Ever since the law enforcement takedown of the Silk Road underground marketplace in 2013, there has been increasing interest in the depth and breadth of the Deep Web. This portion of the internet has been largely shrouded from the public eye, representing an environment in which hackers can converse, share malicious code and strategies and make a profit from the information stolen during the ever-increasing cyber attacks taking place.
According to gathered statistics, the Deep Web contains an incredible amount of data – 7,500 terabytes, which, when compared with the surface web's 19 terabytes, is almost unbelievable. Thanks to a sharp increase in cyber criminal activity in recent years, this shadowy portion of the internet encompasses as much as 550 times more public information than that of the surface web. Trend Micro discovered 576,000 unique URLs during a two-year analysis of the Deep Web, collecting details on over 38 million individual events.
While the Deep Web is known as a haven for hacker activity, this isn't the only purpose it can serve. By studying the Deep Web, the types of users that leverage it and the processes and information they share, organizations can get a better sense of the overall threat environment – and be more prepared to guard against emerging vulnerabilities and attacks.
Start at the beginning: What is the Deep Web?
Before we delve any further into the lessons this section of the internet can teach us, it's important to understand what, exactly, the Deep Web is. Much of the public initially learned about the Deep Web after the arrest of Ross Ulbricht, who went by the name Dread Pirate Roberts within the Silk Road underground community. Trend Micro noted that Ulbricht had built a billion-dollar digital marketplace wherein money laundering and illegal drug trade took place. Due to these activities, Ulbricht was charged with narcotics trafficking and computing hacking conspiracy – among other things – and received double life sentences.
This headline-grabbing story drew considerable attention to the Deep Web, and many individuals and businesses were quick to learn as much as they could about a growing section of the internet not accessible through traditional means. As Trend Micro noted in the paper "Below the Surface: Exploring the Deep Web," while the Deep Web – or Dark Web, as it is sometimes called – was initially established to help provide users with a safe space away from censorship that hindered free speech, it eventually became a refuge for cyber crime.
"The Deep Web includes more than 200,000 websites containing 550 billion individual documents."
What takes place within the Deep Web?
Drug trafficking like that which occurred through the Silk Road market wasn't the only example of nefarious activity happening within the Deep Web. After all, with more than 200,000 websites containing 550 billion individual documents, it's clear the Deep Web is used for more than just trading illegal substances.
Through its analysis, Trend Micro discovered hackers take part in a whole host of other activities, including:
- Selling and purchasing firearms.
- Obtaining stolen identity information for fraudulent purposes.
- Launching cyber crime operations through created malware samples.
- Hiring contract hackers or even killers.
In this way, while activities and transactions range, all are considered very dangerous pursuits.
Stolen data finds a home
Today, we're focusing on activities that can harm the enterprise community, especially the theft and sale of stolen information. When a data breach takes place within a company's infrastructure, the end goal is typically to steal as much information as possible. This can encompass details about the business's intellectual and playical property, as well as data about its employees and customers, such as their banking, health and other credentials. After this data is stolen, hackers seek out underground marketplaces through which to sell the information, and the Deep Web represents the perfect place for those transactions to take place.
What's more, cyber criminals can choose the ways in which they'd like to sell their stolen data. This can include pricing items according to individual files or grouping documents into groups – stolen credit card numbers, for instance, can be sold per piece or as a package. In some cases, hackers prefer to gather as much information as possible and create profiles. This is typically preferred with stolen identities, where it's helpful to have a name, Social Security number, physical and email address alongside other details to complete the profile.
Studying the malware trade
In addition to selling the data gathered through malicious breaches, hackers also sell the infections through which a breach can take place. Learning about these activities is particularly helpful, as it can help researchers and business leaders discover emerging trends in hacking. Finding out the top-selling malware samples currently trending in the Deep Web, for example, can enable an organization to work proactively to guard against the specific risks cyber criminals are currently trading in.
Trend Micro discovered that not only are malware samples being bought and sold within the Deep Web, some even leverage the TOR network underpinning this portion of the internet to support launched attacks. Such was the case with banking malware VAWTRAK, which spread through phishing emails. The malware was able to communicate with certain C&C servers connected to hard-coded TOR sites in order send stolen information.
CryptoLocker represents another major malware family that hinges upon the Deep Web. This ransomware was particularly dangerous due to its ability to adjust the ransom notification page to different languages according to victims' locations.
As Trend Micro pointed out, VAWTRAK and CryptoLocker represent a pattern that is likely to continue into the future.
"Unfortunately, given all the benefits cyber criminals reap by hosting the more permanent parts of their infrastructures on TOR-hidden services, we believe we'll see more and more malware families shift to the Deep Web in the future," Trend Micro stated.
No one is off limits
Through its extensive research, Trend Micro also discovered that no single user or entity is considered prohibited when it comes to cyber attacks. In addition to selling and launching the malware needed for large-scale enterprise attacks, the Deep Web also offers up the tools necessary to attack prominent persons like celebrities, government leaders and other high-profile people. And the malicious activity doesn't stop there.
Trend Micro Senior Threat Researcher Marco Balduzzi explained that in order to best study cyber criminal happenings within the Deep Web, researchers simulated a malicious installation within TOR that leveraged an array of honeypots. These honeypots were created to expose certain vulnerabilities and hacker operations taking place within the created environment.
Researchers discovered several important insights, including that the Deep Web wasn't as guarded as some may believe – despite setting up a simulated environment only available to invited members, Trend Micro found that hackers had made the honeypot available through search engine queries.
What's more, cyber criminals began attacking those in their own circle.
"Our private marketplace was compromised nine times out of ten," Balduzzi reported. "The majority of these attacks added web shells to the server, giving the attacker the ability to run the system commands on our honeypot. This allowed the addition of other files, such as web mailers, defacement pages and phishing kits. Our key finding is that organizations operating in the Dark Web seem to be attacking each other."
Key takeaways from the Deep Web: Securing the enterprise
Overall, there are numerous insights the Deep Web can teach institutions about security:
- The path from attack to profit: For some, it's difficult to understand the motivations that drive hackers' malicious activity. Taking a closer, yet safe look at the deep web helps show the financial portion of this puzzle, including how cyber criminals are able to trade in malware samples, stolen data and a whole host of other items. The Deep Web provides a place for hackers to buy up the infectious code needed to launch an attack, as well as a platform to sell the information gathered from that event.
- Trends in malware trade: Because malware marketplaces abound within the Deep Web, studying this activity can help organizations be better prepared to protect themselves. A trend in ransomware sample sales, for instance, can demonstrate a need for improved monitoring to guard against the kind of suspicious activity that can point to an attack.
- Law enforcement takes notice: Circling back to the story of the Silk Road, the time of unchecked malicious activity with the Deep Web is no more. Now, law enforcement officials across the globe are working harder than ever to catch the perpetrators responsible for the illicit and dangerous activities within the Deep Web.
From an enterprise standpoint, the Deep Web is a worthy arena for threat intelligence, as Dark Reading contributor Jason Polancich pointed out.
"In other words, the Dark Web can be thought of as a small pond rich with prized game fish for an organization trying to bolster its defenses," Plancich wrote. "Find out what may have been stolen or used against you and improve your overall security posture to close that infiltration hole."
To find out more, contact the security experts at Trend Micro today.