What can the Dark Web teach us about security?

Ever since the law enforcement takedown of the Silk Road underground marketplace in 2013, there has been increasing interest in the depth and breadth of the Dark Web. This portion of the internet has been largely shrouded from the public eye. But it represents an environment in which hackers can converse or share malicious code and strategies. And make a profit from the information stolen during the ever-increasing cyber attacks taking place.


According to gathered statistics, the Deep Web contains an incredible amount of data (7,500 terabytes), which, when compared with the surface web’s 19 terabytes, is almost unbelievable. This shadowy portion of the internet encompasses as much as 550x more public information than that of the surface web. Trend Micro discovered 576,000 unique URLs during a two-year analysis of the Deep Web. It collected details on over 38 million individual events.

While we see the Deep Web as a haven for hacker activity, this isn’t the only purpose it can serve. By studying the Deep Web, the users and what they share, organizations get a better sense of the overall threat. And they can prepare themselves better to guard against emerging vulnerabilities and attacks.

Start at the beginning: What is the Deep Web (or Dark Web)?

Before we delve further into the lessons this internet can teach us, it’s important to understand what the Deep Web is. Much of the public initially learned about the Deep Web after the arrest of Ross Ulbricht. He went by the name Dread Pirate Roberts within the Silk Road underground community. Trend Micro noted that Ulbricht had built a billion-dollar digital marketplace wherein money laundering and illegal drug trade took place. Due to these activities, the government charged Ulbricht with narcotics trafficking and computing hacking conspiracy and received double life sentences.

This headline-grabbing story drew considerable attention to the Deep Web, and many individuals and businesses were quick to learn as much as they could about a growing section of the internet not accessible through traditional means. As Trend Micro noted in the paper “Below the Surface: Exploring the Deep Web,” while the Deep Web (or Dark Web) was initially established to help provide users with a safe space away from censorship that hindered free speech, it eventually became a refuge for cyber crime.

“The Deep Web includes more than 200,000 websites
containing 550 billion individual documents.”

What takes place within the Deep Web?

Drug trafficking like that which occurred through the Silk Road market wasn’t the only example of nefarious activity happening within the Deep Web. After all, with more than 200,000 websites containing 550 billion individual documents, it’s clear people use the Deep Web for more than just trading illegal substances.

Through its analysis, Trend Micro discovered hackers take part in a whole host of other activities, including:

• Selling and purchasing firearms.
• Obtaining stolen identity information for fraudulent purposes.
• Launching cyber crime operations through created malware samples.
• Hiring contract hackers or even killers.

Stolen data finds a home

Today, we’re focusing on activities that can harm the enterprise community, especially the theft and sale of stolen information. When a data breach takes place, the end goal is typically to steal as much information as possible. This can encompass details about the business’s intellectual property, as well as data about its employees and customers. After this data is stolen, hackers seek out underground marketplaces through which to sell the information, and the Deep Web represents the perfect place for those transactions to take place.

What’s more, cyber criminals can choose the ways in which they would like to sell their stolen data. This can include pricing items according to individual files or grouping documents into groups. They can sell stolen credit card numbers, for instance per piece or as a package. In some cases, hackers prefer to gather as much information as possible and create profiles. This is typically preferred with stolen identities, where it’s helpful to have a name, Social Security number, physical and email address alongside other details to complete the profile.

Studying the malware trade

In addition to selling the data gathered through malicious breaches, hackers also sell the infections through which a breach can take place. Learning about these activities is particularly helpful, as it can help researchers and business leaders discover emerging trends in hacking. Finding out the top-selling malware samples currently trending in the Deep Web, for example, can enable an organization to work proactively to guard against the specific risks cyber criminals are currently trading in.

Trend Micro discovered that hackers not only buy and sell malware samples within the Deep Web, some malware even leverage the TOR network underpinning this portion of the internet to support launched attacks. Such was the case with banking malware VAWTRAK, which spread through phishing emails. The malware was able to communicate with certain C&C servers connected to hard-coded TOR sites in order send stolen information.

CryptoLocker represents another major malware family that hinges upon the Deep Web. This ransomware was particularly dangerous due to its ability to adjust the ransom notification page to different languages according to victims’ locations. VAWTRAK and CryptoLocker represent a pattern that is likely to continue into the future.

“Unfortunately, given all the benefits cyber criminals reap by hosting the more permanent parts of their infrastructures on TOR-hidden services, we believe we’ll see more and more malware families shift to the Deep Web in the future,” Trend Micro stated.

The Deep Web includes platforms for the sale and purchase of dangerous malware samples.

No one is off limits

Trend Micro also discovered that no single user or entity is considered prohibited when it comes to cyber attacks. You can buy and launch the malware needed for large-scale enterprise attacks on the Deep Web. But it also offers up the tools necessary to attack prominent persons like celebrities, government leaders and other high-profile people. And the malicious activity doesn’t stop there.

Trend Micro Senior Threat Researcher Marco Balduzzi explained that in order to best study cyber criminal happenings within the Deep Web, researchers simulated a malicious installation within TOR that leveraged an array of honeypots. Hackers created these honeypots to expose certain vulnerabilities and hacker operations taking place within the created environment.

Researchers discovered several important insights. Trend Micro found that hackers had made the honeypot available through search engine queries.

What’s more, cyber criminals began attacking those in their own circle.

Our private marketplace was compromised nine times out of ten,” Balduzzi reported. “The majority of these attacks added web shells to servers, giving attackers the ability to run the system commands. This allowed the addition of other files, such as web mailers, defacement pages and phishing kits. Our key finding is that organizations operating in the Dark Web seem to be attacking each other.

Key takeaways from the Deep Web: Securing the enterprise

Overall, there are numerous insights the Deep Web can teach institutions about security:

• The path from attack to profit. For some, it’s difficult to understand the motivations that drive hackers’ malicious activity. Taking a closer look at the deep web helps show the financial portion of this puzzle. Including how cyber criminals can trade in malware samples, stolen data and a whole host of other items. Here hackers can buy the infectious code needed to launch an attack and a platform to sell the information gathered.

• Trends in malware trade. Because malware marketplaces abound within the Deep Web, studying this activity can help organizations to better protect themselves. A trend in ransomware sample sales can demonstrate a need for improved monitoring to guard against suspicious activity.

• Law enforcement takes notice. The time of unchecked malicious activity with the Deep Web is no more (remember the story of the Silk Road). Law enforcement officials worldwide are working hard to catch the responsible perpetrators for the dangerous activities within the Deep Web.

“From an enterprise standpoint, the Deep Web is a worthy arena for threat intelligence,” says Dark Reading contributor Jason Polancich. “In other words, the Dark Web can be thought of as a small pond rich with prized game fish for an organization trying to bolster its defenses,” Plancich wrote. “Find out what may have been stolen or used against you and improve your overall security posture to close that infiltration hole.” To find out more, contact the security experts at Trend Micro today.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.