SecurityWeek

Keeping it on the Down Low on the Dark Web

Sites on the Dark Web Have Several Motivations to Unmask Their Visitors

So, there you are, finally on the private sections of a dark market. You have established reputation and credibility with your targets. Suddenly, you get exposed as a “rat” and banned for life. They grab your escrowed cryptocurrency, and you are back at square one with a foe who is even more alert than before… How did this happen?

The dark web is an active area for online investigations and research. Because you need to use the Tor anonymity service to access dark web sites, also known as Tor hidden services, many people assume that makes them robustly anonymous. Unfortunately, there are still many ways you can be exposed and have your activities compromised if you don’t take the right precautions.

Sites on the dark web have several motivations to unmask their visitors. Obviously, they want to spot any members of law enforcement who might be visiting. Additionally, they might want to gain some sort of leverage over their visitors, who may be using the site for a number of questionable activities. 

There are several known attacks against the Tor network and other similar low-latency anonymity networks. One class of attacks, called traffic confirmation attacks, is based on having control of a significant fraction of the most popular Tor nodes. If the attacker controls the first hop in a chain (the guard node) as well as the last (the exit node), and then creates a pattern in the data at one end of the chain, that pattern can be recognized coming out at the other. Fortunately, it is not easy for an attacker to get control of enough nodes to carry out this type of attack, likely because there are thousands of active nodes a given user could choose.

The situation is different with a dark web site. If the site wants to identify a visitor, the site owner only needs to have you use a guard node they control. Because they control the web servers, they always have the ability to inject patterns of activity. Requiring only a single controlled Tor node makes the odds of this attack working much higher.

Bitcoin provides another method of identity exposure. Contrary to popular belief, Bitcoin is not anonymous at all. Every single Bitcoin transaction is recorded in the public blockchain and can be seen and analyzed by anyone. Bitcoin is a dominant payment mechanism on dark web marketplaces. When you buy or sell something on these sites, it creates an opportunity for tracking and identification. All coins that were mined by the same server or purchased into the same wallet can be followed. This can easily tie investigations together and reveal odd patterns of activity. With access to information in the Bitcoin exchanges, it can even lead to real names or IP addresses.
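
To make the wallet-following point concrete, here is an added example (not from the original article) of the common-input-ownership heuristic widely used in blockchain analysis: addresses spent together as inputs of one transaction are assumed to share a wallet. It goes one step beyond the text by showing the grouping itself; the transactions, address names and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample transactions (not real chain data).
TXS = [
    {"txid": "tx1", "inputs": ["addrA", "addrB"], "outputs": ["market1"]},
    {"txid": "tx2", "inputs": ["addrB", "addrC"], "outputs": ["market2"]},
    {"txid": "tx3", "inputs": ["addrD"], "outputs": ["market1"]},
    {"txid": "tx4", "inputs": ["addrE", "addrD"], "outputs": ["addrF"]},
]

def cluster_addresses(txs):
    """Group input addresses into wallets with a union-find structure."""
    parent = {}

    def find(addr):
        parent.setdefault(addr, addr)
        while parent[addr] != addr:
            parent[addr] = parent[parent[addr]]  # path compression
            addr = parent[addr]
        return addr

    for tx in txs:
        first = find(tx["inputs"][0])
        for other in tx["inputs"][1:]:
            root = find(other)
            if root != first:
                parent[root] = first  # co-spent inputs: assume one owner

    clusters = defaultdict(set)
    for addr in list(parent):
        clusters[find(addr)].add(addr)
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: c[0])

def linked_payments(txs):
    """Map each inferred wallet to every destination it has paid."""
    owner = {a: tuple(c) for c in cluster_addresses(txs) for a in c}
    paid = defaultdict(set)
    for tx in txs:
        paid[owner[tx["inputs"][0]]].update(tx["outputs"])
    return {wallet: sorted(dests) for wallet, dests in paid.items()}

if __name__ == "__main__":
    for wallet, dests in linked_payments(TXS).items():
        print(wallet, "->", dests)
```

The heuristic produces false links when several parties contribute inputs to one transaction, so a cluster is a lead to corroborate rather than proof of common ownership.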

Dark web sites are also a likely source of malware that can unmask you. Unless your entire operating environment is isolated from your real desktop, the malware may leak your real IP address and other identifiers. Of course, it can also directly steal data off your computer and do all the other things malware normally does.

Non-technical errors can trip you up as well. While not specific to exposure on the dark web, things like your writing style and choice of account names can reveal your true identity. Site operators can also pass you beacons and canary traps. Beacons are active content that tries to phone home with identification when it is opened. Viewing these documents and files on a normal desktop will immediately expose you. Canary traps are more subtle. A website can provide slightly different versions of certain content to each visitor. Any time that content shows up somewhere else, the site knows who shared it.
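
One check an investigator can run before sharing collected material, shown as an added example that is not part of the original article: compare two copies of the same content obtained under unrelated identities and flag invisible characters or wording that differs between them. The sample text and all function names are constructed for illustration.

```python
import difflib
import unicodedata

# Constructed sample: the same post fetched under two unrelated identities.
COPY_A = ("Vendor notice: the next shipment leaves on Tuesday, "
          "contact the admin for escrow details.")
COPY_B = ("Vendor notice: the next shipment departs on Tuesday, "
          "contact the ad\u200bmin for escrow details.")

def invisible_marks(text):
    """Offsets and names of format (Cf) characters such as zero-width spaces."""
    return [(i, unicodedata.name(ch, hex(ord(ch))))
            for i, ch in enumerate(text)
            if unicodedata.category(ch) == "Cf"]

def strip_marks(text):
    """Drop invisible characters and fold compatibility forms (NFKC)."""
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return unicodedata.normalize("NFKC", visible)

def variant_spans(copy_a, copy_b):
    """Word-level spans where two copies of the 'same' content disagree."""
    a, b = copy_a.split(), copy_b.split()
    ops = difflib.SequenceMatcher(None, a, b, autojunk=False).get_opcodes()
    return [(" ".join(a[i1:i2]), " ".join(b[j1:j2]))
            for tag, i1, i2, j1, j2 in ops if tag != "equal"]

def canary_report(copy_a, copy_b):
    """Summarise evidence that content is individualised per visitor."""
    visible_diff = variant_spans(strip_marks(copy_a), strip_marks(copy_b))
    return {
        "identical": copy_a == copy_b,
        "invisible_marks": invisible_marks(copy_a) + invisible_marks(copy_b),
        "visible_variants": visible_diff,
        # True when the copies differ only in characters a reader cannot see
        "hidden_only": copy_a != copy_b and not visible_diff,
    }

if __name__ == "__main__":
    for key, value in canary_report(COPY_A, COPY_B).items():
        print(f"{key}: {value}")
```

Identical copies do not prove the content is unmarked, since a mark can be keyed to something both identities share; differing copies are a strong sign that it is individualised.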

The rate at which dark web markets are being compromised, in one way or another, has gotten high enough that much of the online criminal activity has moved to new platforms. Rather than communicating in forums on dark web sites, there has been a shift toward one-to-one communication applications that provide end-to-end encryption. This may make investigations more difficult, because there is no central location for discussions. Establishing trust and communication will be much more difficult. 

Hiding your true identity is always important whenever you are conducting investigations online. The fact that you are visiting a Tor hidden service / dark web site does not mean you are safe or hidden. It is critical to take additional steps to protect yourself when conducting these operations.