In Project Cumulus, our latest investigative report, the Bitglass research team scoured the Dark Web for sites where hackers traffic in identities and cloud application user credentials. On the Dark Web, like elsewhere on the internet, several large communities exist. A key difference, however, is that much illicit activity takes place on these hidden sites. We uncovered a handful of communities in which hackers openly shared tactics for accessing account credentials, using stolen data, and purchasing tools to mask their identities to avoid getting caught. We collected a few of the most notable conversations and remarks from these hacker communities.
These comments from around the Dark Web suggest that a number of hackers aren't familiar with the core technologies that enable these sorts of breaches, and that a great deal of illicit activity takes place on the Dark Web.
Even Novice Hackers Use Tor
One of the first individuals our team encountered on the Dark Web was a hacker looking for advice on how to use the "phished" Google Apps credentials without getting caught. Others quickly chimed in, suggesting that Tor was not sufficient for accessing bank data and encouraged the novice hacker to purchase a VPN service with cryptocurrency and use that in conjunction with Tor to further mask their identity.
Novice hackers across the Dark Web were often confused as to the purposes of Tor, PGP, and other technologies key to accessing stolen data securely. These novice hackers were frequently warned of the dangers of illegal activity without the appropriate protective measures, with many citing the Computer Fraud and Misuse Act as a reason to avoid downloads or logins. Interestingly, these words of caution weren't much of a deterrent, as many continued on to access and download the data anyway.
Credit Cards and Bank Access
As part of Project Cumulus, the Bitglass research team included several real credit card numbers in the victim's Google Drive, which drove a number of conversations around the best ways to make use of this data. While most considered selling the files to individuals with domain-specific knowledge, others who successfully accessed the Google Drive asked about the best way to write credit card numbers. The community was quick to reply with suggestions on the best card writers to use and the data needed to create a functional card. Those interested in accessing files belonging to the fictitious bank were told to use a "disposable" computer on a public WiFi network. One hacker even suggested a banking trojan, said to be key to bypassing typical bank security measures.
Is the Dark Web Run From Student Basements?
One of the Dark Web sites we uncovered, a popular hub of criminal activity, was inactive days after we found it. Unlike the surface web, URLs on the Dark Web are difficult to pinpoint. After a few days offline, the site came back up with a long note from the owner, supposedly a college student, who explained that the host server was set up in his bedroom. While this is just one example, not representative of all Dark Web sites, it goes to show that some Tor-based hosts and exit nodes are not necessarily run by individuals with malicious intent.
Overall, the Dark Web is a mix of both well-educated, professional hackers and moonlighting novices with very little in the way of expertise or knowledge. Interestingly, the latter seem more than willing to take risks in hopes of a big pay day. Not entirely unlike bricks-and-mortar criminals.