The Case for Taking Down Dark Web Sites

Taking Down Dark Web Sites May Cause Headache for Both the Bad Guys and the Good Guys

Ever since the first dark web monitoring services became available, around 2005, consumers of such services often asked – why aren’t these websites being taken down? After all, the sites that comprise the dark web are platforms and tools for illegal activities.

The answer, which used to satisfy most, was that these sites are intelligence sources and taking them down means that the criminals will congregate somewhere else, somewhere that may not be known to those who monitor them.

These sites are intelligence sources for both law enforcement and security vendors, without them there is less intelligence to prevent fraud, recover credentials, and reveal the true identity of criminals.

It’s law enforcement’s main goal to apprehend criminals, and considering it takes time to build a case of evidence, dark web boards can be a treasure trove of leads and relevant data for a case, one that keeps growing as criminals post new content. It makes sense for them not to touch a board until they are ready to make their move and apprehend the bigger players on a certain site, usually an international operation involving multiple local agencies.

For security vendors, it’s just operationally expensive – if a site goes down, it may come back somewhere else in a different board format, which means the vendor will have to develop new crawlers. Alternatively, it may now be protected by a new bot detection service, which will have to be circumvented, or worse – not come back at all.

These are all good reasons, supporting the notion that dark web monitoring should be performed with the smallest disruption as possible. However, there is a case to be made for adopting the other strategy – disrupt the dark web as much as possible – and it seems that unlike the early days of dark web monitoring, it is not one that is discussed at all.

So why, despite all the reasons above, should we consider trying to take down dark web sites? To answer that, we first need to talk about what the dark web is.

Sites on the dark web, specifically the part focused on cybercrime, consist of three main types – forums, marketplaces and tools.

These three types are essentially variants of the same thing – facilitating the trade of items and services between criminals. As pulling off attacks or scams can be a complex matter that requires understanding in multiple areas (for example, launching a Phishing attack requires knowledge of coding, obtaining a webhosting server, spamming, etc.), instead of learning everything on their own, criminals go to these resources to fill in their gaps. This is done either by purchasing a missing tool or partnering with someone else. In other words, the dark web’s main contribution, as a whole, to the criminal ecosystem is its ability to dramatically lower the bar of entry to cybercrime.

Don’t know how to code a ransomware? Not a problem, you can just buy one in the dark web from someone who does. You’re a hacker with access to compromised credentials but don’t know how to use them? Not a problem, through the dark web you can sell them off to those who do.

Access to the dark web means the ability for many unsophisticated individuals to enter and participate in the world of cybercrime – and the majority of the criminals are indeed that – technically unsophisticated. Without the access to the tools and services provided in the dark web, they could not launch attacks on their own, or will have to resort only to basic ones such as 419 scams.

This is the driving force behind the strategy of taking down dark web sites – they are not just intelligence sources to security vendors and law enforcement, they’re also sources for criminals. Take away those sources, and they will either have to find another platform to fill their gaps or they will have to remain constrained only to low-level attacks that they know how to fully perform on their own. 

There is another question that is pivotal to this discussion – is it even feasible? We all know that most dark web sites are using TOR to mask their location or are hosted on bulletproof hosting services. Can we even take them down if we wanted to? The bad news is that we will never be able to fully take down the dark web, or even a large proportion of it. The good news is, that we don’t have to in order to see the strategy’s positive effects.

Just like the denizens of the dark web vary in sophistication, so are the sites that are part of it. There are forums that are clearly reserved only to the elite criminals in that world, hosted on secure bulletproof hosting service that will never adhere to any takedown requests. However, there are many forums that are catering to the more upstarting fraudsters. These are often characterized with a lot of freebies such as free stolen credit card credentials and more of a business-only approach. These sites are not necessarily hosted in hosting services that will ignore takedown requests, but instead are hidden behind anti-DDoS services that hide the host’s IP address. The most popular anti-DDoS services are legitimate companies, located in Western countries.

It is not just about forums – many sites on the dark web are automated vending carts for compromised credit card credentials, or compromised accounts. Criminals can purchase these credentials from the site completely automatically, 24×7. Account checking and credit card checking tools are also widely available. Most of these are not hosted on TOR and their location could be reached following an investigation. 

In most likelihood, applying this strategy will start a new arms race with the criminals – most sites that would be taken down will pop up somewhere else, with better location masking, on TOR or hosted on a bulletproof hosting service. However, this means that over time the dark web will consolidate to specific hosting locations and IP masking methods, which would make it easier to target as a group. Furthermore, one must remember that when a community goes down, even if it pops back up again, it may not be the same again – they’ll have to round up their existing users and get them to use the new site, that is assuming they kept a decent backup of their data, otherwise they’ll have to start everything again from scratch.

The suggested strategy is one that probably will not be subscribed to by law enforcement, who need and want their time to investigate, or security vendors. However, one must remember that while law enforcement’s work is important, it never really shook up the criminal ecosystem as a whole and the current strategy of how the dark web is being monitored mainly benefits the large organizations that can subscribe to intelligence services.

Taking down dark web sites may cause headache for both the bad guys and the good guys, but it can also have a profound positive effect on the fight against cybercrime as a whole, for all organizations, as it can take many criminals or would-be criminals out of the equation. 

RelatedDemystifying the Dark Web and Mitigating Risks

RelatedStudy Finds Rampant Sale of SSL/TLS Certificates on Dark Web 

RelatedKeeping it on the Down Low on the Dark Web 

view counter

Idan Aharoni is the Co-Founder & CEO of threat intelligence provider IntelFinder. He is a cyber security and intelligence veteran, with over 15 years of experience developing and managing cyber intelligence operations. In 2019, Idan received a “Legends of Fraud” award for his role in creating one of the world’s first fraud intelligence services, which monitored the Dark Web on behalf of financial institutions worldwide, as part of his work as Head of Cyber Intelligence at RSA, The Security Division of EMC.

Previous Columns by Idan Aharoni:
Tags:

http://feedproxy.google.com/~r/Securityweek/~3/G9-7fkmPZGE/case-taking-down-dark-web-sites