Dark web marketplaces are online marketplaces where people can buy and sell illicit goods and services under the protection of the anonymity of the dark web. The goods and services on offer range from leaked credit card details, exploit kits and hackers for hire, to advertisements for hitmen services.

Because of the range of goods and services found for sale, as well as the conversations that occur around these sales, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are normally under intense scrutiny from law enforcement and security professionals alike.

5 Dark Web Marketplaces

People have been organizing illicit trades via the internet since the 1970s. Those early examples though were through closed networks and the actual exchanges of money and goods generally had to take place in person. With the advent of crypto-currencies, it became not only possible to complete trades online without leaving a money trail, but easy. As such, the trading of illegal goods online has become more commonplace and vast dark web marketplaces have been created. 

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road. Silk Road was created by Ross Ulbricht in February 2011. Over the next two years, the Silk Road set the standard for darknet marketplaces. By the time it was shut down in October 2013, and Ross Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.  

ToRReZ

ToRReZ Market is a wallet-less market; which means you only send funds when making an order. The market currently supports four cryptocurrencies: Bitcoin, Monero, Litecoin, and Zcash. Both physical goods such as drugs, and digital goods such as software and credit cards, are sold on ToRReZ Market.

Tor2door

Tor2door is a darknet marketplace that launched in June 2020. The market is built from scratch and has a unique design. Tor2door claims that security and usability are its main priorities. This market is one of the easiest to use and is very simple for inexperienced dark-net users.

Hydra

Hydra is the largest marketplace in the darknet and most popular darknet marketplace in the Russian-speaking sphere. According to the Project news outlet, it is responsible for 64.7 billion rubles ($1 billion) in sales through its 5,000 shops between 2016 and 2019. Although a wide range of illicit goods and services are sold, the site also has a few rules, which are perhaps one of the reasons for its longevity and success. These rules include no fentanyl, no weapons, no sale of hitmen services, viruses, or porn.

Versus Project

Established in 2019, Versus quickly gained a reputation for a user-friendly UI and intuitive search options. It has gained a lot of users and become a popular marketplace due to its focus on security. Buyers can purchase a range of digital goods and services which include illicit drugs, software and malware, and services related to fraud. The marketplace has over 8,400 listings and 500 vendors who communicate in English and accept Bitcoin for transactions.

White House Marketplace (WHM)

White House Market is a dark web marketplace that enforces the use of PGP (Pretty Good Privacy) encryption to just browse the site. The site goes into detail about its security on the About page and explains that it does not store Monero private keys on their servers, which can ease the mind of its users. Although White House Market is a smaller marketplace than the others on this list, it is possible that its ultra-security features and simple, easy-to-use UI will quickly attract more vendors.

Other markets include Icarus market, Dark0de Reborn, Canada HQ, Monopoly Market, and more.

How to Keep Track of Evolving Darknet Marketplaces

There are various active dark web marketplaces. According to Webhose, one of our data providers, there are approximately 20 active leading dark web marketplaces and there are dozens of smaller additional marketplaces. 

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons, for example, law enforcement might close them down, or perhaps to help avoid this fate they frequently change their domain address. It could even be because the admin implemented an exit scam, which is what happened with Empire Market, where the admin team is estimated to have made off with some $30 million worth of Bitcoin in August 2020. 

Because of this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found, as such there is no easy way to navigate the dark web. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find the forums and marketplaces where the important and relevant is you will need to know what you’re looking for and how to look for it.  

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark website to effectively gather usable intelligence. Doing this manually requires vast amounts of resources, however, you also can’t simply scrape the website as such activity can quickly get you banned from a site. 

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The Role of OSINT tools when Monitoring the Dark Web

OSINT tools allow security professionals to effectively and efficiently monitor the surface deep, and dark web. Using Signal you can create targeted searches with Boolean logic, and then run the results through intelligent filters powered by our advanced AI. This process can be automated with real-time SMS and email alerting. 

This reduces the need for skilled professionals to spend all their time manually monitoring the entirety of the web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted on without ever actually having to go onto the dark web or painstakingly gaining access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on auto-pilot, reducing costs while simultaneously increasing efficacy. As cyber-criminals embrace new technologies it’s becoming increasingly necessary for security professionals to do the same in order to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in realtime.

The dark web has grown in popularity over the years as people become increasingly technologically savvy. Using a darknet browser like Tor or I2P allows users to stay anonymous whilst browsing online. 

