Ransomware is a form of malware which is installed on a victims device or devices with the main objective of seizing and/or locking away sensitive data. As the name suggests in order for a victim to regain access to their data and systems they need to pay a ransom. More often than not, the two options a victim is presented with when they succumb to a ransomware attack is to either rebuild their systems from scratch and potentially have the attacker leak the data online - or pay up.

As such, it’s unsurprising that, in our increasingly digital age with more and more data on the cloud, that the number of attacks and the success of ransomware attacks is on the rise. Approximately 58% of ransomware victims paid in 2020, compared to 39% in 2017.

Ransoms for these kinds of attacks range from a few hundred dollars to thousands or even millions of dollars payable in cryptocurrency such as Bitcoin. In return for the payout, the attackers will release a decryption key allowing the organization to return to business. Certain industries, such as government organizations and hospitals are more susceptible to ransomware attacks due to the nature of the work that they do often being time-sensitive. For example, a ransomware attack crippled a hospital in Germany, leading directly to one patient’s death.  

There are numerous strategies that ransomware attackers employ to gain access to a victims database. One of the most common though is through social engineering tactics, such as phishing emails. Cybercriminals can make these emails look exactly like trustworthy emails from official sources, tricking victims into downloading compromised software onto their device. 

Because of the nature of social engineering tactics, and the evolving cyber threat landscape no organization can ever be fully secure from malware threats. Below we outline 12 of the biggest ransomware attacks that occurred in 2020.

12 Ransomware Attacks that Happened in 2020

1. ISS World 

Estimated cost: $74 million 

In February of 2020 ISS world, a Denmark based company went down due to a ransomware attack. Thousands of employees were left without access to their systems and emails. This cost them an estimated $74 million which includes regaining control of the affected IT systems and re-launching critical business systems. 

2. Cognizant

Estimated cost: $50 million

A ransomware attack on the organization Cognizant in April of 2020 is said to have cost the company over $50 million, potentially as much as $70 million, including legal and consultation costs and data recovery costs, along with the financial loss reflected in their second-quarter earning in 2020.

3. Sopra Steria 

Estimated cost: $50 million

The company Sopra Steria revealed that they were hit by hackers using a new version of the Ryuk ransomware in October.

They estimate that the fallout, including dealing with the various systems that went out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.

4. Redcar and Cleveland Council 

Estimated cost: $14 million

Redcar and Cleveland Council in the UK suffered an attack on their systems in February of 2020 costing the council an estimated $14 million.  The ransomware attack is said to have disrupted the company’s network, tablets, computers, and mobile devices for 3 full weeks. The council announced that in March, that it could take months for a full recovery and estimated the overall costs to be between $14 - $21 million.

5. Software AG

Estimated cost: $20 million

Software AG is the second-largest software vendor in Germany. They were reportedly hit with the Clop ransomware in an attack in October of 2020. The company disclosed that the ransomware attack disrupted a part of its internal network but didn’t affect customer services. The cybercriminal group responsible demanded a $23 million ransom.

7. Travelex

Estimated cost: $2.3 million

It was reported that Travelex the money exchange firm was hit with a file-encrypting malware attack which shut down its internal networks, website and apps for several weeks. Reportedly Travelex paid a ransom of $2.3 million in BTC to the dark actors to regain access to their data and restore services.

8. University of California San Francisco (UCSF)

Estimated cost: $1.14 million

UCSF was targeted by a malware attack which encrypted servers used by the school of medicine impacting students in June of 2020. The ransomware was prevented from travelling to the core UCSF network and causing more damage. The authorities negotiated with the cybercriminals and UCSF ended up paying approximately $1.14 million in ransom of the $3 million demanded. 

9. Shirbit Insurance 

Estimated cost: $1million

After a cyberattack on the Israeli Insurance provider Shirbit in December of 2020 the attackers demanded roughly $1 million in Bitcoin. In order to pressure the company into paying they demanded immediate payment or an increase in the ransom cost, doubling after 24 hours. Additionally, to show they weren’t empty threats they dumped the first 300 records online, again threatening to dump additional records every 24 hours until they received payment.

10. Communications and Power industries 

Estimated cost: $500,000

California-based Communications & Power Industries (CPI) makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology. The company counts the U.S. Department of Defense and its advanced research unit DARPA as customers. Reportedly, CPI paid $500,000 to obtain the decryption key to unlock their servers and return services.

11. Grubman Shire Meiselas & Sacks 

Estimated cost: $365,000

Grubman Shire Meiselas & Sacks is a law firm that specializes in law for those in the media and entertainment industry. Their clients consist of a range of A-list celebrities and, with such high profile individuals on the line, the stakes for them were extremely high. They were targeted and files encrypted by REvil ransomware. The firm agreed to pay an estimated $365,000, however, the attackers started demanding more afterwards and the company has since kept quiet on what it has or is willing to pay.

12. Tillamook County 

Estimated cost: $300,000

Tillamook county in the US was attacked by cyber attackers in January. The attack interrupted their email network, phone systems and website. After exhausting alternative options, they estimated the costs to restore service would cost well over $1 million and take several years and opted instead to pay the $300,000 ransom. 

Keeping your data and organization secure

1. Never click on suspicious links or any links attached in unsolicited emails. 

2. Back up systems and data continuously. Create a separate data-backup in an external hard drive that is not connected to your computer, so that you don’t have to pay the ransom if a ransomware attack happens.

