Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/7/2019
02:30 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

The Dark Web Is Smaller Than You Think

The number of live, accessible .onion sites amounts to less than 0.005% of surface web domains, researchers report.

The big, scary Dark Web may not be as big or scary as many believe.

Over the years, the Dark Web has garnered a reputation as a nebulous platform for cybercrime. Highly publicized arrests and news stories have fueled the idea there is a massive network of cybercriminals plotting scams in this corner of the Web. But the actual amount of live, reachable onion sites makes up less than 0.005% of about 200 million surface Web domains.

It's worth noting the Dark Web is defined as any Internet content that requires specific software, configurations, or authorization to access. Oftentimes it's conflated with the Deep Web, which refers to all parts of the Web not indexed by search engines. The Dark Web includes the Tor network, which consists of onion domains and direct links between them.

"The term has a little bit of a life of its own," says Garth Griffin of the Dark Web. Griffin is the director of data science at Recorded Future, where analysts recently set out to characterize the entire Tor network as part of a new study. "Anybody can figure out how to use Tor but most people haven't bothered to do that, so it sort of has this aura of mystique around it."

To provide clarity on the Dark Web, researchers crawled some 260,000 onion pages to estimate the full reachable Tor network from a starting set of onion sites they pulled from public lists and internal content. They found 55,828 onion domains; of these, only 8,400 (15%) were live sites.

"We were not surprised to find the actual extent of the Tor network is not as broad as it's talked about," says Griffin. There are criminal sites where illicit activity happens, he adds, but it's not the massive machine people assume it is. In the report on their findings, Griffin and Recorded Future's Juan Sanchez say the common idea of a hidden, mysterious Dark Web is likely attributable to a tiny portion of unpublicized, invitation-only communities on onion sites.

"There's a set of sites that are kind of obscure, even within the obscurity of the Dark Web," Griffin continues. "These are sites that might be highly respected in the criminal community."

On the surface Web, popular sites attract millions of inbound link counts. Researchers found the most popular Tor site was a market with 3,585. The top eight onion websites most valued in the criminal community had a maximum of 15 inbound link counts, with an average of 8.7 per site. Still, scams abound: one Dark Web typosquatting scheme claims to have defrauded visitors of more than 400 popular onion websites and generated thousands of dollars in Bitcoin.

Dark Web sites are generally unreliable, disorganized, and short-lived as scams and attacks pervade this part of the Internet. When onion servers fall victim to cybercrime, websites follow. Consider Daniel's Hosting, which provided Tor hosting services to about 6,500 onion sites and caused a massive outage when it was hacked in 2018. While it was eventually back up and running, the downtime represents a common pattern in service outages among onion sites.

The gold standard for websites is 99.999% availability, otherwise known as "five nines." Facebook's uptime is about 99.95%, researchers explain for context. Onion sites are typically much lower: even popular markets can have uptime below 90%; one well-known marketplace had 65% uptime at the time the report was published. Some sites simply disappear for good.

It may be smaller than perceived, but the Dark Web is falling under greater scrutiny as law enforcement cracks down on the small slice of cybercrime. Late last week, the world's second-largest Dark Web marketplace was taken down in an international law enforcement operation. "Wall Street Market" had hosted the sale of illegal drugs, stolen data, fake documents, and malicious software. Its shutdown led to the arrested of three German nationals in the US.

In January, another law enforcement operation shut down xDedic, a Russian language site known for selling stolen identity data and access to compromised servers. As officials continue to investigate and dismantle cybercriminal operations, they force operators to rethink their strategies: marketplaces are now being replaced with smaller forums and individual chats. Cybercrime isn't limited to the Dark Web – it's also happening in chat apps and other tools.

Related Content:

 

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 6/5/2020
How AI and Automation Can Help Bridge the Cybersecurity Talent Gap
Peter Barker, Chief Product Officer at ForgeRock,  6/1/2020
Cybersecurity Spending Hits 'Temporary Pause' Amid Pandemic
Kelly Jackson Higgins, Executive Editor at Dark Reading,  6/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: What? IT said I needed virus protection!
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-13881
PUBLISHED: 2020-06-06
In support.c in pam_tacplus 1.3.8 through 1.5.1, the TACACS+ shared secret gets logged via syslog if the DEBUG loglevel and journald are used.
CVE-2020-13883
PUBLISHED: 2020-06-06
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.
CVE-2020-13871
PUBLISHED: 2020-06-06
SQLite 3.32.2 has a use-after-free in resetAccumulator in select.c because the parse tree rewrite for window functions is too late.
CVE-2020-13864
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from a stored XSS vulnerability. An author user can create posts that result in a stored XSS by using a crafted payload in custom links.
CVE-2020-13865
PUBLISHED: 2020-06-05
The Elementor Page Builder plugin before 2.9.9 for WordPress suffers from multiple stored XSS vulnerabilities. An author user can create posts that result in stored XSS vulnerabilities, by using a crafted link in the custom URL or by applying custom attributes.