There could be any number of reasons a person desires anonymity online, and many of those reasons are perfectly legitimate. For example, they might simply have concerns about large companies’ abilities to track their online activity, they might not feel comfortable giving Google all their data. Alternatively, they might live in a place with restrictions on freedom and free speech and necessarily turn to dark web anonymity to access world news or freely share journalism. 

However, the same anonymity which protects those people is also a boon for criminals. It allows them to operate across borders, organize crime, and trade in illegal items, both physical and digital. Additionally, any number of topics can be found on dark web forums being discussed, including extremist ideas, hate speech, threats of violence, or even plans for cyber attacks.

It is this broad array of potentially dangerous activity on the dark web which is of concern for security professionals. By monitoring the dark web with OSINT tools like Signal, security professionals can discover exploit kits targeting their organization, get early alerts of data breaches, and even prevent physical attacks on assets or employees. 

In this article, we take a look at a few of the more common dark web forums and how security professionals can utilize OSINT tools like Signal to more efficiently and effectively monitor threats on the dark web.

About Dark Web Forums as Data Sources 

Because of the anonymity afforded by the dark web, people feel comfortable discussing all manner of things. As such, the dark web, especially dark web forums, is a valuable source of intelligence for security professionals. Monitoring these channels can help expose real and potential threats ranging from planned attacks, both physical and digital, to fraud, data breaches, and more.

Below we take a look at 7 of the largest dark web forums that professionals need to be aware as potential security data sources.

Nulled

Nulled is an online forum board with over 3 million members as of 2020, mostly used by cybercriminals to trade and purchase leaked or hacked information. In 2016 it became known as the target of a data breach which helped law enforcement to obtain information about possible "suspects", who were registered on Nulled.

Dread

Dread is a forum on the darknet that mirrors Reddit’s functionality. It provides the same familiar community discussion boards. The forum takes many ideas from Reddit, such as sub-communities and user moderation responsibilities. The Website manages to mimic this functionality without any JavaScript. The main goal of Dread is to offer a censorship-free forum, but it also offers some services, such as pen testing.

CrackingKing

Cracking King is a community forum that provides tutorials and tools for hackers. Additionally, you can find information about and from data leaks, as well as gain access to their marketplace.

CryptBB

CryptBB, which launched in 2017, started out life as a private English-speaking hacking forum known for its rigorous application policy, only accepting members who passed an interview. They have, however, recently been expanding with a new section of the site for “newbies”.

RaidForums

RaidForums is a site dedicated to sharing hacked databases and tools to perpetrate credential stuffing attacks. They also have an open web version of their site.

FreeHacks

FreeHacks is one of the most popular and one of the largest hacking forums on the web. This Russian community of hackers and cybercriminals gathers its resources to expand and solidify their knowledge base.

HackTown

HackTown is an educational platform. They have numerous courses all of which focus on hacking for profit. The forum aims to educate new hackers and cybercriminals to help them develop their skill sets and successfully pull off fraud attacks, phishing campaigns and more. 

Related: How Can 4chan be Used as a Data Source for Security Intelligence? 

Key Challenges of Dark Web Monitoring for Security Professionals

Security professionals face a number of challenges when it comes to monitoring the dark web. For a start, there is the sheer volume of posts. With each of these forums and market places operating across numerous time zones, they have continuous activity. The most popular of them get tens of thousands of posts a day. Manually monitoring these sites is just not a feasible task.

Secondly, the more explicit dark web forums and market places will require you to create an account and may even go some way to verifying you have the skills to be allowed in. While the anonymity of the dark web means they likely can’t work out exactly where you came from or what your true purpose is on their platform, those that are interested might attempt to get further information out of you to determine your real identity. When creating an account it’s important to make sure it holds no relevance to any other online account you hold if you want to maintain your complete anonymity and don’t become a target of those same criminals you are looking to monitor.

Once you’re into one of these forums or marketplaces you will then need to remain active on the platform, without arousing suspicion otherwise you could have your hard-won access revoked. 

Finally, a lot of hackers on the dark web would be more than willing to turn their talents and attention to you should you accidentally cross them. Some websites will infect your device with malware and any and all links or downloads should be viewed with suspicion. Additionally, if you do click any links you may be taken to the material you don’t want to see that many people would find disturbing. As such, unless you’re confident you can safely and securely navigate the dark web, it may be better to look for safer, more efficient alternatives. 

The Role of OSINT when Monitoring the Dark Web

The Signal OSINT platform works by continuously scanning the surface, deep, and dark web. You can create custom searches using boolean logic and select from several data sources. These search results can then be filtered using our advanced AI and natural language processing (NLP) which enable you to search across languages, determine location, analyze copy in imagery, and even assess the emotional intent behind text through our NLP software Spotlight.