3. Never disclose personal information over the phone or over email. 

4. Educate employees of cybersecurity best practices and social engineering tactics that may be used against them.

5. Limit employee access to sensitive data to reduce attack surfaces.

OSINT Tools and Mitigating Costly Ransomware Attacks

Early warning of data beaches through OSINT tools can help you predict and prevent cyber attacks as well as enable organizations to take mitigating actions faster. While open-source intelligence tools can’t prevent ransomware, they can help organizations reduce the risks and potential damages. 

OSINT tools can be used by organizations to monitor their supply chains, allowing them to learn of potential disruptions in real-time and enabling them to implement contingency plans fast. 

Additionally, organizations can use tools like Signal to monitor for ransomware and malware currently being used. This can help security teams determine emerging threats being used against other organizations in their industry to better inform ongoing cybersecurity best practices.

Ultimately, by using OSINT to monitor darknet forums and market places security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited, and the most current software being utilized. Armed with this knowledge they are much more able to develop effective countermeasures as well as actively prevent ransomware infection.

Dark web marketplaces are online marketplaces where people can buy and sell illicit goods and services under the protection of the anonymity of the dark web. The goods and services on offer range from leaked credit card details, exploit kits and hackers for hire, to advertisements for hitmen services.

Because of the range of goods and services found for sale, as well as the conversations that occur around these sales, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are normally under intense scrutiny from law enforcement and security professionals alike.

5 Dark Web Marketplaces

People have been organizing illicit trades via the internet since the 1970s. Those early examples though were through closed networks and the actual exchanges of money and goods generally had to take place in person. With the advent of crypto-currencies, it became not only possible to complete trades online without leaving a money trail, but easy. As such, the trading of illegal goods online has become more commonplace and vast dark web marketplaces have been created. 

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road. Silk Road was created by Ross Ulbricht in February 2011. Over the next two years, the Silk Road set the standard for darknet marketplaces. By the time it was shut down in October 2013, and Ross Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.  

ToRReZ

ToRReZ Market is a wallet-less market; which means you only send funds when making an order. The market currently supports four cryptocurrencies: Bitcoin, Monero, Litecoin, and Zcash. Both physical goods such as drugs, and digital goods such as software and credit cards, are sold on ToRReZ Market.

Tor2door

Tor2door is a darknet marketplace that launched in June 2020. The market is built from scratch and has a unique design. Tor2door claims that security and usability are its main priorities. This market is one of the easiest to use and is very simple for inexperienced dark-net users.

Hydra

Hydra is the largest marketplace in the darknet and most popular darknet marketplace in the Russian-speaking sphere. According to the Project news outlet, it is responsible for 64.7 billion rubles ($1 billion) in sales through its 5,000 shops between 2016 and 2019. Although a wide range of illicit goods and services are sold, the site also has a few rules, which are perhaps one of the reasons for its longevity and success. These rules include no fentanyl, no weapons, no sale of hitmen services, viruses, or porn.

Versus Project

Established in 2019, Versus quickly gained a reputation for a user-friendly UI and intuitive search options. It has gained a lot of users and become a popular marketplace due to its focus on security. Buyers can purchase a range of digital goods and services which include illicit drugs, software and malware, and services related to fraud. The marketplace has over 8,400 listings and 500 vendors who communicate in English and accept Bitcoin for transactions.

White House Marketplace (WHM)

White House Market is a dark web marketplace that enforces the use of PGP (Pretty Good Privacy) encryption to just browse the site. The site goes into detail about its security on the About page and explains that it does not store Monero private keys on their servers, which can ease the mind of its users. Although White House Market is a smaller marketplace than the others on this list, it is possible that its ultra-security features and simple, easy-to-use UI will quickly attract more vendors.

Other markets include Icarus market, Dark0de Reborn, Canada HQ, Monopoly Market, and more.

How to Keep Track of Evolving Darknet Marketplaces

There are various active dark web marketplaces. According to Webhose, one of our data providers, there are approximately 20 active leading dark web marketplaces and there are dozens of smaller additional marketplaces. 

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons, for example, law enforcement might close them down, or perhaps to help avoid this fate they frequently change their domain address. It could even be because the admin implemented an exit scam, which is what happened with Empire Market, where the admin team is estimated to have made off with some $30 million worth of Bitcoin in August 2020. 

Because of this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found, as such there is no easy way to navigate the dark web. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find the forums and marketplaces where the important and relevant is you will need to know what you’re looking for and how to look for it.  

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark website to effectively gather usable intelligence. Doing this manually requires vast amounts of resources, however, you also can’t simply scrape the website as such activity can quickly get you banned from a site. 

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The Role of OSINT tools when Monitoring the Dark Web

OSINT tools allow security professionals to effectively and efficiently monitor the surface deep, and dark web. Using Signal you can create targeted searches with Boolean logic, and then run the results through intelligent filters powered by our advanced AI. This process can be automated with real-time SMS and email alerting. 

This reduces the need for skilled professionals to spend all their time manually monitoring the entirety of the web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted on without ever actually having to go onto the dark web or painstakingly gaining access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on auto-pilot, reducing costs while simultaneously increasing efficacy. As cyber-criminals embrace new technologies it’s becoming increasingly necessary for security professionals to do the same in order to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in realtime.

The dark web has grown in popularity over the years as people become increasingly technologically savvy. Using a darknet browser like Tor or I2P allows users to stay anonymous whilst browsing online. 

