A new report from cyberthreat intelligence company Cybersixgill sees threat actors swarming to digital bazaars to collaborate, buy and sell malware and credentials.
Threat actors are consolidating their use of encrypted messaging platforms, initial access brokers and generative AI models, according to security firm Cybersixgill's new report, The State of the Cybercrime Underground 2023. This report notes this is lowering the barriers to entry into cybercrime and "streamlining the weaponization and execution of ransomware attacks."
The study is built upon 10 million posts on encrypted platforms and other kinds of data dredged up from the deep, dark and clear web. Brad Liggett, director of threat intel, North America, at Cybersixgill, defined those terms:
- Clear web: Any site that is accessible via a regular browser and not needing special encryption to access (e.g., CNN.com, ESPN.com, WhiteHouse.gov).
- Deep web: Sites that are unindexed by search engines, or sites that are gated and have restricted access.
- Dark web: Sites that are only accessible using encrypted tunneling protocols such as Tor (the onion router browser), ZeroNet and I2P.
"What we're collecting in the channels across these platforms are messages," he said. "Much like if you are in a group text with friends/family, these channels are live chat groups."
Tor is popular among malefactors for the same reason it is valuable to dissidents: It gives people trapped in repressive regimes a way to get information to the outside world, said Daniel Thanos, vice president and head of Arctic Wolf Labs.
"Because it's a federated, peer-to-peer routing system, fully encrypted, you can have hidden websites, and unless you know the address, you're not going to get access," he said. "And the way it's routed, it's virtually impossible to track someone."
Cybercriminals use encrypted messaging platforms to collaborate, communicate and trade tools, stolen data and services partly because they offer automated functionalities that make them an ideal launchpad for cyberattacks. However, the Cybersixgill study suggests the number of threat actors is decreasing and concentrating on a handful of platforms.
Between 2019 and 2020, data that Cybersixgill collected reflected a massive surge in use of encrypted messaging platforms, with the total number of collected items increasing by 730%. In the firm's 2020-2021 analysis, this number increased by 338%, and then just 23% in 2022 to some 1.9 billion items collected from messaging platforms.
"When considering workflow activity, it's quicker and easier to browse through channels on the messaging platforms rather than needing to log in to various forums, and read through posts, etc.," said Liggett.
Across the dark web onion sites, the total number of forum posts and replies decreased by 13% between 2021 and 2022, dropping from over 91.7 million to around 79.1 million. The number of threat actors actively participating in top forums also declined slightly, according to the report.
The 10 largest cybercrime forums averaged 165,390 monthly users in 2021, which dropped by 4% to 158,813 in 2022. However, posts on those 10 sites grew by nearly 28%, meaning the forums' participants became more active.
The study said that, in the past, most threat actors conducted their operations on the dark web alone, while in recent years there's been migration to deep-web encrypted messaging platforms.
Cybercriminals favor deep web platforms because of their relative ease of use versus Tor, which requires more technical skills. "Across easily-accessible platforms, chats and channels, threat actors collaborate and communicate, trading tools, stolen data and services in an illicit network that operates in parallel to its dark web equivalent," said the study.
"People tend to communicate in real-time across these platforms," said Liggett. "Forums and marketplaces in the dark web are notorious for not always having a high level of uptime. They sometimes end up going offline after a period of time, or as we've seen recently have been seized by law enforcement and government agencies," he said, noting that one such platform, RaidForums, was taken down in 2022, and BreachedForums just a couple weeks ago.
(Score: 3, Insightful) by Gaaark on Wednesday April 19, @04:28PM (5 children)
To me, Deep web and Dark web need to be switched.
An unindexed gated or restricted site has gone 'dark', a site that is only accessible by unusual methods is 'deep'.
Just my quibble.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by krishnoid on Wednesday April 19, @04:45PM
"Most cybercriminals do their work out in the open, public web. But in the deep, dark web ..."
"Which is it, the deep web, or the dark web? Ugh, be precise."
"See? This is why I hate writing technology thrillers."
(Score: 3, Interesting) by Rosco P. Coltrane on Wednesday April 19, @04:59PM
Those definitions stopped making sense 20 years ago when "online apps" - in the sense of shit that gets downloaded and executed by your browser for matching shit running on a server to talk to - generating dynamic, context-dependent, unindexable content came about. In fact, you could even argue old-style cgis already qualified.
By that token, your Facebook account, your online banking site, Microsoft Office Online, your Amazon personal account... is "deep web". It is, but not in the nefarious sense implied by the stupid article - although arguably it can be, as demonstrated by sketchy, lying targeted political campaigns on Facebook of which no trace remains that could be used to sue someone over for manipulating the election.
All there is now is "the web" and whatever is left indexable - and most surely indexed - for the purpose of finding an entry point to the cloud app you want to access or selling stuff, which is a tiny minority of the web.
(Score: 2) by krishnoid on Wednesday April 19, @05:02PM
That's how they know they can let you in! If it's gated/restricted, and you refer to it precisely as a 'deep' web site, then they know you're legit! Or an undercover agent. Huh.
(Score: 3, Insightful) by cykros on Wednesday April 19, @05:49PM
I wouldn't worry about it -- the news is just going to mangle the words until they no longer mean anything anyway. But at least they'll tell us all about hackers, who are all evil criminals.
(Score: 0) by Anonymous Coward on Thursday April 20, @10:51AM
A little .org site I help run for engineering students is password protected -- because it contains test data that was expensive to obtain. Members of an informal consortium pay a fixed fee to join and get access. Fees collected are put toward measuring more data (testing is contracted to a commercial test lab).
It's not Dark or Deep--to gain access is easy, but you do have to pay.
How about calling this part of the "Private Web"?
(Score: 3, Touché) by Opportunist on Wednesday April 19, @05:03PM (1 child)
I.e. a pointless discussion about terminology to distract from the actual topic?
(Score: 0) by Anonymous Coward on Wednesday April 19, @08:22PM
What do you mean pointless? There is a distinct difference between the two. At least there is to me. One is my misspent youth during the late 80's and 90's and the other one is well "hackers".