The dark web is a bustling place, and many people from many walks of life utilize it daily. Some people use the dark web for legitimate purposes, like journalists in countries with strict censorship laws, government and military agencies or cybersecurity researchers. Only approximately 6.7% of global users use the dark web for illicit activities such as sharing malware, distributing child abuse content, or selling illegal substances or weapons. Of course, many regular dark web users are selling dangerous, stolen or illegal items and are also engaged in cybercrime. Learning more about who uses the dark web can help security professionals better defend businesses against threats.

What does the dark web look like these days?

The internet as we know it has three distinct layers, and the dark web is by far the smallest:

1. The surface web is what most of us access in our regular, day-to-day activities. It is available to the general public using standard search engines. The shopping sites, social media platforms, streaming services, news organizations and other websites people commonly visit are on the surface web. It can be accessed using standard web browsers without special configuration, such as Mozilla Firefox, Microsoft Edge and Google Chrome. The surface web seems vast, but it is, in fact, just about 4% of the overall web.
2. The deep web is the largest portion of the web. It is not indexed or searchable by ordinary search engines. Accessing these websites or services requires a specific URL or IP address. Some sites are part of the deep web because they block search engines from identifying them or do not use common top-level domains (TLD). Sites on the deep web are often used to store data and content in databases supporting services like social media sites, insurance companies or banks. The deep web is 400 to 500 times the size of the surface web.
3. The dark web is a less accessible subset of the deep web that relies on peer-to-peer connections. Specialized software or tools are required to access the dark web. The Tor browser is the most widely used method of accessing the dark web, but other communications platforms like Signal can also be used. The dark web percentage in the total space of the deep web is approximately 0.01%.

What are the most popular ways for dark web users to log on?

Over two million users access the Tor platform daily. While many of them use it for legitimate purposes, like getting around censorship, many others use Tor for nefarious purposes. One-quarter of the world’s population has used the Tor browser to connect to the dark web at some point. Tor users connect to the dark web in two ways:

1. Bridge: A bridge is a private server in the Tor network that can access blocked clients, often in combination with pluggable transports, that registers itself with the bridge authority. This connection method is often chosen in countries that regulate or suppress internet access. The three countries from which users most frequently connect to Tor this way are Iran, Russia and the United States.
2. Relay: A relay is a publicly listed server in the Tor network that forwards traffic on behalf of clients and registers itself with the directory authorities. This is the most common way for someone to connect to Tor.

Who are the major cybercrime players on the dark web?

The dark web is constantly evolving and growing, as is the technology that powers the wide variety of cyberattacks that emanate from the dark web. An estimated 30,000 hidden websites exist on the dark web. Cybercrime and its related industries are booming sectors, and unlike many of the world’s economies, the dark web economy is strong and growing. All sorts of nefarious characters are dark web users, and a wide array of shady goods and services are sold on dark web sites, exchanged on dark web forums, peddled in the marketplaces or deposited in data dumps.

Here are some of the major cybercrime players on the dark web:

• Hackers of all sorts retail their goods and services.
• Malicious employees of companies dealing in passwords or information.
• Initial access brokers sell access to compromised networks.
• Specialists offering Cybercrime-as-a-Service (CaaS), including Ransomware-as-a-Service (RaaS) and Phishing-as-a-Service (PhaaS) practitioners.
• Cybercrime gangs, like ransomware groups, recruit affiliates to join their crime network and conduct cyberattacks.
• Hacktivists, like Anonymous, release data obtained from organizations or governments that they oppose politically or morally.
• Nation-state threat actors and advanced persistent threat (APT) groups conduct operations that fund their activities or harm other nations.

How can I protect my organization from dark web threats?

It pays for businesses to take smart precautions against dark web threats. It’s an essential part of any organization’s defensive strategy because it enables IT teams to find out about their users’ compromised credentials quickly (before dark web users who are cybercriminals do). With dark web threat intelligence, IT professionals gain an edge against dark web exposure threats that helps them act to protect the organization immediately, reducing its chance of a cyberattack. A dark web monitoring solution can monitor credentials in various configurations typically customized to fit your organization’s needs.

Common types of credentials that can be monitored include:

• Employee credentials.
• Privileged user credentials.
• Personal credentials.
• Domains.
• IP addresses.
• Sensitive personal email addresses of executives.
• Privileged users’ email addresses.

Source: ID Agent