There could be any number of reasons a person desires anonymity online, and many of those reasons are perfectly legitimate. For example, they might simply have concerns about large companies’ abilities to track their online activity, they might not feel comfortable giving Google all their data. Alternatively, they might live in a place with restrictions on freedom and free speech and necessarily turn to dark web anonymity to access world news or freely share journalism. 

However, the same anonymity which protects those people is also a boon for criminals. It allows them to operate across borders, organize crime, and trade in illegal items, both physical and digital. Additionally, any number of topics can be found on dark web forums being discussed, including extremist ideas, hate speech, threats of violence, or even plans for cyber attacks.

It is this broad array of potentially dangerous activity on the dark web which is of concern for security professionals. By monitoring the dark web with OSINT tools like Signal, security professionals can discover exploit kits targeting their organization, get early alerts of data breaches, and even prevent physical attacks on assets or employees. 

In this article, we take a look at a few of the more common dark web forums and how security professionals can utilize OSINT tools like Signal to more efficiently and effectively monitor threats on the dark web.

About Dark Web Forums as Data Sources 

Because of the anonymity afforded by the dark web, people feel comfortable discussing all manner of things. As such, the dark web, especially dark web forums, is a valuable source of intelligence for security professionals. Monitoring these channels can help expose real and potential threats ranging from planned attacks, both physical and digital, to fraud, data breaches, and more.

Below we take a look at 7 of the largest dark web forums that professionals need to be aware as potential security data sources.

Nulled

Nulled is an online forum board with over 3 million members as of 2020, mostly used by cybercriminals to trade and purchase leaked or hacked information. In 2016 it became known as the target of a data breach which helped law enforcement to obtain information about possible "suspects", who were registered on Nulled.

Dread

Dread is a forum on the darknet that mirrors Reddit’s functionality. It provides the same familiar community discussion boards. The forum takes many ideas from Reddit, such as sub-communities and user moderation responsibilities. The Website manages to mimic this functionality without any JavaScript. The main goal of Dread is to offer a censorship-free forum, but it also offers some services, such as pen testing.

CrackingKing

Cracking King is a community forum that provides tutorials and tools for hackers. Additionally, you can find information about and from data leaks, as well as gain access to their marketplace.

CryptBB

CryptBB, which launched in 2017, started out life as a private English-speaking hacking forum known for its rigorous application policy, only accepting members who passed an interview. They have, however, recently been expanding with a new section of the site for “newbies”.

RaidForums

RaidForums is a site dedicated to sharing hacked databases and tools to perpetrate credential stuffing attacks. They also have an open web version of their site.

FreeHacks

FreeHacks is one of the most popular and one of the largest hacking forums on the web. This Russian community of hackers and cybercriminals gathers its resources to expand and solidify their knowledge base.

HackTown

HackTown is an educational platform. They have numerous courses all of which focus on hacking for profit. The forum aims to educate new hackers and cybercriminals to help them develop their skill sets and successfully pull off fraud attacks, phishing campaigns and more. 

Related: How Can 4chan be Used as a Data Source for Security Intelligence? 

Key Challenges of Dark Web Monitoring for Security Professionals

Security professionals face a number of challenges when it comes to monitoring the dark web. For a start, there is the sheer volume of posts. With each of these forums and market places operating across numerous time zones, they have continuous activity. The most popular of them get tens of thousands of posts a day. Manually monitoring these sites is just not a feasible task.

Secondly, the more explicit dark web forums and market places will require you to create an account and may even go some way to verifying you have the skills to be allowed in. While the anonymity of the dark web means they likely can’t work out exactly where you came from or what your true purpose is on their platform, those that are interested might attempt to get further information out of you to determine your real identity. When creating an account it’s important to make sure it holds no relevance to any other online account you hold if you want to maintain your complete anonymity and don’t become a target of those same criminals you are looking to monitor.

Once you’re into one of these forums or marketplaces you will then need to remain active on the platform, without arousing suspicion otherwise you could have your hard-won access revoked. 

Finally, a lot of hackers on the dark web would be more than willing to turn their talents and attention to you should you accidentally cross them. Some websites will infect your device with malware and any and all links or downloads should be viewed with suspicion. Additionally, if you do click any links you may be taken to the material you don’t want to see that many people would find disturbing. As such, unless you’re confident you can safely and securely navigate the dark web, it may be better to look for safer, more efficient alternatives. 

The Role of OSINT when Monitoring the Dark Web

The Signal OSINT platform works by continuously scanning the surface, deep, and dark web. You can create custom searches using boolean logic and select from several data sources. These search results can then be filtered using our advanced AI and natural language processing (NLP) which enable you to search across languages, determine location, analyze copy in imagery, and even assess the emotional intent behind text through our NLP software Spotlight.

The benefits of having a tool like this for monitoring the dark web include efficient continuous monitoring and assessment of a multitude of sites allowing security teams to monitor more of the web to catch more threats faster. Additionally, they can access this data without ever having to hunt down and access the various dark web forums and marketplaces which is both more secure and much more time-efficient.

This approach allows you to leave your dark web monitoring on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips.

Whether they like it or not, many organizations have been forced to adopt work from home practices to continue operating. Working from home isn’t new. In fact, between 2005 and 2017 the numbers of people that were able to work from home grew 156%. However, it has generally been seen as a bonus rather than a given and more traditional workplaces have been resistant. 

Despite the fact that 49% of office workers have never experienced working from home before, this experiment has largely been a success. Empowered with communication tools like Slack, Microsoft Teams, Google Hangouts. and Zoom, teams have had deep connectivity even from their own living rooms and many organizations have actually seen increased productivity.

