By now, the vast majority of consumers have heard of the dark web. Even if they aren’t exactly sure how it works, they know that it’s the deep corner of the internet where “bad things happen.” Ever since the highly publicized seizure of large dark markets like AlphaBay and Hansa, it’s become common to see ads for identity theft protection services that claim to “scan the dark web” for a mysterious hooded figure writing code to hack into your life.
The reality of the dark web is a little different. For one, the original dark web networks from the 90s weren’t necessarily developed to aid and obscure criminal activity so much as to be truly anonymous – a characteristic that unfortunately makes dark web networks perfect platforms for buying and selling illegal goods and services, including your personal information. And that’s the second big difference: it’s not just one “hooded figure,” but thousands of cybercriminals who make a day job of trading your personal information with their peers, cracking accounts and sharing (or selling) knowledge of how they did it. The recent successful takedown of several high-volume markets by law enforcement might have slowed this daily trade and ended the careers of some novice and expert criminals, but it also forced cybercriminals to get more creative in how they operate in the shadows.
Innovation is typically a word reserved for positive advancements in ideas, technology and strategy, but we cannot pretend that innovative thinking is unattainable by cybercriminals. Understanding how bad actors recovered from the major network takedowns and are shifting their operations to evolve with the current state of the dark web will help consumers and businesses protect themselves from becoming victims and allow law enforcement to stay ahead of the curve.
Here are some ways that criminals have adapted to develop the next generation of dark markets and operations.
Innovative New Venues
The complex, coordinated effort between multiple countries and agencies around the world to take down AlphaBay, Hansa and subsequently other venues like the r/DarkNetMarkets subreddit sent a message to dark web criminals that they are not untouchable.
To avoid getting caught in any carefully planned law enforcement snares, many experienced criminals with established networks have resorted to strictly selling direct to trusted buyers rather than through potentially exposed marketplaces. The IRC protocol, often considered the “instant messenger of the dark net,” allows for private conversations and transactions. In addition, the emergence of darknet forums like Dread, the Reddit of the dark net, means criminals can network and form new relationships with potential customers, building trust and creating an opportunity for more direct sales.
While new dark markets continue to spin up, their administrators are always looking over their virtual shoulders for law enforcement, so they often shut down just as quickly. Those that stick around are much more rigid about how business is conducted on their markets, and so are their users. Empire Market, for example, is essentially an exact design replica of AlphaBay, but there are strong security features in place to prevent scams. Users often rely on third-party crypto-wallets to pay for goods, because many believe Empire’s accounts are a trap. The Dread forum takes a different approach to staying in business, allowing users to promote their illicit goods and services all they want, while open trades and transactions are forbidden.
Cybercriminals need to protect their businesses too. In a perhaps ironic turn, many of these new dark markets are employing some of the same security measures that were designed to work against them. For example, one new market called Cryptonia Market includes several security features unprecedented on other dark net markets. According to Cryptonia’s main page, it features a 2-of-3 Bitcoin multisig implementation for payments, a transparent wallet-less escrow system for direct deposits, two-factor authentication, anti-phishing features (phishing was a common problem on AlphaBay) built on OpenPGP, and an automatic EXIF metadata stripper to ensure photo metadata doesn’t give away GPS coordinates.
In addition to new markets and their reinforced security focus, new and improved tools for obtaining and utilizing stolen information, PII specifically, have also come to light.
Credential stuffing tools have become more powerful and more specialized, allowing simultaneous execution across multiple domains. These are often called “account checkers” and exist in a few different forms, but all operate the same way – criminals leverage lists of usernames and passwords and check if they can successfully log into different types of accounts.
Stuffing is a volume game: checking credentials against as many accounts as possible, as fast as possible. Today, however, the huge variety of security tools designed to prevent unauthorized access requires criminals to use a little finesse before launching full-bore credential stuffing assaults. Today’s account checkers are often specialized for different categories such as gaming accounts (Fortnite is popular), payment accounts or even pizza delivery accounts, and threat actors will work their way through the available checkers to find the one that best counteracts the specific security measures preventing their account takeover attempts.
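The volume pattern described above is also what makes stuffing visible on the defending side: one source trying many different usernames with mostly failures. The following detector, an added example that is not from the article or any named tool, runs over a small constructed auth log (the IPs, usernames and timestamps are made up) and also lists the accounts that succeeded from a flagged source, which are the ones to force a reset on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp, source IP, username, outcome
SAMPLE_LOG = """\
2019-03-04T10:00:01Z 203.0.113.7 alice FAIL
2019-03-04T10:00:02Z 203.0.113.7 bob FAIL
2019-03-04T10:00:02Z 203.0.113.7 carol FAIL
2019-03-04T10:00:03Z 203.0.113.7 dave OK
2019-03-04T10:00:04Z 203.0.113.7 erin FAIL
2019-03-04T10:00:05Z 203.0.113.7 frank FAIL
2019-03-04T10:00:10Z 198.51.100.9 alice FAIL
2019-03-04T10:00:40Z 198.51.100.9 alice FAIL
2019-03-04T10:01:15Z 198.51.100.9 alice OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result

def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.5):
    # Returns {ip: (distinct_users, attempts, failures)} for the busiest window of any source
    # spraying many *different* usernames with mostly failures; one person fumbling their own password never qualifies.
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, r in win if r == "FAIL")
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                if ip not in flagged or len(users) > flagged[ip][0]:
                    flagged[ip] = (len(users), len(win), fails)
    return flagged

def takeover_candidates(log_text):
    # Accounts that logged in successfully from a flagged source: a stuffed pair "worked",
    # so these get a forced reset and session revocation, not just an alert.
    flagged = detect_stuffing(log_text)
    return {user for line in log_text.strip().splitlines()
            for _, ip, user, result in [parse_line(line)]
            if ip in flagged and result == "OK"}
```

The thresholds are deliberately conservative; tune the window and username count to your own traffic, and remember that real checkers rotate proxies, so the same logic should also be run per ASN or per user-agent fingerprint.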
One of the newer security measures criminals will encounter is multi-factor authentication (MFA). MFA has long been touted as a way to keep customer information extra secure, but sometimes there are vulnerabilities in the ways websites set up two-factor authentication (2FA) that can allow attackers to bypass it without much extra effort. If the attacker has access to their target’s email account, password resets often skip 2FA. The attacker can request a password reset, change the password and will be automatically logged in after successfully changing the password – no text code needed.
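The reset-skips-2FA weakness above comes down to two design choices: treating mailbox possession as the only proof of identity, and handing the caller a live session at the end. The following added example (not code from the article; the user store, token tables and code delivery are simplified in-memory stand-ins) puts that flow beside a hardened one that steps up with the second factor before the password changes, revokes existing sessions, and returns no session.

```python
import hashlib
import hmac
import secrets

def hash_pw(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory state (not from the article); a real service keeps this in a DB.
_SALT = secrets.token_bytes(16)
USERS = {"alice": {"salt": _SALT, "pw_hash": hash_pw("old-pass", _SALT),
                   "mfa_enabled": True, "sessions": set()}}
RESET_TOKENS = {}     # reset token -> username; the token goes out by e-mail
MFA_CHALLENGES = {}   # username -> code sent over the second factor

def request_reset(username):
    token = secrets.token_urlsafe(16)
    RESET_TOKENS[token] = username
    return token

def send_mfa_challenge(username):
    code = f"{secrets.randbelow(10**6):06d}"
    MFA_CHALLENGES[username] = code
    return code           # delivered via authenticator/SMS; returned here only for the demo

def weak_complete_reset(token, new_password):
    # The flow the article describes: mailbox possession is the only check, and the
    # caller is logged straight in, so the account's 2FA never runs.
    user = USERS[RESET_TOKENS.pop(token)]
    user["pw_hash"] = hash_pw(new_password, user["salt"])
    session = secrets.token_hex(8)
    user["sessions"].add(session)
    return session

def hardened_complete_reset(token, new_password, mfa_code):
    # Hardened variant: step up with the second factor before anything changes,
    # revoke every existing session, and return no session so the user must log
    # in normally (which runs 2FA again). Rate-limit code attempts in practice.
    username = RESET_TOKENS.get(token)
    if username is None:
        return False
    user = USERS[username]
    if user["mfa_enabled"]:
        expected = MFA_CHALLENGES.get(username)
        if expected is None or not hmac.compare_digest(mfa_code, expected):
            return False
        MFA_CHALLENGES.pop(username)
    RESET_TOKENS.pop(token)
    user["pw_hash"] = hash_pw(new_password, user["salt"])
    user["sessions"].clear()
    return True
```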
SIM swapping is another increasingly common MFA workaround where a criminal convinces a service provider to assign a new SIM card to a target’s mobile account. This can generally be accomplished through relatively easy social engineering supported with key personal information that’s not too hard to find about people, especially for practiced criminals. If an attacker successfully reassigns a target account to their own SIM, they now receive all texts, calls, etc. coming in and have access to stored data like text messages and security keys used through the mobile account.
The abundance and low price point for these tools and the fact that some more seasoned criminals will offer them as “dark web weapons-as-a-service” means that even the inexperienced bad actors who are new to the dark web scene can begin operating quite lucrative credential stuffing operations.
Just like in any organized business environment, criminal or not, strategy and approach need to evolve with the operating environment. Criminals are pivoting and approaching business in different ways every day to become more efficient, make more money and keep law enforcement guessing.
Even with the global crackdown on cybercrime networks, the underground is as active as ever and estimates project that cybercrime will cost the world $6 trillion by the end of next year. While eradicating cybercrime is a futile goal – criminals will always evolve and adapt – staying aware of the ways criminals make their money and the tools they use to do so will help businesses watch for vulnerabilities, prepare for attacks and invest in the right defenses.