Patrianna Napoleon and Marina Tovar, Counterintelligence and Cyber (CICYBER) Team
Week of Monday, December 13, 2021
Dark Web advertisement[1]
TOR is an anonymity browser used to access the dark web as it hides a user’s IP address by generating random addresses and routes web pages through a series of servers operated by thousands of users worldwide.[2] Law enforcement agencies have very likely not discovered all cyber security threats due to the existence of encrypted websites or secret communication channels, like modified versions of ransomware and advanced Remote Access Trojans (RATs). “Business fullz,” the “hacker university,” and “destroy an individual’s business” are new threats emerging on the dark web.[3] “Business fullz” allows cyber criminals to impersonate employees and access the company’s confidential data through social engineering techniques, very likely posing a threat to the organization’s assets and reputation.[4] The “hacker university” allows amateur hackers to learn advanced types of cybercrimes through the courses offered by the university, likely increasing the number of crimes and diversifying their targets.[5] The “destroy an individual’s business” service will very likely target small companies as these organizations will likely be unable to cope with the large amount of phishing emails and scam calls. However, training and information-sharing methods used by public sector and law enforcement agencies are very likely not enough to tackle the challenges the dark web poses.
The dark web's anonymity enables the government to prevent malicious actors from deciphering their communication and protect its operations using encrypted sites and messaging systems.[6] However, hackers will almost certainly leverage this anonymity to protect their identity while conducting attacks, almost certainly making it difficult for law enforcement to identify and prosecute attackers. If law enforcement cannot track the hacker's online interaction, authorities will likely possess evidence of what the attacker did but no way of charging the individual.
The dark web is the hidden set of Internet sites that can only be accessed through a specialized web browser, the TOR.[7] The dark web’s size, expansion, and anonymity almost certainly promotes the creation of new communication channels that will likely harvest new cybersecurity threats for governments and private organizations. Law enforcement agencies and businesses will likely be unable to identify new modified versions of ransomware and advanced RATs due to their lack of awareness of the various communication channels on the dark web and the rapid pace at which these threats develop. Competitiveness between cybercriminals, due to the lucrative business of cybercrime, will almost certainly encourage innovation of new threats by reinventing and expanding the services cybercriminals offer, such as more advanced versions of ransomware-as-a-service or malware-as-a-service to increase profits. To remain undetected, malicious actors will very likely use hidden communication channels to develop and promote these services.
“Business fullz” are packets of information that contain an individual’s background report, full name, bank account numbers, and Employee Identification Number (EIN); they can be bought for $35-65 USD by a cybercriminal to impersonate corporate officers.[8] Access to an employee’s network will almost certainly allow malicious actors to steal company and employee data, posing a direct threat to the organization’s assets and reputation. Hackers will likely use this information to demand ransom from the victims, very likely posing a financial burden on the organization or individual. Cybercriminals will likely use social engineering techniques, like spear phishing, to ensure that their targets are unaware of their intentions. Social engineering includes manipulation techniques that exploit human error to gain private information, combining observation and information gathering, to lure unsuspecting users into exposing data or giving access to restricted systems.[9] Hackers will very likely choose impersonation as they can target both employees and businesses, increasing the amount of data gathered and their revenue.
New threats from the dark web like “Business Fullz”, the “Hacker University” or “Destroy a business-as-a-service” are posing security risks to businesses.[10] An unknown cybercriminal group has created the “Hacker University,” where users can access courses on how to conduct cyber attacks for $125 USD, like ransomware “exploit kits” which contain tutorials that allow malicious actors to exploit known vulnerabilities of an organization’s systems.[11] This will almost certainly allow users without technical knowledge or previous experience in hacking to obtain information on how to conduct cyber attacks like ransomware, phishing, or malware attacks. The courses will very likely increase the number of cybercriminals and cybercrimes. Cybercriminals will likely develop variations of these services, like ransomware-as-a-service, to differentiate themselves from other hackers and demand a higher price of their services. Companies and individuals are unlikely to possess the proper methods to detect and deter these new sophisticated cyber attacks.
