Billions of searches take place on the surface web every day. Synonymous with Google, this part of the web is indexed by search engines. Try searching your name and you’ll likely be met with thousands if not millions of results, a few of which are familiar to you – your social media profiles, bio on your employer’s website, mentions in the news. The surface, or “clear” web, is only the tip of the iceberg, as vast as it may seem. In fact, it makes up only 4% of the entire World Wide Web. A much larger chunk of the web, the deep web, lies beneath the surface and is not indexed by search engines – but it is still just as important for security professionals to monitor.
What sort of information is rarely available on the surface web? Medical records, bank account information, and so much more. This deep web content is not indexed because it is password protected, sits behind a form, or exists in very high volume (e.g., tweets), among other reasons. Parts of the deep web are commonly used and just as mundane as the surface. It is a bit of a misnomer to refer to the deep web as “hidden”, but you do need to know where the information is located, because Google will not help you to discover it. If you have ever signed into your email, for instance, you’ve browsed the deep web. A subset of the deep web, the dark web, is notorious as a clandestine haven for crime (think: Silk Road), but this is not entirely the case. ProPublica, The New York Times and even Facebook all have onion sites. Yes, onion – I’ll cover this shortly.
It is true, however, that the anonymized and encrypted nature of the dark web lends itself to criminal activity. Virtual currency, such as Bitcoin, is widely used alongside other cryptocurrencies due to its almost anonymous nature. In all my years monitoring these underground communities, I’ve seen everything from drugs to weapons to large data sets amassed from breaches, being bought, sold, and traded.
To access the dark web, you must download a browser that anonymizes your communications, such as Tor. Tor and other dark web networks make it difficult to trace a user’s internet activity, thus masking their traffic. The original technology behind Tor, also known as “onion routing”, was actually developed by the United States Navy and, to this day, nearly half of its funding comes from the U.S. government.
In the wake of COVID-19, cybercrime has increased. A September 2020 Microsoft report found that the first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019, with threat actors leveraging the security gaps that come with remote workforces. Further, the volume of dark web users also surged during this lockdown period. An increase in cybercrime and dark web users is a formula that keeps security professionals up at night.
As scary as it may seem, there’s a good chance you have had – or currently have – personally identifiable information (PII) that has been exposed or is for sale on the dark web. It is not an exaggeration to say that millions of accounts are compromised every year, and billions of exposed credentials continue to circulate in underground communities. My firm’s 2020 Breach Report found that there were more than 18 billion raw identity records being passed around through these underground marketplaces. Threat actors will use this information, which can be found on forums and private channels, to compile digital profiles of citizens and businesses, fueling a host of identity-based attacks. Sometimes, PII is sold, but just as often, it is leaked.
A fact people often find funny is that these dark markets run very much like a business. People can leave reviews for websites, report scams to the community, and even correspond with customer support. The average prices for different identity record types vary by country, type of account, etc., but in 2019, we found that social security numbers went for roughly $67; passports around $53; driver’s licenses about $48; credit cards nearly $41; and tax IDs were just under $29.
Despite the vast amount of data already circulating on the dark web, all is not lost. To safeguard your identity and information, the first and simplest step you can take is to stop reusing credentials. Everyone seems to understand that reusing passwords is bad, but, according to a recent LastPass survey, most people do it anyway. Only changing a character or two among your various passwords isn’t enough. Use unique, complex passwords for all accounts (a password manager can help), and implement multi-factor authentication when possible. If you suspect your credentials have been compromised, reset your password to render the data obsolete. Include as little personal information about yourself online as possible, and, when filling out forms, only put down what is required (e.g., if an address or phone number isn’t mandatory, don’t list it). Finally, err on the side of caution when browsing the web – don’t visit suspicious sites or click on sketchy links/attachments.
Businesses need to prevent their information from getting into the wild with enhanced security measures and cyber awareness training. Once sensitive information is exposed, which is almost an inevitability at this point, it is important to implement processes and tools to swiftly get alerted. The sooner organizations and individuals know about the breach, reset credentials, and lock down networks, the less damage occurs. Simply put, the deep and dark web is just as important to monitor as the indexed web.