Dark Web: An ever-more-comfortable haven for cyber criminals

Nobody expects the white hats of the IT world to be able to eliminate cyber crime entirely. But, according to McAfee Labs' Threats Report for the fourth quarter of 2013, the good guys are having a tough time even making life difficult for the bad guys.

According to the report, what was most notable during the quarter was not the stream of headlines about massive credit card data breaches affecting retailers like Target, Neiman Marcus, White Lodging, Harbor Freight Tools, Easton-Bell Sports and Michaels Stores. Instead, it was "how well the malware industry served its customers," who don't need much technical expertise to launch their attacks.

The Target malware was a customized version of BlackPOS, which McAfee described as "far from 'advanced.' The BlackPOS malware family is an 'off-the-shelf' exploit kit for sale that can easily be modified and redistributed with little programming skill or knowledge of malware functionality," the report said.

In short, all the attackers needed was criminal intent and a safe place to work, which is provided by the so-called "Dark Web." As Security Week put it, "cybercriminals are settling into a comfortable place in the 'Dark Web' where they test, refine and distribute malware for online thievery."

Vincent Weafer, senior vice president for McAfee Labs, said in a statement that the attacks "represent a coming of age for both Cybercrime-as-a-Service and the 'Dark Web' overall," which allows criminals to operate as easily as any other legitimate online business.

Indeed, experts agree that there is little hope that law enforcement can disrupt criminals on the Dark Web in any major way. Even the highly publicized shutdown last October of the online narcotics black market Silk Road came after it had been operating for two and a half years. And that was, by the FBI's own admission, because the alleged administrator of Silk Road, Ross William Ulbricht, made a "simple mistake."

The bust didn't do much to curb the market either. A month later, Silk Road 2.0 made its debut, with a similar line of illegal products.

In an interview last December, IDTheftSecurity CEO Robert Siciliano said the Dark Web is "exponentially larger than what everyday consumers have access to. The tools to search and navigate via Tor (The Onion Router) are getting better every day."

Raj Samani, EMEA CTO at McAfee, agreed, saying that a combination of better tools and better service means it no longer takes special skills to get into the business. The attacks "are enabled through cybercrime-as-a-service. In other words the ability to outsource products, tools and services to enable a cyberattack means the number of persons capable of conducting an attack is increasing," he said.

Ironically, Tor was "originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory ... for the primary purpose of protecting government communications," according to the Tor Project website.

It is favored by privacy advocates, who point to a number of its legitimate uses: journalists can communicate anonymously with whistleblowers and dissidents; employees of non-governmental organizations (NGOs) can connect to their home website from foreign countries without alerting the host government to their activities; corporations use it to protect their sensitive information from competitors; and it is generally seen as a way to protect domestic online civil liberties from government surveillance.

But, as has been widely reported -- increasingly in mainstream media as well as the IT trade press -- it is a haven for criminals.

While Tor "piggybacks over the same Internet as everybody else, it has its own little secret handshakes and requires end-to-end encryption to each site," said Kevin McAleavey, a malware expert and cofounder of the KNOS Project.

He said there have been a few attempts to index Tor sites, "but by and large they change with the wind direction. The really dodgy ones probably change their onion URLs multiple times per day."

McAleavey noted that Tor has been around for more than a decade (the first version was announced in 2002), but the scale of the criminal activity has spiked. "The only thing that's changed since 2006 -- even the malware has barely changed -- is that there's big money in hitting big places, so the kids are better financed now," he said. "The criminals are willing to pay far bigger rewards for zero-day attacks than the software companies. It's free enterprise -- pure supply and demand financing."

Still, while the McAfee report described the illicit activities on the Dark Web as "healthy and growing," enterprises are not entirely defenseless. Mario de Boer, research director, Security and Risk Management Strategies at Gartner for Technical Professionals, offered three recommendations.

Enterprises should not, "overspend on new technologies without understanding their efficacy and before optimizing their current security controls. Next, assess risks that are not addressed by your current technology stack. Then, balance additional protection with deeper monitoring capabilities and incident response," he said.

Samani said organizations have to move beyond the traditional approaches to capturing malware. "There are multiple ways that organizations can defend themselves -- whitelisting, sandboxing, etc.," he said. "So the innovation within the security industry is equally healthy and growing."

McAleavey said the notion that the Dark Web is "some immutable, impenetrable wall of doom ... is nonsense. Tor connections are suspicious to authorities simply because of the ports used and the encryption standing out like a lighthouse in the middle of the Pacific," he said.

But he agrees it is far more difficult to track down criminals using it, "because of the randomness, anonymity and most of all, the encryption."

To do that, he said, requires HUMINT (Human Intelligence). "It's just a matter of wasting a lot of time hanging out where the criminals or the Lulzboat people and 'carders' (people buying and selling credit card information) do."

Beyond that, he said an enterprise's anti-virus (AV) software should be able to monitor all attempts at incoming and outgoing connections. "If it ain't on the list of known and safe, then don't let it communicate. How hard a concept is that?"
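The default-deny rule McAleavey describes, as an added illustration that is not part of the original article: every outbound connection attempt is checked against a known-and-safe list of destinations, and anything not on it is blocked and queued per process for analyst review. The allowlist, hostnames, process names and connection records below are all constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# Constructed allowlist of known-and-safe (host, port) destinations.
ALLOWLIST = {
    ("updates.example-corp.internal", 443),
    ("mail.example-corp.internal", 993),
    ("crm.example-vendor.test", 443),
}

@dataclass(frozen=True)
class Attempt:
    process: str      # program that opened the socket
    dest_host: str    # hostname or IP literal the connection targets
    dest_port: int

def decide(attempt: Attempt) -> tuple[str, str]:
    """Default deny: allow only listed destinations, otherwise deny with a reason."""
    if (attempt.dest_host, attempt.dest_port) in ALLOWLIST:
        return "allow", "on known-and-safe list"
    try:
        ipaddress.ip_address(attempt.dest_host)
        return "deny", "unlisted raw IP destination"
    except ValueError:
        return "deny", "unlisted hostname"

def review_queue(attempts: list[Attempt]) -> dict[str, list[str]]:
    """Collect denied attempts per process so an analyst sees which program
    keeps reaching for unlisted destinations (and can tune the list)."""
    queue: dict[str, list[str]] = {}
    for a in attempts:
        verdict, reason = decide(a)
        if verdict == "deny":
            queue.setdefault(a.process, []).append(
                f"{a.dest_host}:{a.dest_port} ({reason})")
    return queue

# Constructed sample of connection attempts as an endpoint agent might record them.
SAMPLE = [
    Attempt("outlook.exe", "mail.example-corp.internal", 993),
    Attempt("svchost.exe", "updates.example-corp.internal", 443),
    Attempt("pos_agent.exe", "203.0.113.77", 8443),
    Attempt("pos_agent.exe", "drop.example-bad.test", 443),
    Attempt("chrome.exe", "crm.example-vendor.test", 443),
]

if __name__ == "__main__":
    for proc, items in review_queue(SAMPLE).items():
        print(proc, "->", "; ".join(items))
```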

But he and others agree that it may get worse before it gets better, and that the high-profile breaches at the end of last year may indeed just be the "tip of the iceberg."

"As long as consumers are able to pay by merely showing a sequence of numbers, and as long as that information is aggregated in POS terminals or, even better, in online transaction systems, these will be attacked," de Boer said.

"As long as security is a fight between convenience and lockdown, then it's not going to get any better," McAleavey added. "Especially now with all those abandoned XP machines out there or older. And same goes for those stuck with old versions of OSX that can't be upgraded because the hardware is obsolete."


Stories by Taylor Armerding