Even so, the challenges of working from home are enormous and are invariably compounded by technological difficulties and poor home security practices.

Security teams, in particular, are feeling the pressure. With numerous workers now operating outside the corporate network security controls, new attack vectors have been opened up which are being exploited by cybercriminals.

Cybercriminals Taking Advantage of the Pandemic

Several security providers have put together data sets which show clear spikes in malicious activity since the beginning of the pandemic. McAfee created its own coronavirus dashboard which shows malicious detections quickly growing from the hundreds into the thousands over the last six months. The most common threat type has been Trojans with Spain and the US being clear outliers in the number of threats detected.

As of August, there were nearly 2 million malicious detections against over 5,500 unique organizations. McAfee go into detail about the families and types of attacks that they’ve seen a spike of cases in since the pandemic began.

WFH challenges for security teams

We’ve established that cybercriminals are taking advantage of the security breaches created by a sudden adoption of working from home but what is it exactly that makes working from home lees secure and what exactly are the security flaws threat actors are targeting?

Working from home doesn’t necessarily mean working from home, it could also mean working from anywhere and many workers have already figured that out. This means workers can (in theory) escape their houses and head out to cafes, restaurants, libraries or other public spaces with free WiFi networks. Zoom, with its virtual background feature, has incidentally supported this. The key issue with this is when workers operate on unsecured open networks. 

Ultimately security professionals have to try and ensure device security and data protection in the work from anywhere model - a challenge made significantly harder with over 50% of employees using their own devices during this period. IT teams have tried to make the security transition easier, with some 70% increasing VPN use among employees, however, 1 in 4 workers according to the Morphisec report were unfamiliar with their company’s security protocols.

This challenge for security professionals has resulted in the majority of security professionals seeing a sizeable increase in workload since their companies began corporatewide remote work. And while most of the transition to WFH went smoothly, respondents reported an increase of security incidents, with the top issues including a rise in malicious emails, non-compliant behavior by employees and an increase in software vulnerabilities.

What can be done to improve WFH security?

Security teams have had years to develop best practices for combating the ever-evolving cyber threat landscape. The sudden move to work from home though has shifted power away from them and brought a greater reliance onto workers who simply do not have the expertise to maintain proper cybersecurity protocols. 

Worryingly, 20% of workers said their IT team had not provided any tips as they shifted to working from home. This has opened exploitable attack vectors and introduced new challenges for security professionals. This though isn’t to say that there is nothing that can be done.

Step 1: Control the WFH Environment

This is all about educating employees about best practice and the reasons for these practices when working from home. For example, informing them not to use open networks.

Step 2: Control the WFH Computer

It’s a good idea to supply the computer being used so that you can install the proper security softwares and control access to sites which might offer security risks as well as maintaining control over permissions.

Step 3: Improve your Phishing Responses 

The crossover between home life and work life extends beyond the location. People are more likely to spend time on social media networks and working on private projects than they would be if they were in the office. This opens them up to more phishing campaigns so it’s important they know how to avoid falling for them.

Step 4: Restrict Remote Access to Sensitive Documents and Data

Lockdown permissions and access to sensitive documents and data. If they really need access they can communicate this need with you directly and you can ensure it is done securely and safely. 

Step 5: Monitor Surface, Deep and Dark Web for Emerging Cyber-Threats

Use an OSINT tool like Signal to monitor for cyber threats, planned attacks and data breaches.

Step 6: Encourager VPN Usage

VPNs are a simple and easy way to improve security. It’s worth ensuring the company has a quality VPN service that doesn’t slow a users internet connection unnecessarily as this might persuade workers to turn it off.

Step 7: Don’t Allow Split-Tunnels

Split-tunnelling allows a user to access networks through both the encrypted VPN service and a potentially unsecure network simultaneously.

The Role of Threat Intelligence for Improving Work From Home Cybersecurity

One of the key benefits of using an OSINT solution like Signal is the ability to create customized searches with Boolean logic to uncover hyper-relevant threats in real-time with SMS and email alerts. 

Ways that this has been used in the past to improve cybersecurity include:

• Early detection of data breaches. The average cost of a data breach in 2020 is $3.86 million. The earlier you catch a data breach the faster you can take action to mitigate the associated financial and reputational damage.

• Discovery of new cyberattack strategies, exploit kits, phishing tactics which were talked about or for sale on the dark web.

• Organizations have uncovered attacks that are yet to be carried out. This is true for both physical attacks against an asset or person as well as cyberattacks. For example, details of a phishing strategy and the targets within the organization were discovered after being talked about in a darknet forum. 

• Monitor employee online activity. For example, this can allow security teams to identify employees who have been targeted and even blackmailed by cyber attackers for access to company data.

The dark web isn’t inherently bad or evil. It’s not illegal to be anonymous on the web. However, the unfortunate truth is that there are plenty of people who are willing to take advantage of the anonymity lent by the dark web and to undertake some form of illicit activity.

Cybercriminals use the dark web as a means to communicate about all manner of activities, from planning cyberattacks to the selling of illegal goods or stolen data.

On top of this, with distrust growing towards governing bodies and large corporations around data privacy dark web communities are thriving. More people are becoming familiar with the dark web for both legitimate and illegitimate reasons, a fact that should cause security professionals increasing concern.

