By Josh Fruhlinger, CSO. The “dark web” is a phrase strikes an ominous tone, conveying an impression of a marketplace where anything is for sale: hacking tools, weapons, drugs, child pornography, even freelance assassination services. And according to experts we spoke to, all of that’s still true. But something has changed in the way the dark web does business. If there was a time when venturing online to buy these illegal items was like taking your life in your hands in a dark alley, today the experience in quite different.
Take drugs, just as an example category. “The best analogy I can give for the expanse of dark web drug offerings is that it would be like walking into a major supermarket for the first time having only ever shopped at a corner store,” says Emily Wilson, director of analysis at Terbium Labs. “Almost anything you want is available from a huge host of vendors—all of whom are competing to assure buyers that their product is the freshest, purest, safest, most readily assured high available. People like to compare and contrast their experiences in detailed write-ups, and the vendors are incentivized to develop loyalty: ‘Check out this freebie of my new product,’ or ‘Hey, sorry about the slow shipping—I threw in a little extra for you.'”
And it’s not just drugs where the dark web has gone corporate. It’s happening across the board—and what most of the experts we spoke to wanted to talk about was especially the various hacking and shadowy technology services available. In hearing the details, it’s hard to avoid the realization that the various criminals on the dark web are taking their cues from the practices of corporate IT.
Products: Malicious code for sale, with instructions
Exploits and attack code can be devilishly complex to discover or build from scratch. The dark web provides a marketplace that connects programmers with the needed skills with those with motivations to unleash them. Ido Wulkan, intelligence team lead at IntSights, points to several malware packages for sale on the dark web, including Dr0p1t-Framework, a trojan that downloads other malware, and the Silent Word exploit, which converts a malicious .EXE file into an innocent-seeming .DOC.
Buyers of these exploits don’t need to be master hackers themselves. “If you have relatively little technical knowledge,” says John Shier, senior security expert at Sophos, “there are guides on how to spread your malware, and also phishing and carding tutorials.”
Services: No need to do it yourself
But just as many enterprises no longer build or even deploy their own in-house tools, so too do many criminals outsource the deployment of their misdeeds. Even if you’re sick of the endless “-as-a-service” acronyms in IT (Software-, Infrastructure-, Platform-), you’ll need add another one: RaaS, or ransomware-as-a-service.
“RaaS providers give their customers fully functional ransomware with a dashboard to track victims and support services should they need it,” says Shier. “In exchange, the authors of the RaaS portal ask for either a percentage of the ransom or a flat fee. The only thing left is for the customer to distribute the ransomware, possibly using the services of a spammer purchased separately or by doing it themselves using the knowledge they gained from the tutorials.” And if you need more evidence of this in the real world, experts are now beginning to see the Petya ransomware as a RaaS attack.
Evolving Towards a Homogenous Society: The Risk of the New Digital Economy
Understanding how information technologies, services, configurations, controls, and behaviors change over time is important to monitoring, anticipating, and preventing new exploits, malware, and botnets.
Ransomware is only one of a variety of attack options, of course. Nathan Wentzler, chief security strategist at AsTech, says that on the dark web you can pay for “more targeted arrangements that can cross the line from mischievous or ‘just another attack’ to illegal attacks to obtain specific intellectual property, national defense or military information, and other very sensitive (and valuable) data.”
Infrastructure: Why buy if you can rent
There are plenty of more mundane IT services that cybercriminals need, and naturally these are also available on the dark web. Email servers, for instance: “The ability to send and receive your mail in an anonymous way is crucial for many, for good and for bad,” says Chris Roberts, chief security architect at Acalvio. You can also buy computer time on other types of servers. “Think of them as AWS for the dark net,” says Roberts. “Some care what content you have and some don’t.”
And if you’re looking to set yourself up as the next Dread Pirate Roberts—well, you’re going to need infrastructure to sell things, and again, the dark web can provide. “A group calling itself ‘TeamZero’ is selling a black market framework, which allows ‘merchants’ to sell just about anything on the dark web,” says Wulkan. “They provide a turnkey infrastructure, just like eBay or Shopify—but for illegal goods and services.”
Blueprints, consulting, and more
If you’re looking to avoid work (and avoid getting your hands dirty), the dark web will connect you with hackers willing to consult on specific tasks for a specific price. Say you’re looking to breach a particular organization. “While you may not find organization-specific attack blueprints, like the stereotypical fraternity test file, you can find things like IP addresses, server locations, or device passwords as well as instructions for executing specific attack types on the deep web,” says Stu Bradley, VP of cybersecurity solutions at SAS. “These are enough for the skilled adversary to begin a successful campaign. Or, if you’re too busy or perhaps lack the skill to execute an attack yourself, why not subcontract it out to a hacker? You can easily find a hacker to conduct the attack with a guaranteed service level and money back if you’re not satisfied.”
Mike Viscuso, co-founder and CTO of Carbon Black, points to the Xdedic dark web marketplace, where you can connect with criminals who offer up already compromised servers on a platter. “Authorized sellers provide compromised systems and credentials for the systems in bulk to the marketplace,” says Viscuso. “The marketplace operators then validate access to the system and record details about it, such as the antivirus used, browsers available, whether the system is virtualized, and the physical characteristics of the system like the CPU model and speed, amount of RAM, and the OS installed.”
Service with a smile
Any wary IT pro who’s tangled with consultants and contractors knows that deals can go sour even when the business is above board. How can you be sure that you’ll get what you pay for when you’re dealing with, well, actual criminals? The dark web also provides plenty of ways to establish honor among thieves. Ross Lasley, chief geek at The Internet Educator, says that many web defacements are proofs of concept, perpetrated by hackers to show they have the skills and access for the real jobs.
Users also have access to Yelp-style reviews of products and services (this tutorial on buying from the AlphaBay market gives a glimpse). And then there are business incentives. “Sellers on these forums are incentivized to not engage in fraud or deceptive practices, because their reputation as legitimate sellers is at stake and therefore their ability to continue selling and making money would be jeopardized,” says Armond Caglar, principal with Liberty Advisor Group. “Some professional sellers request that any complaints or inquiries be first resolved directly with the seller over encrypted channels first, so that the seller would have time to redress a grievance prior to a buyer officially publishing a negative review.”
Caglar explains that there are even mechanisms for resolving disputes and fixing problems that any IT pro would recognize: “Some of the more professional marketplaces have a mechanism in place for buyers and sellers to submit trouble tickets, which could include complaints about a buyer or a seller. If there is a dispute with an unhappy customer, theoretically that person could submit a trouble ticket and complain, and the Bitcoin they used to purchase the good would not be released to the seller.”
Grown up, but not well-behaved
From one point of view, this is a fascinating transition, and it says volumes about how the practices of modern business have arisen to meet the real needs of buyers and sellers. But none of it mitigates the illegal and dangerous nature of what happens on the dark web. If anything, the message here is that criminals are getting more efficient. It may be that the only thing worse than hacking services for sale online are hacking services for sale online in a frictionless marketplace that let those with ill intent harness the skills of advanced programmers with some Bitcoin and a single click.