Threats from the Dark Web

27 June 2017

Despite the hype associated with the dark web, maintaining visibility into it is an important component of a comprehensive digital risk management program. In support of our announcement today about the expansion of SearchLight’s dark web collection capabilities, we wanted to highlight in this blog some of the digital risks that can be associated with the dark web. It is important to note that these risks can also occur on the open and deep web, just as with our previous research on sites like deer.io.

Criminals are stealing customer data through payment systems and they are talking about it on the dark web

The insecurity of payment systems makes the news frequently. Take the recent Chipotle breach, which resulted from malware on their Point of Sale devices. It’s important for retailers (and any organizations with ATMs or PoS devices) to ensure these devices and their transactions are secure. Having visibility into criminal forum conversations that discuss committing fraud against these devices, third parties or your company is critically important. It is also important to have visibility into the items for sale in criminal marketplaces that could be used to conduct fraud. These can take many forms, such as a guide for ATM skimmers (Figure 1) or product listings for specific hardware. Having visibility into these dark web conversations can make the difference in stopping or mitigating a breach.

Figure 1: Dark Web Marketplace offering guides on how to make ATM skimmers

  

Criminals are selling customer account details on the dark web

For banks seeking to protect their customers, gaining visibility and monitoring the dark web can be a highly valuable tool to stop fraud. Adversaries share credit card numbers on IRC channels (Figure 2) and sell accounts on dark web forums (Figure 3). Detecting these activities gives banks better visibility into their customers’ online exposure and enables them to get on the offense to minimize the impact.

Figure 2: IRC channel sharing and testing customer credit card information

 

Figure 3: Accounts for sale on the dark web

Criminals are taking over employees’ and customers’ accounts

It isn’t always a company’s assets that are at risk; organizations can also gain awareness of tools used against them. Figure 4 is an example of a tactic used to bypass SMS account verification. Understanding the latest tactics used by adversaries is vital for an organization’s security decision-making and for reducing its risk profile.

Figure 4: New tool for bypassing SMS authentication offered, mentioning specific sites

Criminals are conducting tax return fraud

Tax milestones throughout the year are popular times for fraud, and tax information is in high demand among cybercriminals. Approaching the deadline for 2017’s tax return, we detected a user claiming to sell access to the PCs of individuals working for accounting companies. The accompanying screenshots indicated that the user had access to information on hundreds of companies in the United States.

Figure 5: User selling access to an accounting company’s customer information, consisting of sensitive tax information

 

Digital Shadows provides the context you need to manage dark web threats 

It isn’t enough to simply detect mentions of company assets and concerns across the dark web. Organizations need the context behind these posts to understand them properly. As a result, today we announced an expansion of SearchLight’s dark web collection capabilities, where we help our customers manage their dark web threats in five ways:

  1. Detailed Explorer view. View the post in SearchLight’s explorer view to see previous posts by other users on the same thread or post. This enhanced view provides organizations with added context, enabling them to better understand how their company, employees or customers are likely to be impacted.
  2. Dark Web User Background. The incident also provides an overview of the user in question, with their username, date joined, activity levels and reputation. This enables you to understand the credibility of the dark web user, informing your response.
  3. Incident view with context. The incident includes a description, impact and recommended action, all of which are written up by our team of expert analysts. This helps you to make a more informed decision about the risk to your business.
  4. Detailed Source Background. Pivot from the incident into the intelligence view, providing context on the forum or marketplace. This context includes a description, timeline of events, associations, intelligence, and associated sites and social media accounts.

The importance of our team of data analysts extends beyond adding vital and relevant context. Not all dark or deep web sites can be easily accessed with technology on its own; expert human data analysts must also gain access to closed sources to provide the most relevant view of digital risks. Digital Shadows recognizes it is critical to complement automation with a team of data scientists and intelligence experts who gain access to closed sources, and qualify the data collected to enhance analytic capabilities. This gives our customers the full breadth and context needed to address the digital risks that are most relevant and impactful to their business.

Figure 6: SearchLight’s incident view, complete with vital context

 

Armed with this vital context, organizations are better informed about the risks they face online across the open, deep and dark web, understanding not only when they are mentioned online, but also why, by whom and the likely impact on their organization.

To learn more about the Digital Shadows SearchLight™ dark web monitoring capability, watch this demo video or read our datasheet for more details.