The benefits of having a tool like this for monitoring the dark web include efficient continuous monitoring and assessment of a multitude of sites allowing security teams to monitor more of the web to catch more threats faster. Additionally, they can access this data without ever having to hunt down and access the various dark web forums and marketplaces which is both more secure and much more time-efficient.

This approach allows you to leave your dark web monitoring on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips.

The dark web isn’t inherently bad or evil. It’s not illegal to be anonymous on the web. However, the unfortunate truth is that there are plenty of people who are willing to take advantage of the anonymity lent by the dark web and to undertake some form of illicit activity.

Cybercriminals use the dark web as a means to communicate about all manner of activities, from planning cyberattacks to the selling of illegal goods or stolen data.

On top of this, with distrust growing towards governing bodies and large corporations around data privacy dark web communities are thriving. More people are becoming familiar with the dark web for both legitimate and illegitimate reasons, a fact that should cause security professionals increasing concern.

On the flip side, many security professionals actually shy away from the dark web. It is an online region surrounded by an ether of mystery and myth. However, while certain parts of the dark web should only be accessed with the utmost skill and caution, the basics of the dark web need to be understood by all members of the security community.

The difficulties of accessing dark web forums

There are numerous challenges that security professionals face when they come face to face with the dark web. The first of which is actually finding the dark web forums where illicit activity is taking place.

The first step to locationg dark websites is through various directory lists. These easy to locate sites and forums, however, are unlikely to be where the really important things are happening. Instead it’s more likely to be filled with amateurs and more innocent activity. Additionally, these lists often become outdated quickly as dark web domains change frequently.

In order to locate more relevant darknet forums for the purposes of security research, there are strategies which can be employed, for example, snowball sampling.

Snowball sampling is a method which involves creating a web crawler that takes a root URL and crawls the website for outgoing links. Generally, this will then return a large number of dark web URLs. This works particularly well for dark web forums as people often link to other sites in comments or posts. Done incorrectly though could draw attention to your bot and have the admin block you.

The dangers of accessing dark web forums

Accessing the dark web should be done with care and caution. It is in some ways like the last frontier, the wild west. It provides a training ground for new techniques and strategies for experienced and inexperienced hackers alike. For a security professional, getting to know these new techniques is vital for the efficacy of your security strategies.

A few key safety concerns and the dangers of the dark web are as follows:

• Breaking the law. Law enforcement officials operate on the dark web to catch people engaged in criminal activity. Like others on the dark web, law enforcement can do their work under a cloak of anonymity. It’s important to remember that you can be prosecuted for things you do on the dark web and thus to behave in an appropriate and legal manner.  

• Viruses. Unsurprisingly a lot of hackers on the dark web would be more than willing to turn their talents and attention to you should you accidentally cross them. Some websites will infect your device with viruses and any and all links or downloads should be viewed with suspicion. There are a lot of viruses to watch for, from ransomware to spyware and everything in between. Additionally, if you do click any links you may be taken to the material you don’t want to see that many people would find disturbing. 

• Webcam hijacking. It’s smart practice to cover your webcam with a piece of tape or plastic when you’re not using it. This is because some people may attempt to gain access to your device’s webcam by using a remote administration tool (RAT). The risk of this happening increases exponentially when you enter the dark web.

Remember: You use the dark web at your own risk and you should take necessary security precautions such as disabling scripts and using a VPN service.

Why do security professionals need to surveil dark web forums?

We’ve talked about the dangers and difficulties of accessing and finding relevant dark web forums for security research. Why though should accessing these dark web forums be a priority for security professionals and how can one effectively monitor these forums for potential threats?

Identify new hack strategies. 

The dark web is where many cyber criminals go to learn as well as to purchase things like exploit kits. Monitoring the dark web, being able to investigate and understand the methods and mindsets of hackers is essential to enable security professionals to develop counter strategies.

Discover physical threats or plans against your organization or executives.

Terrorist organizations, violent far-right dissenters, and others who intend to commit or openly discuss violence against others can be found on dark web forums. One example of this is the shooting which took place in a mosque in New Zealand on the 15 March 2019 which killed 51 people.

This attack was talked about before and during the attack on forums such as 8chan. Pictures of the weapons that would be used were shared along with a 74 page manifesto. Conversations around the event appeared with numerous like-minded individuals actively in support.

