HUMINT: Diving Deep into the Dark Web

Discover how cybercriminals operate in Dark Web forums—what services they buy and sell, their motivations, and even how they scam each other.
Clear Web vs. Deep Web vs. Dark Web
Threat intelligence professionals categorize the internet into three main components:

– Clear Web: Web assets that can be accessed through public search engines, including media, blogs, and other websites.
– Deep Web: Websites and forums not indexed by search engines, such as webmail, online banking, and corporate intranets. Some hacker forums also exist here, requiring credentials to enter.
– Dark Web: Web sources that require specific software for access. These sources are anonymous and closed, including Telegram groups and invite-only forums. The Dark Web hosts Tor, P2P, hacker forums, criminal marketplaces, etc.

According to Etay Maor, Chief Security Strategist at Cato Networks, “We’ve been seeing a shift in how criminals communicate and conduct their business, moving from the top of the glacier to its lower parts. The lower parts allow more security.”
Spotlight: What is Tor?
Tor is a free network, built on open-source software, that allows for anonymous communication. Initially developed by the United States Naval Research Laboratory, it has become popular for illegal activities.

Activity on the Clear Web can be monitored by law enforcement and traced back to the criminal. With Tor, however, communication is encrypted in three layers, and a layer is peeled off at each node hop until the traffic exits the network. Law enforcement monitoring Tor will see only the Tor exit node, which makes it harder to trace the traffic back to the original criminal.

Etay Maor adds, “In the 2000s, a celestial alignment of digital capabilities boosted criminal efforts. First, the Dark Web emerged. Then, hidden and secure services through Tor. Finally, cryptocurrency allowed for secure transactions.”
Criminal Services Available on the Dark Web
Here are a few examples of services that were available on the Dark Web in the past. Many of these have been taken down, with criminals now moving towards the Telegram messaging platform for its privacy and security features.

– Drug Selling
– Fake Identity Services
– Marketplace for Vendor Search, Including Warnings About Phishing Attempts

How are Criminal Forums Managed? Creating Trust in an Untrusted Environment
Attackers use online forums to buy and sell hacking services. Although these forums are built on crime, they need to create trust among their members.

Generally, these forums are structured as follows:

– Admin: Moderates the forum
– Escrow: Facilitates payments among members
– Black-list: Arbitrates issues like payments and service quality
– Forum Support: Provides various forms of assistance to encourage community engagement
– Moderators: Group leads for different topics
– Verified Vendors: Vendors who have been vetted, unlike others, some of whom are scammers
– Regular Forum Members: Verified before being allowed to enter the forum to filter out scammers, law enforcement, and other risky members

The Path from Malware Infection to Corporate Data Leak on the Dark Web
Here’s how the different stages of an attack are represented on the Dark Web, using malware to steal information for ransomware purposes:

Pre-incident Phases:

1. Data Collection: Threat actors run global infostealer malware campaigns to steal logs of compromised credentials and device fingerprints.
2. Data Suppliers: Threat actors supply data to Dark Web markets specializing in credentials and device fingerprints from malware-infected computers.
3. Fresh Supply: The logs become available for purchase in the Dark Web market, typically priced from a few dollars to $20.

Active Incident Phases:

4. Purchase: A threat actor specializing in initial network access buys the logs and infiltrates the network to elevate access, often bypassing security mechanisms like MFA.
5. Auction: The access is auctioned on a Dark Web forum and bought by a skilled threat group. Auctions can be competitive or “Flash,” allowing immediate purchase without competition.
6. Extortion: The group executes the attack, placing ransomware in the organization and extorting it.

This path highlights the various areas of expertise within the criminal ecosystem. A multi-layered approach using operational threat data can alert on and possibly prevent future incidents.
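
A defender can act on the pre-incident phases by checking stealer-log records from a threat-intelligence feed against the organisation's own domains. The following is an added example, not code from the article or from Cato Networks; the feed format, field names, `ORG_DOMAINS`, the portal hints, and the severity rules are assumptions, and the sample records are constructed.

```python
import json
from urllib.parse import urlsplit

ORG_DOMAINS = {"example.com"}                      # assumption: domains the organisation owns
REMOTE_ACCESS_HINTS = ("vpn", "citrix", "remote")  # assumption: remote-access portal naming
RANK = {"critical": 0, "high": 1, "medium": 2}

# Constructed sample feed, one JSON record per line; field names are hypothetical.
SAMPLE_FEED = """\
{"url": "https://shop.other.test/account", "username": "j.doe@example.com", "has_fingerprint": false}
{"url": "https://vpn.example.com/login", "username": "j.doe", "has_fingerprint": true}
{"url": "https://intranet.example.com/", "username": "a.smith", "has_fingerprint": false}
{"url": "https://notexample.com/login", "username": "x@unrelated.test", "has_fingerprint": true}
truncated or non-JSON line
"""

def in_org(name):
    """True if name is an organisation domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in ORG_DOMAINS)

def triage(feed_text):
    """Return findings for records that touch the organisation, most severe first."""
    findings = []
    for line in feed_text.splitlines():
        try:
            rec = json.loads(line)
            host = urlsplit(str(rec.get("url", ""))).hostname or ""
        except (ValueError, AttributeError):
            continue                      # feeds are messy: skip unparsable or non-object lines
        user = str(rec.get("username", ""))
        corp_host = in_org(host)
        corp_user = "@" in user and in_org(user.rsplit("@", 1)[1])
        if not (corp_host or corp_user):
            continue                      # look-alikes such as notexample.com do not match
        remote = corp_host and any(h in host for h in REMOTE_ACCESS_HINTS)
        if remote and rec.get("has_fingerprint"):
            severity = "critical"         # remote-access login sold with a device fingerprint
        elif corp_host:
            severity = "high"             # credential for a corporate system
        else:
            severity = "medium"           # corporate e-mail used on a third-party site
        findings.append({"severity": severity, "host": host, "user": user})
    return sorted(findings, key=lambda f: RANK[f["severity"]])

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        print(f"{f['severity']:8} {f['user']:20} {f['host']}")
```

Each finding maps to a response such as a password reset and session revocation for the affected account before the access can be resold.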
The Role of HUMINT
Automated solutions are essential for fighting cybercrime, but human intelligence (HUMINT) is also needed. HUMINT is carried out by cybercrime officers from law enforcement who log into forums and act like trade actors, engaging with criminals to gather actionable, reliable, and timely intelligence.

For example, a cybercrime officer will engage an attacker selling VPN logins to determine which VPN or client the logins belong to. Another attacker, selling Citrix access to an IT infrastructure provider in the UK, might send samples to promote the sale because of economic motivations.
Protecting Against Network Attacks
The Dark Web operates as an economic ecosystem, with buyers, sellers, and supply and demand. Effective protection against network attacks requires a multi-layered approach at each attack stage, both pre-incident and throughout the incident. This includes using automated tools and HUMINT to engage with cybercriminals online and gather intelligence by mimicking their operations.

To see more fascinating examples and hear more about HUMINT and Dark Web forums, watch the entire masterclass here.

