The term Deep/Dark Web refers to websites that are hidden from standard search engines and browsers, or that require alternative (usually encrypted and anonymizing) tools and methods instead of normal web browsing. The Deep/Dark Web is often associated with platforms on which illegal activities are carried out. However, it may also host legitimate platforms or applications, typically because their operators want the encryption and anonymity the Deep/Dark Web provides in order to protect privacy.
Taking advantage of the anonymity provided by the Deep Web, threat actors use underground marketplaces and forums to sell drugs, weapons, pornographic content, counterfeit currency, and personal and financial data, and to develop malware and exploits. The Deep Web is therefore a large intelligence pool on possible illegal activities that may be of interest to institutions and organizations.
It is important that institutions and organizations can use the Deep Web as a threat intelligence source to achieve and maintain an effective and proactive security stance. Narrowing the searches performed on the Deep Web is essential to obtain meaningful and actionable threat intelligence that enables the creation or improvement of the intended security posture. This article focuses on the most common platforms on the Deep Web that can provide threat intelligence to security researchers and analysts. The main platforms from which threat intelligence can be obtained on the Deep Web are:
Hacker Forums
The number of hacking communities on the Deep Web is increasing day by day. Because of the anonymity the Deep Web provides, many illegal activities, such as data theft and sale, fraud, malware distribution, exploitation of security vulnerabilities, and income generation through illegal methods, are carried out in forums, which are the common platform where these communities come together. Forums are therefore a valuable source of intelligence for security professionals. Monitoring these channels helps uncover actual and potential threats, from planned physical and digital attacks to fraud, data breaches, and more.
Dark Web Marketplaces
Dark Web marketplaces are commercial websites focused on illegal trading. Marketplaces accessible via Tor and I2P may differ in specialization, technology, and primary supported language. Silk Road, the first modern marketplace, launched in 2011, limited its sales to drugs, while other marketplaces allow the trade of guns, fake IDs, and stolen credit cards. Most marketplaces facilitate transactions between buyers and sellers of illegal goods, but some marketplaces act as the seller and sell directly to buyers. In most marketplaces, Bitcoin is the universally accepted currency.
Leak Sites of Ransomware Groups
From late 2019 and early 2020, operators of various ransomware families started to adopt a new method. To pressure compromised companies into paying ransom demands, ransomware operators exfiltrate still-unencrypted data from target networks before deploying the ransomware. If targets refuse to pay, the ransomware gangs threaten to leak the information online, on leak sites they created, and then publicize the company's security breach through other channels. Companies that want to keep sensitive or critical data out of the hands of their competitors and to keep the incident confidential usually pay the ransom demand.
Leak sites belonging to ransomware operators are usually hosted on the Tor network. These sites primarily contain a list of compromised companies. In some cases, a small part of the captured data is leaked up front to prove that the breach actually took place. More commonly, a countdown timer is created for each compromised company to indicate the deadline for paying the ransom, and the captured data is leaked once that deadline has passed.
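A defender's typical use of a leak-site listing is to watch it for the organization's own name or domain (and those of suppliers and partners) and to rank any hit by how much time is left on its countdown. The following is an added example, not code from the original article: it parses a constructed, pipe-separated listing (victim name, countdown deadline, status) of the kind a scraper would produce from a leak-site index and triages it against a watchlist. The listing format, the domains and the timestamps are all assumptions for the example.

```python
from datetime import datetime, timezone

# Constructed listing, as a scraper might normalize a leak-site index page.
# One entry per line: victim|countdown deadline (ISO 8601, UTC)|status.
# Domains, dates and statuses are invented for this example.
SAMPLE_LISTING = """\
examplecorp.test|2024-06-10T12:00:00Z|countdown
other-victim.test|2024-06-03T00:00:00Z|published
partner-supplier.test|2024-06-05T09:30:00Z|sample
"""

# Assumed watchlist: the organization's own domain plus a key supplier.
WATCHLIST = {"examplecorp.test", "partner-supplier.test"}


def parse_listing(text):
    """Turn the normalized listing into dicts with a timezone-aware deadline."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        victim, deadline, status = (part.strip() for part in line.split("|"))
        # Python < 3.11 does not accept a trailing "Z", so rewrite it as an offset.
        when = datetime.fromisoformat(deadline.replace("Z", "+00:00"))
        entries.append({"victim": victim, "deadline": when, "status": status})
    return entries


def triage(entries, watchlist, now):
    """Return watchlist hits, most urgent first, with hours left on the countdown."""
    hits = []
    for entry in entries:
        if entry["victim"] not in watchlist:
            continue
        hours_left = (entry["deadline"] - now).total_seconds() / 3600
        hits.append({
            "victim": entry["victim"],
            "hours_left": hours_left,
            # "sample" means a partial leak was already posted as proof of breach;
            # "published" or an elapsed countdown means the full data set is out.
            "partial_leak": entry["status"] == "sample",
            "full_leak": entry["status"] == "published" or hours_left <= 0,
        })
    return sorted(hits, key=lambda hit: hit["hours_left"])


if __name__ == "__main__":
    now = datetime(2024, 6, 4, 12, 0, tzinfo=timezone.utc)  # constructed "now"
    for hit in triage(parse_listing(SAMPLE_LISTING), WATCHLIST, now):
        print(hit)
```

The sort by remaining time is what turns a scrape into something actionable: a supplier entry with a day left on its counter needs a call today, while an entry that is already published becomes a data-exposure case rather than a ransom-timing question.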
IRC Channels
IRC (Internet Relay Chat) is a protocol developed for online messaging. IRC servers used by these communities are usually hosted on the Tor network. IRC channels serve as an anonymous medium for hackers and hacktivist groups to discuss and share information. Unlike content on website-based platforms such as forums, past conversations on an IRC channel are not archived and therefore have to be collected in real time.
IRC channels differ from other platforms in the hacker community in that they require real-time data collection and analysis. Intelligence can be gathered from such IRC servers with mIRC, one of the most popular clients for connecting to IRC servers. Channel names such as #carding, #cracks, #anarchy, #hacking, #leak, and #hacker are typical keywords for locating the relevant rooms on an IRC server.
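Because IRC chatter is not archived, a collector has to parse the raw protocol stream as it arrives and decide on the spot which messages matter. The following is an added example, not code from the original article or from mIRC: it parses raw IRC lines (the `:prefix COMMAND params :trailing` wire format), keeps only channel PRIVMSGs, strips mIRC colour and style control codes so that keyword matching is not defeated by formatting, and raises an alert when a message mentions a watchlisted organization name or domain. The stream, nicks, channels and watchlist terms are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed raw IRC traffic as a client would receive it after connecting.
# Server name, nicks, hosts, channels and message contents are invented.
SAMPLE_STREAM = [
    ":irc.example.onion 001 collector :Welcome to the network",
    "PING :irc.example.onion",
    ":seller42!u@h.onion JOIN #leak",
    ":seller42!u@h.onion PRIVMSG #leak :fresh dump from examplecorp.test, 40k rows",
    ":lurker!u@h.onion PRIVMSG #hacking :anyone here",
    ":seller42!u@h.onion PRIVMSG #leak :\x0304also have EXAMPLECORP vpn creds\x0f",
    ":other!u@h.onion NOTICE #cracks :bot online",
]

# Assumed watchlist: the organization's domain and name variants to look for.
WATCHLIST = ["examplecorp.test", "examplecorp", "example corp"]

# RFC 1459 line shape: optional ":prefix", a command, then parameters.
IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?: (?P<params>.*))?$")
# mIRC colour codes (\x03 with optional fg[,bg]) and bold/reset/reverse/italic/underline.
IRC_FORMATTING = re.compile(r"\x03(\d{1,2}(,\d{1,2})?)?|[\x02\x0f\x16\x1d\x1f]")


@dataclass
class Message:
    nick: str
    channel: str
    text: str


def parse_line(raw: str) -> Optional[Message]:
    """Parse one raw IRC line; return a Message for channel PRIVMSGs, else None."""
    m = IRC_LINE.match(raw.rstrip("\r\n"))
    if not m or m.group("command") != "PRIVMSG":
        return None  # PING, JOIN, NOTICE, numerics: not channel chatter
    params = m.group("params") or ""
    target, _, trailing = params.partition(" :")
    if not target.startswith("#"):
        return None  # a direct message to the collector, not a channel
    nick = (m.group("prefix") or "").split("!", 1)[0]
    return Message(nick=nick, channel=target, text=IRC_FORMATTING.sub("", trailing))


def find_hits(msg: Message, watchlist) -> list:
    """Case-insensitive substring match of watchlist terms against the message."""
    lowered = msg.text.lower()
    return [term for term in watchlist if term.lower() in lowered]


def collect_alerts(stream, watchlist) -> list:
    """Run the parser over a line stream and return one alert per matching message."""
    alerts = []
    for raw in stream:
        msg = parse_line(raw)
        if msg is None:
            continue
        hits = find_hits(msg, watchlist)
        if hits:
            alerts.append({"channel": msg.channel, "nick": msg.nick,
                           "terms": hits, "text": msg.text})
    return alerts


if __name__ == "__main__":
    for alert in collect_alerts(SAMPLE_STREAM, WATCHLIST):
        print(alert)
```

In a live collector the same `parse_line` would be fed from a socket (over Tor) line by line, and the alerts would be written to a store with a timestamp, since nothing on the server side will let you go back and fetch the conversation later. Stripping the control codes before matching matters: the second hit in the sample is wrapped in a colour code and would be missed by a naive match on the raw line.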
Contextual, actionable threat intelligence is critical to the security of organizations. The Deep Web/Dark Web offers many opportunities to extract intelligence and to identify, profile, and mitigate cybersecurity risks. For example, identifying leaked account credentials allows your organization to detect and prevent potential cyberattacks before they happen. Used correctly, the Deep Web/Dark Web therefore contributes strongly to your security ecosystem. However, this work must be carried out by the right team or with the right tools, as data collection, remediation, and threat hunting can be time-consuming.