This is an extreme, worst-case scenario. But it absolutely highlights the necessity for security teams to have the tools to effectively monitor dark web forums.

Listen and filter noise around your organization’s name. 

There is a lot of noise on the internet. Inevitably some of it may be about your organization and it’s more than likely that not all of it will be good noise. Because of the nature of dark web forums, there is an increased likelihood of discovering negative noise about or relating to your organization.

With the right tools, such as Signal paired with our emotional analysis tool Spotlight, you can identify persons of interest and more closely monitor future activity around them. 

Additionally, discussions around stolen data for sale, as well as things like exploit kits are often discussed on the dark web. Identifying these threats as soon as they appear will allow you to take appropriate action to mitigate these threats and reduce any potential damages.

Dark web monitoring solutions: Signal OSINT platform

With an ever increasing amount of Cyber activity it is more important than ever for organizations to mitigate the potential risks of cyber threats, attacks, and data breaches. As the traditional Physical Security and Cyber Security worlds converge, Signal cyber feeds provide the ability to expand areas of interest and boost potential Cyber threat intelligence.

Cyber feeds that are accessible with a Signal subscription include:

• Onion/Tor – Anonymous network requiring Tor browser (AKA as Dark Web)

• I2P – Invisible Internet Project

• ZeroNet – decentralized web-like network of peer-to-peer users

• Open Bazaar – a fully decentralized marketplace

• Telegram – a cloud-based instant messaging and voice over IP service

• Discord – a VOIP application and digital distribution platform

• IRC Chat – instant relay chat

The information available on these additional Cyber feeds can help identify a number of potential scenarios including;

• Hacking for hire

• Compromised accounts & servers

• Sale of financial data

• Sale of counterfeit and/or stolen goods

• Money laundering

• Sale and/or publication of personal information such as SSN, email, phone numbers

• Discussions on and/or exposure of data breaches

Related: What is OSINT and how is it used for Corporate Security?

It is estimated that cybercrime will cost organization a combined amount of upwards of $6 trillion a year. Cybercriminals are getting smarter and to defend networks, predict threats, and protect staff, organizations need increased access to timely intelligence. 

Effective information security requires smarter detection techniques which is why many organizations are incorporating AI-driven solutions and products to enable their security teams. However, even with AI assistance the sheer amount of data to assess is encumbering. Signal offers a multi-faceted approach that incorporates filters using boolean logic, AI analysis, and a human hand.

Getting Actionable Insights in Real-Time

In threat intelligence having timely data means everything! Having hyper-relevant intelligence as or even before events are unfolding could mean the difference of several zero’s. By contrast, acting upon old threat insights that maybe have dated can be counter-productive, or even undermine the purpose of the intelligence.

Automation and AI tools can make all the difference when it comes to constantly collecting fresh data. A threat intelligence platform such as Signal which harnesses automation and AI tools massively expands the potential data sources and amount of data that an organisation is able to effectively and efficiently monitor. As well as enabling security teams to sift through all that data and detect anomalous and potentially dangerous activity.

Reacting fast is vital to mitigating threats, but what is even more effective is preempting potential attacks enabling security teams to take preventative measures. For example, using a dark web scan a security team might discover an exploit package for sale targeting a previously unknown vulnerability. Discovering this exploit pack allows the security team to patch the vulnerability before hackers have a chance to take advantage of it.

Automation isn’t Everything

Machines can save you time and in that way they save you money. The combination of AI and Automation when scanning the surface, deep and dark web allows your security team to have more eyes on more data sources. This is vitally important especially today when cyber skills are scarce and data growth so overwhelming. This combination helps prevent analysts from being utterly swamped by endless admin work and allows them to deliver true value to their role.

That being said. Machines can only do so much by themselves (at least for the foreseeable future. People remain fundamentally better at understanding insights from potentially vague context and who are able to deliver an effective response.

Acting fast as we have already mentioned is incredibly important. But just throwing machine learning at the threat intelligence problem isn’t nearly enough. The perfect blend combines rapid and large-scale initial gathering and analysis by machines that then hand-off to their human team-mates to apply strategic intellect while the data is still fresh.

Security professionals have to think how cybercriminals think: machines (e.g. botnets) to do the heavy lifting and a sprinkling of human intervention to execute as successfully as possible.

Injecting Human Intelligence into Automated Threat intelligence

The key to superior threat intelligence accuracy and timing is to leverage automation whilst simultaneously injecting human expertise. You don’t want to be wasting your human resources by making skilled data security analysts wade through piles of admin. Nor do you want those analysts to miss potential anomalous data because your automated system disregarded a seemingly meaningless information package which later turned out to be a viable threat. 