On the flip side, many security professionals actually shy away from the dark web. It is an online region surrounded by an ether of mystery and myth. However, while certain parts of the dark web should only be accessed with the utmost skill and caution, the basics of the dark web need to be understood by all members of the security community.

The difficulties of accessing dark web forums

There are numerous challenges that security professionals face when they come face to face with the dark web. The first of which is actually finding the dark web forums where illicit activity is taking place.

The first step to locationg dark websites is through various directory lists. These easy to locate sites and forums, however, are unlikely to be where the really important things are happening. Instead it’s more likely to be filled with amateurs and more innocent activity. Additionally, these lists often become outdated quickly as dark web domains change frequently.

In order to locate more relevant darknet forums for the purposes of security research, there are strategies which can be employed, for example, snowball sampling.

Snowball sampling is a method which involves creating a web crawler that takes a root URL and crawls the website for outgoing links. Generally, this will then return a large number of dark web URLs. This works particularly well for dark web forums as people often link to other sites in comments or posts. Done incorrectly though could draw attention to your bot and have the admin block you.

The dangers of accessing dark web forums

Accessing the dark web should be done with care and caution. It is in some ways like the last frontier, the wild west. It provides a training ground for new techniques and strategies for experienced and inexperienced hackers alike. For a security professional, getting to know these new techniques is vital for the efficacy of your security strategies.

A few key safety concerns and the dangers of the dark web are as follows:

• Breaking the law. Law enforcement officials operate on the dark web to catch people engaged in criminal activity. Like others on the dark web, law enforcement can do their work under a cloak of anonymity. It’s important to remember that you can be prosecuted for things you do on the dark web and thus to behave in an appropriate and legal manner.  

• Viruses. Unsurprisingly a lot of hackers on the dark web would be more than willing to turn their talents and attention to you should you accidentally cross them. Some websites will infect your device with viruses and any and all links or downloads should be viewed with suspicion. There are a lot of viruses to watch for, from ransomware to spyware and everything in between. Additionally, if you do click any links you may be taken to the material you don’t want to see that many people would find disturbing. 

• Webcam hijacking. It’s smart practice to cover your webcam with a piece of tape or plastic when you’re not using it. This is because some people may attempt to gain access to your device’s webcam by using a remote administration tool (RAT). The risk of this happening increases exponentially when you enter the dark web.

Remember: You use the dark web at your own risk and you should take necessary security precautions such as disabling scripts and using a VPN service.

Why do security professionals need to surveil dark web forums?

We’ve talked about the dangers and difficulties of accessing and finding relevant dark web forums for security research. Why though should accessing these dark web forums be a priority for security professionals and how can one effectively monitor these forums for potential threats?

Identify new hack strategies. 

The dark web is where many cyber criminals go to learn as well as to purchase things like exploit kits. Monitoring the dark web, being able to investigate and understand the methods and mindsets of hackers is essential to enable security professionals to develop counter strategies.

Discover physical threats or plans against your organization or executives.

Terrorist organizations, violent far-right dissenters, and others who intend to commit or openly discuss violence against others can be found on dark web forums. One example of this is the shooting which took place in a mosque in New Zealand on the 15 March 2019 which killed 51 people.

This attack was talked about before and during the attack on forums such as 8chan. Pictures of the weapons that would be used were shared along with a 74 page manifesto. Conversations around the event appeared with numerous like-minded individuals actively in support.

This is an extreme, worst-case scenario. But it absolutely highlights the necessity for security teams to have the tools to effectively monitor dark web forums.

Listen and filter noise around your organization’s name. 

There is a lot of noise on the internet. Inevitably some of it may be about your organization and it’s more than likely that not all of it will be good noise. Because of the nature of dark web forums, there is an increased likelihood of discovering negative noise about or relating to your organization.

With the right tools, such as Signal paired with our emotional analysis tool Spotlight, you can identify persons of interest and more closely monitor future activity around them. 

Additionally, discussions around stolen data for sale, as well as things like exploit kits are often discussed on the dark web. Identifying these threats as soon as they appear will allow you to take appropriate action to mitigate these threats and reduce any potential damages.

Dark web monitoring solutions: Signal OSINT platform

With an ever increasing amount of Cyber activity it is more important than ever for organizations to mitigate the potential risks of cyber threats, attacks, and data breaches. As the traditional Physical Security and Cyber Security worlds converge, Signal cyber feeds provide the ability to expand areas of interest and boost potential Cyber threat intelligence.

Cyber feeds that are accessible with a Signal subscription include:

• Onion/Tor – Anonymous network requiring Tor browser (AKA as Dark Web)

• I2P – Invisible Internet Project

• ZeroNet – decentralized web-like network of peer-to-peer users

• Open Bazaar – a fully decentralized marketplace

• Telegram – a cloud-based instant messaging and voice over IP service

• Discord – a VOIP application and digital distribution platform

• IRC Chat – instant relay chat

The information available on these additional Cyber feeds can help identify a number of potential scenarios including;

• Hacking for hire

• Compromised accounts & servers

• Sale of financial data

• Sale of counterfeit and/or stolen goods

• Money laundering

• Sale and/or publication of personal information such as SSN, email, phone numbers

• Discussions on and/or exposure of data breaches

Related: What is OSINT and how is it used for Corporate Security?

Supply chain operations can be vast and while globalisation and digital technologies are making the world a smaller place in many ways, they are simultaneously increasing the number of potential vulnerabilities that security teams and supply chain managers need to monitor. Current threats to the logistics sector range from piracy, which has been experiencing a resurgence in recent years, to terrorism, to DDoS attacks, malware or data breaches.

