Sarthak Thakur

Unveiling the Dark Web: A Deep Dive into its Structure and Activities


The dark web is a part of the deep web that operates in secrecy, containing content that requires special tools to access. As a result, estimating traffic on the dark web is nearly impossible. This also complicates efforts to monitor criminal activity within it. It's challenging to determine if personal data is being sold online, and companies struggle to identify when hackers are coordinating attacks beyond their surveillance capabilities.


By breaking down the layers of the web, we identify two main levels: the Surface Web and the Deep Web. The Deep Web constitutes about 95% of the internet, while the Surface Web, which is easily accessible through standard searches, accounts for only 5% of online content. The Dark Web, a hidden part of the Deep Web, is often associated with criminal activities, including the trade of stolen data, human trafficking, and drug trafficking. Although the dark web allows for user anonymity, it’s important to recognize the associated risks and exercise caution when navigating it. The dark web serves as a platform for anonymous whistleblowers and offers protection against government censorship and surveillance. It is particularly notorious for illegal activities such as the sale of drugs and child exploitation.

| Feature | Surface Web | Deep Web | Dark Web |
|---|---|---|---|
| Access | Easily accessible with search engines like Google | Not accessible by search engines; requires specific tools or login credentials | Not easily accessible; requires specific tools and knowledge, such as Tor |
| Content | Publicly available content | Content that is not indexed by search engines, such as private emails and social media profiles | Illicit content and criminal activities, such as illegal drug trade and human trafficking |
| Anonymity | Users are often identifiable | Users may have a degree of anonymity | Strong emphasis on anonymity and privacy |
| Security | Security may vary | Strong security measures, such as encryption and access controls | Strong emphasis on security, such as encryption and anonymous communication tools |
| Legality | Mostly legal content | Legal and illegal content | Primarily illegal content and activities |
| Size | Represents only a small percentage of the internet | Estimated to be several times larger than the surface web | Difficult to estimate, but likely smaller than the deep web |
| Purpose | Wide variety of purposes, including commerce and communication | Includes a wide range of activities, including private communication and research | Primarily used for criminal activities and anonymous communication |

Differences between the Surface Web, Deep Web, and Dark Web

The Dark Web fundamentally differs from both the Surface and Deep Web. The Surface Web comprises a clearly defined set of information, while the Deep Web includes content that isn't indexed by any search engines but can be accessed with the right credentials. In contrast, the Dark Web operates on encrypted networks, designed to remain hidden from the public eye. Users can access it through specific anonymizing tools that make tracking activities nearly impossible. Some areas of the Dark Web serve as platforms for political dissidents and privacy advocates, while others are used for illegal activities such as drug trafficking, human trafficking, and cybercrime.


How does the dark web work?


The public internet, or surface web, consists of visible servers and web content that can be accessed through public IP addresses.


The dark web relies on unique protocols and encryption methods. Browsers like Tor (The Onion Router) implement specialized protocols to create encrypted access points, employing a layered encryption approach that wraps data packets in multiple layers.


Tor also creates intricate paths for data traveling across the dark web. As the data moves between nodes, the layers of encryption are stripped away, similar to peeling an onion. There is no identifiable connection between the entry point and the final destination, ensuring user anonymity as long as Tor is in use.
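The layered encryption described above, as an added example that is not code from the original post or from the Tor project: each relay holds one key, can remove only its own layer, and learns nothing but the next hop. The stream cipher here is a toy (SHA-256 in counter mode with an HMAC tag) standing in for Tor's real per-hop AES-CTR keys; relay names, keys and the message are constructed.

```python
import hashlib
import hmac
import os

def _stream(key, nonce, data):
    # Toy stream cipher (SHA-256 in counter mode), for illustration only;
    # Tor negotiates a separate key with each relay and uses AES-CTR.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def _seal(key, plaintext):
    # One layer: nonce || HMAC tag || ciphertext.
    nonce = os.urandom(8)
    ct = _stream(key, nonce, plaintext)
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct

def _open(key, layer):
    # Only the relay holding this key can remove the layer; anyone else fails.
    nonce, tag, ct = layer[:8], layer[8:40], layer[40:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("layer was not sealed for this relay's key")
    return _stream(key, nonce, ct)

def wrap_onion(route, destination, payload):
    """Seal for the exit first, so the entry relay's layer ends up outermost.
    route is an ordered list of (relay name, key the sender shares with it).
    Each layer names only the next hop; no layer names the sender."""
    cell, next_hop = payload, destination
    for name, key in reversed(route):
        cell = _seal(key, next_hop.encode() + b"|" + cell)
        next_hop = name
    return cell

def peel_layer(key, cell):
    """What one relay does: strip its own layer and learn where to forward."""
    next_hop, inner = _open(key, cell).split(b"|", 1)
    return next_hop.decode(), inner

def relay_chain(route, cell):
    """Pass the cell through the relays in order. Returns each relay's view
    (relay, next hop it learned, bytes it forwards) and the delivered payload."""
    trace = []
    for name, key in route:
        next_hop, cell = peel_layer(key, cell)
        trace.append((name, next_hop, cell))
    return trace, cell
```

The trace shows the entry relay forwarding only ciphertext addressed to the middle relay, while only the exit sees the payload and the destination name.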


Creating an Onion Site

Onion service sites operate differently from standard surface web sites. Most websites have a publicly accessible IP address and use the Domain Name System (DNS) to link domain names (like Google.com) to their IP addresses. When your computer wants to access Google.com, it requests the IP address from a DNS server, connects to the site, and begins communication. In contrast, the Tor network is designed to ensure user anonymity and protect the identities of those publishing information, which necessitates a different method for hiding the server’s IP address. This is achieved through the onion service protocol, which allows onion sites to advertise themselves on the network without revealing their IP addresses.


Popular Browser for Accessing the Dark Web (Tor)


When a new onion site joins the Tor network, it looks for relays to introduce it without disclosing any information about the host. These relays act as anonymizing circuits. Once multiple relays have formed these circuits for a site, the onion service generates an onion service descriptor, which includes a list of the site’s introduction points and is used to create an identity key pair. This pair consists of a private key, which encrypts the onion service descriptor, and a public key, which serves as the onion service address (for example, the Tor Project's onion address is http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion/). The public key for the service descriptor is part of that address.


If your computer is connected to the Tor network and you want to access the Tor Project website, your browser will use the site address to verify the encryption on the service descriptor and locate the introduction points for the site. Your computer will connect to one of the introduction point relays and request that it act as a rendezvous point. This relay then facilitates communication between your computer and the Tor Project website, ensuring that neither party knows the other’s identity. All communications between your device, the Tor network, the introduction points, and the website are encrypted and anonymized as much as possible.
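How the public key is embedded in the address, as an added example (not code from the post or the Tor project): a v3 onion name is base32 of the 32-byte ed25519 public key, a two-byte checksum and a version byte, following Tor's documented v3 scheme. The parser below recovers and validates the key, which is how a client or a threat-intel pipeline can reject mistyped or look-alike addresses before doing anything with them; the sample key in the test is constructed.

```python
import base64
import hashlib

VERSION = b"\x03"  # v3 onion names end in a single version byte

def checksum(pubkey):
    # CHECKSUM = SHA3-256(".onion checksum" || PUBKEY || VERSION)[:2]
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def onion_address(pubkey):
    """Derive the .onion name from a 32-byte ed25519 public key:
    base32(PUBKEY || CHECKSUM || VERSION), 56 characters. The final base32
    character encodes the low five bits of the version byte 0x03, which is
    why every v3 name ends in 'd'."""
    if len(pubkey) != 32:
        raise ValueError("expected a 32-byte ed25519 public key")
    raw = pubkey + checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode().lower() + ".onion"

def parse_onion_address(addr):
    """Return the embedded public key if addr is a well-formed v3 onion name
    with a valid checksum, else None. Accepts a full URL and the defanged
    '[.]onion' spelling used in reports."""
    name = addr.strip().lower().replace("[.]", ".")
    if "://" in name:
        name = name.split("://", 1)[1]
    name = name.split("/", 1)[0]
    if not name.endswith(".onion"):
        return None
    name = name[:-len(".onion")]
    if len(name) != 56:
        return None  # 16-character v2 names are retired; anything else is malformed
    try:
        raw = base64.b32decode(name.upper())
    except ValueError:
        return None
    pubkey, chk, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION or chk != checksum(pubkey):
        return None
    return pubkey

if __name__ == "__main__":
    # The Tor Project's own address as quoted above, in its defanged form.
    page_addr = "http://2gzyxa5ihm7nsggfxnu52rck2vv4rvmdlkiu3zzui5du4xyclen53wid[.]onion/"
    key = parse_onion_address(page_addr)
    print("valid v3 address, key =", key.hex()) if key else print("invalid address")
```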


Integrating the Anonymous Web


For those interested in setting up an onion service, the process can be simplified into a few steps. First, install a web service application like Apache or Nginx and upload your website content. Next, install the Tor onion service software on the same server and configure it to access your website’s content. After configuration, simply restart the Tor service software to launch your site on the Tor network. Additional steps can enhance security and privacy.
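One of those additional steps, as an added example that is not from the post or the Tor project: the torrc fragment that publishes a local web server as an onion service, together with a check that each HiddenServicePort target points at loopback (or a unix socket). A web server that the onion service forwards to on a routable address is also reachable outside Tor, which is the classic way an onion service gets correlated with its host. The torrc, paths and addresses below are constructed; the directive syntax is Tor's own.

```python
import ipaddress

# Constructed torrc fragment (hypothetical paths and addresses) for one onion
# service: port 80 is forwarded to a loopback listener, port 443 is not.
SAMPLE_TORRC = """\
# onion service for the internal web server
HiddenServiceDir /var/lib/tor/example_onion/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 203.0.113.10:8443
"""

def parse_hidden_services(torrc):
    """Collect HiddenServiceDir blocks and their HiddenServicePort lines.
    Tor's syntax is 'HiddenServicePort VIRTPORT [TARGET]'; TARGET defaults
    to 127.0.0.1:VIRTPORT and may be a bare port, IP:port or unix:path."""
    services = []
    for raw in torrc.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            services.append({"dir": value.strip(), "ports": []})
        elif key == "HiddenServicePort" and services:
            virt, _, target = value.strip().partition(" ")
            target = target.strip() or f"127.0.0.1:{virt}"
            if target.isdigit():
                target = f"127.0.0.1:{target}"
            services[-1]["ports"].append((int(virt), target))
    return services

def audit_targets(services):
    """Flag forwarding targets that are neither loopback nor a unix socket."""
    findings = []
    for svc in services:
        for virt, target in svc["ports"]:
            if target.startswith("unix:"):
                continue
            host = target.rsplit(":", 1)[0].strip("[]")  # handles [::1]:port too
            try:
                if not ipaddress.ip_address(host).is_loopback:
                    findings.append(f"{svc['dir']}: port {virt} -> {target} is not loopback")
            except ValueError:
                findings.append(f"{svc['dir']}: port {virt} -> {target} uses a hostname; "
                                "verify it resolves to loopback")
    return findings

if __name__ == "__main__":
    for finding in audit_targets(parse_hidden_services(SAMPLE_TORRC)):
        print(finding)
```

The same check should be paired with the web server's own bind address (for example nginx listening on 127.0.0.1 only), since the torrc target is only half of the picture.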


The Tor network requires that relays manage a minimum of 100 GB of incoming and outgoing traffic each month. A public IP address is necessary, and ideally, it should be static rather than dynamic. A dynamic IP would lead to frequent changes in the publicly advertised address, complicating routing and requiring constant updates to relay databases. While a static IP is not mandatory, it is highly recommended to minimize the need for frequent adjustments. Additionally, servers running Tor relay software should meet certain minimum requirements, such as:

  • At least 512 MB of RAM (1.5 GB for exit relays).

  • 200–300 MB of disk storage.


Categories of Dark Web Activities 

Most activities on the Dark Web are typically criminal in nature. One of the most prevalent categories is drug trafficking, where various illicit substances are sold anonymously in online marketplaces. These transactions often use bitcoins, making them difficult to trace. Similarly, the Dark Web is involved in the trade of firearms, explosives, and other illegal weapons. Additionally, numerous illegal services are available, including identity theft, credit card fraud, and document forgery. This also encompasses malware, tools for cyber-attacks, and hired hackers, among others. On a darker note, human trafficking, organ trafficking, material exploitation, and the sale of stolen data are also prominent illicit activities.


Classifying Crimes on the Dark Web


Types of Threats on the Dark Web 


  1. Illegal Activity: Accessing the dark web can easily lead users into criminal activities. Marketplaces often sell illicit drugs, firearms, and stolen information such as medical and legal documents. Purchasing these items carries the risk of legal repercussions.


  2. Malicious Software: The dark web is unregulated, which means visiting certain forums can expose users to malware that compromises their devices. There is also a risk of being directed to illegal content without any prior warning.


  3. Hacking: Dark web sites attract data thieves and hackers who are eager to target both customers and casual visitors.


  4. Ransomware-as-a-Service: Vendors on the dark web offer ready-made ransomware kits that enable almost anyone to conduct cyber-attacks. Groups like REvil and GandCrab provide specialized software that exploits stolen data.


  5. Webcam Attacks: One of the most alarming threats is webcam hijacking, where attackers target users with unsecured cameras. They may use remote administration tools for blackmail or to gather sensitive information.


  6. Data Breaches: The dark web is a central hub for initiating and executing data breaches. No one is safe; for instance, in March 2024, AT&T reported a data breach affecting 73 million records, with stolen data available on the dark web since 2019. AT&T is merely a small example of a larger issue.


  7. Law Enforcement: While criminal activities are rampant on the dark web, law enforcement is also present. Users engaging in illegal behaviour risk detection and prosecution, and they should never assume that their contacts are who they claim to be.


Case Study: UnitedHealth’s $872 Million Cyberattack

Change Healthcare is a key player in the complex landscape of healthcare financing. Their services cater to providers, payers, and pharmacies, encompassing all aspects of the claims process, data analytics, and network security solutions. This foundational role facilitates efficient healthcare operations and manages insurance claims, enabling secure medical data exchange and robust cybersecurity measures. However, this dependence on a centralized platform also creates a vulnerability to a single point of failure, increasing the potential attack surface for cybercriminals.


The report indicates: "In the first quarter of 2024, cash flows from operations reached $1.1 billion, but were negatively impacted by approximately $3 billion due to the company's response to the cyberattack, which included accelerated funding for care providers. Additionally, the timing of public sector cash receipts also affected cash flows."


The ChangeHealthcare platform of UnitedHealth was impacted by the attack. This payment system manages transactions between doctors, pharmacies, and healthcare professionals across the United States. The attack led to the suspension of the ChangeHealthcare platform, with the BlackCat/ALPHV group claiming responsibility for stealing 6 TB of data.



Timeline of the Attack

Initial Breach: 


The exact method used to infiltrate Change Healthcare's network is still being investigated. Three possible attack vectors are being considered:


  1. Phishing Attack:  BlackCat may have sent harmful emails with ransomware attachments or links to employees at Change Healthcare. If employees clicked on these emails, it could have unintentionally allowed the attacker’s malware to gain access.


  2. Supply Chain Attack: Change Healthcare depends on various third-party vendors. If BlackCat gained access to the systems of one of these vendors, it could have enabled them to infiltrate Change Healthcare's network.


  3. Unpatched Software: Outdated software with known vulnerabilities can serve as an entry point for attackers. Neglecting to keep software patches up to date may have played a role in this issue.


Lateral Movement and Data Exfiltration: 


After breaching the network, the attackers likely conducted lateral movement, navigating the system to locate critical infrastructure and valuable data. BlackCat has claimed to have exfiltrated an astonishing 6 terabytes of data, although this has not been independently confirmed. The potentially leaked data may include patient information, financial records, and internal documents.


How to Keep Your Company Data Off the Dark Web 

Dark web criminals are resourceful and relentless, but robust cybersecurity measures can deter even the most skilled data thieves. Unfortunately, many companies neglect to implement these safeguards, allowing dark web markets to flourish—this doesn’t have to be the case.


Here are some strategies to secure your data and undermine the profitability of dark web vendors:

  1. Use a Business VPN: A Virtual Private Network (VPN) encrypts your internet traffic and protects your data during transmission. Ensure that every endpoint has VPN coverage to block data theft.

  2. Protect Your Credentials: Credential theft through tactics like brute force attacks can give criminals access to your network. Enforce strong, frequently updated passwords and implement multi-factor authentication for all logins. Adopt Zero Trust principles to limit access to sensitive information.

  3. Be Cautious with Phishing: Phishing attempts can trick users into clicking harmful links, leading to malware infections and data loss. Implement advanced DNS filtering to block access to phishing sites, and educate employees on how to recognize phishing emails, emphasizing the importance of phishing awareness in data protection.

  4. Utilize Dark Web Monitoring: Monitoring the dark web is essential for companies handling sensitive data. Consider the AT&T case, which took five years to uncover a significant data breach. Monitoring allows for immediate alerts on data exposure and helps refine security measures to prevent future attacks.

  5. Adopt Comprehensive Dark Web Protection: Integrate your security measures—such as password security, VPN coverage, and access controls—into a holistic threat protection setup. This approach enables you to anticipate and address threats proactively.


The above tips will help protect companies that do not intend to access the dark web. However, if you need to use the dark web safely, additional security measures are necessary:


  • Be Cautious with Confidential Information: Avoid disclosing personal details on dark web forums, such as your name, employer, phone number, or address.

  • Don’t Trust Dark Websites: Dark web sites lack SSL encryption and certification for safety. Always remember this when engaging in discussions or making purchases.

  • Avoid Clicking Links: Links on dark web forums can be malicious or lead to illegal content. Generally, it’s best to avoid clicking unknown links whenever possible.

  • Disable Java and ActiveX: Make sure these frameworks are disabled before using Tor. They are known to be vulnerable to exploits, particularly on the dark web.

  • Isolate Dark Web Browsing from Critical Assets: Ideally, use Tor within a well-secured network segment. Create a secure zone with limited internal movement to minimize potential damage if an incident occurs.


 

Conclusion:


The dark web, a hidden segment of the internet, presents a complex landscape that blends anonymity with significant risks. While it offers a refuge for privacy advocates and whistleblowers, it is predominantly a hub for illicit activities, including drug trafficking, human exploitation, and data breaches. Navigating this space requires specialized tools like Tor, which ensure user anonymity but also complicate the monitoring of criminal behavior.


Understanding the distinctions between the Surface Web, Deep Web, and Dark Web is crucial for comprehending the challenges and threats associated with each layer. The dark web's unique infrastructure, while designed to protect user identity, simultaneously provides opportunities for cybercriminals to exploit vulnerabilities, such as unpatched software and phishing attacks.

 

As exemplified by incidents like the cyberattack on Change Healthcare, the implications of dark web activities can be severe, impacting organizations and individuals alike. Implementing robust cybersecurity measures, conducting dark web monitoring, and exercising caution are essential strategies for companies to safeguard their data and mitigate the risks associated with this shadowy part of the internet. Ultimately, while the dark web can serve legitimate purposes, it demands a high level of awareness and preparedness to navigate its treacherous waters safely.