Signal allows you to create filtered searches using Boolean logic scanning your chosen data sources and understanding potential location information. These searches can additionally be run through our emotional analysis tool Spotlight. 

There is one more problem though. Getting the balance of human and automation right is essential if you want to derive an effective threat intelligence system at a competitive cost.

To solve this problem we have launched our Sapphire program. Sapphire is an optional bolt-on which enables Signal customers to leverage our skilled in-house data analysts to further refine their results allowing their in-house security personnel to spend time on delivering real value.

Final Words

As can be seen from the description above, Signal is not an “AI application” in the commonly understood way. Instead, it’s a system where we use AI techniques and automation in multiple places to create a tool which in the right hands creates an extremely capable intelligence solution.

Even though machines and software will continue to evolve with dazzling speed, the complexity of threat analysis means there will be plenty of challenging opportunities for human analysts for a very, very long time.

Sites on the dark web are marketplaces for emerging cyber threats. As such, these are rich sources of intelligence, often relevant to a broad spectrum of potential targets.

Signal’s AI and emotion analysis paired with customisable alerts allows you to identify potential relevant threats from sites on the dark web to other threat sources, enabling you to more quickly identify, profile, and mitigate risks to your organization.

Cybersecurity Threats from the Dark Web

With enough knowledge, you can create actionable insights. To understand and counter cyber threats we need developed intelligence and actionable insights and details of those threats.

Three of the main forms of threat identified on the dark web are: 

• Physical threats. 

• Data for sale online. 

• Fraudulent activity.

What we know is that the darknet contains difficult-to-locate hacker websites and tools which are the basis of cybersecurity threats. To understand how to counter these cyber-threats, we need to develop intelligence about the details of those threats.

Before we start looking at how that intelligence is gathered, let’s look first at what sort of things we are looking for. 

Content to Look out for on the Darknet

The darknet isn’t itself criminal or illegal. Rather it provides a platform of anonymity which makes it a very attractive prospect for criminals. There have been cases where contract killers have been hired, or terrorist cells have organised attacks.

On top of this, the darknet hosts various items related to cybercriminals as well as the more traditional criminal activities. It is worth noting though that the majority of traffic that goes through Tor browsers is not criminal activity.

1. Malware

You don’t need to be a proficient software coder any longer to become a hacker. Malware, and things like phishing and exploit kits, are freely available to purchase on the dark web if you know where to look.

2. Data for Sale

It’s common to discover stolen data for sale on the dark web. This often includes non sensitive data such as account logins and email addresses which will be used in credential stuffing attacks. However, more concerning is the amount of credit card and PII (Personal Identifiable Information) that can be found for sale.

Read: Mitigating the threat of credential stuffing.

3. Cyber Security Vulnerabilities

Another item hackers and cybercriminals sell on the dark web are “exploits”. These are when exploitable vulnerabilities in a companies security is discovered. Then the cybercriminal sells the exploit to a hacker who can use the information to create tailored malware.

On a positive note, it has been found that the number of exploits for sale on the dark web have declined in recent years. One potential reason for this decline is due to an increasing number of companies offering a bug bounty program. These programs offer a legitimate financial reward to those that discover potential security flaws.

4. Distributed Denial of Service (DDoS) BOts and Tools

Kaspersky has found that cybercriminals are reaping rewards of up to 95% profit by selling DDoS-as-a-service. Cybercriminals offer a sophisticated pricing plan for customers wanting to attack websites. Cheap and dangerous darknet botnets, for sale from $20, can cause havoc.

5. Discussion Forums for Cyber Criminals

Hackers come together on darknet forums to plan, share details, and exchange goods and information. And while the use of a Tor browser grants them anonymity, discovering their conversation allows security teams to potentially spot threats as or even before they are emerging.

What is Darknet Intelligence?

The darknet hosts a huge amount of valuable insights and data that could make all the difference to your security teams success. Understanding the kind of information you are looking for and how the dark web is used by cyber criminals allows you to effectively monitor criminal forums on the dark web and evolve effective plans to counter impending threats.

However, there is one fundamental problem. How do you do efficiently scan or monitor the dark web? 

Due to the nature and structure of the dark web, finding relevant sources, gaining access to criminal forums, and obtaining information is a huge undertaking that requires specialised knowledge. 

Manually Gathering Darknet Intelligence

Skilled security analysts can spend time building up knowledge around darknet based threats, locating relevant forums and gathering access via pseudonyms. Understandably this approach is wrought with difficulties such as:

• Expense.

