Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM
Ian W. Gray
Ian W. Gray
Connect Directly
E-Mail vvv

Cybercrime: Looking Beyond the Dark Web

Fighting cybercrime requires visibility into much more than just the Dark Web. Here's where to look and a glimpse of what you'll find.

The now-shuttered DeepDotWeb, which was a uniquely centralized and trusted repository of Dark Web links and information, had long made it easier for threat actors — and consequently, law enforcement and other defenders — to keep track of which Dark Web sites are active, and where. The repository's takedown left a void that no comparable alternative seems to be able to fill, at least for the near future.

There are other sites, known as hidden wikis, that can appear to be comprehensive directories and are often referred to as such by defenders. In reality, they tend to be little more than human-assembled catalogs that harken back to the early days of the Internet. All this volatility is largely why threat actors who operate on the Dark Web also typically frequent a number of other channels.

It's also why fighting cybercrime requires visibility into much more than just the Dark Web. Contrary to popular belief, the Dark Web accounts for just a minor subset of the many online venues that facilitate cybercrime. Even if the Dark Web were somehow to be eliminated, its absence would simply cause threat actors to rely more heavily on the various other online venues in which many, if not most, already operate.

Encrypted chat platforms are one such venue — and in fact, they support far more illicit activity than any other, including the Dark Web. Threat actors are increasingly using platforms such as Telegram and Discord, among many others, to communicate more securely and to share mirrors, which are sites that contain nearly identical information but are hosted on different URLs. If one URL faces downtime for any reason, the secondary URL acts as a backup to help minimize operational disruption and consequential profit losses.

Mirrors, Services, and Uptime
It's important to note that threat actors generally aren't using mirrors to attract new clients but to provide services and additional uptime to existing clients in the event that the original site is down for reasons such as a distributed denial-of-service (DDoS) attack or law enforcement action through the often-enhanced security and privacy afforded by encrypted chat platforms. In most cases, mirrors are only distributed to select clients or groups. While this practice doesn't typically present material issues for more-tenured threat actors, it does — and is intended to — make it more difficult for law enforcement and other defenders to locate and monitor these sites.

Another venue popular among attackers is the Deep Web, which refers to the broad swath of sites conventional search engines cannot access, including, but not limited to, the entirety of the Dark Web. But unlike much of the Dark Web, the myriad illicit communities that exist elsewhere on the Deep Web are password-protected and highly exclusive. A number of these communities, including popular platforms for fraud, are located on Deep Web forums supported by bulletproof hosting services in countries unlikely to respond to law enforcement subpoenas.

Other online venues for cybercrime include decentralized marketplaces such as Joker's Stash, a longtime fixture of the stolen payment card ecosystem. Rather than using the Dark Web's Tor network, these types of marketplaces rely on blockchain-DNS (BDNS), which is a peer-to-peer network that helps administrators keep their sites online during attempted takedowns or DDoS attacks. And because there are technical barriers to entry that may deter novice threat actors, BDNS-hosted sites tend to be more popular among tenured threat actors.

The Geography Factor
The online venues in which threat actors operate are also heavily influenced by geography. Cybercrime is global and while the Dark Web is viable for most threat actors based in Western countries, Internet infrastructure in certain other regions is less conducive to accessing the Dark Web. For example, mobile networking has a high adoption rate in countries such as Brazil, largely because of the relatively low costs of mobile phones compared with computers. Usage of mobile applications for daily communication is also high throughout the region, as is the availability and uptime of major applications, including encrypted chat platforms frequented by threat actors around the world.

For defenders, an obvious challenge in combating cybercrime is figuring out where, if not solely the Dark Web, threat actors are operating. But just as most people, in general, use different communication channels for different interactions, so do threat actors. Much of it comes down to what a threat actor is seeking to accomplish. For example, threat actors who operate decentralized marketplaces outside the Dark Web often run targeted advertisements on the Dark Web in order to attract new customers. Threat actors seeking guidance on carrying out fraud, meanwhile, may be more likely to visit the various Deep Web forums that offer fraud tutorials.

Above all else, it's important to recognize that while the Dark Web is integral to facilitating cybercrime and other illicit activity, much more of the threat landscape exists elsewhere on the Internet. While the recent Dark Web takedowns shine additional light on threat actor behavior and will likely have a sizable impact on the underground drug trade, they are unlikely to curb the plethora of other illicit activities that occur online — particularly the development of new malware. Combating such activity requires defenders to be agile and realistic about the many ways and venues in which threat actors operate.

Related Content:

Ian W. Gray is Director of Americas, Research and Analysis, at Flashpoint, where he focuses on producing strategic and business risk intelligence reports on emerging cybercrime and hacktivist threats. Ian is also a military reservist with extensive knowledge of the maritime ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
6/11/2019 | 3:03:23 AM
As the technology is growing gradually, the number, as well as the chance of the cybercrime, has also been increased randomly. We have to take immediate action for it so that it can be stopped. The cyberhackers are also concern about this. They are also inventing new things for it. To get all these updates, keep your eyes on epson printer error code 0xf3 and be careful. 
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/13/2020
Where Are the 'Great Exits' in the Data Security Market?
Dave Cole, Cofounder and CEO, Open Raven,  10/13/2020
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-19
A prototype pollution vulnerability has been found in `object-path` <= 0.11.4 affecting the `set()` method. The vulnerability is limited to the `includeInheritedProps` mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of `object-path` and settin...
PUBLISHED: 2020-10-19
On Windows the Veyon Service before version 4.4.2 contains an unquoted service path vulnerability, allowing locally authenticated users with administrative privileges to run malicious executables with LocalSystem privileges. Since Veyon users (both students and teachers) usually don't have administr...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
An exploitable denial of service vulnerability exists in the ENIP Request Path Logical Segment functionality of Allen-Bradley Flex IO 1794-AENT/B 4.003. A specially crafted network request can cause a loss of communications with the device resulting in denial-of-service. An attacker can send a malic...
PUBLISHED: 2020-10-19
A flaw was found in Infinispan version 10, where it permits local access to controls via both REST and HotRod APIs. This flaw allows a user authenticated to the local machine to perform all operations on the caches, including the creation, update, deletion, and shutdown of the entire server.