The range of potential threats is exacerbated by the particular vulnerabilities of the supply chain and the sheer size and scope of the operations involved. For example, around 90% of the entirety of global trade flows through only 39 bottleneck regions. An effective attack on any of these 39 traffic heavy logistics hubs would have far-reaching and knock-on consequences impacting billions of dollars worth of trade. 

One example is the Hong Kong - Shenzhen freight cluster where nearly 15% of both container and air freight traffic moves through. Additionally, there is a selection of geographic chokepoints such as the Panama Canal or the Strait of Malacca where a successful attack could effectively halt a vast amount of freight.

If this wasn’t enough digitisation has increased the number of threat vectors that logistics companies need to consider. This increase in vulnerability needs to be addressed with effective security measures such as real-time data collected through Open Source Intelligence (OSINT) software.

How Can Transport and Logistics Companies Secure their Supply Chains?

Ensuring secure passage 

One of the key concerns, and one of the oldest, that logistics and transport companies have to contend with are the tangible and physical security threats; terrorism and piracy being the obvious examples. Organisations need real-time information to carefully and continuously assess the threat level, implications, and risks surrounding these physical security concerns.

Using these analyses organisations can then determine strategies to mitigate these threats as well as determine contingency plans for worst-case scenarios. They will need to be able to adapt and respond quickly to events as risk levels change. Supply chain managers across all industries will need to take into account higher transport costs, longer travel times, and potential problems meeting schedules when alternative transport routes are used

Fundamentally these risk management strategies hinge on having all of the information available on emerging and current threats. To be able to respond in a timely fashion it is absolutely necessary for supply chain managers and security teams to have the most up to date data. Being caught unawares could have far-reaching and even devastating consequences. And in some cases, business models based on time-critical deliveries may be squeezed out of the market. 

Keeping cyber space safe 

Cyber security is a secondary consideration for many logistics and transport companies. However, it is a security concern that should be receiving increasing levels of attention as “cyber criminals are evolving their tradecraft with new innovations and increasingly automating their attacks”, according to the 2020 Global Threat Intelligence Report (GTIR) by NTT Ltd. 

You only have to look back to 2017 for a clear example of what can happen should a logistics operator be caught unaware by malware. In this scenario the shipping giant Maersk had their IT systems taken out by a vicious malware called NotPetya. With roughly one container shipping into port every 15 minutes you can imagine the logistical nightmare that ensued as the company was forced to turn to manual processes to keep things moving. It was estimated that the delayed operations, lost revenue, and the process of completely rebuilding their IT systems cost Maersk upwards of $300 million.

NotPetya, developed by the Russian military, was targeting businesses in Ukraine – but the malware quickly got out of hand. Soon it was spreading around the world, taking down networks and causing billions of dollars in damage and lost revenue. Meaning, in this scenario, Maersk was simply collateral damage.

Despite this, according to The State of Logistics Technology Report 2019 by EFT, “the logistics industry is still not seeing security as a primary part of business operations” even with clear examples of what can happen. In this report, researchers surveyed more than 500 industry professionals with questions relating to cybersecurity and found: 

• Only 35% of solutions/service providers have a Chief Information Security Officer (CISO) in place;

• Only 43% of shipping companies have a CISO;

• Only 21% of logistics companies believe they even need a CISO.

Transportation is already heavily reliant on Information Communication Technology (ICT), and virtual threats are growing in frequency and complexity. For this reason, cyber threats are an increasingly worrisome problem across multiple industries. Additionally, for transportation and logistics cyber attacks as part of an attack designed to induce physical damage is an additional attack vector of increasing commonality.

OSINT Software for a More Secure Future

Some organisations operate with hundreds of individual suppliers. Disruption to any of these suppliers anywhere along the supply chain could have costly ramifications. Maersk is just one example of this, operations weren’t returned to normal for nearly two weeks, and even with employees across the company going above and beyond to maintain operational efficiencies, losses for customers and themselves quickly climbed into the millions.

Security investments provide a payback not only in terms of loss prevention but also by enhancing supply chain performance. When it comes to security and supply chain management, it’s especially important to look at future scenarios and manage security proactively. Reacting to crisis situations is not enough. Companies have to find the right combination of preventive and reactive measures to achieve the optimal level of supply chain security. 

Executives should keep an eye on so-called wildcard events too. That means looking at the possible financial impact, the relative vulnerability of their business model and their company’s ability to react to low-probability, high-impact events. 

How Signal is Already Helping Secure Logistics Supply Chains

Signal Open Source Intelligence software allows you to gather hyper-relevant real-time data giving users a clear oversight of their often vast supply chain operations. 

This means they will have details of potential disruptions or cyber-attacks before, or as, they are happening allowing them to implement their contingency plans in a timely fashion and prevent unnecessary financial losses.

Sites on the dark web are marketplaces for emerging cyber threats. As such, these are rich sources of intelligence, often relevant to a broad spectrum of potential targets.

Signal’s AI and emotion analysis paired with customisable alerts allows you to identify potential relevant threats from sites on the dark web to other threat sources, enabling you to more quickly identify, profile, and mitigate risks to your organization.

Cybersecurity Threats from the Dark Web

With enough knowledge, you can create actionable insights. To understand and counter cyber threats we need developed intelligence and actionable insights and details of those threats.

Three of the main forms of threat identified on the dark web are: 

• Physical threats. 