  A skilled security analyst is expensive, the average salary being over $99,000 a year. And there aren’t that many out there. By 2022 there will be an estimated shortfall of around 1.8 million skilled cybersecurity professionals. 

• Efficiency.

  The darknet is disparate and deep. The names dark web or darknet are themselves misnomers. They suggest that the dark web exists somewhat like the World Wide Web in a state of connectivity. However, many of the websites on the dark web, especially the criminal ones do not want to be found. They aren’t indexed and other sites don’t link to them. Many of them require you to form an account and to be vetted by admin before you can gain access. 

  One individual is going to have an incredibly hard time finding, gaining access to and manually monitoring relevant dark web sites. One solution could be employing a team of security analysts - however, that brings us back to the first point; expense.

• The changing nature of the darknet.

  Sites on the darknet come and go quickly. Again this is especially true for the criminal websites that you would want to be monitoring. This means that anybody wanting to monitor these sites would need to regularly research and find the same sites as well as continuously looking for new ones.

Thankfully, there is an alternative and you don’t need to waste hours of a skilled analysts time trawling through an almost endless see of data in the dark. This alternative requires you to utlize automation tools such as Signal or our recently launched product LERTR. 

Automating Darknet Intelligence with Signal or LERTR

Darknet intelligence-gathering tools work by running automated searches of darknet websites and forums. Using Signal you can create customised alerts filtered via specific keywords, phrases or even locations. We also have a built-in translation tool so that data can be searched across languages and automatically translated into your default language.

On top of this, you can run alerts through our emotional analysis tool to determine how much of a threat any particular alert is. Finally, get our optional Sapphire bolt-on and utilise our skilled data analysts to further refine your results. 

This approach allows your leave your dark web monitoring on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips.

All of this allows you to gather actionable intel in realtime.

The dark web is a layer of the internet that is only accessible through an encrypted browsing software such as a Tor browser. This software makes the user anonymous. It is this anonymity which is so beneficial to criminals who are able to trade illegal items and services.

Cybercriminals are known to buy and sell stolen data, for example, which can be used to commit identity theft and fraud. Many of the overtly criminal websites require membership logins that you can only gain if you are active as an online criminal making it challenging for companies and security forces to access and monitor these websites.  

However, with the right tools, like Signal threat intelligence software, monitoring and filtering through these websites is entirely possible without ever needing to download a Tor browser yourself. 

What is dark web scanning?

A dark web scan monitors open-source information available on the dark web, using both human and artificial intelligence to scan things like criminal chat rooms, blogs, forums, private networks and other sites. In doing this it helps organizations detect potential security threats. 

Examples of activities that have been identified from dark web content using Signal Threat Intelligence software include;

• Online markets selling stolen and fake goods;

• Hackers selling non-sensitive data for use in credential stuffing attempts;

• Impersonation of individuals or organizations;

• Details in regard to hacking or incitement to hack;

• Reputational risk via fake news or impersonation;

• Illegal activities such as drugs and drug paraphernalia;

• Information regarding a previously undetected sensitive data breach.

What happens during dark web monitoring?

There are some 55,000 dark websites, however, many of these are inactive and even fewer of them are actually used for overtly criminal activity. During dark web scanning our security software monitors and detects any data that is relevant to the particular search queries that have been set up. This allows you to create a customised highly relevant stream of data and information around key points of interest for your company.

The information can also be run through a sentiment filter to create an even further refined stream of data, we explore this in further detail below.

Why is dark web monitoring with Signal Corp important for businesses?

1. Detecting data breaches

Our software has been used to identify stolen credentials and other personal information that is circulating on dark web networks and other channels.

To identify relevant data you are able to set up specific search queries within the software. These constantly monitor the open, dark and deep web and then filter these searches using our AI technology to determine what is and isn’t relevant. We then add a human touch to the remaining data to further filter using human intelligence to identify what is highly relevant.

The scan infiltrates private sites - many of which require membership within the cybercriminal community to enter. 

When it comes to detecting data beaches it can quickly identify chat around data that is circulating online which has been gained by illegal hacking attempts. If data is detected from a particular company, whilst there is no way to retrieve that data organisations can take precautionary measures to mitigate the damage and threat of the data breach as well as determining how the data was gained and ensuring that breach is secured against further data beach attempts.

