Discover how cybercriminals behave in Dark Web forums- what services they buy and sell, what motivates them, and even how they scam each other.
Clear Web vs. Deep Web vs. Dark Web
Threat intelligence professionals divide the internet into three main components:
- Clear Web - Web assets that can be viewed through public search engines, including media, blogs, and other pages and sites.
- Deep Web - Websites and forums that are unindexed by search engines. For example, webmail, online banking, corporate intranets, walled gardens, etc. Some of the hacker forums exist in the Deep Web, requiring credentials to enter.
- Dark Web - Web sources that require specific software to gain access. These sources are anonymous and closed, and include Telegram groups and invite-only forums. The Dark Web contains Tor, P2P, hacker forums, criminal marketplaces, etc.
According to Etay Maor, Chief Security Strategist at Cato Networks, "We've been seeing a shift in how criminals communicate and conduct their business, moving from the top of the glacier to its lower parts. The lower parts allow more security."
Spotlight: What is Tor?
Tor is a free network, built upon open-source, that allows for anonymous communication. While Tor was originally developed by the United States Naval Research Laboratory, it has become an increasingly popular solution for illegal activities.
Conducting these activities on the Clear Web can lead to law enforcement monitoring and allow tracing back to the criminal. But through Tor, communication is encrypted across three layers that are peeled off at every node jump until exiting the network. Law enforcement agencies monitoring Tor will not see the criminal's IP, but the Tor exit node, making it harder to trace back to the original criminal.
Tor communication architecture:
Etay Maor adds "In the 2000s, a celestial alignment of digital capabilities boosted criminal efforts. First, the Dark Web emerged. Then, hidden and secure services through Tor. Finally, cryptocurrency allowed for secure transactions."
Criminal Services Available on the Dark Web
Here are a few examples of services that were available on the dark web in the past. Today, many of these have been taken down. Instead, criminals are moving towards the Telegram messaging platform, due to its privacy and security features.
Example include -
Drug selling:
Fake identity services:
Marketplace for vendor search, including a warning about phishing attempts:
How are Criminal Forums Managed? Creating Trust in an Untrusted Environment
Attackers attempt to exploit vulnerabilities and break into systems as a way to turn a profit. Just like any other commercial ecosystem, they use online forums to buy and sell hacking services. However, these forums need to create trust among members, while they themselves are built on crime.
Generally speaking, such forums were initially designed as follows:
- Admin - Moderates the forum
- Escrow - Facilitating payments among members
- Black-list - An arbitrator for settling issues like payments and service quality
- Forum Support - Various forms of assistance to encourage community engagement
- Moderators - Group leads for different topics
- Verified Vendors - Vendors that were vouched for, unlike some vendors who are scammers
- Regular Forum Members - The members of the group. They were verified before being allowed to enter the forum to filter out scammers, law enforcement agencies and other irrelevant or risky members.
The Path from Malware Infection To Corporate Data Leak in the Dark Web
Let's see how the different stages of attack are represented in the Dark Web, through an example of malware used to steal information for ransomware purposes:
Pre-incident phases:
1. Data Collection - Threat actors run worldwide infostealer malware campaigns and steal logs of compromised credentials and device fingerprints.
2. Data Suppliers - Threat actors supply data to Dark Web markets specializing in credentials and device fingerprinting from malware-infected computers.
3. Fresh Supply - The logs become available for purchase in the Dark Web market. The price of a log typically ranges from a few dollars to $20.
Active incident phases:
4. Purchase - A threat actor specializing in initial network access purchases the logs and infiltrates the network to elevate access. Many times the information purchased includes more than credentials. It includes cookie sessions, device fingerprinting and more. This allows mimicking the victim's behavior to circumvent security mechanisms like MFA, making the attacks harder to detect.
5. Auction - The access is auctioned in a Dark Web forum and purchased by a skilled threat group.
Etay Maor notes, "Auctions can be run as a competition or as "Flash", meaning a threat actor can purchase immediately without the competition. Serious threat groups, especially if they are backed by nation states or are large criminal gangs, can use this option to invest in their business."
6. Extortion - The group executes the attack, placing ransomware in the organization and extorting it.
This path highlights the various areas of expertise within the criminal ecosystem. As a result, a multi-layered approach fueled by operationalizing threat data can alert and possibly prevent future incidents.
The Role of HUMINT
Automated solutions are indispensable for fighting cyber crime, but to fully understand this realm, human intelligence (HUMINT) is required as well. These are cyber crime officers, the actors from the law enforcement agencies who log into forums and act like trade actors. Engagement is an art, and also has to be an ART - Actionable, Reliable and Timely.
Let's see some examples of the forums tracked by cyber crime officers and how they respond.
In this example, an attacker is selling VPN logins:
The cyber-criminal officer will try to engage and understand which VPN or client this belongs to.
In another example, an attacker is selling Citrix access to an IT infrastructure Solutions and Services Provider in the UK.
A cyber crime officer might reach out as a potential buyer and ask for samples. Since the seller is acting from an economic point of view, and might not be in a good financial situation (coming from former-USSR countries), they will be willing to send samples to promote a sale.
Protecting Against Network Attacks
The Dark Web operates as an economic ecosystem, with buyers, sellers, supply and demand. Therefore, effective protection against network attacks requires a multi-layered approach for each stage of the attack, both pre-incident and throughout the incident itself. Such an approach includes the use of automated tools as well as HUMINT - the art of engaging with cyber criminals online to gather intelligence by mimicking the way they operate.
To see more fascinating examples and hear more details about HUMINT and Dark Web forums, watch the entire masterclass here.