I Saw Your Data on the Dark Web

In September, I wrote about credential stuffing, the kind of attack that depends on the collection of huge amounts of data (lists of user/password pairs), which usually are sold on the Dark Web. But, what is the Dark Web? How could we have access to it? Perhaps many of us immediately associate the term Dark Web with criminal activity. But is that a place intended only for criminals? If you don't know what the Dark Web is or want to learn more about it, this post can give you useful information.

Let's start by mentioning what is known to everyone reading this text: the Clear Web. Yes, even if you don't know it by this name, it is the part of the internet that we handle daily and that we can find as public content in the usual search engines such as Google and Bing. However, and to some people's surprise, it's estimated that more than 90% of the internet's total content is not part of the Clear Web but the Deep Web. The latter includes all websites protected by a paywall or requiring sign-in credentials. Here we have file hosting spaces, membership websites, email accounts and corporate web pages used temporarily to fill out forms, just to mention a few examples. Of course, we also use some of these services almost every day. This is not the case with the Dark Web, to which some mistakenly allude as if it were the same as the Deep Web. Actually, the Dark Web is a tiny portion of the Deep Web (less than 5% of the internet).

I've never used the Dark Web, maybe you haven't either, but both of us may have already appeared there. Let's understand better what this dark side of the internet is. According to the above, with the Dark Web being part of the Deep Web, you will not find its material on Google. Additionally, and as a distinctive feature, you can only access it through a particular web browser, such as Tor, I2P or Freenet. Curiously, you can get all these browsers for free. So, the Dark Web is something intentionally hidden but not inaccessible for any of us.

Perhaps the most popular browser used on the Dark Web is The Onion Routing (Tor) project. Tor started in the 1990s at the US Naval Research Lab with some of its members looking for "a way to create internet connections that [didn't] reveal who [was] talking to whom, even to someone monitoring the network." In the beginning, this project was designed and used only to hide espionage communications, but later ended up being open to any public wishing to surf the internet and share information anonymously. Tor's technology is able to route your website requests through random paths of encrypted proxy servers worldwide, making your IP address unidentifiable and your activity unexposed.

Most Dark Web sites have the particular characteristic that they don't end in .com or similars but .onion. Besides, their URLs' structures are often not easy to remember (e.g., 'grams7enufi7jmdl.onion'). Through different layers of encryption (i.e., onion routing technique), they "remain anonymous, meaning you won't be able to find out who's running them or where they're being hosted," according to Kaspersky's team.

One problem is that this environment is somewhat chaotic and websites are slow. Although some search engines have been created to facilitate navigation, they are still inaccurate, and the experience remains complicated. (Another option is the lists of URLs, such as the Hidden Wiki.) Still and all, what can we find inside the Dark Web?

The privacy of this dark sector, for instance, has served as a shelter for activists and journalists (and their readers) in various countries to maintain their communication and avoid censorship or condemnation by drastic governments. Even Facebook, a few years ago, opened an onion address for users interested in accessing the network through the Tor protocol in favor of their privacy. On the other hand, many individuals have been offering illicit products and services, with transactions mainly in bitcoin, while taking advantage of anonymity.

The act of browsing the Dark Web is not an illegal exercise but can represent some risks. These include the constant flow of malware that can affect unsuspecting users and the offering of supposed services that end up being merely scams. While several myths seem to have been forged about the content of this subset of the Deep Web (e.g., there are rumors about sites broadcasting live torture and murder), the atrocities that may appear there are still real. As Joseph Cox said in 2015, "if violent child pornography is not 'dark' enough for you, perhaps no one can provide whatever it is you're looking for."

In response to this situation, although it is something complex, looking for weaknesses in systems and processes that seem unbreakable, law enforcement officials have managed to identify, follow and arrest criminals of the Dark Web on several occasions. Such was precisely a relatively recent case in which police in the UK arrested pedophile Richard Huckle by secretly taking control of a website focused on child abuse. Another famous case is that of Ross Ulbricht, who was captured by the FBI in 2013 for running a vast market for illegal drugs, money laundering and other illicit activities on the Dark Web, called Silk Road.

The Dark Web is an ideal site for malicious hackers, including newcomers, who can find lots of learning material and even software ready to perform attacks. When I said that we could have already appeared on the Dark Web, I was referring to the fact that cybercriminals could have introduced some of our sensitive information after achieving a data breach. Passwords, credit card numbers, physical addresses, social security numbers and other personal data circulate every day on the Dark Web. All this information, to which access is usually limited, is often sold and useful to many other attackers to commit theft or fraud. After some time, this data can even be leaked for free, as the ShinyHunters group apparently did in the middle of this year by sharing more than 386 million user records in a hacker forum.

At Fluid Attacks, we can help you and your company against cyberattacks. Click here to contact us.