Hackers are offering to “destroy an individual’s business” by conducting spam email campaigns, making scam phone calls, and shipping unwanted items to businesses for $185 USD.[12] This will very likely pose a financial strain on small companies as they will likely be unable to deal with phishing emails or a large volume of unwanted calls. If an employee clicks on an infected file or website link in a phishing email, malicious actors will almost certainly access the organization’s network. By accessing the data on the organization’s networks, hackers will likely send phishing emails to access the employee’s personal network. Small organizations very likely lack the resources to deal with these threats, like effective anti-spam software or training for employees to detect these threats. Employees are very likely unaware of or lack the proper training to detect phishing campaigns or malicious files. However, training is very likely not enough to tackle the challenges the dark web poses as the detection of these threats is very likely difficult because of the lack of data of the dark web’s traffic. Cybercriminals will almost certainly continue to commit illicit activities on the dark web leading to the innovation of more sophisticated cybercrimes due to the extended time hackers have communicated in hidden channels if law enforcement agencies do not detect these threats. Malicious actors will very likely create new hidden communication channels to reinforce criminal cooperation to share techniques and tactics to produce improvements in existing cybercrime threats.
Law enforcement agencies should employ inter-agency cooperation and new techniques, like Open-Source Intelligence (OSINT) tools like TorBot, which will very likely be effective for detecting the threats and activities carried out on the dark web which would likely assist in prosecuting cybercriminals. TorBot collects open data from “.onion” domains on the dark web with the help of algorithms.[13] Law enforcement should engage in inter-agency information sharing to fill the information gaps and develop a well-rounded response to the dark web’s threats. This information will very likely be obtained from user-generated contact, forum interaction, or social media platforms.
The Counterterrorism Group (CTG) and the Counterintelligence and Cyber (CICYBER) Team will continue to monitor existing and new threats on the dark web as cybercrime activity is published and detected. The CICYBER Team will continue to collect and analyze data on the dark web activity to detect early threats and potential attacks. The CTG’s Worldwide Analysis of Threats, Crime, and Hazards (W.A.T.C.H.) Officers will remain vigilant to cyber threats that occur on the dark web and public channels by monitoring global events 24/7 and producing relevant reports. CTG will provide threat investigations by conducting threat and risk assessments to properly assess the scope of potential threats.
[1] “Wiki Dark Web” by AvantyCZ licensed under CC BY-SA 4.0
[2] Threat Intelligence Uncovers Alarming New Threats on the Dark Web, Rack Space, June 2021, https://www.rackspace.com/solve/threat-intelligence-uncovers-alarming-new-threats-dark-web
[3] Ibid
[4] Ibid
[5] Ibid
[6] Taking on the Dark Web: Law Enforcement Experts ID Investigative Needs, National Institute of Justice, June 2020, https://nij.ojp.gov/topics/articles/taking-dark-web-law-enforcement-experts-id-investigative-needs
[7] Qué es la Deep Web y la Dark Web, Kaspersky, https://www.kaspersky.es/resource-center/threats/deep-web (Translated by Marina Tovar)
[8] Threat Intelligence Uncovers Alarming New Threats on the Dark Web, Rack Space, June 2021, https://www.rackspace.com/solve/threat-intelligence-uncovers-alarming-new-threats-dark-web
[9] What is Social Engineering?, Kaspersky, https://usa.kaspersky.com/resource-center/definitions/what-is-social-engineering
[10] Dark Web hacking tools: Phishing kits, exploits, DDoS for hire and more, Infosec, August 2021 https://resources.infosecinstitute.com/topic/dark-web-hacking-tools-phishing-kits-exploits-ddos-for-hire-and-more/
[11] Threat Intelligence Uncovers Alarming New Threats on the Dark Web, Rack Space, June 2021, https://www.rackspace.com/solve/threat-intelligence-uncovers-alarming-new-threats-dark-web
[12] Ibid
[13] TorBot – Herramienta de OSINT para la Dark Web, Derecho de la red, November 2020, https://derechodelared.com/torbot-herramienta-osint-dark-web/ (Translated by Marina Tovar)