Dark Web: The smart person's guide


Hacking is a fact of life for business and consumers alike. Often, leaked data surfaces and is sold to miscreants—hackers, shady government organizations, and other bad actors—on the Dark Web.

The Dark Web—or darknet, backweb, onionweb—is frequently misunderstood. The network is used by legitimate actors like law enforcement organizations, cryptologists, and journalists as often as by malefactors and criminals.

TechRepublic’s smart person’s guide is a routinely updated “living” precis about how the Dark Web works, the content that populates the encrypted internet, and the encryption tools needed to safely navigate the network.

Executive summary

  • What is it? Much like the internet—or clearnet—that billions of people access every day from mobile and desktop devices, the Dark Web is a network of websites, forums, and communication tools like email. What differentiates the Dark Web from the clearnet is that users are required to run a suite of security tools that help anonymize web traffic. The Dark Web is used for both nefarious and reputable purposes. Criminals exploit the network’s anonymity to sell guns, drugs, and humans, while organizations like the UN and Facebook use encryption to protect dissidents in oppressive countries.
  • Why does it matter? The Dark Web matters for two significant reasons: ideology and practicality. Where encryption exists, there also exists a large market of users who wish to remain anonymous.
  • Who does it affect? Every internet user. If your data was leaked as part of a government or corporate hack, it’s for sale on the Dark Web.
  • How is it accessed? The Dark Web is most commonly accessed using the Tor security suite and the Tails flash-bootable operating system.

What is it?

The Dark Web is a network of websites and servers that use encryption to obscure traffic. Dark Web sites use the .onion top-level domain, have non-memorable URL strings, and can be accessed only with the open source, security-focused Tor browser. Tails, a Linux-based operating system that boots from a flash drive, adds a layer of security to Dark Web activity because it is portable and disposable.

Because the tools required to access Dark Web sites help protect the anonymity of both users and servers, in the past decade the Dark Web has become a magnet for criminal activity. The Silk Road, an eBay-like market for drugs and weapons, famously helped establish the market for peer-to-peer anonymous criminal commerce. The site grabbed mainstream headlines in 2013 when it was taken down by the FBI. In its place rose a number of copycat markets. The negative press, coupled with YouTube horror stories, glued the Dark Web’s reputation to illicit behavior. Today, the Dark Web markets sell drugs, weapons, malicious software, and piles of consumer and sensitive corporate data.

But the Dark Web is not all bad news. ProPublica, a well-respected investigative news organization, has a Dark Web site to help the company securely communicate with sources. The United Nations law enforcement department, the Office on Drugs and Crime, monitors the Dark Web and shares data with the public and global police organizations. Even Facebook, the world’s largest social network, has a Dark Web site relied on by over one million users per month.

  • What is the clearnet? Clearnet sites are sites that track user data, drop cookies, and share IP data. Examples of the clearnet are corporate intranet pages, secure bank pages, private social media accounts, and any site that does not use SSL.
  • What is the deep web? The Dark Web and the deep web are often confused with one another. The deep web is a term applied to millions of pages that are not accessible to the public and not indexable by search engines like Google and Bing. Examples of deep web sites are corporate intranet pages and wikis, secure bank pages, and private social media accounts.
  • Are encrypted email technologies like PGP part of the Dark Web? Not really, but PGP in particular is frequently used to encrypt communication. PGP email tools and encrypted webmail services allow Dark Web site operators and users to communicate anonymously.
  • How are Bitcoin and the Dark Web related? Bitcoin is not inherently anonymous, but scrambling the origin of a Bitcoin is a relatively trivial task. For this reason the virtual currency is the most popular currency used on the Dark Web and can enable criminal activity.
  • What is .onion? To denote that the domain points to an encrypted site, Dark Web URLs end with the .onion suffix and are inaccessible to traditional browsers that lack proper security plugins.
  • How big is it? Not very big. The total population of Dark Web sites numbers only in the hundreds of thousands. Dark Web sites frequently disappear or are discovered and yanked from servers for violating local law. Security experts estimate that at any given moment there are between 10,000 and 100,000 active sites.

Why does it matter?

Though the name sounds ominous, the Dark Web did not hatch from some evil hacker lab. The Dark Web is simply a network of websites that require basic encryption technologies to be enabled before users can load content. These are the same technologies that protect passwords when users log on to bank portals and sites like Gmail and Facebook.

For this reason, the Dark Web is used by proponents of privacy and encryption. Organizations as diverse as the Electronic Frontier Foundation, Facebook, the U.S. State Department, and the United Nations all argue vociferously that encryption is a fundamental human right.

The Dark Web is practical. The anonymity and security provided by the encrypted internet means the Dark Web is a haven for criminals, law enforcement agencies, freedom fighters, journalists, neo-capitalists, and curiosity seekers. The Dark Web is unlikely to vanish any time soon.

Who does it affect?

Using the clearnet generates data. Consumers generate data every time they create a social media account, send a webmail message, or upload a photo from a smartphone. Governments and large corporations generate and oversee billions of records and sensitive files. This makes governments and companies theft targets, and today, data breaches are common.

Consumers and companies need to be aware that sensitive records are bought and sold routinely in anonymous markets. If you’ve been part of a corporate or government hack, your data is on the Dark Web.

The Dark Web is also a small haven for terrorists and organized crime. Most Dark Web-focused security firms, however, caution against exaggerating the size of, and the risks posed by, the encrypted internet. Global law enforcement is aware of, operates on, and works to combat illicit Dark Web activity.

How is it accessed?

The best way to access the Dark Web is with Tor. An acronym for “the onion router,” Tor is an open source protocol and a suite of plugins built on top of Mozilla’s Firefox web browser. Tor helps anonymize the source and destination of web traffic by routing it through a chain of encrypted relays instead of connecting directly. The result is that web browsing slows down a bit as each request is bounced around the world, obfuscating user traffic.

For additional security, power users and experts also use anonymity-protecting operating systems like Tails. Tails is a Linux distribution that specializes in security and convenience. The operating system takes about 20 minutes to install on a flash drive and can be booted from the USB drive on nearly any machine in the world. Tails comes preconfigured with Tor and offers dozens of other security features.

There is no guarantee of privacy on the Dark Web. Tor recently warned users not to expect complete end-to-end privacy while using the network.

Novices and experts should exercise care and caution when visiting the Dark Web. TechRepublic does not condone illegal or unethical activity. Offensive material can sometimes be just a click away. Browse at your own risk. Never break the law. Use the Dark Web safely, and for legal purposes only.

Password-Stealing Trojan Now Also Attacks With Cerber Ransomware

Weaponized Microsoft Word Documents spread one-two punch via the infamous Betabot.

An old-school banking Trojan has been reincarnated as a weaponized document payload that first steals passwords and then drops ransomware.

The Betabot Trojan, which the FBI warned about in 2013, is best known as a botnet and for disabling anti-malware software and bypassing virtual machines and sandboxes on victim machines in its quest to steal passwords. But researchers at Invincea have discovered Betabot spreading via rigged documents: after it steals a victim’s browser-stored passwords, it then drops the infamous Cerber ransomware in a second phase of the attack.

Invincea says this is a first: a weaponized document that steals passwords then uses ransomware on its victims.

Patrick Belcher, senior director of threat research at Invincea, says Betabot has infected thousands of victims in this latest iteration. “We haven’t seen Betabot ever do this: doing a phishing run with the same sort of phishing Cerber was using. Instead of using just Cerber, the [attackers] are installing Betabot and then going to Cerber.”

Cerber is a ransomware tool that has caught fire in the cybercrime underground. It uses a ransomware-as-a-service model, which allows nontechnical criminals to deploy it. Cerber affiliates extorted from their victims some $195,000 in July, according to recent data from Check Point, and Cerber’s author nets around $946,000 per year, a hefty income for ransomware operations.

Why the one-two punch? Belcher says it’s all about maximizing potential profit. Once the attackers have stolen the stored passwords, they then hit the victim with Cerber ransomware in order to squeeze as much as they can out of an infected victim.

“They were really after the passwords, I think, or they would not bother to drop Betabot. But they are trying to maximize their profits for each compromised endpoint. They get an amount of value on passwords of the systems … and the second whammy is ‘pay ransom’ on top of that,” he says.

Betabot basically harvests any credentials stored in the browser cache, and in the recent campaign it infects users through a malicious macro in a Word document posing as a résumé. The user is infected only if macros are enabled in the document, either by default or manually.

Bottom line: enterprises continue to be juicy marks for phishing lures. “Our research shows that weaponized documents are six times more prevalent than running into an exploit kit,” Belcher says. That covers not just malicious macros but otherwise rigged files as well, he says.

“Every business in America is being run having to open up invoices, resumes, documents, reservations … Phishing campaigns have proven to be extremely accurate in the way they are worded,” for example, he says.

Another perplexing issue, notes Belcher: if users create strong passwords and then store them in their browser cache, those passwords are toast in a Betabot-type password-stealing attack.

The best bet to protect against this latest Betabot-Cerber campaign—aside from practicing savvy phishing awareness—is to disable macros altogether and for users to refrain from storing any passwords in the browser.
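One defender-side control that follows from the advice above is to inspect inbound Office attachments for embedded VBA before they reach a user, and to flag files whose extension promises a macro-free format but which carry macro parts anyway. The script below is an added example written for this article; it is not Invincea's tooling and has no connection to the Betabot campaign. It relies only on the documented Office Open XML layout (a zip container with a `[Content_Types].xml` manifest and a `vbaProject.bin` part for macros), and the "documents" it checks are minimal constructed zips built inline, not real Word files. Legacy OLE-format `.doc` files are only recognized by their magic bytes and routed to manual review, since parsing OLE streams needs a dedicated library.

```python
import io
import zipfile

# Part names the OOXML spec uses for VBA projects (lowercased for matching).
MACRO_PART_NAMES = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaproject"
# Magic bytes of the legacy OLE compound-file format used by .doc/.xls.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions that, by convention, must not contain macros.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def find_macro_indicators(data: bytes) -> list:
    """Return the reasons an OOXML blob looks macro-enabled (empty list if none)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid OOXML (zip) container"]
    reasons = []
    with zf:
        by_lower = {name.lower(): name for name in zf.namelist()}
        for part in MACRO_PART_NAMES:
            if part in by_lower:
                reasons.append(f"contains VBA project part {by_lower[part]}")
        manifest = by_lower.get("[content_types].xml")
        if manifest:
            manifest_xml = zf.read(manifest).decode("utf-8", "replace").lower()
            if MACRO_CONTENT_TYPE in manifest_xml:
                reasons.append("content-types manifest declares a vbaProject part")
    return reasons


def assess_attachment(filename: str, data: bytes) -> dict:
    """Classify an attachment as allow / block / review with the evidence found."""
    lower_name = filename.lower()
    if data.startswith(OLE_MAGIC):
        return {"filename": filename, "verdict": "review",
                "reasons": ["legacy OLE document; may carry macros, inspect with an OLE parser"]}
    reasons = find_macro_indicators(data)
    if reasons == ["not a valid OOXML (zip) container"]:
        # Not an OOXML file at all (PDF, image, ...): this check cannot judge it.
        return {"filename": filename, "verdict": "review", "reasons": reasons}
    if reasons and lower_name.endswith(MACRO_FREE_EXTENSIONS):
        reasons.append("macro-free extension but contains macro parts")
    return {"filename": filename, "verdict": "block" if reasons else "allow", "reasons": reasons}


def build_sample_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-style zip for demonstration (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = ['<?xml version="1.0"?><Types>',
                    '<Override PartName="/word/document.xml" ContentType="application/'
                    'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
        if with_macro:
            manifest.append('<Override PartName="/word/vbaProject.bin" '
                            'ContentType="application/vnd.ms-office.vbaProject"/>')
            # Constructed placeholder bytes; a real part would hold compressed VBA streams.
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA\x00")
        manifest.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(manifest))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("resume.docm", build_sample_doc(True)),    # macro-enabled, honest extension
               ("resume.docx", build_sample_doc(True)),    # macro parts hidden behind .docx
               ("resume.docx", build_sample_doc(False)),   # clean document
               ("resume.doc", OLE_MAGIC + b"\x00" * 16)]   # legacy format, needs review
    for name, blob in samples:
        print(assess_attachment(name, blob))
```

The extension mismatch check matters because Word decides whether a file is macro-enabled from its content types, not its name, so a `.docx` carrying a `vbaProject.bin` still prompts the user to enable macros. Treat "review" as a queue for a fuller parser (for example the oletools suite), not as an allow.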

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …
