The Deep and Dark Web

Introduction

In my previous blog post, I briefly touched on the topic of the deep and dark web. After constant harassment, my peers have convinced me to write another blog post covering it.

First, a little bit on the history of the Internet. An experimental computer network known as the Advanced Research Projects Agency Network (ARPANET) was developed in the 1960s. It was mainly used for academic reasons and the desire to share information over a long range. However, the military picked it up and started using it during the Cold War. The U.S. military funded the further development of it to link computers at Pentagon-funded research institutions over telephone lines. In the 1970s, students from Stanford University used ARPANET to sell marijuana to students at the Massachusetts Institute of Technology (MIT), thus making the first ever e-commerce transaction in history – selling drugs. I promise I am not making this up, The Guardian did a news release detailing this.

As ARPANET was still open to civilian access and the military needed a network to send sensitive information, they decided to fund the development of another network. Thus, MILNET was born and used solely by the military, leaving ARPANET for civilian use such as drug selling university students. The ARPANET eventually became the Internet everyone is using now, and MILNET sort of became the deep and dark web.

Right, those are just fun facts. I’m starting to become a secondary school history teacher that has the power to make you fall asleep before entering class. Saying that, let’s move on to some slightly interesting stuff. I’ll admit, the title of this blog post is a little confusing, as it suggests that the deep and dark web are the same thing. Let me clear this up: they are two completely different things. I’ll have to start with the surface web, which I think will be the easiest to explain. Search engines like Google crawl and index websites and their pages. This is how Google learns about the existence of websites and is also partly how Google shows you search results when you do a search.

There are parts of the Internet that Google can’t get to and index, such as websites that are protected by a login portal, or webpages that are listed in the robots.txt file of a website. This is what we call the deep web. You should still be able to view the deep web, as long as you have the right access to it. The deep web is just a part of the Internet that is protected by either authentication or authorization mechanisms. Side note: you shouldn’t fully rely on the robots.txt file to hide your webpages from Google. Although Google’s robots will respect the contents of robots.txt files and not visit the pages listed there, your webpages will still be indexed if another page references them.
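The side note above can be turned into a check on your own site. The following is an added example, not part of the original post: it reads a robots.txt and reports which "hidden" paths are actually protected and which are only hidden by the crawler's good manners. The robots.txt, the paths, the responses and the function name `audit_hidden_paths` are all constructed for illustration.

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical site (sample data, not from the post).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /reports/
Disallow: /drafts/
"""

# Constructed responses from our own site: path -> (HTTP status, headers).
RESPONSES = {
    "/admin/": (401, {"WWW-Authenticate": "Basic"}),
    "/reports/q3.html": (200, {"X-Robots-Tag": "noindex"}),
    "/drafts/launch.html": (200, {}),
    "/blog/": (200, {}),
}


def audit_hidden_paths(robots_txt, responses, agent="Googlebot"):
    """Classify every path that robots.txt tries to hide from `agent`."""
    parser = RobotFileParser()
    parser.parse(robots_txt.splitlines())
    findings = {}
    for path, (status, headers) in responses.items():
        if parser.can_fetch(agent, path):
            continue  # crawlable, so robots.txt is not being used to hide it
        tag = {k.lower(): v.lower() for k, v in headers.items()}.get("x-robots-tag", "")
        if status in (401, 403):
            # Access control does the hiding; robots.txt only reveals the path name.
            findings[path] = "protected"
        elif "noindex" in tag:
            # A crawler that obeys Disallow never fetches the page, so it never
            # sees this header; the URL can still be indexed from inbound links.
            findings[path] = "noindex-unreadable"
        else:
            # Anyone with the URL gets the content; a link elsewhere can index it.
            findings[path] = "exposed"
    return findings


if __name__ == "__main__":
    for path, verdict in audit_hidden_paths(ROBOTS_TXT, RESPONSES).items():
        print(f"{verdict:20} {path}")
```

Anything reported as "exposed" or "noindex-unreadable" needs authentication, or needs its Disallow rule removed so the crawler can read the noindex directive.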

As for the dark web, you’ll need some special tools in order to get to it; we’ll talk about this in later sections. Instead of the typical “.com” or “.my” URLs, the addresses of dark web sites, sometimes also called onion sites, end with “.onion”. You could probably try and guess a website name on the surface web if you know the organization name, such as “jjopentester.com”, but the URLs for onion sites are pure gibberish, such as “zqktlwi4fecvo6ri.onion”. This is to provide anonymity to the onion site, where no one can effectively guess the URL. This 3-tier Internet can be illustrated in the image below.

The Night is Dark and Full of Secrets

I know that it was a lengthy introduction, but it was the shortest I could make it. I skipped through a lot of boring stuff, and I’m glad that it’s over. Introductions aside, what kind of stuff can you find on the dark web? This really depends on your imagination. The dark web has been a part of the Internet that served the purpose of maintaining anonymity for its users. People across the globe with varying cultures, opinions and most importantly purposes have been using the dark web for more than half a decade now. It can have a lot of weird stuff on it. Here is a list of things that I have come across in the past:

  • Account details (PayPal, Banks, PornHub, etc)
  • Child pornography
  • Counterfeit money
  • Debit / Credit cards
  • Drugs
  • Guns
  • Guns for hire
  • Hackers for hire
  • Personal details
  • Terrorism
  • Whistleblowing sites

Navigating the surface web is straightforward: you use Google. Navigating the dark web is somewhat similar. It has search engines too, and some of the popular ones are:

Ahmia @ http://msydqstlz2kzerdg.onion
DuckDuckGo @ https://3g2upl4pq6kufc4m.onion
Torch @ http://xmh57jrknzkhv6y3Is3ubitzfqnkrwxhopf5aygthi7d6rplyvk3noyd.onion
NotEvil @ http://hss3uro2hsxfogfq.onion

If you are just starting out with surfing the dark web, a good place to start would be the hidden wiki. This wiki page will have some beginner’s material that can keep you occupied for a long time.

Most criminals surf the dark web because they have something they want to buy or sell. This brings up the topic of marketplaces, where people perform transactions with cryptocurrency, mainly Bitcoins. Thanks to the existence of Bitcoin and other cryptocurrencies, the marketplaces have flourished. Other than the physical exchange of goods, all other parts of the transactions are pretty much kept anonymous with no real feasible way of tracking where the payment went.

As the process of performing a transaction is highly anonymous, it is really difficult for law enforcement to take action and make arrests. Other than the physical exchange of goods, the authorities won’t really have tangible evidence to make a solid case to support their arrests. This is also why the infamous SilkRoad marketplace could operate so widely. SilkRoad was no stranger to law enforcement. It first surfaced back in 2011 as a marketplace that mainly sold drugs, but it also included ammunition and murder-for-hire services later in its lifetime. SilkRoad was eventually taken down by the feds following the arrest of its founder in 2013. In my opinion, it wasn’t an easy task as the marketplace caught the eye of most agencies in the U.S. and eventually investigations were launched by the FBI, DEA, DHS, IRS, U.S. Postal Inspection, U.S. Secret Service, and the Bureau of Alcohol, Tobacco, Firearms and Explosives. Crazy right? When the feds made the arrest, they also seized Bitcoins worth up to 28 million USD.

Although drugs are commonly found on the dark web, financial services such as counterfeit money, hacked bank or PayPal accounts as well as debit or credit cards are also commonly found on marketplaces. You can buy currencies or bank accounts/cards with a lower amount of money. For example, you buy 150 USD with 0.000087 Bitcoins (0.000087 in Bitcoins was 100 USD at the time of writing), meaning you still earn 50 USD. Sounds too good to be true? That’s because it’s counterfeit money, meaning it’s fake, and some of the notes are so real that they could pass the ultraviolet light test. Some sellers even advertise selling accounts that have up to 20000 USD for only 20 USD.

Saying all of that, most of the marketplaces are fake. They are mostly set up by law enforcement as honeypot onion sites to catch people breaking the law. The real bad guys understand that law enforcement is trying to catch them, and because of this, they mostly operate on an invitation-only basis. Just like how real life works, you won’t be able to take part in those juicy transactions unless you know someone that is already part of that marketplace.

Not all onion sites are used to do bad things. News organizations commonly use whistleblower sites to gather information from the general public. This offers a win-win situation where the identity of whistleblowers is kept anonymous, whilst the press gets all the juicy information. Although we are living in the year 2020, many countries still do not have freedom of speech. Citizens would have to rely on the dark web to stay anonymous and communicate with the outside world.

How Dark Does It Get?

Sounds like the dark web is a messed up place to be huh? That’s not even the start of it. I tend to joke around with many things, attempting to add humor into what I say from day to day; but please be aware that the dark web has a lot of weird stuff on it. Some you need a strong stomach for, and some will violate your principles. I came across things that made me literally need to step away from my workstation and get some fresh air. So think again when you’re accessing the hidden onion sites.

How dark can the dark web get? I mentioned a list of things I have come across in earlier sections of the blog post, including terrorism. Before going into details, I need to clarify that I don’t know whether these things that I came across are true, but I literally felt sick after seeing them. There were videos and pictures of terrorists decapitating victims as part of their publicity stunts. Yes, just like the ones you saw in action movies, except these ones were not blurred out. In extreme cases, they even wrote a diary-like post of what their past operations included. Although it doesn’t surprise me that terrorists have evolved into using the dark web for communication, the contents that I saw and read were too much for me. I did not explore further and kept my distance from topics like this ever since.

Other really dark things like child pornography are also common on the dark web. It’s not my cup of tea, so I tend to steer away from anything even remotely related to them.

Accessing the Dark Web

Your standard web browsers like Chrome, Edge and Safari will be able to get to the surface web. In order to access the dark web, you will need a special browser. There are a lot of options out there, but the easiest way to access the dark web is via the TOR network. Using the TOR browser, sometimes also called the onion router, you will be able to access and navigate the dark web freely. It is as simple as that, but how safe is it? Well, I wouldn’t say that surfing the dark web is a dangerous thing to do. You’ll be fine as long as you know what you are doing. There are some things that you definitely should not do whilst surfing the dark web if you want to stay safe. Here are some, but not all, of the things that a standard Joe or Jane should avoid:

  • Use your actual personal details
  • Download and run anything
  • Engage in any illegal activities or transactions
  • Enter any credentials
  • Talk to strangers – Yes, even if they offer you candy, or credit card details in this case

Just a note on entering credentials. If you really want to set up an account on a forum or marketplace, make sure it is a newly created account and the credentials do not relate to or resemble any of your real-life accounts.

If you have a look around, you would probably realize that the dark web sites are messy, chaotic and highly unpredictable. Well, this is what you get when the environment is not moderated. Onion sites you are able to visit now may not exist in a few days’ time. Marketplaces operated by scammers can easily shut their onion sites down and set up shop under another alias just to avoid being caught by their victims. This creates a highly dynamic environment, making them extremely difficult to keep track of. It is worth the visit if you can tolerate the lousy performance, unstable availability, and the occasional stomach-turning contents. However, we here at JJO Pentesters are required to monitor the dark web due to the threat intelligence service we offer. This will allow us to stay on top of what kind of information is out there, what kind of things blackhat hackers are up to, and most importantly, allow us to perform threat analysis for our clients.

Conclusion

All of this may look like information used purely to conduct illegal activities. So how does this relate to a penetration test? Blackhat hackers tend to go straight to the dark web to sell information they have compromised. That means that your personal data could already be available on dark web marketplaces. This poses a significant level of risk to yourself as a high value target, or a risk to your organization if any one of your employees has their information floating around on the dark web.

This is where threat analysis comes in, which we can aid with the threat intelligence service we offer. As part of the many things we do, we will scour the dark web to identify and report anything that could cause you or your organization harm. If you are interested in finding out more, please do not hesitate to get in touch with us! Our team of specialists will be more than happy to aid you in securing your organization and its data.

Due to the potentially sensitive nature of how the dark web gets, I would like to wrap this blog post up by stressing that anything you do with the knowledge you learnt here is your own responsibility. Stay safe out there!

6 Responses

  1. Quality posts is the main to invite the viewers to go to see the website, that’s what this web site is providing.

  2. Very nice post. I just stumbled upon your weblog and wished to say that I have really loved surfing around your blog posts.

    In any case I’ll be subscribing on your feed and I’m hoping you write again very soon!

  3. What’s Going down i’m new to this, I stumbled upon this I have discovered
    It absolutely useful and it has aided me out loads.
    I hope to give a contribution & aid other customers like its helped me.
    Great job.
