Dark Reading is part of the Informa Tech Division of Informa PLC


5/7/2019
02:30 PM

The Dark Web Is Smaller Than You Think

The number of live, accessible .onion sites amounts to less than 0.005% of surface web domains, researchers report.

The big, scary Dark Web may not be as big or scary as many believe.

Over the years, the Dark Web has garnered a reputation as a nebulous platform for cybercrime. Highly publicized arrests and news stories have fueled the idea that there is a massive network of cybercriminals plotting scams in this corner of the Web. But the actual number of live, reachable onion sites makes up less than 0.005% of about 200 million surface Web domains.

It's worth noting the Dark Web is defined as any Internet content that requires specific software, configurations, or authorization to access. Oftentimes it's conflated with the Deep Web, which refers to all parts of the Web not indexed by search engines. The Dark Web includes the Tor network, which consists of onion domains and direct links between them.

"The term has a little bit of a life of its own," Garth Griffin says of the Dark Web. Griffin is the director of data science at Recorded Future, where analysts recently set out to characterize the entire Tor network as part of a new study. "Anybody can figure out how to use Tor but most people haven't bothered to do that, so it sort of has this aura of mystique around it."

To provide clarity on the Dark Web, researchers crawled some 260,000 onion pages to estimate the full reachable Tor network from a starting set of onion sites they pulled from public lists and internal content. They found 55,828 onion domains; of these, only 8,400 (15%) were live sites.

"We were not surprised to find the actual extent of the Tor network is not as broad as it's talked about," says Griffin. There are criminal sites where illicit activity happens, he adds, but it's not the massive machine people assume it is. In the report on their findings, Griffin and Recorded Future's Juan Sanchez say the common idea of a hidden, mysterious Dark Web is likely attributable to a tiny portion of unpublicized, invitation-only communities on onion sites.

"There's a set of sites that are kind of obscure, even within the obscurity of the Dark Web," Griffin continues. "These are sites that might be highly respected in the criminal community."

On the surface Web, popular sites attract millions of inbound links. Researchers found the most popular Tor site was a market with 3,585 inbound links. The top eight onion websites most valued in the criminal community had a maximum of 15 inbound links, with an average of 8.7 per site. Still, scams abound: one Dark Web typosquatting scheme claims to have defrauded visitors of more than 400 popular onion websites and generated thousands of dollars in Bitcoin.

Dark Web sites are generally unreliable, disorganized, and short-lived as scams and attacks pervade this part of the Internet. When onion servers fall victim to cybercrime, websites follow. Consider Daniel's Hosting, which provided Tor hosting services to about 6,500 onion sites and caused a massive outage when it was hacked in 2018. While it was eventually back up and running, the downtime represents a common pattern in service outages among onion sites.

The gold standard for websites is 99.999% availability, otherwise known as "five nines." Facebook's uptime is about 99.95%, researchers explain for context. Onion sites are typically much lower: even popular markets can have uptime below 90%; one well-known marketplace had 65% uptime at the time the report was published. Some sites simply disappear for good.

It may be smaller than perceived, but the Dark Web is falling under greater scrutiny as law enforcement cracks down on the small slice of cybercrime. Late last week, the world's second-largest Dark Web marketplace was taken down in an international law enforcement operation. "Wall Street Market" had hosted the sale of illegal drugs, stolen data, fake documents, and malicious software. Its shutdown led to the arrest of three German nationals in the US.

In January, another law enforcement operation shut down xDedic, a Russian-language site known for selling stolen identity data and access to compromised servers. As officials continue to investigate and dismantle cybercriminal operations, they force operators to rethink their strategies: marketplaces are now being replaced with smaller forums and individual chats. Cybercrime isn't limited to the Dark Web – it's also happening in chat apps and other tools.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
