Technology helping malicious business on the dark web grow
Technology helping malicious business on the dark web grow

The “dark web” has long had an ominous appeal to Netizens with more illicit leanings and interests. But given a broadening reach and new technologies to access this part of the web and obfuscate dealings here, the base of dark web buyers and sellers is likely growing.

True to its moniker, since the dark web emerged more than 20 years ago – after the U.S. Naval Research Lab developed onion routing to secure its own communications – it has been seen as a murky underbelly of electronic commerce, an online black market populated by the likes of Silk Road, the notorious marketplace shut down in 2014 after less than three years of operation. But the pull of the dark web, the promise of accessing drugs and pharmaceuticals, highly illegal pornography, or even the exploits to start one's own home hacking business (without ever leaving their keyboard), has emboldened more people to strike out here.

“The dark web is a moving target, and motivated parties can effectively work across information networks to accomplish their goals,” says Dr. Chris White, principal researcher in Microsoft's Special Projects division. Among the latest concerns emerging from the dark web, White says he is seeing the “creation and dissemination of false or out-of-context information intended to confuse, promote bias, and radicalize at-risk people toward violence.” Another issue is how popular the dark web is becoming to distribute pirated software or exploits for penetrating operating systems, browsers, and other corporate, consumer, and device networks, he adds.  

Vitali Kremez, senior analyst with Flashpoint's cybercrime intelligence unit, has spent time working his way into the active groups on the dark web in order to research their illegal work. “These criminals police themselves very well, and they are attuned to [those] who would try to hack the vetting process [to join the group],” Kremez says. Like other industry insiders, Kremez is seeing many criminal efforts and exchanges moving from the “clear” web to the dark web, where their dealings can be more easily kept anonymous and untraceable.

In recent years, more international and domestic terrorist groups like ISIS and the Chinese underground have emerged or expanded their rhetoric on the dark web, in effort to spread their message and recruit more members to their causes. “The level of censorship you have on the rest of the web is just not there,” Kremez says.

But despite its obvious and well-earned reputation for its more sinister side, at least one researcher says that as the dark web expands, the majority of what's there is actually legal. In its recent study, intelligence firm Terbium Labs found that nearly 55 percent of all the content on the dark web is legal in nature, meaning that it may be legal pornography, or controversial discussions, but it's not explicitly illegal by U.S. law.

“There is a pre-conceived notion that being anonymous means you are associated with criminality,” says Emily Wilson, director of analysis at Terbium Labs. “But there are plenty of reasons that people might want to do something anonymously. And just because something is legal does not mean it could not be considered dangerous or damaging.” Terbium Labs used an automated internet crawling tool to scrape information and feed it into a database, sampling 400 randomly selected URLs which were then reviewed by a team of analysts who classified each page of content into one of 15 predefined categories, including exploits, pornography, drugs, fraud and falsified documents. The analysis is based on both URL and domain counts.

Of the illegal content on the dark web, the sale of illegal drugs and pharmaceuticals is still by far the most popular – with the sale of recreational drugs accounting for 45 percent and pharmaceuticals accounting for 11 percent of the illicit content, according to Wilson. “The dark web more recently has become more popular for a number of people who see this as a better or safer place to purchase their drugs,” she says.

‘Supply and Demand'

While drug sales are arguably still the main illegal commercial venue on the dark web, many industry experts still see the reach and the pull of this online arena broadening in other illicit or criminal activities as more people the world over see this as an easy way to get their foot in the door as a newbie hacker or to explore the world of underground extremism. “More of these activities you used to see happening on the above-board web are slowly moving to the dark web,” says Dr. Johannes Ullrich, chief technology officer (CTO) at the SANS Internet Storm Center.

Kremez says he is seeing the dark web's own “supply and demand model” emerge as would-be hackers seek out exploits or advice or even stolen information itself. “As we see more breach exploits available, more available to cyber-criminals, the demand here is rising,” Kremez says. “It's becoming more of a buyer's market.” He traces the rise in ransomware and Internet of Things attacks on hospitals in particular and breaches on point-of-sale and banking systems to information shared and sold on the dark web. “Criminals are using the information there to develop new exploits and change their tradecraft... Or to find other talented hackers, it's a good hiring ground,” he adds. 

But, Kremez says that it's not just the abstract commerce, sales of malware or stolen data, that is getting bigger. “Weapons sales are becoming a larger portion, growing and becoming more of a norm, for some time now,” Kremez says, who adds there are more dark web forums and site dedicating to instructing readers how to make bombs, or where to buy ingredients. The more restricted the community on the dark web, the more dangerous and illicit the content and commerce will be, Kremez adds, since “not too many researchers or law enforcement officials” are able to access these forums due to more stringent vetting by community administrators.

“Within Tor hidden services, it's challenging to discover ephemeral sites and new sites. Once found, it's challenging to determine what content is on a site or what function the site serves,” White says. “Then, there's a challenge in assessing the validity of what the site claims.” Hence, White claims that statistics about dark web commerce “should be viewed as partial observations. With such caveats, examples can be found of sites offering revenge porn, murder for hire, propaganda, remote access tools, child pornography and other child exploitation (which deserve their own category as possession of and viewing content online is itself a crime), stolen or forged documents, weapons, drugs, ransomware, endangered species, state secrets, corporate secrets, hackers for hire, and more.”

Out of the Darkness?

In the face of likely increasing and worsening threats on the dark web, the task of law enforcement officials trying to break in and find the criminal purveyors and buyers here is also becoming more of an uphill climb. Dark web users have begun embracing Tails, a Linux-based operating system that blocks virtually all non-anonymous communication to or from the user's computer. According to research from Carnegie Mellon University, the share of dark web vendors using PGP encryption rocketed from just about 25 percent in July 2013, to more than 90 percent of vendors in January 2015. And the growing popularity of “bitcoin-tumblers” are making transactions using the notoriously popular and difficult-to-trace online currency even harder to pin down.

“The bitcoin tumblers alone are a big problem,” Ullrich says. “Bitcoin can be traceable, though not always to an individual.” In the past, the best way to ensure a cybercrime conviction was to be able to “follow the money” and show the participants' intent through their payment for illegal goods or exploits, Ullrich says. “But with bitcoin and the tumblers, that gets a lot more difficult.”

White points out that changing networks, ephemeral sites, reputation-based assessment, activities spanning jurisdictional boundaries, scams, and honey pots are all contributing to making law enforcement difficult. “And in addition to the technology challenges, law enforcement has human resources challenges in recruiting and retaining the tech talent needed to be effective,” White says. “Computer science experts with these skills are rare, can get paid well elsewhere, and may not have a lifestyle conducive to working for a law enforcement organization.”

Kremez points out the growing availability and popularity of “bulletproof host providers” – online Internet services providers, typically based outside of the United States' jurisdiction, which are committed to not responding to U.S. subpoenas and will host any kind of activity on their servers. With access to host providers like this, even if law enforcement is aware of a particular group's or community's illegal activities on the dark web, it becomes much more difficult to legally obtain access to the information they need to indict or prosecute them.

In general, he says, the dark web communities are becoming much more sophisticated in how they manage and conduct their own security, route their commerce and transactions, launder their money, and generally obfuscate dealings from law enforcement. “When cybercriminals talk, we need to listen more and look at things from their perspective,” Kremez says. “Agencies and companies should consider them as they would any competitor and calculate them into business equations, because they are competitors for [corporate] data. Organizations should listen to the chatter and bring that exposure risk into their modeling.”