On the Deep Web, users can anonymously buy U.S. citizenship, accept ransomware payments, have their Bitcoins laundered, and even hire and pay assassins, according to a report from the Trend Micro Forward-Looking Threat Research Team.
Trend Micro global threat communications manager Christopher Budd describes it as a "census report" of the Deep Web, based upon data gathered over the past two years by the company's Deep Web Analyzer. The tool essentially acts like a webcrawler, collecting URLs linked to TOR- and I2P-hidden sites, Freenet resource identifiers, and domains with nonstandard TLDs, and extracting content, links, email addresses, and HTTP headers from them.
Simply put, the "Surface Web" is the part of the Web that is indexed and reachable with search engines, and the "Deep Web" is the part of the Internet that is unindexed. The "Dark Web" is a subset of the Deep Web that can only be accessed with specialized equipment, where connections are made between trusted peers -- including TOR, Freenet, or the Invisible Internet Project.
The Deep Web, says Budd, is like the speakeasies of the 1920s. "You could find what you wanted, but you had to know where to go looking," he says.
"The Dark Web is kind of Mos Eisley," he says, referring to the land in Star Wars that Obi-Wan Kenobi described by saying 'You will never find a more wretched hive of scum and villainy.'
One of the most gruesome things the researchers came across on the Dark Web: assassins. One assassin group calling itself C'thulhu advertises for a variety of services, including rape, "underage rape," maiming, bombing, crippling, and murder. The group even included a base price sheet ranging from $3,000 for "simple beating" of a "low-rank" target to $300,000 for murdering a high-ranking or political target and making it look like an accident.
More common than murder, though, were cybercrime and child exploitation. Trend Micro identified 8,707 pages they dubbed "suspicious," examined the "Surface Web" sites that those sites linked to, and found that most fell into three main categories: 33.7 percent were disease vector (drive-by download) sites, 31.7 percent were proxy avoidance sites (to help attackers duck around firewalls, for example), and a striking 26 percent were child exploitation sites.
"We haven't really seen a lot of people talking a lot about Deep Web/Dark Web and child exploitation," Budd says. "And I think that is a much more tangible problem" than assassins, for example.
The researchers also found cybercriminals using anonymization tools in novel ways. Attackers are beginning to use TOR for hosting their command-and-control infrastructure, bundling the TOR client with their installation package. The Vawtrak banking Trojan has used it for this purpose.
TorrentLocker, a CryptoLocker variant, uses TOR to host payment sites and accepts payment in Bitcoins.
This is striking to Budd, because while TOR used to be "the province of experts building their own tools," the fact that ransomware operators are actually getting regular, unsophisticated users onto the Tor network to make payments means that the tools are getting more usable and that the ransomware operators are doing a better job with their documentation and support.
"I think it stands to reason," he says, "we'll see the Deep Web and Dark Web be further integrated into malware operations."