The Dark Web is something like the speakeasy of the internet. Anyone who wants to stay anonymous in days when literally every activity online is tracked can use it. It’s also a safe place for whistleblowers or dissidents in repressive countries. And, just like the speakeasies during Prohibition, it is also the meeting point for organized cyberattacks. But – how much so? That is a question researchers from cloud security company Bitglass tried to answer with an experiment in 2015 – which they re-ran this year, with some interesting results.
What did they do? Essentially, they posted some fake data – credentials mostly – on the dark web and implemented some data tracking technology, which enabled them to see where the data was going, how often it was viewed and other statistics. In this year’s experiment, they additionally categorized their data as coming from retailers, government accounts, pirated content or gaming.
The results were intriguing. If you have never heard of the Dark Web before, it seems like you have been living in a cave, as the major finding suggests that more people are accessing the dark web than ever. On the other hand, this is not really surprising, given that the discussion around privacy and tracking has picked up recently, with even Apple building tracking prevention technology right into their operating systems. For criminals, however, the dark web is becoming more and more attractive – which is backed by the fact that, compared to 2015, data was moving a lot faster on the dark web. In 2015, it took about 12 days until the fake data was viewed more than 1,000 times – in 2021 this milestone was reached after less than 24 hours.
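A sketch of how decoy data of this kind can be tracked and measured, added here as an example and not Bitglass's implementation: each decoy file carries a unique token, and view counts per category plus the time until a view milestone are computed from a log of beacon hits. The token scheme, the function names and the sample hits are assumptions constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timedelta

SECRET = b"constructed-demo-key"  # assumption: known only to whoever planted the decoys
CATEGORIES = ["retail", "government", "pirated_content", "gaming"]  # categories named in the article

def make_token(category, doc_id):
    """Unguessable tracking token embedded in one decoy file (hypothetical scheme)."""
    msg = f"{category}:{doc_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]

def summarize(hits, index, posted_at, threshold):
    """hits: (timestamp, token, source) tuples from the beacon endpoint's log.
    Tokens that are not in the index (scanner noise, guesses) are ignored."""
    valid = sorted(h for h in hits if h[1] in index)
    views = Counter(index[tok] for _, tok, _ in valid)
    # Time from posting until the threshold-th valid view, or None if never reached.
    reached = valid[threshold - 1][0] - posted_at if len(valid) >= threshold else None
    return {
        "views_by_category": dict(views),
        "unique_sources": len({src for _, _, src in valid}),
        "time_to_threshold": reached,
    }

def demo():
    """Constructed sample: one decoy per category, 12 synthetic views, one bogus token."""
    index = {make_token(c, 1): c for c in CATEGORIES}
    tokens = list(index)
    posted = datetime(2021, 1, 1, 0, 0)
    hits = []
    for i in range(12):
        # Half of the views go to the retail decoy, the rest rotate over the others.
        tok = tokens[0] if i % 2 == 0 else tokens[1 + (i % 3)]
        hits.append((posted + timedelta(hours=i + 1), tok, f"src-{i % 5}"))
    hits.append((posted + timedelta(hours=2), "not-a-real-token", "src-9"))
    return summarize(hits, index, posted, threshold=10)

if __name__ == "__main__":
    print(demo())
```
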
The Dark Side of the Cloud
The problem with that increased velocity, however, is that users on the dark net have gone darker, so to speak. Obviously, the dark web can only be accessed through the Tor network in the first place. Tor stands for “The Onion Router”, and the reference to onions pretty much describes how it works: just like the layers of an onion, data are wrapped in a layer of encryption for each router they pass through. This already provides for a high level of anonymity, but as there has to be an exit node at some point, that anonymity is not complete. Which is why more and more users access the dark web through a VPN tunnel – further obscuring their true identity. 93% of users were using this additional layer compared to 67% in 2015.
In addition, users are often not using their own computer to access the dark web. Instead, they are using virtual machines in cloud instances to download stolen data. This development mirrors the general development of web technology, as everyone is using the cloud in one way or another today. What’s a bit more worrying is that other tools such as AI or machine learning are also used by cybercriminals these days.
The Money is in Retailing
New to the 2021 experiment was the classification of the fake data. The resulting findings are not particularly surprising, but show very well how cybercriminals actually work. Data which pretended to originate from some of the major retailers, for example, proved to be the most popular category. Which seems obvious, since using that data allows for a range of other activities, such as dropshipping or installing ransomware. Data with fake government accounts, on the other hand, were also in high demand, but were probably either bought by state-sponsored hackers or sold to nation-states.
In summary, the report gives a valuable insight into how cybercriminals operate and what sort of information is most valuable today. Cyber Protection Magazine discussed the experiment with Mike Schuricht, SVP of Product Management at Bitglass, in a video interview – with some noteworthy insights into the report.