Mobile

10/26/2017
04:15 PM
Connect Directly
Twitter
Twitter
RSS
E-Mail
100%
0%

Dark Web Marketplaces' New Home: Mobile Messaging Apps

Telegram, Discord, Whatsapp grow in popularity as criminals look for more alternatives to fly under the radar.

In the wake of government shake-ups and high-profile compromises of several very popular marketplaces on the Dark Web, criminals are continuing to pivot, looking for easy but under-the-radar alternatives for connecting buyers and sellers on the cyber black market.

According to several new research reports out this week, mobile messaging apps are rising in favor as the newest Dark Web alternatives that crooks have landed upon to do business with one another. Researchers posit that increased popularity in these tools can at least partially be attributed to market disruption due to government action to take down AlphaBay's $500,000 per day marketplace and infiltrate the other heavy-hitting Hansa Marketplace in the aftermath of that takedown.

"With all this turmoil, the dark net community is clearly now looking for different platforms to continue promoting their business," write security researchers with threat intelligence firm Sixgill in a recent report on next-generation Dark Web markets. Their analysis shows that criminals may be trending toward some of the more decentralized peer-to-peer marketplaces that were once the mainstay of the Dark Web at its inception, depending once again upon IRC channels and individual vendor sites more heavily. Where things may be changing compared to bygone days is an increased reliance on mobile venues. Sixgill specifically cited the increased use of the messaging app Telegram as an example of this.

"With the promise of end to end encryption and secrecy, the instant messaging platform is flourishing with illegal trade," they write. "Regional and international groups across the world are using the application to spread their merchandise with P2P sales. Users can find illegal drugs that can be delivered within hours all the way to stolen credit card information for sale." 

Another report from IntSights confirms Telegram's surge in popularity and offers up evidence that it is just one of several mobile messaging apps being co-opted by the criminal element to facilitate stealthy communication and commerce. Overall, IntSights says that it has witnessed a 30x increase in mobile dark web activity over the last year and it believes that as many as several hundred thousand users are taking advantage of these channels for illegal purposes.

IntSights researchers say the app rising most quickly in popularity is Discord, which is signing up Dark Web users nine times as fast as other apps such as Telegram and Whatsapp. They say that these trends in mobile apps is part of an ongoing push that has the Deep Web going shallower but which presents challenges to the security community in monitoring activity due to the use of a more distributed system of communication.

"As hackers seek distributed networks over the existing more centralized platforms, more advanced solutions are required for collecting and analyzing the abundance of data," they write.

Of course, all of this is part of the ongoing evolution of the very organic cybercrime economy. Regardless of the takedown of AlphaBay and Hansa and regardless of the shift to mobile, the Dark Web itself is still a thriving and chaotic miasma of illegal activity. One estimate from Trend Micro research earlier this year pegged the Dark Web--a subset of which is referred to as the Deep Web--as containing 550 times as much data as the Surface Web.  And another piece of research earlier this month from Carbon Black's Threat Analysis Unit (TAU) found that the Dark Web marketplace for ransomware alone is growing at an annual rate of more than 2,500%.

"The availability of these services has allowed underground ransomware to hide effectively, making attribution and takedowns by law enforcement extremely difficult," wrote Rick McElroy and Sean Blanton of Carbon Black. "If takedowns do happen, they happen over months or years of hard work."

Related Content:

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/14/2018
Intel Reveals New Spectre-Like Vulnerability
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/15/2018
Australian Teen Hacked Apple Network
Dark Reading Staff 8/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15504
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. The server mishandles some HTTP request fields associated with time, which results in a NULL pointer dereference, as demonstrated by If-Modified-Since or If-Unmodified-Since with a month greater than 11.
CVE-2018-15505
PUBLISHED: 2018-08-18
An issue was discovered in Embedthis GoAhead before 4.0.1 and Appweb before 7.0.2. An HTTP POST request with a specially crafted "Host" header field may cause a NULL pointer dereference and thus cause a denial of service, as demonstrated by the lack of a trailing ']' character in an IPv6 a...
CVE-2018-15492
PUBLISHED: 2018-08-18
A vulnerability in the lservnt.exe component of Sentinel License Manager version 8.5.3.35 (fixed in 8.5.3.2403) causes UDP amplification.
CVE-2018-15494
PUBLISHED: 2018-08-18
In Dojo Toolkit before 1.14, there is unescaped string injection in dojox/Grid/DataGrid.
CVE-2018-15495
PUBLISHED: 2018-08-18
/filemanager/upload.php in Responsive FileManager before 9.13.3 allows Directory Traversal and SSRF because the url parameter is used directly in a curl_exec call, as demonstrated by a file:///etc/passwd value.