Investigators Can Use the Dark Web as a Tool to Discover Potential Threats to Retail Brands
The dark web burst into public awareness in 2013 when the FBI shut down Silk Road, an online black market, and arrested its founder, Ross Ulbricht. The FBI found him through an elaborate sting operation involving an undercover law enforcement agent posing as a drug dealer on the dark web. Through this undercover operation, the FBI was able to locate a Silk Road administrator, who gave them access to information about Ulbricht’s Bitcoin account.
When Ulbricht discovered the administrator had been arrested, he asked the undercover agent posing as a drug dealer to murder the admin. Investigators staged the torture and killing and sent photos of what they said was the corpse to Ulbricht. Ultimately, these questionable tactics led to Ulbricht’s own arrest.
The media immediately picked up on such an exciting topic. The dark web was known for facilitating illegal activity, including money laundering, drug sales, and even murder. The appeal of the secrecy and mystery behind the dark web led to many articles and news reports; unfortunately, this coverage also propagated a lot of misinformation.
The Dark Web Explained
The dark web is one of many layers of the Internet, and a lot of terms are associated with this subject. The surface web, also known as the open or clear web, is the part of the Internet we are the most familiar with. It refers to all the websites that are automatically indexed by search engines, which makes them relatively easy to access. Despite being the most well-known part of the Internet, the surface web makes up less than five percent of the Internet.
The deep web, or invisible or hidden web, makes up the largest portion of the Internet—between 92 and 96 percent. It is an online repository of back-end information and includes financial transactions, public records, medical records, and password-protected sites. Deep web addresses consist of a random string of alphanumeric characters, and these websites are encrypted but still accessible using a regular Internet browser. This content is not automatically indexed, so it is a lot harder to find information on your own. Many services exist to help law enforcement and other investigators access the deep web, such as TLO and Accurint, a LexisNexis service.
Tor was designed to be safe, not fast, so it is much slower compared to the Internet we are used to. It is important to remember that the Tor network is a service that is independent of the Tor browser, which is simply a tool to access this network.
Like the deep web, the URLs are composed of random alphanumeric characters, but most often with the top-level domain (TLD) of .onion for anonymous sites or .onion.to for non-anonymous sites. Tor sites are sometimes referred to as Tor hidden services, onion sites, or simply onions. A very common misconception is that the dark web and the deep web are the same; in fact, though their web addresses seem similar, it is the .onion top-level domain that indicates a dark web site and requires a special browser to be accessed.
The dark web’s primary purpose is anonymity, not illicit activity. People use the dark web when they want to protect their identities, for whatever reason. Tor was developed in the 1990s by the United States Naval Research Center as a military-grade application designed to help clandestine operators protect their identities while transferring information. The dark web uses a relay methodology to hide a user’s identity behind three proxy layers. Each relay has its own geographical location, which makes it very difficult to trace a user.
One of the weaknesses of this system became apparent soon enough: although foreign hackers could not identify the specific users on Tor, they could be sure that they were all US government agents, since no other government was on the dark web. The federal government resolved this issue by making the dark web available to the public in the early 2000s; by increasing the number of users on the dark web, it became significantly more difficult for foreign governments to identify US clandestine agents and operations. The Internet Frontier Foundation, which is largely funded by the federal government, picked it up and continued to develop the code. In 2006, they officially announced the Tor project to the public and made the Tor browser available for use.
Today’s dark web is a versatile tool, which is what led to the creation of online black markets such as Silk Road and AlphaBay, which was shut down in 2017. Though Ulbricht claimed to have founded Silk Road based on the libertarian ideal of a completely free market, Silk Road was best known as a platform for selling illegal drugs.
The FBI investigation and subsequent shutdown of Silk Road gained global attention. The story of Silk Road’s rise and fall essentially drove the dark web to become what it is today: a hotbed of online black markets.
Users can track their orders and interact with customer service agents, just like they can with any other online retailer. Setting up a cryptomarket does not require a high degree of technological experience. Like e-commerce sites on the surface web, templates exist for dark web sites as well, which means that anyone can easily start selling on the dark web.
These sites even sort illicit goods into categories such as fraud, drugs, counterfeit items, weapons, software and malware, stolen credit card and financial information, and stolen personal identifying information, which often have specific search controls to allow potential buyers to search the listings by location, social security number, birth year, credit limit, and much more.
After his arrest in 2013, Ulbricht was convicted of money laundering, computer hacking, conspiracy to traffic fraudulent identity documents, and conspiracy to traffic narcotics by means of the Internet. He is currently serving two life sentences without the possibility of parole. Many people have criticized the FBI for its dubious methods of investigating and arresting Ulbricht, even going as far as to accuse the FBI of entrapment. However, Ulbricht was clearly guilty of his crimes. Despite having created Silk Road with possibly good intent, he eventually got caught up in the greed of monetizing the platform, which is what actually led to his arrest.
Unlike Ulbricht, the founder of AlphaBay, Alexandre Cazes, created his online black market in 2014 with the specific goal of creating the “largest eBay-style underworld marketplace,” a claim he made on the AlphaBay website. Through AlphaBay, Cazes made over $23 million in revenue and lived in luxury in Thailand where he owned many mansions and even had multiple wives. He was arrested in 2017 and found dead of apparent suicide in his jail cell in Thailand days later. AlphaBay was officially shut down a few days later.
How People Pay on the Dark Web
The leading form of payment on the dark web is cryptocurrency, with Bitcoin being the most common type of cryptocurrency exchanged. Cryptocurrency is a digital currency in which transactions are recorded on a public ledger, usually a blockchain, and every process is protected by cryptography, which is simply the practice of secure communication.
People on the dark web use cryptocurrency because it is decentralized, digital, and almost completely anonymous. No banks or governments can control cryptocurrency. Instead, cryptocurrency is controlled by its users and a blockchain to maintain its integrity. As a digital currency, cryptocurrency can be instantly exchanged online without needing a physical representation of its value, such as paper money.
Cryptocurrency is a pseudo-anonymous system. Although it is impossible to trace transactions back to their senders or recipients because the blockchain only has a record of each user’s public identity, you could theoretically find out a user’s identity if you had the private key to their account.
When users purchase goods on the dark web, such as drugs, they usually transfer cryptocurrency to be stored in escrow, just like someone does when they buy a house. The cryptocurrency sits in escrow until the buyer confirms they have received their order. This prevents sellers from ripping off buyers.
However, sellers on the dark web don’t often try to rip people off. To them, the dark web is simply another method of delivery for products they have already been selling. Though they are criminals, these sellers operate just like typical businesspeople. They are motivated by money, which is what keeps them honest. This incentivizes them to sell high-quality products and provide good customer service in order to entice buyers to return.
Sellers on the dark web provide customer support the same way as many other e-commerce retailers by contracting overseas customer service call centers. These call centers, often located in countries like Romania and India, are simply providing a service, whether they are doing so for a legitimate retailer or for someone on the dark web who sells drugs.
The Dark Web and Retail Asset Protection
How does all this secretive and potentially illegal activity relate to retail? The dark web is where people go when they want to learn about something or communicate without others knowing who they are. Although drugs are the most common illegal commodity found on the dark web, there are more immediate threats for private retailers—stolen credentials, stolen credit card information, counterfeit merchandise, and hacking tools, just to name a few. Criminals can even use the dark web to learn about company security policies, which stores are best to steal from, and which EAS tags a company uses, so they can learn how to defeat them.
Because the dark web is primarily used for secure communication, it can facilitate organized retail crime planning, research, and discussion. People can also use the dark web for hacking as a service (HaaS), where a hired hacker serves as a contractor. Some of the services offered in hacking as a service include gaining access to another person’s social media accounts, denial of service (DoS) and distributed denial of service (DDoS) attacks on websites, network infrastructure attacks to bring down communications, and even command and control of a huge botnet army. Hiring a hacker is just as much a crime as hacking itself since inducement to commit a crime is itself a crime under US law.
According to a hacking-as-a-service website called “Hire An Hacker,” many hacking-as-a-service websites intentionally use bad English to disguise their identities and make it harder to figure out where they are located. Other hacking services include Facebook account hacking as their most requested service, along with smartphone hacking, backdoor computer access, database modification hacking for websites, and even a way to fix one’s credit score. Service costs start at $350 for “easier” jobs, such as email account hacking, and can go up to nearly $2,000 to hire someone to deface or even completely delete a website.
Hackers can also facilitate identity and credit card fraud by stealing this information and selling it on the dark web. In 2016, credit card fraud totaled $24 billion in losses, half of which affected cardholders in the United States.
In April 2017, the then-unidentified group called the Shadow Brokers published a collection of the National Security Agency’s (NSA) most coveted hacking tools, including ways of exploiting most versions of Microsoft Windows, allowing essentially anyone to download cyber weapons. The authors of the WannaCry ransomware attack, a worldwide cyber attack in May 2017 that encrypted users’ data and held it for ransom in exchange for Bitcoin payments, used the EternalBlue exploit originally developed by the NSA and later released by the Shadow Brokers. The Shadow Brokers also offered a subscription service for the latest hacking malware for tens of thousands of dollars a month.
Some dark web users believe they are impossible to trace, so they will keep the same usernames they employ on the surface web. This makes investigators’ jobs a lot easier. Furthermore, because the dark web is not automatically indexed, criminals must advertise their products and services. There are even directories for providers of illicit services. Forums, both on the surface web and the dark web, discuss the relative merits of various dark web marketplaces and services. All this makes it surprisingly easy for investigators to locate bad actors.
On the other hand, investigative targets can be tough to pin down because dark web sites come and go quickly. They must constantly adapt to changing circumstances, like pressure from competitors or law enforcement activity. When these illicit marketplaces gain visibility, their operators often simply move outside the United States. In fact, the majority of the most prolific fraud sites technically exist on the surface web and often don’t bother with the dark web. They use top-level domains based in countries with lax fraud policies, such as Samoa (.ws), Cameroon (.cm), Cocos Islands (.cc), or Oman (.om).
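For a brand-protection analyst sorting links gathered during monitoring, the address distinctions above can be checked mechanically. The following is an added example, not part of the original article: it sorts collected URLs into .onion addresses, the .onion.to form, and surface-web hosts on the TLDs named above, and verifies the built-in checksum of an onion address. It assumes the 56-character onion address format in current use (and recognizes the older 16-character form), which the article does not describe; ExampleMart and all sample URLs are constructed.

```python
import base64
import hashlib
from urllib.parse import urlsplit

FLAGGED_TLDS = {"ws", "cm", "cc", "om"}   # TLDs named in the article
B32 = set("abcdefghijklmnopqrstuvwxyz234567")


def v3_label(pubkey: bytes) -> str:
    """Encode a 32-byte service key as a 56-character v3 onion label."""
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return base64.b32encode(pubkey + checksum + version).decode().lower()


def address_status(label: str) -> str:
    """Classify the label in front of .onion by its structure."""
    if len(label) == 16 and set(label) <= B32:
        return "v2-legacy"            # 16 characters, no checksum to verify
    if len(label) == 56 and set(label) <= B32:
        raw = base64.b32decode(label.upper())
        # Re-encoding the key must reproduce the label (checksum and version).
        return "v3-valid" if v3_label(raw[:32]) == label else "v3-invalid"
    return "malformed"


def classify(url: str, brand: str) -> dict:
    """Triage one collected URL for a brand-monitoring report."""
    host = (urlsplit(url if "://" in url else "//" + url).hostname or "").lower()
    labels = host.split(".")
    if host.endswith(".onion.to") and len(labels) >= 3:
        kind, status = "onion-gateway", address_status(labels[-3])
    elif host.endswith(".onion") and len(labels) >= 2:
        kind, status = "onion", address_status(labels[-2])
    elif labels[-1] in FLAGGED_TLDS:
        kind, status = "flagged-tld", None
    else:
        kind, status = "other", None
    return {"host": host, "kind": kind, "address": status,
            "brand_hit": brand.lower() in url.lower()}


# Constructed sample data: the key is not a real service, and ExampleMart
# is a hypothetical brand name.
GOOD = v3_label(bytes(range(32)))
# Character 52 carries only checksum bits, so altering it must fail the check.
BAD = GOOD[:52] + ("b" if GOOD[52] == "a" else "a") + GOOD[53:]
SAMPLE_URLS = [
    f"http://{GOOD}.onion/listing/examplemart-gift-cards",
    f"https://{GOOD}.onion.to/forum?q=ExampleMart",
    f"http://{BAD}.onion/",
    "abcdefghijklmnop.onion",
    "examplemart-outlet.cc/login",
    "https://www.example.com/news",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify(u, "ExampleMart"))
```

An address that fails the checksum was mistyped or altered somewhere between the source and the report, so it is worth re-checking against the original before it is recorded as evidence.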
Protecting Yourself from Cyber Crime
Fighting back against cyber crime is really a war, and as in any war, you need to have a strategy. It is important to prepare a plan for deterring cyber crime and responding to an attack. This can make all the difference between a minor incident and a major financial and public relations nightmare.
Understand your company’s information systems. Use data inventory and data mapping to gain a thorough understanding of what you are trying to protect. Include all the obscure data sources that are easy to overlook.
Classify the data. Some information is highly sensitive and valuable, while other information is not. You must create a clear process for distinguishing the various levels of information sensitivity.
Create clear guidelines for data access. Not every employee needs to have access to all the information in a company. Structure this access based on need.
Secure the data. Use encryption and passwords to protect your information, regardless of its level of sensitivity.
Define cyber crime clearly, so everyone understands. All employees must be aware of current threats and issues, including those affecting the company’s customers. What reaches them could eventually reach you, so if they understand and report cyber crime early on, you can respond much more quickly.
Conducting Investigations on the Dark Web
Even with your company’s measures to protect itself from cyber crime, as a security professional, sometimes you feel the need to do more. Though only a very small portion of the Internet is on the dark web, you still might find it helpful to use the dark web when conducting investigations. Below is a how-to guide for searching the dark web.
Search for dark web URLs on a regular search engine. Even though the dark web is generally not indexed, it is possible to use a search engine to see what non-anonymous dark web sites exist. Use the search term [something illegal] inurl:.onion.to. For example, you can use this tip to see if dark web sites have shoplifting master lists for specific retailers or how-to guides for defeating various types of EAS tags. The caveat is that this method will only capture a very small amount of the information. It’s a quick and simple trick and will yield less than 5 percent of what is actually available on the dark web.
Check your company policy before starting an investigation on the dark web. Although using the dark web is completely legal, many companies have strict policies against it.
Use a computer dedicated to searching the dark web. An even greater risk is that bad actors could discover your information and access your system, so you do not want to put your personal or work computer at risk. Instead, buy a cheap computer for this specific purpose.
Download the Tor browser. The Tor browser is the most common way to access the Tor network. Other browsers and methods are available, but the Tor browser is the most secure way to date.
Connect to the dark web using a virtual private network (VPN). A VPN adds another layer of anonymity and prevents third parties from seeing your web traffic. Instead of using your home or work network, connect to a VPN while conducting your investigations on the dark web. Do not use a VPN provided by your workplace, as this defeats the purpose of protecting your work from any potential attacks.
Create a new email address for the dark web. Once you are logged into the Tor network, create a new email address that you will only use on the dark web. Do not log in with any other email addresses.
Do not use any identifiable or personal information. Do not use your real name, photos, previous usernames or even passwords you have used before on the surface web. This will put you at risk of being traced back to your personal or work accounts.
Do not download content from the dark web. If you want to save content you need for an investigation, use the screen capture tool or a screen recording software. If you feel it is necessary, work with a technical expert or download content into a “sandbox,” a virtual space isolated from the rest of your computer to protect it from any possible malware.
Myths and Misconceptions
People often associate the dark web with weapons, drugs, human trafficking, and child pornography. But a 2016 study by Terbium Labs showed that only 47.7 percent of .onion domains hosted illegal activity.
There are many fabricated stories about the dark web, often created and spread by the media and most of which are untrue or simply impossible. Below is a list of the most common myths and misconceptions and why they are not true.
Myth: It is illegal to access the dark web. Accessing the dark web is completely legal. Furthermore, the content of the dark web is mostly legal—over 50 percent of the dark web does not contain illegal or illicit content. Some people fear that searching the dark web will bring law enforcement knocking at your door. That’s what criminals are worried about. As a retail security professional, your only concerns should be the bad guys themselves.
Myth: The dark web is only for criminals. The dark web was made for anonymous, not illegal, activity. That means that many dark web users just want to research or communicate without revealing their identities. These users can range from citizens of countries with strict Internet censorship laws who want to read the news to protestors who are fighting against oppressive governments to LGBT citizens of a country where homosexuality is illegal. Licensed physicians even post free drug-related advice on forums. They know drug addicts are less likely to seek out medical advice on their own, which means health care professionals need to go out and find them on their own.
Myth: Terrorists use the dark web to communicate. Though terrorists could easily use the dark web to communicate with one another, there are many other encrypted forms of communication that are more easily accessible. They typically use popular messaging platforms such as WhatsApp, Signal, and Telegram, which are more accessible and exist on multiple platforms such as smartphones.
Myth: The dark web is where mass shooters buy weapons. This is not an issue of concern in the United States, where someone can purchase a military-grade assault rifle at a gun show much more easily. However, the person who killed nine people and injured twenty-one others in Germany in July 2016 bought his gun from the dark web since firearm laws are much stricter in Europe. German police were able to discover his use of the dark web via two separate investigations into other attempts to use the dark web to obtain weapons.
Myth: You will be hacked if you go on the dark web. If you use the same safe Internet practices you use on the surface web—don’t share your personal information and don’t download content from an untrusted source—then you will not be hacked on the dark web.
Myth: You can “stumble” upon scary sites. The dark web is part of the deep web, which is not automatically indexed, as explained earlier. This means you have to actively look for sites on the dark web. It is impossible to “accidentally” come across criminal content. That can only happen if you are seeking it out.
Myth: “Red rooms” are everywhere. Red rooms refer to the supposed websites where people live stream themselves mutilating or even murdering someone for “entertainment.” However, they are mostly urban legend when it comes to the dark web. The Tor network is too slow to stream live video. If red rooms do exist, they would be found on the surface web, and it is highly unlikely that you would find one.
A New Tool
The dark web has a mysterious and dangerous reputation and a very colorful history. However, it is actually a simple concept to understand and use in your work. As with any investigation, you need the right tools, a clear idea of what you are looking for, and a healthy level of caution to protect yourself and your organization. With a solid understanding of the dark web in mind, you can use this new tool to your advantage and discover potential threats before they become actual attacks against your company.
Tom’s column is featured in every issue of Loss Prevention Magazine.