[BreachExchange] Taking Down Dark Web Sites May Cause Headache for Both the Bad Guys and the Good Guys

[Destry Winant]

https://www.securityweek.com/case-taking-down-dark-web-sites

Ever since the first dark web monitoring services became available,
around 2005, consumers of such services often asked – why aren’t these
websites being taken down? After all, the sites that comprise the dark
web are platforms and tools for illegal activities.

The answer, which used to satisfy most, was that these sites are
intelligence sources and taking them down means that the criminals
will congregate somewhere else, somewhere that may not be known to
those who monitor them.

These sites are intelligence sources for both law enforcement and
security vendors, without them there is less intelligence to prevent
fraud, recover credentials, and reveal the true identity of criminals.

It’s law enforcement’s main goal to apprehend criminals, and
considering it takes time to build a case of evidence, dark web boards
can be a treasure trove of leads and relevant data for a case, one
that keeps growing as criminals post new content. It makes sense for
them not to touch a board until they are ready to make their move and
apprehend the bigger players on a certain site, usually an
international operation involving multiple local agencies.

For security vendors, it’s just operationally expensive – if a site
goes down, it may come back somewhere else in a different board
format, which means the vendor will have to develop new crawlers.
Alternatively, it may now be protected by a new bot detection service,
which will have to be circumvented, or worse – not come back at all.

These are all good reasons, supporting the notion that dark web
monitoring should be performed with the smallest disruption as
possible. However, there is a case to be made for adopting the other
strategy – disrupt the dark web as much as possible – and it seems
that unlike the early days of dark web monitoring, it is not one that
is discussed at all.

So why, despite all the reasons above, should we consider trying to
take down dark web sites? To answer that, we first need to talk about
what the dark web is.

Sites on the dark web, specifically the part focused on cybercrime,
consist of three main types – forums, marketplaces and tools.

These three types are essentially variants of the same thing –
facilitating the trade of items and services between criminals. As
pulling off attacks or scams can be a complex matter that requires
understanding in multiple areas (for example, launching a Phishing
attack requires knowledge of coding, obtaining a webhosting server,
spamming, etc.), instead of learning everything on their own,
criminals go to these resources to fill in their gaps. This is done
either by purchasing a missing tool or partnering with someone else.
In other words, the dark web’s main contribution, as a whole, to the
criminal ecosystem is its ability to dramatically lower the bar of
entry to cybercrime.

Don’t know how to code a ransomware? Not a problem, you can just buy
one in the dark web from someone who does. You’re a hacker with access
to compromised credentials but don’t know how to use them? Not a
problem, through the dark web you can sell them off to those who do.

Access to the dark web means the ability for many unsophisticated
individuals to enter and participate in the world of cybercrime – and
the majority of the criminals are indeed that – technically
unsophisticated. Without the access to the tools and services provided
in the dark web, they could not launch attacks on their own, or will
have to resort only to basic ones such as 419 scams.

This is the driving force behind the strategy of taking down dark web
sites – they are not just intelligence sources to security vendors and
law enforcement, they’re also sources for criminals. Take away those
sources, and they will either have to find another platform to fill
their gaps or they will have to remain constrained only to low-level
attacks that they know how to fully perform on their own.

There is another question that is pivotal to this discussion – is it
even feasible? We all know that most dark web sites are using TOR to
mask their location or are hosted on bulletproof hosting services. Can
we even take them down if we wanted to? The bad news is that we will
never be able to fully take down the dark web, or even a large
proportion of it. The good news is, that we don’t have to in order to
see the strategy’s positive effects.

Just like the denizens of the dark web vary in sophistication, so are
the sites that are part of it. There are forums that are clearly
reserved only to the elite criminals in that world, hosted on secure
bulletproof hosting service that will never adhere to any takedown
requests. However, there are many forums that are catering to the more
upstarting fraudsters. These are often characterized with a lot of
freebies such as free stolen credit card credentials and more of a
business-only approach. These sites are not necessarily hosted in
hosting services that will ignore takedown requests, but instead are
hidden behind anti-DDoS services that hide the host’s IP address. The
most popular anti-DDoS services are legitimate companies, located in
Western countries.

It is not just about forums – many sites on the dark web are automated
vending carts for compromised credit card credentials, or compromised
accounts. Criminals can purchase these credentials from the site
completely automatically, 24x7. Account checking and credit card
checking tools are also widely available. Most of these are not hosted
on TOR and their location could be reached following an investigation.

In most likelihood, applying this strategy will start a new arms race
with the criminals – most sites that would be taken down will pop up
somewhere else, with better location masking, on TOR or hosted on a
bulletproof hosting service. However, this means that over time the
dark web will consolidate to specific hosting locations and IP masking
methods, which would make it easier to target as a group. Furthermore,
one must remember that when a community goes down, even if it pops
back up again, it may not be the same again – they’ll have to round up
their existing users and get them to use the new site, that is
assuming they kept a decent backup of their data, otherwise they’ll
have to start everything again from scratch.

The suggested strategy is one that probably will not be subscribed to
by law enforcement, who need and want their time to investigate, or
security vendors. However, one must remember that while law
enforcement’s work is important, it never really shook up the criminal
ecosystem as a whole and the current strategy of how the dark web is
being monitored mainly benefits the large organizations that can
subscribe to intelligence services.

Taking down dark web sites may cause headache for both the bad guys
and the good guys, but it can also have a profound positive effect on
the fight against cybercrime as a whole, for all organizations, as it
can take many criminals or would-be criminals out of the equation.