What’s behind the surge in people hiring hackers on the dark web? What type of systems are they targeting and who is at risk? We rummage through the dark web for answers.
Hiding on the Dark Web
If you know where to look you can find a hacker-for-hire who’ll happily take your money in exchange for committing cybercrimes for you. There are many places on the dark web where hackers advertise their dubious services. These hacking forums and dark web marketplaces have existed for many years. They’re hardly new. What is new is the sudden increase in postings from people looking for hackers to do their dirty work for them.
Getting onto the dark web isn’t too difficult. You just need to use the right tools. The dark web is made up of a series of overlay networks called darknets. These piggyback on the regular internet infrastructure but use their own set of protocols and routing nodes known as relays. Darknet web addresses have unusual suffixes like “.onion” and “.i2p.”
Darknets give you two cool superpowers: anonymity and invisibility. Darknet protocols are encrypted so no one can see your internet traffic, and darknet routing nodes employ other tricks to make back-tracing and identifying your IP address virtually impossible.
Like most things, a darknet is neither good nor bad per se. There are many non-criminal users of darknets, too. Dissidents in repressive regimes use them to communicate with the rest of the world. Whistleblowers, activists, and even the military use darknets for legitimate reasons. Many newspapers maintain a dark web portal so anonymous sources can protect their identity while they deliver stories and tip-offs. It’s the anonymity of darknets that makes them such attractive haunts for criminals of all types.
Searching for Hackers
The Tor browser will get you as far as the Tor darknet. Used together with a Virtual Private Network (VPN), it cloaks your real identity about as well as it can be cloaked. So you’re on the darknet. Now what? There’s nothing like Google for the dark web. You can’t search for where you want to go. You need to know the web address of the marketplace or site that you intend to visit.
Getting to grips with the Tor browser, VPNs, and “.onion” sites is achievable—with a bit of determination—for most moderately internet-savvy people. Locating a forum or marketplace where hackers-for-hire advertise their availability and expertise shouldn’t be beyond them either. The real difficulty is knowing which posts are scams.
How do you know the hacker—if they are even a hacker at all—won’t simply take your money and do nothing? And how does the hacker know you’re not law enforcement trying to entrap them? That’s the problem with doing dodgy deals in the digital equivalent of a back alley at night. How do you know you’ve found a criminal you can trust? It’s quite the oxymoron.
But even if the majority of posts promoting hacking services are scams, the rest are real. There are escrow services available on darknets. They hold the money for a deal until both sides agree that the business has been completed. But whether or not some proportion of posts by hackers are scams, that doesn’t explain the upturn in posts from potential customers looking for hackers.
Customers part with money, they don’t ask for it. So they have nothing to gain by being fake. Law enforcement agencies use more subtle strategies to try to dupe hackers. A fake advert from a prospective customer is far too blunt an instrument to have much hope of success.
The Pandemic Strikes Again
A report by Positive Technologies suggests that about 90 percent of posts are by customers looking for hackers, and about 7 percent are by hackers looking for commissions. Since March 2020 they’ve seen the number of posts from customers rise and rise. Around 70 percent of inquiries are looking for hackers to attack websites.
The pandemic triggered a widespread and rapid change to working from home. Remote access, web portals, and Software-as-a-Service were suddenly hot topics for organizations that had never had to provide—nor contend with the security of—this type of service and extended IT estate.
Cybercriminals are opportunistic and nimble. They can exploit new trends almost as fast as the trends appear. If the corporate online world has become larger—and in haste—they’re not going to pass that up. They’ll look for ways to exploit it. If they have the skills, that is. Because of the availability of attack software and malware kits, it is easy for even the low-skilled to commit cybercrimes.
The lowest tier of cybercriminals, however, has neither the knowledge nor the skills to discover vulnerabilities or to create their own exploits. But if they can get someone else to gain access to a website or network, they can then step in and take control from that point. It’s the obvious way for the lower-tier threat actors to commit crimes that—end to end—are much too complex for them.
They simply contract out the hard parts. It’s the end result that counts. And the easiest way to that end result is always going to be the preferred route.
Websites are a prime target. They often hold databases of email addresses and passwords. These can be used to access the accounts on the compromised website, but they’re also perfect for feeding into credential stuffing software for brute force attacks on other websites. The database may hold other information that makes identity theft a possibility, or it might hold credit card details or other payment details. This information can be used by the threat actor for further cybercrime or it can be sold on the dark web.
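The credential-stuffing pattern described above, where a stolen username/password list is replayed against another site, is visible in that site’s own authentication logs: one source address cycling through many different usernames in a short span, with the occasional success marking an account whose password was reused. The following is an added example, not code from the article; it runs a simple sliding-window detector over a handful of constructed log lines in an assumed `timestamp ip username OK|FAIL` format and reports the accounts that actually logged in, which are the ones a responder would want to reset first.

```python
"""Spot credential-stuffing activity in web authentication logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in an assumed "ISO-timestamp source-ip username outcome"
# format; they are not from any real server. 203.0.113.7 replays six different
# usernames in eight seconds (one succeeds), 198.51.100.3 is one user mistyping a
# password, and 192.0.2.44 is too slow to fall inside a single five-minute window.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 203.0.113.7 alice FAIL
2021-03-01T10:00:03Z 203.0.113.7 bob FAIL
2021-03-01T10:00:04Z 203.0.113.7 carol FAIL
2021-03-01T10:00:06Z 203.0.113.7 dave FAIL
2021-03-01T10:00:07Z 203.0.113.7 erin OK
2021-03-01T10:00:09Z 203.0.113.7 frank FAIL
2021-03-01T10:02:10Z 198.51.100.3 grace FAIL
2021-03-01T10:02:25Z 198.51.100.3 grace FAIL
2021-03-01T10:02:40Z 198.51.100.3 grace OK
2021-03-01T10:05:00Z 192.0.2.44 heidi FAIL
2021-03-01T10:20:00Z 192.0.2.44 ivan FAIL
2021-03-01T10:40:00Z 192.0.2.44 judy FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<ip>\S+) (?P<user>\S+) (?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, ip, user, result); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["result"]


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that tried at least `min_users` distinct usernames within any `window`.

    Both successes and failures count as attempts: a stuffing run is defined by the
    spread of usernames, not by failing. Returns {ip: {"users": [...], "hits": [...]}}
    where "users" is the densest window's distinct usernames and "hits" the usernames
    that logged in successfully from that IP (accounts to reset).
    """
    events = defaultdict(list)  # ip -> [(ts, user, result)]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, ip, user, result = parsed
            events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order; tuples sort by timestamp first
        best = set()
        start = 0
        # Slide a time window over this IP's attempts and keep the widest username spread.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users_in_window = {u for _, u, _ in evs[start:end + 1]}
            if len(users_in_window) > len(best):
                best = users_in_window
        if len(best) >= min_users:
            hits = sorted({u for _, u, r in evs if r == "OK"})
            flagged[ip] = {"users": sorted(best), "hits": hits}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['users'])} usernames in one window; "
              f"successful logins: {info['hits']}")
```

The thresholds are deliberately conservative: a legitimate user retrying one account never widens the username spread, so the single-user retries from 198.51.100.3 stay below the bar no matter how many times they fail. On a real deployment the window and `min_users` would be tuned against normal traffic, and the same spread-of-usernames logic can be applied per network block to catch runs spread across a few neighbouring addresses.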
The website may be compromised with malicious scripts such as keystroke recorders to catch credit card details and other sensitive information. If the website is hosted on a server connected to the corporate network it could be used as a stepping-stone to the corporate infrastructure.
The other reason is that websites tend to be an easy nut to crack. A report from 2020 showed that 50 percent of websites have 4 or more critical vulnerabilities. These are documented flaws that the threat actors know about and for which there are off-the-shelf exploits. In other words, 50 percent of websites aren’t closed and secure, they’re wide open.
As depressing as that thought is, it’s actually an improvement on the previous year. In general, the figure is falling every year, probably because organizations are starting to listen to the general cybersecurity message.
Following these steps will help prevent you from falling victim to an off-the-shelf hacker:
- Probe Your Own Defenses: Before the threat actors do it for you, conduct penetration testing on your websites and portals and act on the findings. Perform the required remediation, and repeat the testing until you have driven down your susceptibility to acceptable levels.
- Set a Frequency for Penetration Testing: How frequently you need to repeat the penetration testing should be based on your budget and the risk and impact of a successful attack. Annually, biannually, and quarterly are common testing cycles.
- Pay Attention to Custom Software: If you have custom software running on your website pay special attention to the architecture, platforms, and frameworks that it makes use of. These underlying technologies need to be patched and kept up to date, just like your operating systems and other software.
- Consider a Web Application Firewall: A web application firewall sits between the outside world and your website. It analyzes all HTTP/S traffic arriving at your website and filters out malicious activity.
- Don’t Forget the Basics: Good cyber hygiene should be maintained. Encrypt databases, use robust passwords for web administration accounts, and patch frequently and thoroughly.