Dark Reading is part of the Informa Tech Division of Informa PLC


5/7/2019
02:30 PM

The Dark Web Is Smaller Than You Think

The number of live, accessible .onion sites amounts to less than 0.005% of surface web domains, researchers report.

The big, scary Dark Web may not be as big or scary as many believe.

Over the years, the Dark Web has garnered a reputation as a nebulous platform for cybercrime. Highly publicized arrests and news stories have fueled the idea that there is a massive network of cybercriminals plotting scams in this corner of the Web. But the actual number of live, reachable onion sites is less than 0.005% of about 200 million surface Web domains.

It's worth noting the Dark Web is defined as any Internet content that requires specific software, configurations, or authorization to access. Oftentimes it's conflated with the Deep Web, which refers to all parts of the Web not indexed by search engines. The Dark Web includes the Tor network, which consists of onion domains and direct links between them.

"The term has a little bit of a life of its own," Garth Griffin says of the Dark Web. Griffin is the director of data science at Recorded Future, where analysts recently set out to characterize the entire Tor network as part of a new study. "Anybody can figure out how to use Tor but most people haven't bothered to do that, so it sort of has this aura of mystique around it."

To provide clarity on the Dark Web, researchers crawled some 260,000 onion pages to estimate the full reachable Tor network from a starting set of onion sites they pulled from public lists and internal content. They found 55,828 onion domains; of these, only 8,400 (15%) were live sites.

"We were not surprised to find the actual extent of the Tor network is not as broad as it's talked about," says Griffin. There are criminal sites where illicit activity happens, he adds, but it's not the massive machine people assume it is. In the report on their findings, Griffin and Recorded Future's Juan Sanchez say the common idea of a hidden, mysterious Dark Web is likely attributable to a tiny portion of unpublicized, invitation-only communities on onion sites.

"There's a set of sites that are kind of obscure, even within the obscurity of the Dark Web," Griffin continues. "These are sites that might be highly respected in the criminal community."

On the surface Web, popular sites attract millions of inbound links. Researchers found the most popular Tor site was a market with 3,585 inbound links. The top eight onion websites most valued in the criminal community had a maximum of 15 inbound links, with an average of 8.7 per site. Still, scams abound: one Dark Web typosquatting scheme claims to have defrauded visitors of more than 400 popular onion websites and generated thousands of dollars in Bitcoin.

Dark Web sites are generally unreliable, disorganized, and short-lived as scams and attacks pervade this part of the Internet. When onion servers fall victim to cybercrime, websites follow. Consider Daniel's Hosting, which provided Tor hosting services to about 6,500 onion sites and caused a massive outage when it was hacked in 2018. While it was eventually back up and running, the downtime represents a common pattern in service outages among onion sites.

The gold standard for websites is 99.999% availability, otherwise known as "five nines." Facebook's uptime is about 99.95%, researchers explain for context. Onion sites are typically much lower: even popular markets can have uptime below 90%; one well-known marketplace had 65% uptime at the time the report was published. Some sites simply disappear for good.

It may be smaller than perceived, but the Dark Web is falling under greater scrutiny as law enforcement cracks down on the small slice of cybercrime. Late last week, the world's second-largest Dark Web marketplace was taken down in an international law enforcement operation. "Wall Street Market" had hosted the sale of illegal drugs, stolen data, fake documents, and malicious software. Its shutdown led to the arrest of three German nationals in the US.

In January, another law enforcement operation shut down xDedic, a Russian-language site known for selling stolen identity data and access to compromised servers. As officials continue to investigate and dismantle cybercriminal operations, they force operators to rethink their strategies: marketplaces are now being replaced with smaller forums and individual chats. Cybercrime isn't limited to the Dark Web – it's also happening in chat apps and other tools.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
