Dark web tour: A “sneak peak” into the dark web

In this blog and video a Cyberint cybersecurity expert explains how the ‘dark web’ operates and shows real live examples of actors and their criminal activity. Learn how to access the dark web and what are some of the most common behaviors that companies should be watching out for.

Warning: Do not try to attempt going into the dark web without any type of preparation, downloading the Thor browser, which we’ll talk about in a few seconds, and just going to a link that you have is very bad practice. 

If you do want to try some of these things, and I definitely don’t recommend trying them without proper preparation, make sure that you have a dedicated machine, that you have a VPN, that you’re using a virtual machine, that you’re not using any of your real information. Keep your machine, you know, your red machine as clean as possible without any personal information. So nothing can be traced back to you by the threat actors that, you know, if they feel that something is suspicious, they can maybe try to attack you. 

Everybody has seen this type of iceberg illustration (Figure 1) in the past, where the clear web is the top part of the iceberg. And we usually see. And then underneath that we have the deep web and the dark web. 

The Clear Web vs. Deep Web vs. Dark Web

What is the Clear Web? 

The clear web is the surface, where we can go with our browser and everything that’s indexable by search engines. So if I click, if I go cnn.com, I’ll get to cnn.com. It’s available for everybody. It’s indexed in Google, I can search it in Google. On amazon.com everything is accessible. All the different items that are being sold, all the links are accessible from the clear web. 

What is the Deep Web?  

The Deep Web is the majority of what we call the Internet today, it’s everything that’s hidden behind some sort of login page, or anything not indexed by Google e.g. all of your email is considered Deep Web because they are behind the login page for your email account. It’s not accessible for everybody, only for a certain set of people that have credentials. It also includes domains with more exotic top level domains like.pw or.cm, which is dot Cameroon, these things are usually not indexed by Google. 

And this is where we already start seeing some “shady business. We already see some markets that are operating in the Deep Web, like credit card shops or personal information shops. There, people sell credit cards, stolen credit cards and stolen PII (personal identifiable information).  

What is the Dark Web? 

The Dark Web is a subset of the Deep Web and it’s only accessible via a special browser. Because the dark web is usually used for criminal activity, people usually use “bulletproof hosts” or “bulletproof servers”. The threat actors host their own servers with their own networks to maintain control and to reduce the potential of being traced. It’s not something that everybody can access.   

The main tool used to access the dark web, the Tor browser, was originally created by the US Navy in 2002. It was created as an anonymous communications tool for intelligence agencies to use internally. 

It was then opened up, and since then has been used by threat actors, criminals, researchers, law enforcement and so on. The network today is maintained by an organization called Tor Project. It’s a nonprofit organization that’s based in Massachusetts, and the funding is provided by donations and corporations. But, the major investor? The US government. 

How does anonymity and the Tor Browser work? 

Tor works on a random routing system, every message, every communication that you send from your endpoint, is sent and been passed along, over 7000, different routers around the world. By the time it reaches the recipient it goes through at least 50 different steps (Figure 2). It is completely randomized, and therefore creates full anonymity. 

The Tor browser works in .onion URLs, and these URLs are not indexed and not memorable, comprised of a series of numbers and letters. Tor interprets these URLs and takes the user to the website they actually want. If you take a Tor URL and post it on Firefox or on Chrome, it won’t go anywhere. But, if you go to Tor, you can actually still go to cnn.com and amazon.com in addition to onion sites.  

Language on the Dark Web 

The dark web is a community of people with a very unique culture. There are various languages, the most popular being Russian, English, Turkish and Persian (Figure 3). 

The above is a dictionary that summarizes the more popular terms on the Russian speaking forums. If you go into a forum, and you speak in plain Russian (or any other lanugage depending on the forum) without using these terms, you’re going to be spotted as an outsider, immediately. You’ll be marked very quickly as an illegitimate user and they’ll kick you out of that forum. 

Many of the Dark Web marketplaces are very user friendly. Users don’t need to have any programming knowledge or hacking knowledge to get what they need. To get a credit card (be it a virtual card or a stolen card) all a user has to do is select their country, bank and type of card, click search, and results will appear. The user can choose, add it to the shopping cart and purchase it very easily (Figure 4).  

No hacking knowledge is needed AT ALL. The same is true for infostealers, login credentials and more.  

The Currency on the Dark Web 

One of the notorious uses of cryptocurrency is on the dark web. The Dark Web community love Bitcoin. They love Aetherium and other coins, but Bitcoin still remains the king. Most of the prices are shown in Bitcoin in addition to dollars e.g. if something costs $3, it will also show its Bitcoin equivilant. 

Bitcoin is not linked to any country and it’s completely anonymized. The transaction takes only seconds. And there are no limits to how you can how much money you can send or receive.  

The Dark Web Courts 

Users want to ensure that when they buy information, they actually get that information. There are many criminals on the Dark Web after all. The dark web community has a few ways to ensure that you get what you’re paying for: 

1. The first way is they use an escrow account – if you if you close a deal with someone, you can use an escrow account and that extra account usually belongs to a moderator or an admin of a dark web forum. They charge a fee for acting as a as a proxy. You send them the money, they confirm receipt with the threat actor, who then sends you the goods. You confirm receipt and the escrow account sends the money to the threat actor. 

1. They also use a Dark Web court. Users can make claims and defend their case in front of moderators or admins of the forums. The admins have a lot of power over the forums (they’ve been running them for a very long time). They know the participants, they know who the real deal, and who is faking and they can kick people out. When a threat actor is kicked out or downgraded it is a very big deal. 

How does Cyberint fit in? 

Every organization has its own sensitive information and has its external digital footprint – think social media, development environments, payment platforms, and so on.  

Treat actors talk amongst themselves, they think about ways to go into organizations. They brainstorm ransomware, phishing, account takeover etc. They try to target different vectors into the organization. 

Cyberint sits in the middle with visibility into your exposure and issues I.e attack surface monitoring for your external digital footprint. We also collect threat intelligence from the deep and dark web. We can understand if there are intentions of attacking the organization and we can also see if the organization has issues that enable this. We put the two together.  

Example: SCADA System

Cyberint collects information from an individual on the Dark web. We greet the individual with a basic interest message (it’s important to follow all the culture and language rules mentioned before, we need to ensure we are seen as somebody from that community). We engage with a direct question or indirect question, depending on what we’re collecting. We collect the intelligence and we disengage. Sometimes disengagement is as simple as saying I’m not interested, once the information is collected. And sometimes its actually buying something and providing even more in depth information to the client.  

In this example a threat actor is posting information that he has a SCADA system of electrical generation for sale. 

We can already see some details in the in the post itself, including that it has been used by Latin American governments like Mexico, Ecuador, and Venezuela. We can evens see the company, Pemex, Mexico. We can see that the logs are dated from 2019 and that the vendor is the Kelvin Team (Figure 6).

In our conversation above we ask an indirect question about the subscription, a question about the SCADA system and how it was obtained. 

This is just one example of Threat Intelligence Collection. Learn more about our Dark Web Threat Intelligence collection process here.