2. Detecting Physical Threats against People and Assets

The big draw for criminals to the dark web is that all users need to use an encrypted browser to access the dark web which entirely anonymises their presence. This means, very simply, that criminals can and do talk about their activity, either to brag or as part of their preparations.

Using software like Signal you can constantly monitor the dark web and when a criminal talks about or potentially threatens one of your staff or assets you can know instantly. Whilst they are anonymised and you won’t know who is planning something, you will know that there is a very real potential threat that you can now guard against.

3. Predicting potential terrorist actions

In the same vein as detecting potential physical threats against a company online, the dark web is also a place where terrorists go to communicate and organise. By monitoring the dark web then you can pick up on their conversation and use the data gathered to potentially predict and deter terrorist attacks aimed at the company.

How do you determine when chat becomes a serious threat? 

One of the potential issues some of our customers face is the sheer amount of noise which might surround their brand. Invariably not all of this noise is good. Which is why we have a sentiment analysis tool to help filter out what chat, what noise online we need to pay attention to.

On top of this, this can then closely monitor individuals who have been detected to hold negative sentiments towards a customer and it can determine if that was a once-off comment, or if this negative sentiment might actually evolve into a more palpable threat.

How are data breaches of non-sensitive data used by cybercriminals?

When it comes to cyberattacks having detailed situational awareness and the ability to quickly sift through open-source data and information on the surface, deep, and dark web allows businesses and financial institutions to quickly determine potential risks and take necessary precautionary actions fast. This can help mitigate threats posed by cybercriminals, reducing the security spending and costs surrounding the fallout after criminals successfully commit fraud through the use of leaked data.

In this article, we explore a growing concern for a number of businesses which poses increased year on year risk, with increasingly costly repercussions - credential stuffing. We answer the following questions and more: what is credential stuffing? Why does it pose a severe security risk? And how can dark web monitoring and social media monitoring be used to mitigate the threat of data breaches?

What is credential stuffing?

Many businesses assume that non-sensitive customer data has little value to a cyber-criminal.

In fact, in a recent study, it was found that a number of businesses didn’t even password protect cloud-stored customer data. Meaning anyone could have come along and downloaded the entirety of those databases.

What is even more worrying, is that many data breaches go entirely undetected. 

Credential stuffing is a tactic growing in popularity that weaponises non-sensitive stolen credentials (eg. usernames and passwords) against websites and mobile applications. Large volumes of stolen account logins are tested against other website login pages to gain unauthorised access to accounts, in order to commit fraud. 

The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing. The vulnerability is simply having a login form and having users.

Whilst the strike rate is low - think a few successes for every thousand attempts - there are billions of stolen credential pairs in the hands of cybercriminals. 

In 2018 there were 2.8 billion credentials stuffing attempts reported in the US alone. And this number is only rising. Which goes to show just how much of a threat credential stuffing has become.

On top of this, a skilled hacker, using a throttled bot with multiple Autonomous Systems Numbers (ASNs) and IP addresses can remain undetected for long periods of time, allowing them to try potentially millions of login combinations without anyone knowing anything untoward is happening. 

What are the cybercriminal’s goals?

“It is a misconception that only financial information like payment card numbers or bank accounts has monetary value to data thieves.” - Source

Obviously, the most valuable data for cybercriminals is going to lead them to bank account and credit card details. These they can use directly to access a persons money. In 2019 though, there was a significant decrease in the amount of sensitive data exposed. Going from a reported 471 million records in 2018, down to 164 million in 2019. It’s worth noting though that the Marriot breach in 2018 did skew the records there with over 300 million sensitive records exposed in that single data breach.

However, there are numerous ways a cybercriminal can benefit from accessing another persons account data through credential stuffing of purportedly non-sensitive data. These strategies will be tailored to the sites they gain access to and can lead to various forms of identity fraud and phishing scams.

Part of the reason this indirect strategy is growing in popularity with cybercriminals is that sensitive data is becoming better and better protected by corporations and financial institutes. However, this somewhat simplistic approach creates a serious vulnerability to any company. 

Credential stuffing is costing businesses millions each year. Not just in the follow-up costs of a cyber attack and the ramifications of fraud, but from increases inIT security spending, potential lost revenue from lost customers, and application downtime. This, according to one study by Akamai is costing companies an estimated $4 million a year.

Who is most at threat?

When it comes to what this looks like in real life you only have to take a cursory glance at the numbers to have cause for concern. In 2019 it was reported that a total of 869,857,509 records were stolen by cybercriminals in the US - and it’s likely that many more stolen records went either undetected or unreported.

