Photo by Markus Spiske on Unsplash
For law enforcement and national security agencies today, open web monitoring is still necessary, but it often serves as merely a starting point. A combination of tougher regulations on these mainstream social media platforms, stricter Terms of Service, and more public exposure make it difficult for criminals to continue to market their illicit activities on these platforms. As a result, they have migrated their activities to the deep and dark web.
For law enforcement and national security agencies today, open web monitoring is still necessary, but it often serves as merely a starting point. A combination of tougher regulations on these mainstream social media platforms, stricter Terms of Service, and more public exposure make it difficult for criminals to continue to market their illicit activities on these platforms. As a result, they have migrated their activities to the deep and dark web.
That leaves law enforcement with no choice but to incorporate dark web monitoring tactics to their crime-fighting arsenal. It is important to understand that dark web monitoring is far more than checking out the TOR network. It includes the deep web - which is distributed across encrypted chat applications, password protected forums and other content only accessible via a username and password - along with hundreds of other dark web networks as well.
This can be challenging, since successful deep web monitoring includes:
* Access to password-protected content
* Access to hidden content
* The ability to pass CAPTCHAs which block automated crawling
* The ability to pass paywalls and invite-only forums and channels, which are more likely to contain illicit activity
Here are a few deep and dark web sources that cybersecurity analysts today need to include and combine with dark web data analysis for more comprehensive crime fighting.
Monitoring Open Web Forums and Chat Applications
Cybercriminals like to hang out on forums. Unlike dark web marketplaces, where money is transferred through escrow services and administrators can always steal the money from the buyers (e.g. an exit scam), forums offer a more stable environment and a wealth of information for law enforcement officials looking for top criminals engaged in hacking, data leaks, and other illicit activity. Marketplaces also only offer
listings of sold items, but don’t give you access to the leaked databases or credit cards unless you buy the products. In forums, however, actors often share their databases or tools with the community, which means you can see more information about the raw data being shared as well as hacking tools, and more.
The following post is from RaidForums, a known deep web hacking forum. The post publicizes a leak of a popular dating website and application MeetMindful, founded in 2013 and located in Denver, USA. The post was published in the forum on January 20 and first reported four days later by the known actor ShinyHunters.
Post sharing the MeetMindful data fields leaked in RaidForums by ShinyHunters
Although many forums exist on the dark web, there are many, like RaidForums and Nulled.to that are available on the open web.
Although many forums exist on the dark web, there are many, like RaidForums and Nulled.to that are available on the open web.
Forums allow users to download the raw data and examine it with just a click. This is in contrast to marketplaces, where users must buy the data or product to understand it. Hackers in forums usually start a community and keep all valuable items shared inside the community. These items are not usually available in social media due to strong moderation policies, violation of the Terms of Service, and the high public profile that these platforms enjoy. It’s not the safest place for cybercriminals to communicate with one another or plan their criminal activities. But some chat applications, like Telegram, can provide hackers, carder and dark web vendors with a safer haven.
Here is a Telegram channel that shared the download for the MeetMindful database, a mere 24-hours before the first publication in the media about this breach. These types of posts demonstrate the ability for data breaches to travel and spread throughout different sources and networks.
Telegram channel sharing the MeetMindful data leak
Identifying Drug-Trading Activity in the Dark Web
Aside from hacking, LEA also monitors cybercriminal activities related to illicit drug trading. The latest operation that shut down DarkMarket, a TOR-based marketplace that hosted drug trafficking of different substances and prescribed medication, proves that the dark web monitoring efforts of LEAs can be successful. Since these TOR-based marketplaces are the largest websites that host such activity, it is crucial for LEA to have these sources monitored and covered.
Not only that, LEA must be able to get access to new marketplaces that are being opened all the time, rather than only existing ones.
The following post is an image of ketamine, a medication used for anesthesia, that is sold in a dark web marketplace. This is merely one of tens of thousands of listings published there daily.
The following post is an image of ketamine, a medication used for anesthesia, that is sold in a dark web marketplace. This is merely one of tens of thousands of listings published there daily.
Ketamine sold illegally on the dark web
The Telegram chat application also attracts this kind of activity - take for example the Israeli Telegrass operations and many European or Russian-based channels.
The following is an example of a post from Telegram published February 3 that offers cocaine by the gram to buyers located in Northern Israel.
The following is an example of a post from Telegram published February 3 that offers cocaine by the gram to buyers located in Northern Israel.
Post selling cocaine on Telegram
Criminal Hacking Activity in the Open Web Versus Deep and Dark Web Sources
The dark web is rife with posts about hacking services. This includes both designated forums and communities that lie outside the reach of social media networks, helping cybercriminals to avoid both law enforcement as well as the censorship and bans of certain types of content on social media networks.
The following DDOS attack service and program, published on February 7th, is listed in a TOR-based forum, allowing any hacker to download this program and use it freely. The post includes a disclaimer stating that the distributing hacker is not responsible for any use of his program. These DDOS attack services are offered in different languages, forums, marketplaces and chat channels.
This specific tool was published in at least 10 different forums in Webhose’s coverage, but we could not find any related posts in social media platforms such as Facebook.
This specific tool was published in at least 10 different forums in Webhose’s coverage, but we could not find any related posts in social media platforms such as Facebook.
Post of DDOS attack tool in a TOR-based forum
Post of DDOS attack tool in a TOR-based forum
A Holistic Multi-Faceted Approach to Crime Fighting
Dark web actors prefer advertising themselves or sharing their products and services in an environment that is both protected from law enforcement agencies through anonymity and also has an audience. Chat applications and open web forums are just a few examples of this type of deep web content that provides both. Law enforcement and national security agencies today must constantly monitor all of these different types of dark web sources with the right tools that can aid them in monitoring, mitigating and even thwarting the nefarious activities of these cybercriminals.