Introduction To Dark Web
The Good Guys - Intelligence Gathering

It’s important to note that different countries will likely have different regulations and laws when it comes to accessing the dark web for different purposes, and you should always research any applicable legal content before conducting dark web operations to ensure that you are not prosecuted for illegal activity. Involve your legal team or a consultant, and make law enforcement aware of what you’re doing. The below is based on information from the US Department of Justice.

Legal Activities
• Organizations are able to ‘passively’ collect threat intelligence from dark web sources. This means ‘scraping’ publicly-accessible sources is permitted. Organizations can silently watch and listen to activity on the dark web, and record it for other purposes such as dissemination or for selling to clients.
• Access private dark web forums legally. This goes hand-in-hand with the above point – provided individuals can gain legitimate access to a forum, they are permitted to scrape the contents for later analysis or sharing. Legal access in this context means that the individual(s) need to be invited into the forum (typically achieved by creating a fake online persona and performing social-engineering attacks against forum staff) or by purchasing access.
• Masquerade as a criminal on forums, asking for advice from criminals or hackers in order to collect intelligence. This must be well documented so that law enforcement knows this is for legitimate purposes and not genuine criminal activity.

Illegal Activities
• Providing dark web forums or private site staff with illegal material in order to gain access or build trust, such as malware or personal information that could be used to conduct crimes.
• Accessing forums or private sites by brute-forcing account credentials, exploiting a vulnerability, using compromised credentials belonging to another user, or impersonating a real person.
• Assist individuals or parties in committing crimes by offering advice, information, money, or resources, as this makes you an accessory to any crimes that occur as a result.

Intelligence Gathering by Law Enforcement

It is common knowledge that law enforcement entities around the world monitor the dark web, infiltrate private sites and forums, and gather intelligence and evidence that can be used to prosecute criminals who hide behind the apparent anonymity provided by TOR and the dark web.

Below are some interesting cases where law enforcement has conducted large-scale operations within the dark web.

Operation Onymous
Silk Road was the largest and most well-known dark web marketplace, primarily used for the sale of illegal drugs around the world. The website launched in February 2011, but was shut down in October 2013 by the FBI who arrested the founder, Ross Ulbricht. In November, Silk Road 2.0 was raised by the team behind the original website. A year later the site was once again shut down by law enforcement as a part of “Operation Onymous”, a joint effort headed by the FBI and Europol to “address the problems of malware, botnet schemes, and illicit markets or darknets” (1). Police forces in 17 different countries were involved, and it is thought that around 27 sites were taken over, preventing illegal activities from continuing. Over $1,000,000 in bitcoin was retrieved, along with other assets including gold, silver, cash, and drugs.

Hansa Dark market Infiltration
• Hansa, similar to Silk Road, was previously the largest dark web marketplace in Europe, with 3600 dealers, 24,000 different drug-related products, and other miscellaneous sales of fake documents. As observed with Silk Road, when a marketplace is simply shut down by law enforcement, customers and traders simply move to one of the many other available sites. In the case of Hansa, in 2016 Dutch officers from the Netherlands National High Tech Crime Unit decided to infiltrate and take over a marketplace, rather than shut it off completely.
• Dutch investigators uncovered the identities of two Hansa administrators and gained access to both of their accounts, so they now had complete control over the site. In the following months, officers worked to uncover the identities of sellers and buyers by performing social engineering attacks, tricking users into opening files on their own systems which grabbed system information and geographical location and edited the site code to perform passive reconnaissance and collect information from site visitors.
• This operation was believed to be “one of the most successful blows against the dark web in its short history: millions of dollars' worth of confiscated bitcoins, more than a dozen arrests and counting of the site’s top drug dealers, and a vast database of Hansa user information that authorities say should haunt anyone who bought or sold on the site during its last month online”.

Intelligence Gathering by Threat Intelligence Company

Here are just a few things that security teams could benefit from Dark Web:
• Information about cyber-attacks that are being planned or launched in the near future – allows security teams to prepare.
• Information about malicious actors selling access to companies – this can allow security teams to identify the compromised accounts or systems and kick the attacker out.
• Information about malicious actors selling malware and hacking tools – this can provide valuable indicators that a security team can proactively block (such as file hashes).
• Data breach dumps typically end up on the dark web, either freely available or sold at an auction – being able to access the list of breached credentials can help organizations to identify if any of their corporate accounts were included, so they can reset the passwords and ensure no malicious actors can gain access.

Example Company - https://www.recordedfuture.com/

The Bad Guys - Insight into Illegal Sites

a screenshot of a REAL site on the dark web that is supposedly selling handguns in the UK. This site could be run by scammers, law enforcement, or worse – a legitimate site.

DO. NOT. SEARCH. FOR. SITES. LIKE. THESE.
• If you click on one wrong link and your browser loads explicit material, such as child pornography, you are accountable for it and can be prosecuted for viewing it.
• If you click on one wrong link your system can be infected with malware that can steal or encrypt your files, leading to 2nd stage attacks such as blackmail.

Whilst illegal marketplaces do operate in the dark web, there are a vast number of fake sites and stores. These can either be operated by scammers, looking to take money then disappear, or by law enforcement setting up sting operations to catch individuals that are purchasing illegal goods. Let’s walk through a mock scenario where a criminal in the UK is looking to buy a firearm.
Accessing the Dark Web

The Onion Router

The History of TOR
TOR was founded by individual researchers who worked at the US Naval Research Laboratory. David Goldschlag, Mike Reed, and Paul Syverson realized there was a distinct lack of internet security in the 1990s and saw how easy it was to perform surveillance, so they decided to find a solution that would work to protect the privacy of internet users. Their solution was onion routing.

The basic explanation for how onion routing works is that instead of traffic going from A > B it goes from A > C > J > K > B, and the traffic is encrypted at each part of the journey, making sure that it can’t be intercepted or sniffed during transit. This also meant that it was extremely difficult for B to identify where the request has come from (A).

For TOR to function, it needed a decentralized network – a large number of independently-owned servers (known as ‘nodes’) which worked together to form a network, which would later be named the ‘Tor network’. To make it accessible for new nodes to be created, in October 2002 the code for Tor was released as free and open-source software, and within a year there were 13 active Tor nodes.

The Electronic Frontier Foundation, a non-profit dedicated to defending civil liberties in the digital world, saw the importance of the Tor network in 2004 and began funding the work being completed by Roger Dingledine and Nick Mathewson. In 2006 they formed “The Tor Project, Inc”, a 501(c)3 non-profit organization, so they could receive funding in order to continue developing and maintaining Tor.

Tor Warning and Disclaimer

before attempting to access TOR, for your own safety:
• Understand that there is the potential for you to come across offensive or explicit content, and you should be prepared to deal with viewing it.
• As an unregulated part of the internet, there is an increased risk of criminals or hackers trying to steal your data, get you to download malware, or attack your system through the browser. Make sure all software is up-to-date or disabled, such as Flash Player and your browser. Do not click on any links or navigate to any sites if you do not know what they are.
• Ensure you have an updated operating system, including security updates and patches.
• Ensure you have an up-to-date anti-virus solution and it is running.
• We highly recommend that you use a VPN, then use the TOR browser.

Accessing Tor

When using TOR, your request is encrypted, sent to your ISP, then moves on to TOR nodes, systems that are used to bounce requests around. After a number of bounces, your request will be decrypted and sent to the intended destination so that it is impossible to track where the original request actually came from.

Tor download - https://www.torproject.org/

Browsing Activity

Below is a list of the sites that you need to find either using clear web or dark web search engines to find their current URLs, and then answer an additional question by visiting them using the TOR browser.

• What is the current URL for the CIA mirror website on the dark web?
http://ciadotgov4sjwlzihbbgxnqg3xiyrg7so2r2o3lt5wz5ypk4sxyjstad.onion/

• Visit the CIA mirror site and search for “Our Organization” on the “About” sub-menu. What is the first of the seven basic components of the CIA?
integrity; service; excellence; courage; teamwork; and stewardship

• What is the current URL for the ProPublica investigative journalism outlet?
https://www.propublica.org/
http://p53lf57qovyuvwsc6xnrppyply3vtqm7l6pcobkmyqsiofyeznfu5uqd.onion/

• On the ProPublica site, click on “About” at the top. Copy and paste the first sentence under the heading “The Mission”.
To expose abuses of power and betrayals of the public trust by government, business, and other institutions, using the moral force of investigative journalism to spur reform through the sustained spotlighting of wrongdoing.
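
The layered encryption described under "The Onion Router" and "Accessing Tor" above, as an added example (not part of the original slides and not Tor's code): the sender wraps a request in one layer per relay on the A > C > J > K > B path, and each relay strips its own layer and learns only its two neighbours. The XOR keystream, the key values and the one-byte next-hop header are assumptions made for illustration; Tor negotiates per-circuit keys and uses real ciphers.

```python
import hashlib

def keystream(key: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode); a stand-in, not Tor's real cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def xor_layer(key: bytes, data: bytes) -> bytes:
    # Adds or removes one layer: XOR with the keystream is its own inverse.
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))

def wrap(keys: dict, path: list, dest: str, payload: bytes) -> bytes:
    # Sender side: encrypt for the last relay first, so the first relay's
    # layer ends up outermost. Each layer carries only that relay's next hop.
    blob = payload
    for relay, nxt in reversed(list(zip(path, path[1:] + [dest]))):
        blob = xor_layer(keys[relay], bytes([len(nxt)]) + nxt.encode() + blob)
    return blob

def peel(key: bytes, blob: bytes):
    # Relay side: strip one layer and read the next-hop header it reveals.
    plain = xor_layer(key, blob)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def route(keys: dict, path: list, sender: str, blob: bytes):
    # Walk the circuit, recording the only two addresses each relay learns.
    seen, prev = [], sender
    for relay in path:
        nxt, blob = peel(keys[relay], blob)
        seen.append((relay, prev, nxt))
        prev = relay
    return seen, blob

# Constructed circuit for the A > C > J > K > B path; keys are made-up values.
KEYS = {"C": b"key-A-C", "J": b"key-A-J", "K": b"key-A-K"}
PATH = ["C", "J", "K"]
REQUEST = b"GET / HTTP/1.1\r\nHost: b.example\r\n\r\n"

if __name__ == "__main__":
    onion = wrap(KEYS, PATH, "B", REQUEST)
    views, delivered = route(KEYS, PATH, "A", onion)
    for relay, prev, nxt in views:
        print(f"{relay}: received from {prev}, forwards to {nxt}")
    print("K hands B the original request:", delivered == REQUEST)
```

Running it shows that C sees A but not B, K sees B but not A, and K forwards the request exactly as A wrote it, so protection on that last hop depends on the request itself (for example HTTPS).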
Challenge Scenario
Last month we were informed about a huge drug trafficking network that was taking place in
the UK through the TOR network. In response to this situation, we set to work and managed to
dismantle their main TOR marketplace to stop drugs from reaching the streets of the UK.
However, we were informed that one of the creators of this network managed to evade us and
is now continuing to carry out this type of activity. This is where you come in. We think we have
found the site that this individual uses to “tell their stories” regarding criminal activity.
We need you to find evidence that will allow us to identify this subject, relate it to drug
trafficking crimes, and bring them to justice. We know this is a difficult task, but we are
confident in your abilities, and we are sure that you will succeed.
1] Gain access to the site (Visit the URL, click on ‘Start Challenge’ button. When presented with
a login screen, right-click and select “Inspect Element”. Select the ‘Console’ tab and enter in the
command: generateUserCredentials(). Decode the answer, and you’re good to go!)
generateUserCredentials(){
  let ret='';
  usrs=["KF7ybuD1"];
  pswds=["AIyhfot0V9VIWm6W"];
  ret="USR:"+usrs[Math.floor(Math.random()*usrs.length)]+" , PASS: "+pswds[Math.floor(Math.random()*pswds.length)];
  cons…
siteusername1- Wousbacan
siteusername2- DarkChest984
Country: Germany
Country: United Kingdom
Date: 17/8/20XX
Date: 23/8/20XX
Date: 26/10/20XX
31st October
51°56'57.2"N 1°19'26.1"E
====
Authentic Swiftzerland's chocolate you're tired of not finding good chocolate? This post is for you.
Recreational Drugs Buying/Selling - Let the party begins! (Everything you wanna know about drug dealing)
Hey dude... wanna candy? (The real D king!) - Deliver the package, collect the money and live like a king!
BBB Organs for sale - Are you such an alcoholic that your kidney stopped working? Don't worry, we can get you a new one.
Love Scales (Reptile Sales) - We all love these little cute and beautiful reptiles, come and get one :3
KF7ybuD1 AIyhfot0V9VIWm6W
DarkChest984
-
26/10/20XX
Hexadecimal
31/10/20XX
51°56'57.2"N 1°19'26.1"E