Author: Josh Fruhlinger / Source: CSO AU
The “dark web” is a phrase strikes an ominous tone, conveying an impression of a marketplace where anything is for sale: hacking tools, weapons, drugs, child pornography, even freelance assassination services. And according to experts we spoke to, all of that’s still true. But something has changed in the way the dark web does business. If there was a time when venturing online to buy these illegal items was like taking your life in your hands in a dark alley, today the experience in quite different.
Take drugs, just as an example category. “The best analogy I can give for the expanse of dark web drug offerings is that it would be like walking into a major supermarket for the first time having only ever shopped at a corner store,” says Emily Wilson, director of analysis at Terbium Labs. “Almost anything you want is available from a huge host of vendors—all of whom are competing to assure buyers that their product is the freshest, purest, safest, most readily assured high available. People like to compare and contrast their experiences in detailed write-ups, and the vendors are incentivized to develop loyalty: ‘Check out this freebie of my new product,’ or ‘Hey, sorry about the slow shipping—I threw in a little extra for you.'”
And it’s not just drugs where the dark web has gone corporate. It’s happening across the board—and what most of the experts we spoke to wanted to talk about was especially the various hacking and shadowy technology services available. In hearing the details, it’s hard to avoid the realization that the various criminals on the dark web are taking their cues from the practices of corporate IT.
And just as with corporate IT, the illicit offerings from the dark web span from code that buyers have to implement themselves to turnkey solutions and consulting services.
Products: Malicious code for sale, with instructions
Exploits and attack code can be devilishly complex to discover or build from scratch. The dark web provides a marketplace that connects programmers with the needed skills with those with motivations to unleash them. Idol Wulkan, intelligence team lead at IntSights, points to several malware packages for sale on the dark web, including Dr0p1t-Framework, a trojan that downloads other malware, and the Silent Word exploit, which converts a malicious .EXE file into an innocent-seeming .DOC.
Buyers of these exploits don’t need to be master hackers themselves. “If you have relatively little technical knowledge,” says John Shier, senior security expert at Sophos, “there are guides on how to spread your malware, and also phishing and carding tutorials.”
Services: No need to do it yourself
But just as many enterprises no longer build or even deploy their own in-house tools, so too do many criminals outsource the deployment of their misdeeds. Even if you’re sick of the endless “-as-a-service” acronyms in IT (Software-, Infrastructure-, Platform-), you’ll need add another one: RaaS, or ransomware-as-a-service.
“RaaS providers give their customers fully functional ransomware with a dashboard to track victims and support services should they need it,” says Shier. “In exchange, the authors of the RaaS portal ask for either a percentage of the ransom or a flat fee. The only thing left is for the customer to distribute the ransomware, possibly using the services of a spammer purchased separately or by doing it themselves using the knowledge they gained from the tutorials.” And if you…
Click here to read more