Criminal use of, and threats from, the dark net are growing. At the same time, criminals are going darker, moving to end-to-end encrypted channels for direct communication with service buyers and potential buyers. But the dark net also has its legitimate uses.
Sponsored by threat isolation firm Bromium, Michael McGuire, senior lecturer in criminology at the University of Surrey, spent five months to March 2019 analyzing 15 leading dark net platforms. He and his team of researchers examined 70,000 dark net listings looking at commodities sold, services offered, prices, vendor responses and patterns of trading. They gained membership of three forums to observe, gather intelligence and engage in simulated transactions — the last of which effectively provided 30 interviews with dark net cybercrime vendors.
The results (PDF) show that compared to an earlier study in 2016, there has been a 20% increase in the number of listings. Taking the sale of illicit drugs out of the equation, 60% of the listings provide opportunities for direct harm to enterprises, such as network compromise, disruption, and financial loss. Fifteen percent provide opportunities for indirect harm, such as brand or reputational harm — and a further 25% could do both through the sale of counterfeit goods.
In 70% of the simulated transactions, the researchers were invited to continue the conversation on the invisible net — a term also used by VPN providers, but which here refers to end-to-end encrypted messaging services. When such conversations related to network access, at least 60% of the vendors offered access to more than 10 enterprise networks, 30% to between five and ten, and 10% offered access to up to five networks.
The most common commodities for network compromise are malware, DDoS services and RATs, representing 25%, 20% and 17% respectively of all network compromise listings. But targeted attacks are also available, at an average cost of $4,500 against enterprises and $2,000 against individuals. Forty percent of enquiries for attacks against Fortune 500 or FTSE 100 companies received positive responses, with prices ranging between $150 and $10,000 depending on the company concerned.
Several sources on the dark net also provide RDP credentials at prices ranging from $2 to $30 each. This is particularly concerning given the popularity of RDP as the network entry point for both compromise and ransomware. “The Ultimate Anonymity Services (UAS) platform alone,” writes McGuire, “was found to be selling more than 7,000 credentials from China and 6,000+ from Brazil. RDPs in the US were also available, especially from California, Ohio, Oregon, and Virginia.”
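Bought RDP credentials are only useful to a buyer who can log in with them, so the practical check for a defender is whether Windows logon telemetry shows RDP sessions from outside the estate, or a source that fails many logons and then succeeds. The following is an added example, not code from the report or from Bromium: it runs that check over a handful of constructed event records shaped like Windows Security events 4624/4625 (LogonType 10 is RemoteInteractive, i.e. RDP). The sample events, the `INTERNAL_NETS` ranges and the `fail_threshold` value are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, not real telemetry. The fields mirror what a SIEM
# would extract from Windows Security events 4624 (successful logon) and 4625
# (failed logon); LogonType 10 is RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"id": 4625, "user": "svc_backup",    "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4625, "user": "svc_backup",    "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4625, "user": "administrator", "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4625, "user": "jsmith",        "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4625, "user": "backup",        "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4625, "user": "admin",         "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4624, "user": "svc_backup",    "logon_type": 10, "src": "198.51.100.7"},
    {"id": 4624, "user": "jsmith",        "logon_type": 10, "src": "10.0.4.21"},
    {"id": 4624, "user": "jsmith",        "logon_type": 2,  "src": "-"},
    {"id": 4625, "user": "jsmith",        "logon_type": 3,  "src": "203.0.113.9"},
]

RDP_LOGON_TYPE = 10

# Assumed internal address space (RFC 1918 plus loopback). Adjust to the real
# estate; anything outside these ranges is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "::1/128")]


def is_external(src):
    """True if src is an IP address outside INTERNAL_NETS.

    Non-address values ("-", a hostname) cannot be classified and are not flagged.
    """
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def analyze_rdp(events, fail_threshold=5):
    """Flag RDP logons that look like use of bought or brute-forced credentials.

    events are assumed to be in chronological order. Returns:
      external_rdp_logons:   (user, src) for successful RDP logons from outside
      brute_force_sources:   (src, failures, distinct_users) for sources with at
                             least fail_threshold failed RDP logons
      success_after_failures: (user, src) for a successful RDP logon from a
                             source that had already failed at least once
    """
    failures = defaultdict(lambda: {"count": 0, "users": set()})
    external_logons, success_after_failures = [], []

    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue  # interactive/network logons are out of scope here
        src, user = e["src"], e["user"]
        if e["id"] == 4625:
            failures[src]["count"] += 1
            failures[src]["users"].add(user)
        elif e["id"] == 4624:
            if is_external(src):
                external_logons.append((user, src))
            if failures[src]["count"] > 0:
                success_after_failures.append((user, src))

    brute_force = [(src, f["count"], len(f["users"]))
                   for src, f in failures.items() if f["count"] >= fail_threshold]
    return {
        "external_rdp_logons": external_logons,
        "brute_force_sources": brute_force,
        "success_after_failures": success_after_failures,
    }


if __name__ == "__main__":
    for name, hits in analyze_rdp(SAMPLE_EVENTS).items():
        print(name, hits)
```

On the sample data the one external source both sprays five distinct usernames and then lands a session as `svc_backup`, which is the pattern a sold or guessed RDP credential produces; the internal `jsmith` session is left alone. Real deployments should key the counters on a time window rather than the whole event stream, and should treat an RDP gateway or VPN concentrator as a distinct source class rather than "internal".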
Financial compromise offerings center around credentials, phishing (including phishing kits) and fake receipts. Phishing pages are available for as little as $0.99, with phishing kits starting at $40. Fake Amazon receipts and invoices can be bought for $52.
Data compromise offerings include consumer account details and bank logins, and business email addresses. Espionage services — such as access to the CEO — are offered for fees ranging from $1,000 to $15,000. The researchers also came across numerous offers of insider trading tips.
The espionage offerings provide a tantalizing glimpse of a frequent question that has never been satisfactorily answered: to what extent — if any — do legitimate businesses use the dark net and its criminal services to gain competitive advantage over rivals? “Posing as representatives of a mid-size enterprise in the business software sector,” writes McGuire, “we contacted 20 vendors to ask whether they could use targeted penetration to provide us with the following ‘items of interest to our company’.”
The items were product trials (10 affirmative replies), employee lists (14 affirmative replies), annual accounts (4 affirmative replies), director salaries (7 affirmative replies), and executive travel plans (3 affirmative replies). Since the researchers were unable to follow through with their enquiries for obvious legal reasons, the veracity of the vendor claims could not be confirmed.
Several of the vendors also offered ‘blacklists’ for sale, from as little as $50 for up to 20,000 names and details. Different retailers compile blacklists of ‘disruptive’ customers who buy and return too many products or are suspected of engaging in non-payment/non-delivery fraud (which, according to the latest IC3 report, cost U.S. business nearly $184 million in 2018). Such lists are useful to HR departments to avoid employing dubious job candidates — but the practice is often illegal.
The question of whether legitimate business uses illegitimate dark net services for competitive advantage remains unconfirmed; but the researchers found enough clues to maintain the suspicion.
The two most worrying features of this analysis of dark net offerings are the sheer size and diversity of the market, and its migration to the invisible net. For law enforcement, McGuire recommends further development of dark net intelligence units, and a greater willingness to share intelligence with potentially impacted enterprises. He also recognizes the ‘going dark’ problem of the invisible net, and while he falls short of supporting LEA backdoors into encryption, he does say, “This is a significant risk, which requires further discussion and research.”
For the enterprise, he recommends a greater awareness of staff behavior (use of Tor, encryption and personal devices) to prevent data from leaking to the dark net by way of insiders, and increased awareness of the ease with which job applicants can obtain false certificates from the dark net. However, he doesn’t recommend that all contact with the dark net — which often simply means Tor — should necessarily be abandoned. There remain many legitimate uses and users of the dark net — even Facebook has an onion site designed to allow access from areas where its use is banned.
Business opportunities, writes McGuire, “include access to a wider, more diverse customer base, more innovative marketing methods, and new ways of building client trust by enhancing anonymity. Enterprises should be prepared to develop resources for using the dark net to their advantage.”
But where he is most clear is that enterprises need to have intelligence into the dark net for their own cybersecurity purposes — this is where new threats and unknown stolen credentials first emerge. “Regular monitoring could also assist in preventing unfettered trading in company IP or in counterfeit versions of its goods. However, expert advice should always be sought to ensure that dark net activity is compliant with current regulatory frameworks and the law.”