• Data for sale online. 

• Fraudulent activity.

What we know is that the darknet contains difficult-to-locate hacker websites and tools which are the basis of cybersecurity threats. To understand how to counter these cyber-threats, we need to develop intelligence about the details of those threats.

Before we start looking at how that intelligence is gathered, let’s look first at what sort of things we are looking for. 

Content to Look out for on the Darknet

The darknet isn’t itself criminal or illegal. Rather it provides a platform of anonymity which makes it a very attractive prospect for criminals. There have been cases where contract killers have been hired, or terrorist cells have organised attacks.

On top of this, the darknet hosts various items related to cybercriminals as well as the more traditional criminal activities. It is worth noting though that the majority of traffic that goes through Tor browsers is not criminal activity.

1. Malware

You don’t need to be a proficient software coder any longer to become a hacker. Malware, and things like phishing and exploit kits, are freely available to purchase on the dark web if you know where to look.

2. Data for Sale

It’s common to discover stolen data for sale on the dark web. This often includes non sensitive data such as account logins and email addresses which will be used in credential stuffing attacks. However, more concerning is the amount of credit card and PII (Personal Identifiable Information) that can be found for sale.

Read: Mitigating the threat of credential stuffing.

3. Cyber Security Vulnerabilities

Another item hackers and cybercriminals sell on the dark web are “exploits”. These are when exploitable vulnerabilities in a companies security is discovered. Then the cybercriminal sells the exploit to a hacker who can use the information to create tailored malware.

On a positive note, it has been found that the number of exploits for sale on the dark web have declined in recent years. One potential reason for this decline is due to an increasing number of companies offering a bug bounty program. These programs offer a legitimate financial reward to those that discover potential security flaws.

4. Distributed Denial of Service (DDoS) BOts and Tools

Kaspersky has found that cybercriminals are reaping rewards of up to 95% profit by selling DDoS-as-a-service. Cybercriminals offer a sophisticated pricing plan for customers wanting to attack websites. Cheap and dangerous darknet botnets, for sale from $20, can cause havoc.

5. Discussion Forums for Cyber Criminals

Hackers come together on darknet forums to plan, share details, and exchange goods and information. And while the use of a Tor browser grants them anonymity, discovering their conversation allows security teams to potentially spot threats as or even before they are emerging.

What is Darknet Intelligence?

The darknet hosts a huge amount of valuable insights and data that could make all the difference to your security teams success. Understanding the kind of information you are looking for and how the dark web is used by cyber criminals allows you to effectively monitor criminal forums on the dark web and evolve effective plans to counter impending threats.

However, there is one fundamental problem. How do you do efficiently scan or monitor the dark web? 

Due to the nature and structure of the dark web, finding relevant sources, gaining access to criminal forums, and obtaining information is a huge undertaking that requires specialised knowledge. 

Manually Gathering Darknet Intelligence

Skilled security analysts can spend time building up knowledge around darknet based threats, locating relevant forums and gathering access via pseudonyms. Understandably this approach is wrought with difficulties such as:

• Expense.

  A skilled security analyst is expensive, the average salary being over $99,000 a year. And there aren’t that many out there. By 2022 there will be an estimated shortfall of around 1.8 million skilled cybersecurity professionals. 

• Efficiency.

  The darknet is disparate and deep. The names dark web or darknet are themselves misnomers. They suggest that the dark web exists somewhat like the World Wide Web in a state of connectivity. However, many of the websites on the dark web, especially the criminal ones do not want to be found. They aren’t indexed and other sites don’t link to them. Many of them require you to form an account and to be vetted by admin before you can gain access. 

  One individual is going to have an incredibly hard time finding, gaining access to and manually monitoring relevant dark web sites. One solution could be employing a team of security analysts - however, that brings us back to the first point; expense.

• The changing nature of the darknet.

  Sites on the darknet come and go quickly. Again this is especially true for the criminal websites that you would want to be monitoring. This means that anybody wanting to monitor these sites would need to regularly research and find the same sites as well as continuously looking for new ones.

Thankfully, there is an alternative and you don’t need to waste hours of a skilled analysts time trawling through an almost endless see of data in the dark. This alternative requires you to utlize automation tools such as Signal or our recently launched product LERTR. 

Automating Darknet Intelligence with Signal or LERTR

Darknet intelligence-gathering tools work by running automated searches of darknet websites and forums. Using Signal you can create customised alerts filtered via specific keywords, phrases or even locations. We also have a built-in translation tool so that data can be searched across languages and automatically translated into your default language.

On top of this, you can run alerts through our emotional analysis tool to determine how much of a threat any particular alert is. Finally, get our optional Sapphire bolt-on and utilise our skilled data analysts to further refine your results. 

This approach allows your leave your dark web monitoring on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips.

All of this allows you to gather actionable intel in realtime.

How are data breaches of non-sensitive data used by cybercriminals?

When it comes to cyberattacks having detailed situational awareness and the ability to quickly sift through open-source data and information on the surface, deep, and dark web allows businesses and financial institutions to quickly determine potential risks and take necessary precautionary actions fast. This can help mitigate threats posed by cybercriminals, reducing the security spending and costs surrounding the fallout after criminals successfully commit fraud through the use of leaked data.

In this article, we explore a growing concern for a number of businesses which poses increased year on year risk, with increasingly costly repercussions - credential stuffing. We answer the following questions and more: what is credential stuffing? Why does it pose a severe security risk? And how can dark web monitoring and social media monitoring be used to mitigate the threat of data breaches?

