (TSL) certificates in the dark web, which are packaged with crimeware to enable the delivery of machine identities to cybercriminals. These machine identities can then be used to spoof websites, intercept encrypted traffic, steal sensitive data, and perform other attacks. Cybercriminals have automated social engineering services available to them in the dark web as discovered by security researchers. Security researchers also discovered an automated phone calling service being offered to cybercriminals in the dark web for $250 per month that allows them to deceive victims into giving them their credit card pins or other sensitive information. This service was expected to garner much attention from cybercriminals as the stolen credit card and debit card numbers often exchanged between them within the dark web would be useless without victims’ ATM pins if the aim was just to steal cash. A traffic distribution system (TDS), called BlackTDS, was also discovered being offered on the dark web as a service that would allow low-skilled cybercriminals to execute malicious sophisticated drive-by attacks. According to researchers, BlackTDS, would simply the launch of large-scale malware campaigns by performing social engineering, redirecting victims to exploit kits, and preventing the detection of such attacks by researchers and sandboxes. Recent observations made by researchers at IBM X-Force have brought further attention to the increasing shift of the dark web marketplace towards cybercrime services such as malware-as-a-service (MaaS) and infrastructure-as-a-service (IaaS) in which prepackaged malware and access to compromised devices are sold to threat actors. The dark web must continue to be examined for changes in available products and services, as well as shifts in business approaches. 
 
As the dark web provides a platform for cyberattack-as-a-service (CAaaS) marketplaces and forums at which hackers could buy services and tools aimed at facilitating the development and launch of attacks, it is important for the cyber defense community to understand how the dark web ecosystem works in order to develop more effective defenses. MIT researchers conducted a study in which they analyzed services available on the dark web, examined literature about cyberattacks, and interviewed cybersecurity professionals to better understand how cybercriminals advance and operate on the dark web. The study revealed a CAaaS value chain of activities required to create and support cyberattacks, which include discovering vulnerabilities, selecting targets, recruiting new hackers, developing a marketplace for trading, and more. Researchers used the CAaaS value chain to identify 24 primary and supporting services being sold on the dark web such as Exploit-as-a-Service, Payload-as-a-Service, Target Selection-as-a-Service, Hacker-Recruiting-as-a-Service, and more, that could be combined by hackers in the development and escalation of attacks. By understanding the dark web’s cybercrime ecosystem in which these services are available, organizations can improve their approaches to combating cyber attacks. Organizations are encouraged to employ dark web monitoring solutions and dedicate some of their threat intelligence processes to collecting data about the services provided in dark web marketplaces in order to gain insight into potential attacks, attack trends, attacker motivations, indicators of compromise, as well as cybercriminals’ techniques, tactics, and procedures (TTPs). In addition, intelligence collected from the dark web could be used by organizations to develop advanced defense mechanisms.