Hacker hands with binary codes on monitor showing the dark web

Beneath the Surface: Monitoring the Deep and Dark Web

We are all familiar with the web that Google shows us – the “visible” surface web that is indexed by search engines. When you search for your own name on Google, you’re likely met with results that are familiar to you, including social media profiles, your bio on your employer’s website, and maybe a few local media clippings if you’ve been interviewed by the press. As vast as it may seem, with millions of results for even just a simple search of your name, the surface web actually only makes up about 4% of the entire web. Just like an iceberg, there is a much larger part of the web, the deep web, that is beneath the surface and not indexed. This means search engines cannot “crawl” this information (think: paywalled content, bank account information, medical records, etc.). You cannot locate it with a simple Google search. Enterprises focus much of their attention on the surface web, and rightfully so, because these results make up your company’s public presence. However, monitoring the hidden corners of the internet is just as if not more important for risk professionals.

The deep web has many common uses, so perhaps it is not exactly hidden, but it does require a password or additional security measure to gain access. The infamous dark web – or dark net – a subset of the deep web, is more commonly associated with nefarious activities, and you must use a specific browser, such as Tor, to access this underground ecosystem. While web browsers typically reveal a user’s IP address, Tor and other dark web networks hide this information, thus masking the identity of the users. Interestingly enough, the original technology behind Tor, also known as onion routing, was developed by the United States Navy “and has received about 60% of its funding from the State Department and Department of Defense.”

What goes on in the dark web?

In recent years, the amount of cybercrime has continued to rise, especially in underground markets. This is increasingly true in the wake of COVID-19. Data has suggested that the first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019, with cyber criminals taking advantage of the cybersecurity gaps that accompany remote workforces. The formula is quite simple: the lower the barriers to entry (in other words, you do not need advanced computer skills or sophisticated tools to access the dark web) coupled with more data and infrastructure will result in more and more cybercrimes.

This is not to say everything that takes place in the dark web is illicit – Facebook, BBC, and The New York Times all have onion sites, for instance – but the anonymized and encrypted nature of this hidden corner of the internet lends itself to criminal activity, ranging from buying, selling, and trading (via cryptocurrency) drugs to weapons to large data sets amassed from breaches.

More than likely, you, a colleague of yours, or a family member has personally identifiable information (PII) that is either exposed or for sale on the dark web right now. Millions of accounts are compromised in data breaches every year and billions of exposed credentials continue to circulate and re-circulate in underground communities. In my firm’s 2020 Breach Report, we found that there were more than 18 billion raw identity records being passed around through these underground marketplaces. Threat actors will sell or leak this information onto forums and private channels, and, alarmingly, are able to compile digital profiles of citizens and businesses, fueling a host of identity-based attacks, including Account Takeover (ATO), Business Email Compromise (BEC) and sophisticated Social Engineering (SE) attacks.

This doesn’t just mean that criminals are trying to hack into your bank account to drain the balance or use your credit card for an online purchase. Using social engineering techniques, bad actors can now use compromised data to develop nearly indistinguishable identities from their true owners – deceiving others in their networks. This is increasingly troublesome when you consider that many are continuing to work from home during the COVID-19 pandemic. With more correspondence taking place digitally, you might not think twice if you get an email that appears to come from your boss asking you to authorize a payment to a supplier, when in reality it may actually be a sophisticated cyber criminal impersonating your executive.

Underground marketplaces run very much like a business, to the point where people can even leave reviews for websites, similar to an Amazon review. You can also report scams to the admin or community in some markets so that they may ban the seller or buyer. Identity records get sold in chatrooms, hacking sites, forums, you name it – and the average prices for different identity record types vary by country, type of account, etc. My firm found that in 2019, social security numbers went for around $67; passports were roughly $53; drivers licenses were $48; credit cards were $40.80; and tax IDs were $28.75.

Tips to protect data

Despite the vast amount of data already circulating on the dark web, there are still actions you can, and should, take to safeguard your identity and information. First and foremost, password reuse exacerbates the proliferation of exposed credentials. Identity records exposed from one breach can be reused to compromise completely separate accounts through credential stuffing attacks. This happens when criminals attempt to log into different platforms using the same stolen credentials, hoping the users don’t have unique passwords across their accounts. So, even if your organization has an excellent security posture, a single employee’s breached information makes for an easy entry point for cybercrime if they don’t update their credentials after the breach. This puts the entire organization’s reputation and finances at risk and goes beyond their employer to potentially others in their business’ supply chain. Human error can be costly.

People must use unique, complex passwords for all their accounts, both work and personal, and use a password manager to safely keep track of them all. Multi-factor authentication, when possible, provides an added layer of protection as well. Enable automatic software updates and be sure to back up your data in case it does get pilfered. When you suspect your credentials could have been compromised, updating them will immediately make the data obsolete. Do not provide personal information if it is not mandatory; many forms request your address, phone number, etc., but only fill out the minimum information that is required. Lastly, practice internet awareness; always err on the side of caution and only visit sites you trust. If an email or website asks you for personal information and threatens punishment for a lack of compliance, it is wise to be suspicious.

At an enterprise level, companies need to do a better job of either preventing their information from getting into the wild or having an early warning system that enables them to secure their networks as soon as it does. This means businesses have processes and tools in place that swiftly alerts them when their sensitive information — credentials, documents, intellectual property — is exposed. The sooner organizations and individuals know about the breach, change credentials, and lock down networks, the less damage occurs. No single service can parse through the entire dark web but knowing where to look in this space is key.

The sooner you know about the exposure of your sensitive data, change credentials, and lock down networks, the less damage occurs. #cybersecurity #respectdataClick to Tweet

In the context of onboarding, due diligence, and risk rating for potential new customers, it can be  immensely valuable for an enterprise to know at the earliest point in time if a company has data floating around the deep and dark web. For anti-money laundering (AML) transaction monitoring, the ability to automatically populate and update electronic case filing with information about parties involved in transaction can make for an easy and efficient investigation. The examples could go on and on. Simply put, the deep and dark web is just as important to monitor as the indexed web and social – keep pace with constantly evolving threat actors by looking beneath the surface.


VP of Risk Protection at Constella Intelligence