Dark web horror stories are quickly becoming the norm. Whenever you start trawling through the web pages, it's not uncommon to find a whole universe of odd interests, dead websites, and miscellaneous data that make up most of the world wide web.
However, anyone familiar with the Tor project will tell you that the deep web is also an anonymous realm where cybercriminals congregate to engage in illegal activities like arms dealing, illicit drug smuggling, human trafficking, engaging in child pornography and even hiring hitmen.
But the people behind the Tor Project didn't develop the browser to enable crime. Instead, the project aims to advance freedoms and human rights with its free and open-source anonymity and privacy browser. One example is getting around China's Great Firewall.
The Tor browser works by routing all your web traffic through the Tor network, anonymizing it. It does this by connecting randomly to publicly listed entry nodes, bouncing web traffic through a randomly selected middle relay, and then sending the traffic out via a third and final exit node.
But no one really knows how big the dark web is. This hidden subset of the deep web can't be accessed through a standard web browser like Firefox or Chrome.
Dark websites only accessible through a Tor browser are estimated to make up around 5% of the entire internet. While that might sound like only a tiny part, it's enormous when you consider the size of the internet as a whole.
Data Breaches and More
In 2020, the onset of the pandemic and work-from-home initiatives helped make cyber-attacks the fifth top-rated risk globally. As our risk exposure evolves and grows, IoT-based cyber-attacks will also double between 2021 and 2025. You can bet that most of these attacks and related bounties will have strong connections to the dark web.
As the risk of data breaches and stolen records is higher than ever before, companies must rise to the challenge and fortify their infrastructure. In fact, cybercrime alone will cost companies an estimated $10.5 trillion globally by 2025 (up from $3 trillion in 2015).
We have already experienced a number of serious data breaches this year affecting the social media giant Facebook, T-Mobile, and Bonobos. So, you can be sure that stolen records on the dark web are bursting at the seams. As we increasingly digitize both operations and processes, we can only expect it to get much worse.
While that's bad news for enterprises and individuals, the dark web will continue to thrive. This is because cryptocurrencies like Bitcoin and privacy coins like Monero enable financial transactions away from the long arm of the law.
Tools of the Dark Trade
For the most part, the dark web is undoubtedly home to the digital black market (remember the Silk Road?). Here, you can easily find tools and hidden services to initiate a cyber-attack.
Some categories of dark web tools and hidden services provide access to:
- Exploits, keyloggers, and remote access Trojans (RATs)
- Stolen data, including customer, financial, and operational data
- Attacks or infections including botnets, distributed denial of service (DDoS) attacks, and malware
- Espionage services including customized targeting
- Hacking tutorials for beginners
- Intellectual property/trade secrets
Cyber-attacks initiated with these tools and services can potentially damage brand value, lead to significant downtime, and even the loss of business relevance through intellectual property theft and espionage.
Threat actors find these services through dark web search engines, which they reach via a Tor browser and a virtual private network (VPN). However, these search engines aren't on par with the likes of Google or Bing, because cybercriminals are constantly on the move in a rapidly changing landscape.
Some of the leading dark web search engines include DuckDuckGo (which is also available on the surface web), SearX, and link lists like Daniel and the Hidden Wiki. However, the good news is that cybercriminals must pay their dues. Plenty of results lead to 404 errors and timed-out connections (reminiscent of search engines in the mid to late 1990s).
The Dark Web Economy
Last year, when businesses were struggling to get through the pandemic, illicit marketplaces thrived. According to Chainalysis, 2020 was a record year for darknet markets as customers spent a whopping $1.7 billion. This was the first time that darknet markets were able to top $1.5 billion.
However, a key driver of revenue growth turned out to be one specific dark web marketplace called Hydra. It's one of the largest darknet marketplaces in the world and accounted for as much as 75% of the total revenue. What's more, it only served Russian speakers in Eastern Europe's unique crypto crime landscape.
Eastern Europe also boasts the highest rates of cryptocurrency transactions associated with criminal activity because of Hydra. In fact, it's one of the leading entities that drive cryptocurrency value on the continent.
If Hydra ever decides to accommodate English-speaking criminals, it could prove to be an enormous challenge for both US and European law enforcement agencies like the FBI. This is because its operations are already highly sophisticated and even include Uber-like systems with anonymous couriers doing drug deliveries. These "drops" are often in hidden, out-of-the-way public locations. Once the courier makes the drop, the buyer is told its location. As a result, no physical exchanges ever take place.
While this may not immediately seem horrific, an explosion of illicit substances in neighborhoods and towns across the country can bring society to its knees. According to Chainalysis, Hydra, which has a built-in crypto ecosystem, primarily hosts illegal content, including drug stores and fraud shops. The latter sell anything from compromised user accounts and stolen credit card numbers to malware and even money laundering services.
You can also easily find trade secrets, medical records, and research data (especially on new drugs, therapies, and maybe even COVID-19 vaccines). You shouldn't be surprised to find blueprints of buildings (like banks), intelligence reports, internal corporate communications, and just about anything that can be held for ransom or used to blackmail individuals and organizations.
