CIO

The Dark Web: explored and ignored

By David Sykes, Sophos

For most of us, the dark web is a mysterious entity: we know it exists, but not how or why it works. Yet 33% of Australian businesses fell victim to financial fraud in the last year alone, and the dark web played a leading role in making this all too easy for cyber criminals. In fact, the ready availability and accessibility of this type of information makes it simple for criminals to become involved.

 
Large organised groups, operating at a range of levels, rely on the dark web for information. However, the vast majority of criminals now operate on a much smaller scale or alone. With the amount of data available on the dark web increasing, laws are struggling to keep up and make every kind of activity on it illegal, so smaller operations can act without too much fear of getting caught.
 
On a daily basis, we as consumers share our personal details, whether it’s accessing the local ATM, scanning a driver’s licence at a nightclub or sharing our credit card details when paying bills online. Unfortunately, this is a hacker’s paradise when it comes to accessing personal data that can easily be sold on the dark web.
 
Financial fraud products and services are among the most popular purchases. Criminals called ‘carders’ will gather card details, via phishing, skimming or hacking, and sell the information on. The stolen ‘dump’ of card details will then be up for sale on the dark web - and that’s only the beginning.
 
Purchasing the dump is a method of laundering money. Vendors purchase bitcoins with stolen money, then purchase stolen card information with the bitcoins. From there, they can buy whatever goods they like with the stolen cards and resell the goods for bitcoins. It’s a vicious cycle.
 
The sheer amount of data available has given rise to its own grading system, which uses elements including freshness (how new the data is), validity (how much data is known), demographics (of the victim) and location to determine the value of the dump.
 
Most countries, Australia included, fall victim to the dark web and struggle to ensure laws are keeping up with cybercrime. In many instances, it’s against the law to use the exploits mentioned above, but it isn’t illegal to sell manuals describing how to use the exploits. With guides available to purchase, it isn’t surprising that there’s a rise in individual criminals who might purchase skimming machine tutorials and training to further develop their malicious skills.
 
The dark web has put a spotlight on the type of data that criminals are looking to gather, much of which consumers give out freely, day in, day out. Businesses haven’t necessarily invested in protecting their data, and a lack of mandatory disclosure laws in the past meant that they weren’t obliged to share any breaches. However, as the Privacy Amendment (Notifiable Data Breaches) Bill 2016 is due to come into effect this year, there will be an expectation to remain alert to phishing attempts, which should result in a reduction of data breaches.