The majority of that data, around 750 million records, was non-sensitive data, that will largely find its way to the hands of cybercriminals who will use it for credential stuffing. 

The credential stuffing technique can be used against any company with a login page. 

“Up to 83%  of people - according to 2018 research - use the same password for more than one account.”

Consumers face growing complexity in password requirements, with various length requirements, plus symbols and numbers - this has actually encouraged many users to find a single password that fits the bill and they’ve then reused that password or variations of it across numerous account logins. This is then paired with a growing number of individuals who have access varying levels of technology and might not know how to best protect their data.

What can be done to mitigate the threat of credential stuffing?

People are always talking about having better online security but no one ever talks about what happens after a data breach or after being hacked. 

As the old saying goes, “hope for the best, but plan for the worst.” A growing number of companies are on the receiving end of cyberattacks and it is leading to an increasing number of data breaches. 

Shoring up online and cybersecurity is absolutely vital. However, it may well not be you who is hacked, instead a victim of the credential stuffing technique. One thing to do is to require two-factor authentication. But even this isn’t flawless as the hacker may well have access to that user’s email account as well. 

So, what can businesses do to mitigate the growing threat of credential stuffing? Often hackers responsible for the data breach won’t use all the data themselves. Instead, they’ll turn to the dark web where they can anonymously sell the data instead.

This is where threat intelligence software like Signal comes in. Signal allows for users to monitor the dark web without needing a Tor browser. With threat intelligence software like Signal one can do much more than just monitor the dark web though.

Users can set up alerts for keywords and monitor dozens of channels instantly generating alerts for users based on their search queries. What this means is that as soon as leaked data goes up for sale on the dark web - or as soon as anyone talks about purchasing records gained through illegal or forced access to your database you will know.

You can then take precautionary actions to mitigate the potential threat. For example, warning customers of potentially exposed data so that they can secure any logins with the same password, force resetting customer passwords, and reporting the incident to the authorities.

In one recent example, it was found that an employee of a bank, stole over 3 million sensitive records from their company database. They then went away and bragged about it on social media and on various dark web forums (like 8chan). These set off immediate alerts through the Signal system and action was able to be taken, the data was recovered before it changed hands and the employee faced the legal ramifications of their actions.

Because Signal uses open-source data all evidence and information gathered through its channels are able to be used as actionable intelligence.

Related: Black Hat Brags about Bank Hack Signal Could have Spotted

Detect and remedy data breaches fast with Signal

Get in contact to learn more, or request a demo using the options below: info@signalpublicsafety.com

Resources and Further Research

• akamai.com/uk/en/multimedia/documents/state-of-the-internet/soti-2018-credential-stuffing-attacks-report (pdf)

• idtheftcenter.org/2019-data-breaches/ (pdf)

There is plenty of online information regarding the dark web – mostly accurate, although it can be daunting to understand the various nuances. There are numerous benefits that come with monitoring of the dark web.

When it comes to dark web monitoring, Signal risk intelligence software offers a comprehensive service which enables security professionals to gain increased situational awareness using targeted, highly relevant data gathered from dark web sources.

Why did we add Dark Web monitoring to Signal threat intelligence software?

The Dark Web is the place to lurk out of sight, with complete anonymity, which makes it a logical centre for criminals to gather, discuss illegal activity, and sell illegal goods and services. Because of this, those bodies and security teams which are able to effectively monitor the blogs, forums, and chat rooms of the dark web have an invaluable source of information on nefarious or illegal activities - and are often among the very first to know about important and relevant information that may impact their company or organisation.  

Advanced warning for things like data breaches, reputational risks and physical threats to assets allow companies to effectively form strategies to deal with and mitigate the threats to their organisations.

These conversations and activities are highly relevant to many Signal subscribers, hence the addition of the Dark Web as a data source for Signal Gold subscribers in 2017.

Read our articles:

• Why a Dark Web Scan is Essential for your Business

• Mitigating the Threat of Data Breaches and the Risk of Credential Stuffing

Examples of activities that have been identified from dark web content include:

• Online markets selling stolen and fake goods

• Impersonation of individuals or organizations

• Details in regard to hacking or incitement to hack

• Reputational risk via fake news or impersonation

• Illegal activities such as drugs and drug paraphernalia

One of the benefits that Signal provides is the ability to review the dark web post content without needing to utilize a Tor browser – simply review the content from within your Signal browser session.

Dark web monitoring is available for Signal subscribers with a gold or better subscription– if you are interested in more information in regard Signal or the dark web content, then contact us info@signalpublicsafety.com