The money paid to these criminals is quickly transferred through encrypted accounts and is often impossible to trace. Some popular methods used by threat actors include:
- Chain hopping (or the rapid exchange of one crypto coin for another to lose any potential online footprint)
- Coin cleaning (to mix and launder their illicit gain with legitimate crypto before distribution)
- Privacy wallets
You also get hackers like ShinyHunters, who claimed that they had made enough money and leaked sensitive information for free. When you consider all this, the stakes are higher than ever before, and the potential for disaster is very real.
For example, an anonymous hacker released stolen data from Amazon's Twitch. The hacker released not only the platform creators' payout details but also the source code. The hacker also leaked an unreleased application dubbed Vapor, Amazon's potential competitor for Steam. While a conglomerate like Amazon can survive such a massive data breach, others probably wouldn't.
Cost of Personal Data on the Dark Web
How much is your data worth on the dark web?
While our personally identifiable information (PII) might be priceless to us, it really doesn't cost much on the dark web. According to a recent study by Privacy Affairs, your data is worth about $1,010 on the dark web. This reflects a full range of documents that enable identity theft.
Other personal data doesn't cost that much. For example, your credit card details with related information cost as little as $14-$30 in a darknet marketplace. Hackers can sell your online banking login credentials for about $40.
The affordability of your information is unsettling. For example, according to Privacy Affairs, a forged US driver's license of average quality costs just $70. Stolen PayPal account details go for about $198.56. Even worse, a DDoS attack with 10,000 to 50,000 requests per second costs just $10 for one hour.
Is your data on the dark web?
If you haven't been religiously following good cybersecurity practices, there's a good chance that your information is on sale somewhere on the deep web. But how would you know for sure?
Google will inform you of a data leak if you save your passwords in the Chrome browser. Or you might have noticed strange login behavior, data breach alerts, requests to change your password from different platforms, and so on.
If none of the above has occurred yet, you can swing by Have I Been Pwned? All you have to do is type in your email address or phone number, and you'll find out if you were a victim of a data breach within seconds. If your account or accounts were compromised, you must immediately change your password.
Have I Been Pwned hosts information on approximately 11,596,113,394 compromised accounts. If that number doesn't scare you, it should. If you haven't already, there's no better time than right now to adopt good cybersecurity hygiene and best practices.
You can also hire a company to perform a dark web scan. In this scenario, they will comb the deep web and related criminal databases to determine if your sensitive data is on sale.
Dark Web Stories
Finding out that your information was compromised isn't a rare or isolated occurrence. For example, CNET blogger Dan Patterson found his colleague's information in a "fullz" dump where everything from SSNs to addresses was on sale, alongside thousands of others, for just $69.
Patterson's exposure was far worse as his information included his current phone number and more. Neither Patterson nor his colleague had any idea that their PII was available on the dark web until they went looking for it.
While healthcare and pharmaceutical companies with fewer than 250 employees are highly attractive targets for threat actors, just about anyone can be attacked at any time. Even tech giants with deep pockets to properly secure their enterprise infrastructure aren't immune to such security events. For example, Facebook, Microsoft, US Cellular, T-Mobile, and, unfortunately, many more fell victim to data breaches in 2021.
Here’s what happened:
The Facebook hack resulted in a leak where the details of 530 million users were made publicly available in an unsecured database.
In this case, threat actors scraped data from user profiles using software that mimicked Facebook's contact importer, a feature designed to help users find their friends.
Facebook may have been able to identify the vulnerability before the attack through a security audit or bug-bounty program. However, it's unclear what security protocols and best practices were in place at that time.
As many as 38 million records containing sensitive user data were accidentally exposed through Microsoft Power Apps. According to UpGuard, this security event impacted 47 organizations across industries, including some public health agencies.
The data breach occurred because the Open Data Protocol (OData) API for an organization's Power Apps portal allowed anonymous access to lists of data. The exposed lists included names, social security numbers, employee IDs, COVID-19 contact tracing information, vaccination appointments, and email addresses. As the vulnerability was in the design, you have to wonder if Microsoft engaged in ethical hacking to identify potential vulnerabilities before the breach.
Mobile network operator USCellular fell victim to a data breach exposing personally identifiable user data in the company's customer relationship management (CRM) system. This was the result of a successful social engineering campaign where retail store employees ended up downloading malicious software.
Once downloaded, the attacker was able to remotely access the computer and gain access to the CRM system. This security event reaffirms the need for regular cybersecurity awareness training.
T-Mobile disclosed a data breach where an undisclosed number of customers fell victim to SIM swap attacks. In this scenario, scammers took control of multiple phone numbers and easily bypassed SMS-based multi-factor authentication (MFA). This approach helped threat actors steal user credentials and passwords for online services accounts. They could even lock the victims out of their accounts.
As such, individuals and organizations alike must deploy critical safety measures into everyday technology and engage in cybersecurity assessments often to identify potential vulnerabilities. It's also vital to conduct regular cybersecurity awareness workshops to keep staff alert to social engineering campaigns. This approach will also help create a security culture within the company where everyone follows security best practices.