What we see when we browse the web is just the tip of the iceberg. Hidden below the surface, accessible only by the Tor browser, exists a marketplace in which criminals can sell drugs, weapons and stolen data with relatively little surveillance.
But lawless does not mean rule-less. Research by cybersecurity company Trustwave shines a light into the web’s darkest corners, and in doing so reveals surprising patterns of behaviour among its criminal populace.
“The dark web and the underground communities are a lot more structured than what people may think,” says Trustwave’s vice president of SpiderLabs Security Research, Ziv Mador.
One example is recruiting bank insiders, which Mador says tend to be at Russian or Eastern European banks.
And the reasons for recruiting an insider vary. Sometimes it’s to gain access to information. Other times it’s to increase the withdrawal limits of stolen cards to allow criminals to withdraw as much as possible before the account is blocked.
For this service, recruiters are willing to pay up to ten times their legitimate salary – and that’s just for an hour of their time per day for a month.
But with high reward comes high risk, explains Mador:
“Not only may they lose their job, they may go to prison, they may lose their ability to work in the finance sector entirely for the rest of their lives.”
High risk, high reward
The entire process is open, and Mador describes the brazenness as “shocking”.
“Clearly, from the description of the jobs, these are illegal,” says Mador. “They’re not trying to hide that.”
Trustwave’s observations also reveal a “pretty good” correlation between the riskiness of the job and the reward.
Drug delivery drivers, for example, are offered five to eight times more than the highest paying driving jobs.
“This type of job involves very high risk,” says Mador. “If the police arrests that person he or she can spend many years in prison, so that’s why they reward them so well.”
For comparison, research shows that the most dangerous jobs in the legitimate world– agriculture, forestry and fishing – only pay marginally higher than the national average.
The dark web recruitment process
Most of the dark web recruitment process isn’t visible to Mador and his team because once a job is accepted, the parties move to a secure instant messaging service.
But what they can see shows similar market forces at play to the legitimate world’s recruitment process such as supply and demand.
However, the dark web also creates its own rules.
One such example is in jobs where the recruited person is handling a valuable commodity, such as drugs. Prospective employees are expected to pay a deposit equal or proportional to the value of the merchandise before they are sent the commodity.
Upon successful completion of the job, they receive their deposit back in addition to their pay.
“This concept doesn’t exist in the legit world,” says Mador. “That’s clearly done because the employer has to protect themselves from the scenario where the person will run away with drugs or with that merchandise.
“In the real world, of course, the company can sue the employee if that ever happens and the court will rule against the employee who will have to compensate the company.”
“But these guys obviously can’t go to court so they have to develop their own rules.”
Zero-day exploits: dark web gold
All of these rules were observed as a by-product from Trustwave’s primary research on malware being sold on black markets, which makes up a small but notable part of the dark web’s transactions.
Mobile malware can be purchased for as little as $150, commercial malware $2,500 and higher.
But the big bucks is in selling exploits that take advantage of a particular vulnerability in a system. Two years ago, the Trustwave team came across a person trying to sell a then-unknown zero-day exploit that was present in all versions of Windows. The price? $95,000.
“The vulnerability allowed what’s called lockout privilege escalation (LPE),” says Mador. “Let’s say someone runs the malware in a user account – a non-administrator account – by using that vulnerability and exploit, they will be able to escalate their privilege to an administrator account.”
Essentially, the exploit allows the hacker to do more with the infected device than they would be able to without it. They can impact “millions” of people every month.
After two weeks, the seller lowered the price to $85,000 then sold it. Trustwave reported this vulnerability to Microsoft to ensure the proper protection could be taken against it.
How escrow services are used during dark web recruitment
But what was most interesting about the transaction was steps the seller took to persuade buyers that the zero-day worked as advertised. In a community of criminals, how does the scammer ensure they don’t get scammed?
Step forward escrow services, a legal practice in which a third party keeps the commodity until the other party meets their end.
“In [dark web] escrow, it’s normally a respected criminal, sometimes the forum administrator. He gets the zero-day from the seller, he gets the money from the potential buyer,” says Mador.
“He then confirms that the zero-days works as advertised. And then, once confirmed, he sends the money to the seller and the zero-day information. So it’s a way to guarantee that people don’t get scammed.”
When Trustwave finds malware or exploit kits, they update their secure web gateways to block them.
But there are far too many incidents to report to the police case-by-case because there are “hundreds and hundreds of websites on the dark web selling drugs” and there are “many that sell guns, etc.”.
For more serious cases, Trustwave provides technical advice to law enforcement, typically in a few global cases a year.
“If they need our help, we do help,” says Mador. “They approach us, especially when it comes to investigating cyber threats.”
This article is from our sister cybersecurity publication, Verdict Encrypt. You can find more stories like this in issue 7 here: