Dark Web Monitoring
Surface, Deep and Dark Web Explained
Dark Web monitoring enables organizations to stay ahead of cybercriminals with proactive intelligence on data breaches affecting their internal systems and trusted third parties, so that they can respond in time to phishing, fraud, Business Email Compromise (BEC) attacks and intellectual property infringement.
What is the Dark Web
Gartner’s most recent “Market Guide for Security Threat Intelligence Products and Services” urges security leaders to implement a continuous Dark Web monitoring solution to outpace attackers and mitigate third-party risks. The recommendation will likely persist, with even stronger emphasis, in 2020.
Want an in-depth understanding of all modern aspects of Dark Web monitoring? Read this article carefully and bookmark it to come back later; we update this page regularly.
The Dark Web is commonly defined as the part of the Internet that can be accessed only with specific software, such as the Tor browser. Its users enjoy a high level of anonymity, since the underlying overlay network is designed to conceal the physical location of both servers and clients. For obvious reasons, the Dark Web and its marketplaces attract cybercriminals and con artists from all over the world, who buy and sell a wide spectrum of stolen data and illegal or contraband goods while enjoying namelessness and impunity.
The main focus of Dark Web monitoring, however, is the misappropriated data offered there for fun and for profit. To illustrate the scope and importance of the problem, it is sufficient to mention that over 21 million corporate accounts belonging to Fortune 500 companies were breached and put up for sale on the Dark Web in 2019.
What is the Deep Web
Most of the unlawful offerings on the Dark Web involve corporate data illicitly extracted from the so-called “Deep Web”. The term commonly denotes the large segment of the Internet that requires some form of authentication to get in, ranging from password-protected websites to hardened corporate datacenters storing invaluable data and intellectual property. The vast majority of the data residing in the Deep Web is of a legitimate and lawful nature, so its appearance on the Dark Web is a reliable indicator of a data breach or an accidental data leak.
A tangible part of the Deep Web is, however, leveraged by professional cyber mercenaries and their clandestine clients to trade stolen data and government secrets in full stealth. The most valuable goods are inconspicuously sold on secret marketplaces, discreetly hosted in the AWS cloud, that admit only a narrow circle of privileged and trusted participants by requiring a client-side SSL certificate as a second authentication factor. Contemporary Dark Web monitoring should therefore include a continuous search for exposed corporate data originating from the Deep Web, and likewise attempt to cover the dark segment of the Deep Web itself.
What is the Surface Web
One more term you should know within the context of Dark Web monitoring is “Surface Web” or just “Surface”. It means the publicly visible and openly accessible part of the Internet, such as public posts on social networks or the main pages of websites. For years, cybercriminals have circumvented various security mechanisms and abused the legitimate functionality of well-known Surface Web resources to host stolen data there, including:
- Pastebin and similar sharing websites
- Dropbox and other file sharing websites
- GitHub and other public code repositories
- Web forums, bulletin boards and chats
- IRC and Telegram channels
- Social Networks
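To make the detection concrete, here is an added Python example (not ImmuniWeb’s code) that scans text harvested from such sources for identifiers that belong to a monitored organization: e-mail addresses at its domains, hostnames under them and IPv4 addresses inside its public ranges. The domain `example.com`, the address range `203.0.113.0/24` and the paste content are constructed assumptions; a real deployment would feed it the raw text pulled from paste sites, repositories, forums and channels.

```python
import ipaddress
import re
from typing import List, Tuple

# Assumptions for this example: the organization's mail/web domain and its public
# address range. 203.0.113.0/24 is a documentation range (TEST-NET-3), used as a stand-in.
MONITORED_DOMAINS = {"example.com"}
MONITORED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

EMAIL_RE = re.compile(r"\b[\w.+-]+@([\w-]+(?:\.[\w-]+)+)\b")
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def base_domain(host: str) -> str:
    """Last two labels of a hostname. Naive on purpose: multi-label public
    suffixes such as co.uk would need a public-suffix list."""
    return ".".join(host.lower().split(".")[-2:])


def scan_text(source: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (source, line_no, kind, value) for every e-mail address, hostname or
    IPv4 address in `text` that belongs to the monitored organization."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in EMAIL_RE.finditer(line):
            if base_domain(m.group(1)) in MONITORED_DOMAINS:
                hits.append((source, line_no, "email", m.group(0).lower()))
        for m in IPV4_RE.finditer(line):
            try:
                ip = ipaddress.ip_address(m.group(0))
            except ValueError:  # e.g. 999.1.1.1 matches the regex but is no address
                continue
            if any(ip in net for net in MONITORED_NETWORKS):
                hits.append((source, line_no, "ip", str(ip)))
        for m in HOST_RE.finditer(line):
            # skip the domain part of an e-mail address, already reported above
            if m.start() > 0 and line[m.start() - 1] == "@":
                continue
            host = m.group(0).lower()
            if base_domain(host) in MONITORED_DOMAINS:
                hits.append((source, line_no, "host", host))
    return hits


# Constructed sample paste; not a real leak.
SAMPLE_PASTE = """\
Fresh dump from some corp - selling full access
user: alice@example.com pass: hunter2
vpn gateway: vpn.example.com (203.0.113.7) admin creds inside
also have 198.51.100.9 and bob@other.org, not related
mirror at files.example.com:8443
"""

if __name__ == "__main__":
    for hit in scan_text("paste-1", SAMPLE_PASTE):
        print(hit)
```

Each hit carries its source and line number so that an analyst can go back to the original paste; the brand name itself is deliberately not matched as a bare keyword, because on forums it produces far more noise than a hostname or an address inside your own ranges.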
Third Party Risk, Spear Phishing and Social Engineering
Nowadays, a steadily growing number of organizations fall victim to third-party breaches, ranging from trivial compromises of their suppliers, consultants and local online services to targeted Advanced Persistent Threat (APT) campaigns that exploit the weakest link to reach the victim’s crown jewels. Dark Web monitoring can help detect some of those breaches in time, minimizing financial losses and long-lasting reputational damage.
Routinely, cybercriminals offer dumps of records with names, addresses, phone numbers, e-mails and passwords stolen from websites and exposed databases. Such records and credentials have little value per se; however, they greatly facilitate and accelerate password reuse (credential stuffing) attacks, credential brute-forcing and targeted spear phishing campaigns, because a password leaked from one service is often reused on the victim’s corporate accounts.
In light of skyrocketing Business Email Compromise (BEC) attacks, also known as “CEO fraud” or “whaling”, stolen records in the wrong hands turn into multi-million losses when unwitting employees duly execute a wire transfer following a fake order from the CEO or another senior executive. Sometimes, exposed records also reveal the secret questions used to recover forgotten passwords, providing fertile ground and a wealth of ideas for social engineering attacks.
At ImmuniWeb, every day we crawl millions of new files and entries on the Dark Web to rapidly detect data leaks and exposed credentials of your employees compromised in third-party breaches that would otherwise remain invisible and unknown.
Credentials, PII and PHI Records in the Dark Web
The following Personally Identifiable Information (PII), Sensitive Personal Information (SPI) and Protected Health Information (PHI), previously stolen from your organization or your trusted third parties, can be discovered with Dark Web monitoring:
- Logins and passwords of employees
- Private messages and online communications
- Medical records and identification numbers
- Social Security numbers and records
- Background check and security clearance records
- Phone calls and SMS history
- Law enforcement records
- ID cards and passports
- Driving licenses
Financial and Banking Data in the Dark Web
Fraud, money theft and related financial crimes predominate in the modern cybercrime landscape. Dark Web monitoring likewise sheds light on the following data offered for sale by threat actors on mushrooming underground marketplaces:
- Tax records and statements
- Invoices and billing documents
- Records on loans, mortgages and credits
- E-payment and e-banking accounts
- Credit cards and debit cards
- Cryptocurrency wallets
- PayPal accounts
Backdoored and Breached Systems in the Dark Web
On top of this, Dark Web monitoring can also cover attackers who do not want to bother with time-consuming attack execution and would rather sell easily consumable digital goods or backdoored systems, occasionally belonging to your organization. Not infrequently, such systems are actively exploited for aggressive crypto-mining, consuming immense amounts of CPU time and electricity at the victim’s expense. These items habitually include the following:
- Logins and passwords to FTP, SSH and VPN servers
- Logins and passwords for corporate Salesforce, webmail, CRM, HRM or ERP systems
- SQL injection and Remote Command Execution (RCE) vulnerabilities on live websites
- Web shells, file managers and other backdoors on live websites
- Email servers suitable for sending large volumes of spam
- Remote administrative and Active Directory (AD) access to Windows servers
Lacking knowledge of their attack surface and an Attack Surface Management program, many large organizations systematically lose and expose their internal data. Such incidents are often caused by careless data storage in unprotected or misconfigured AWS S3 buckets and other widespread forms of cloud storage. Improperly configured websites, mobile APIs and third-party systems that process data are an inexhaustible source of sellable data for cybercriminals.
Organized Cybercrime in the Dark Web
To combat the spiraling growth of digital crime and fraud, organizations should not delay a Dark Web monitoring strategy that keeps the wrongdoers under close surveillance. The modern-day world of cybercrime is well organized and could serve as a model of discipline, maturity and overall effectiveness. Cyber gangs usually focus on the particular activity they master best, to attain high efficiency and profitability.
For example, some groups conduct 24/7 monitoring of all websites belonging to banks and financial institutions for outdated commercial and Open Source Software (OSS). Once they are notified of an existing and exploitable security flaw, they sell this information to the next group in the crime chain. That team exploits the vulnerability, backdoors the website and may even patch the vulnerability in question to prevent competing gangs from breaking in.
The backdoored website is then sold to a group specializing in data exfiltration, which attempts to take control of the server and the surrounding infrastructure to extract as much valuable data as possible. Finally, the customer data is acquired by fraudsters skilled in the aforementioned BEC attacks, spear phishing campaigns, ransomware, banking malware and Remote Access Trojan (RAT) distribution, aimed at stealing money from the accounts of the victim banks’ clientele.
At ImmuniWeb, every day we analyze gigabytes of data on the Dark Web to rapidly detect mentions of your digital assets that are compromised, contain known vulnerabilities or have otherwise attracted the attention of motivated threat actors.
Malicious and Rogue Digital Assets in the Dark Web
Dark Web monitoring also helps detect so-called rogue, or malicious, digital assets created and operated by cybercriminals with the intent to defraud your organization, clients or partners. Cybersquatted or typosquatted domains are a good example of such assets: they impersonate your brand and divert your website visitors. Phishing websites and pages represent an even higher risk, trying to infect your employees or clients with sophisticated malware or ransomware, steal their credentials or gain access to your business secrets.
Fake accounts on social networks are another facet of the problem, ranging from fake premium support to overt scams solely intended to steal funds. Last but not least, rogue mobile applications can wreak havoc among your clients once they realize that the recently installed mobile app, granted generous access permissions, has no connection with your organization and merely steals their data or sends SMS spam.
At ImmuniWeb, every day we parse millions of newly created domains and issued SSL certificates, mobile apps in public stores and accounts on social networks to rapidly inform you about any suspicious or malicious activity.
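The domain side of this detection is mechanical enough to show in code. The following Python is an added example (not ImmuniWeb’s code): it generates the classic typosquatting variants of a brand domain (character omission, repetition, transposition, homoglyph substitution, hyphenation, TLD swaps and keyword prefixes or suffixes), then matches a feed of newly observed domains against them, falling back to an edit-distance check for look-alikes that no rule generated. `immuniweb.com` as the protected brand, the TLD and keyword lists, and the feed of domains are assumptions constructed for the example; `split_domain` assumes single-label TLDs.

```python
from typing import Dict, List, Tuple

# Assumptions for this example: the brand domain being protected and a short list
# of TLDs and keywords an impersonator would typically combine with it.
BRAND_DOMAIN = "immuniweb.com"
COMMON_TLDS = ["com", "net", "org", "io", "co", "info"]
KEYWORDS = ["login", "secure", "support", "account"]
# characters that look alike in common fonts
HOMOGLYPHS = {"m": ["rn", "nn"], "l": ["1", "i"], "i": ["l", "1"], "o": ["0"],
              "w": ["vv"], "e": ["3"], "a": ["4"], "s": ["5"]}


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'name.tld'. Assumes a single-label TLD; co.uk-style suffixes need a public-suffix list."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def typosquat_variants(domain: str) -> Dict[str, str]:
    """Map each generated look-alike domain to the technique that produced it."""
    name, tld = split_domain(domain)
    variants: Dict[str, str] = {}

    def add(candidate: str, technique: str, candidate_tld: str = tld) -> None:
        full = f"{candidate}.{candidate_tld}"
        if full != domain:
            variants.setdefault(full, technique)  # first technique wins

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")                             # imuniweb
        add(name[:i] + ch + name[i:], "repetition")                          # immmuniweb
        if i < len(name) - 1:
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")  # imumniweb
        for glyph in HOMOGLYPHS.get(ch, []):
            add(name[:i] + glyph + name[i + 1:], "homoglyph")                # irnmuniweb
    for i in range(1, len(name)):
        add(name[:i] + "-" + name[i:], "hyphenation")                        # immuni-web
    for alt in COMMON_TLDS:
        if alt != tld:
            add(name, "tld-swap", alt)                                       # immuniweb.co
    for kw in KEYWORDS:
        add(f"{name}-{kw}", "keyword")                                       # immuniweb-login
        add(f"{kw}-{name}", "keyword")
    return variants


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch look-alikes that no fixed technique generated."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_feed(domain: str, feed: List[str], max_distance: int = 2) -> List[Tuple[str, str]]:
    """Flag newly observed domains that are generated variants of `domain` or within
    `max_distance` edits of its name. Returns (domain, reason) pairs in feed order."""
    variants = typosquat_variants(domain)
    brand_name, _ = split_domain(domain)
    hits = []
    for raw in feed:
        candidate = raw.strip().lower().rstrip(".")
        if candidate == domain:
            continue
        if candidate in variants:
            hits.append((candidate, variants[candidate]))
            continue
        cand_name, _ = split_domain(candidate)
        if levenshtein(cand_name, brand_name) <= max_distance:
            hits.append((candidate, "edit-distance"))
    return hits


# Constructed feed of "newly registered" domains; not real observations.
SAMPLE_FEED = ["immuniweb.com", "irnmuniweb.com", "immuniweb-login.com", "immunlweb.com",
               "immuniweb.co", "immuniwe.net", "totally-unrelated.com", "imuniweb.com"]

if __name__ == "__main__":
    for hit in match_feed(BRAND_DOMAIN, SAMPLE_FEED):
        print(hit)
```

Variant generation is where production tools spend their effort (IDN homoglyphs, bit-squatting, public-suffix-aware splitting); the point here is that matching becomes a set lookup once the variants exist, and that a cheap edit-distance pass catches what the rules miss, at the cost of more false positives on short brand names.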
Trojans, Malware and Spyware in the Dark Web
Finally, one can find samples, binaries or source code of malware being sold on the Dark Web, from omnipresent Remote Access Trojans to stealthy banking malware capable of taking over and draining the e-banking accounts of its victims.
While general-purpose spyware and commodity ransomware are of limited importance within the scope of Dark Web monitoring, malicious software crafted specifically to target your organization, or its clients, should undoubtedly be on your radar.
Caveats and Conclusion
Dark Web monitoring is not without its drawbacks and has an important pitfall that deserves a bold caveat. The data openly sold, or aggressively advertised, on various Dark Web forums and public marketplaces is frequently nothing but a disguised compilation of credentials from ancient breaches, or an outright fake.
Most of the credentials in such shoddy compilations do not work and represent no material value to the buyer. Therefore, it is essential to possess Dark Web monitoring technology capable of reliably distinguishing garbage and duplicates from genuine data. At ImmuniWeb, we leverage our award-winning Machine Learning and AI technology to purify petabytes of processed data and deliver actionable insights to our clientele.
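The two practical checks implied on this page, triaging a dump for duplicates and recycled old-breach records (this caveat) and testing whether a leaked password still opens a corporate account (the password-reuse point in the third-party risk section above), share the same parsing, so the added Python example below does both. It is not ImmuniWeb’s code: the dump, the set of fingerprints from an earlier breach, the identity store with salted PBKDF2 verifiers and the monitored domain `example.com` are all constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Set, Tuple

# Assumptions for this example: the organization's mail domain, the KDF parameters of
# its (stand-in) identity store, and a few placeholder passwords typical of fake dumps.
MONITORED_DOMAINS = {"example.com"}
PBKDF2_ITERATIONS = 100_000
JUNK_PASSWORDS = {"", "password", "123456", "null", "none", "<blank>", "n/a"}


def parse_combolist(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines (also ';' or tab separated); skip comments and junk lines."""
    records = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for sep in (":", ";", "\t"):
            if sep in line:
                email, password = line.split(sep, 1)  # passwords may contain the separator
                break
        else:
            continue
        email = email.strip().lower()
        if "@" not in email or "." not in email.rsplit("@", 1)[1]:
            continue
        records.append((email, password))
    return records


def record_fingerprint(email: str, password: str) -> str:
    """Fingerprint of a credential pair so that 'seen before' sets never hold plaintext."""
    return hashlib.sha256(f"{email}\x00{password}".encode()).hexdigest()


def triage(lines: Iterable[str], previously_seen: Set[str]) -> Dict[str, list]:
    """Sort a dump into genuinely new in-scope records, duplicates within the dump,
    records recycled from older breaches, junk placeholders and out-of-scope entries."""
    out: Dict[str, list] = {"new": [], "duplicate": [], "recycled": [], "junk": [], "out_of_scope": []}
    seen_here: Set[str] = set()
    for email, password in parse_combolist(lines):
        if email.rsplit("@", 1)[1] not in MONITORED_DOMAINS:
            out["out_of_scope"].append(email)
        elif password.strip().lower() in JUNK_PASSWORDS:
            out["junk"].append(email)
        else:
            fp = record_fingerprint(email, password)
            if fp in seen_here:
                out["duplicate"].append(email)
            elif fp in previously_seen:
                out["recycled"].append(email)
            else:
                out["new"].append((email, password))
            seen_here.add(fp)
    return out


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 verifier, standing in for the identity store's format."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_verifier(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def find_reused_credentials(new_records, directory):
    """Test every newly leaked password against every account's verifier: a hit on the
    leaked account means the password is still valid, a hit elsewhere means it is shared."""
    findings = set()
    for leaked_email, password in new_records:
        for account, (salt, verifier) in directory.items():
            if hmac.compare_digest(hash_password(password, salt), verifier):
                kind = "still_valid" if account == leaked_email else "shared_with_other_account"
                findings.add((account, leaked_email, kind))
    return sorted(findings)


# Constructed sample data; none of it comes from a real breach.
SAMPLE_DUMP = """\
# constructed combolist
alice@example.com:Winter2019!
alice@example.com:Winter2019!
bob@example.com;Summer2018
eve@example.com:password
carol@other.org:irrelevant
frank@example.com:OldLeak#2016
garbage line without separator
"""
OLD_BREACH_FINGERPRINTS = {record_fingerprint("frank@example.com", "OldLeak#2016")}


def build_sample_directory() -> Dict[str, Tuple[bytes, bytes]]:
    # alice still uses her leaked password, bob rotated his, dave shares alice's password
    return {"alice@example.com": make_verifier("Winter2019!"),
            "bob@example.com": make_verifier("Spring2020"),
            "dave@example.com": make_verifier("Winter2019!")}


if __name__ == "__main__":
    result = triage(SAMPLE_DUMP.splitlines(), OLD_BREACH_FINGERPRINTS)
    print({kind: len(entries) for kind, entries in result.items()})
    for finding in find_reused_credentials(result["new"], build_sample_directory()):
        print(finding)
```

Testing leaked passwords against verifiers costs one KDF computation per (leaked record, account) pair, so in practice the candidate set is narrowed first (here, to new in-scope records) and the check runs where the verifiers live rather than by exporting them; the fingerprint set is what lets a monitoring pipeline recognize the same ancient breach when it is recompiled and resold under a new name.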