What is credential stuffing?

Many businesses assume that non-sensitive customer data has little value to a cyber-criminal.

In fact, in a recent study, it was found that a number of businesses didn’t even password protect cloud-stored customer data. Meaning anyone could have come along and downloaded the entirety of those databases.

What is even more worrying, is that many data breaches go entirely undetected. 

Credential stuffing is a tactic growing in popularity that weaponises non-sensitive stolen credentials (eg. usernames and passwords) against websites and mobile applications. Large volumes of stolen account logins are tested against other website login pages to gain unauthorised access to accounts, in order to commit fraud. 

The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing. The vulnerability is simply having a login form and having users.

Whilst the strike rate is low - think a few successes for every thousand attempts - there are billions of stolen credential pairs in the hands of cybercriminals. 

In 2018 there were 2.8 billion credentials stuffing attempts reported in the US alone. And this number is only rising. Which goes to show just how much of a threat credential stuffing has become.

On top of this, a skilled hacker, using a throttled bot with multiple Autonomous Systems Numbers (ASNs) and IP addresses can remain undetected for long periods of time, allowing them to try potentially millions of login combinations without anyone knowing anything untoward is happening. 

What are the cybercriminal’s goals?

“It is a misconception that only financial information like payment card numbers or bank accounts has monetary value to data thieves.” - Source

Obviously, the most valuable data for cybercriminals is going to lead them to bank account and credit card details. These they can use directly to access a persons money. In 2019 though, there was a significant decrease in the amount of sensitive data exposed. Going from a reported 471 million records in 2018, down to 164 million in 2019. It’s worth noting though that the Marriot breach in 2018 did skew the records there with over 300 million sensitive records exposed in that single data breach.

However, there are numerous ways a cybercriminal can benefit from accessing another persons account data through credential stuffing of purportedly non-sensitive data. These strategies will be tailored to the sites they gain access to and can lead to various forms of identity fraud and phishing scams.

Part of the reason this indirect strategy is growing in popularity with cybercriminals is that sensitive data is becoming better and better protected by corporations and financial institutes. However, this somewhat simplistic approach creates a serious vulnerability to any company. 

Credential stuffing is costing businesses millions each year. Not just in the follow-up costs of a cyber attack and the ramifications of fraud, but from increases inIT security spending, potential lost revenue from lost customers, and application downtime. This, according to one study by Akamai is costing companies an estimated $4 million a year.

Who is most at threat?

When it comes to what this looks like in real life you only have to take a cursory glance at the numbers to have cause for concern. In 2019 it was reported that a total of 869,857,509 records were stolen by cybercriminals in the US - and it’s likely that many more stolen records went either undetected or unreported.

The majority of that data, around 750 million records, was non-sensitive data, that will largely find its way to the hands of cybercriminals who will use it for credential stuffing. 

The credential stuffing technique can be used against any company with a login page. 

“Up to 83%  of people - according to 2018 research - use the same password for more than one account.”

Consumers face growing complexity in password requirements, with various length requirements, plus symbols and numbers - this has actually encouraged many users to find a single password that fits the bill and they’ve then reused that password or variations of it across numerous account logins. This is then paired with a growing number of individuals who have access varying levels of technology and might not know how to best protect their data.

What can be done to mitigate the threat of credential stuffing?

People are always talking about having better online security but no one ever talks about what happens after a data breach or after being hacked. 

As the old saying goes, “hope for the best, but plan for the worst.” A growing number of companies are on the receiving end of cyberattacks and it is leading to an increasing number of data breaches. 

Shoring up online and cybersecurity is absolutely vital. However, it may well not be you who is hacked, instead a victim of the credential stuffing technique. One thing to do is to require two-factor authentication. But even this isn’t flawless as the hacker may well have access to that user’s email account as well. 

So, what can businesses do to mitigate the growing threat of credential stuffing? Often hackers responsible for the data breach won’t use all the data themselves. Instead, they’ll turn to the dark web where they can anonymously sell the data instead.

This is where threat intelligence software like Signal comes in. Signal allows for users to monitor the dark web without needing a Tor browser. With threat intelligence software like Signal one can do much more than just monitor the dark web though.

Users can set up alerts for keywords and monitor dozens of channels instantly generating alerts for users based on their search queries. What this means is that as soon as leaked data goes up for sale on the dark web - or as soon as anyone talks about purchasing records gained through illegal or forced access to your database you will know.

You can then take precautionary actions to mitigate the potential threat. For example, warning customers of potentially exposed data so that they can secure any logins with the same password, force resetting customer passwords, and reporting the incident to the authorities.

In one recent example, it was found that an employee of a bank, stole over 3 million sensitive records from their company database. They then went away and bragged about it on social media and on various dark web forums (like 8chan). These set off immediate alerts through the Signal system and action was able to be taken, the data was recovered before it changed hands and the employee faced the legal ramifications of their actions.

Because Signal uses open-source data all evidence and information gathered through its channels are able to be used as actionable intelligence.

Related: Black Hat Brags about Bank Hack Signal Could have Spotted

Detect and remedy data breaches fast with Signal

Get in contact to learn more, or request a demo using the options below: info@signalpublicsafety.com

Resources and Further Research

• akamai.com/uk/en/multimedia/documents/state-of-the-internet/soti-2018-credential-stuffing-attacks-report (pdf)

• idtheftcenter.org/2019-data-breaches/ (pdf)