This article first appeared in Digital Edge, The Edge Malaysia Weekly on October 18, 2021 - October 24, 2021
The dark web is often seen as a virtual back alley — a shady place where underground deals are made and criminal gangs plot their next heist. While most law-abiding citizens tend to steer clear of the dark web, the growing number of ransomware attacks and cybercriminal cases has made it far too dangerous to ignore.
According to a May report by Sophos, 59% of Malaysian firms are expected to experience ransomware attacks in the near future. Soon, business leaders may have no choice but to confront these criminals on their own turf, with the dark web being used to facilitate communications and ransomware transactions.
Despite its growing prevalence, local cybersecurity experts are worried that awareness of the dark web is still nascent among the Malaysian public. Hon Fun Ping, CEO of NetAssist (M) Sdn Bhd, estimates that seven in 10 Malaysians are unfamiliar with the dark web.
“I am in a dilemma about this. On the one hand, it is good for the public not to know about the dark web so they do not get curious and visit it unprepared, because it can be quite dangerous. If you access the dark web without sufficient knowledge, you may get compromised and become a target for criminals,” says Hon.
“On the other hand, [the public] needs to have at least a basic understanding of the dark web, because cybercriminal activities and the dark web are closely related.”
To move this conversation further, it is important to draw the distinction between the three levels of the internet — namely, the surface, deep and dark web.
The surface web, sometimes referred to as the clear net or light web, is the portion of the World Wide Web available to the general public that is searchable via standard web search engines. It encompasses what users normally refer to when they mention the internet, including household names such as Facebook, Google and Instagram, down to your friendly neighbourhood e-commerce store.
The Oxford Dictionary defines the deep web as the part of the World Wide Web that is not discoverable, or indexed, by standard search engines. The content is generally intended for private use, requires special permission to access and is typically locked behind password protection. Examples include the content of your personal email accounts, social media accounts and private databases.
Like the deep web, the dark web is also not indexed by conventional search engines but has additional layers of encryption applied. These websites are only accessible via special software and tools, such as the Tor browser, making it almost impossible for normal users to stumble upon them accidentally while using regular browsers.
Without diving deep into the technical details, the dark web is unique for many reasons. First, the data that flows throughout the dark web is almost always encrypted, making it difficult to access even if criminals manage to obtain a copy of it. Dark web users are also anonymised and are thus difficult to trace.
On the surface web, even if a user uses encryption services to mask the data, internet service providers (ISPs) can still trace the data’s origin and destination. Dark web activities are instead hidden from ISPs, provided that users do not draw unwanted attention, for example by consuming excessive bandwidth or generating a higher-than-expected volume of encrypted traffic.
On its own, the dark web is merely a platform, and using it is not illegal in itself. There is no Malaysian law governing the use of the dark web at the time of writing. In fact, journalists and dissidents often use the dark web to communicate with one another without fear. It is also used by subjugated people to share their opinions without censorship.
Due to its characteristics, however, the dark web has garnered a reputation for being associated with illicit and unethical activities. Contract killers for hire, online repositories of stolen data and sites housing perverse pornographic content have long populated the dark web. Even Bitcoin had its roots in the dark web marketplace, as the go-to currency owing to its lack of traceability, long before cryptocurrencies entered the mainstream.
Malaysia is no stranger to the dark web either. For instance, in July last year, sensitive documents from the Royal Malaysian Navy were found leaked on a dark web portal. The navy later claimed the documents were obsolete. A similar case happened to Universiti Teknologi Mara (UiTM) in 2019 when the personal records of more than a million of its students were leaked on the dark web.
There was also the high-profile case of Richard William Huckle, a serial sex offender and child rapist, who executed his crimes while working as a freelance photographer and teacher in Malaysia. Reports showed that he circulated photos of his crimes on a dark web portal called The Love Zone.
Observant readers may notice that the unique properties of the dark web can be replicated on the surface web. Not only does the surface web provide a multitude of encryption tools, but virtual private networks and proxies can also help mask a user’s identity and digital footprint.
In fact, it is not uncommon for cybercriminals to utilise the surface web for their operations. For example, hackers often use websites such as Pastebin to publicise stolen data, share malware source code and even promote their dark web links. Pastebin and other text storage sites allow users to store and publish plain text, and are commonly used by software developers to share source code for review.
Fong Choong Fook, CEO of local penetration testing firm LE Global Services (LGMS), believes the dark web will still be the mainstay of a cybercriminal’s toolkit despite the availability of such tools. “The dark web will always have a place because there will still be circumstances in which hackers wish to remain anonymous.
“When it comes to ransomware, hackers nowadays will not just ask for ransom any more. They will make a copy of your files and publish them on the dark web, because it is still the best platform to do so due to its intractability. If they own an onion site, they can host the confidential information for as long as they want.
“Contrast this with Pastebin. The victim can file a complaint to Pastebin and request that its data be taken down. There are legal means for it to do so. In the end, there are pros and cons for each platform. If the information is hosted on Pastebin, it is accessible to anyone. If [the perpetrator] chooses to put it on the dark web, only people with knowledge of the stolen data can access the information. They serve different purposes,” says Fong.
Fortunately, activities on the dark web have not gone totally unnoticed. When GroupSense was founded in 2014, data breaches were the primary cybersecurity threat. The dark web had witnessed years of consecutive growth, as evidenced by the rising number of Bitcoin transactions and revenues within dark web markets.
This was around the time when Silk Road, the famous dark web marketplace, was shut down for the second time by Europol (the European Union Agency for Law Enforcement Cooperation). The growth of the dark web caught the attention of Kurtis Minder, founder of the Virginia-based cybersecurity firm.
“GroupSense’s original use case was detecting stolen and traded financial data on illicit markets, both on the dark web and clear net,” he says in an email interview.
“We noticed early on that the threat actors and the forums move around frequently. In order to be effective, we had to understand where and why. We also recognised that the kinds of information being traded were variable and vast.”
To keep track of the ebb and flow of information on the dark web, the company developed a dark web monitoring solution. Dark web sites are ingested and analysed using the company’s proprietary cyber reconnaissance platform, TraceLight, which will then alert users when it comes across important findings, such as leaked code, data and intellectual property.
The platform is not only extensible to the dark web, but also all kinds of online activities, such as chat applications, social media, repositories and other digital assets on the clear web.
“The dark web is a small part of what we are monitoring. Our solution is comprehensive enough to cover virtually anywhere a customer’s data might show up without permission. Much of that data leakage is illicit, whether it is stolen or leaked by insiders. But sometimes the data is placed somewhere by mistake, like GitHub or Trello, and is left open to the world,” says Minder.
However, knowing which sites to monitor in the first place is tedious manual work, requiring the assistance of human intelligence operations. “While discussion around machine learning, artificial intelligence and automation is sexy for driving software margins, our real capability is to find the deepest, darkest and most secret places on both the internet and dark web, relying on our incredible analyst teams,” says Minder.
In recent years, local cybersecurity firms have started providing dark web monitoring services as well. NetAssist’s Hon points out that demand for such services has spiked during the pandemic, with institutions demanding dark web monitoring as part of their project tenders.
“I have been in the cybersecurity industry for the past 25 years. Until 2018, there were not many project tenders seen. But now, it has become quite common, with dark web monitoring being part of the package,” says Hon.
NetAssist’s dark web monitoring solution differs slightly from that of GroupSense. The client first provides the intelligence team with a few parameters, which usually consist of the client’s intellectual property, email addresses, domain name and IP addresses. The team then utilises various tools and software to deploy bot crawlers across the dark web, scouting for any information related to these parameters.
For instance, the team may come across a forum user selling account usernames and passwords related to the client, which prompts them to start the investigative phase. Posing as an interested buyer, the team requests a sample of the stolen data to verify its authenticity. Once verified, they will notify the client and formulate the next step.
“The goal here is early prevention — to be ahead of the criminals. Once the data is leaked, there is nothing much we can do except for two things. First, we figure out how these criminals managed to get this data, and identify the current security vulnerabilities. If the leaked data is login information, we also advise the client to renew its passwords to make this leaked database obsolete,” says Hon.
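The matching step NetAssist describes, in which client-supplied parameters (domain, email addresses, IP ranges) are checked against text scraped from forums and credential leaks are singled out for a password reset, can be sketched in a few lines. The code below is an added illustration, not NetAssist’s tooling; the watchlist and the forum posts are constructed sample data, and the hypothetical `triage` function is the part that turns a hit into a recommended action.

```python
import re
import ipaddress

# Constructed client parameters of the kind the article lists (not real).
WATCHLIST = {
    "domains": ["example-client.com.my"],
    "emails": ["ceo@example-client.com.my"],
    "ip_ranges": ["203.0.113.0/24"],   # documentation range, constructed
}

# Constructed sample forum posts standing in for scraped dark web text.
SAMPLE_POSTS = [
    "Selling fresh combo list: admin@Example-Client.com.my:Passw0rd! and 40 more",
    "rdp access 203.0.113.45:3389 cheap",
    "unrelated spam about crypto",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
CRED_RE = re.compile(r"([\w.+-]+@[\w.-]+):(\S+)")   # email:password pairs

def scan_post(post, watchlist):
    """Return (indicator, category) hits for one post against the watchlist."""
    hits = []
    domains = {d.lower() for d in watchlist["domains"]}
    emails = {e.lower() for e in watchlist["emails"]}
    nets = [ipaddress.ip_network(n) for n in watchlist["ip_ranges"]]
    matched_emails = set()
    for addr in (m.lower() for m in EMAIL_RE.findall(post)):
        # Match either an exact watched address or any address on a watched domain.
        if addr in emails or addr.split("@", 1)[1] in domains:
            hits.append((addr, "email"))
            matched_emails.add(addr)
    for raw in IPV4_RE.findall(post):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:          # e.g. "999.1.1.1" passes the regex but is not an IP
            continue
        if any(ip in net for net in nets):
            hits.append((raw, "ip"))
    # Flag a credential leak only when a watched address appears with a password.
    if any(m.group(1).lower() in matched_emails for m in CRED_RE.finditer(post)):
        hits.append(("credential pair present", "credential_leak"))
    return hits

def triage(posts, watchlist):
    """Attach the follow-up Hon describes: reset passwords for credential leaks."""
    findings = []
    for post in posts:
        hits = scan_post(post, watchlist)
        if not hits:
            continue
        leak = any(cat == "credential_leak" for _, cat in hits)
        action = "force password reset for affected accounts" if leak else "investigate exposure source"
        findings.append({"post": post, "hits": hits, "action": action})
    return findings
```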
LGMS also offers dark web monitoring services, which it classifies under the broader umbrella of threat intelligence monitoring. Fong says there is value in monitoring the dark web because it allows the company to access zero-day knowledge, which he defines as a security flaw that has yet to be identified or patched by the vendors.
Such information is widely circulated on dark web forums and can be a potential goldmine for cybersecurity firms, especially when they have clients that utilise similar software systems with the same vulnerabilities. This allows them to take proactive security measures, before the security flaws are exploited.
After coming across leaked sensitive documents on the dark web, however, Fong is often surprised by clients’ lack of urgency in dealing with the issue.
“Clients are much more concerned about credential leaks than any other type of leaks. For example, we have worked with hospital clients, where the patients’ sensitive details, such as home address, blood type and IC number, were exposed on the dark web. To them, this leaked patient data is no big deal because Malaysia lacks regulations to address such situations,” he says.
“However, when we show our clients their leaked staff usernames, emails and passwords alongside the leaked patient records, only then do they realise the severity of the situation. We had to explain to them that they should be worried the moment the patient data was leaked.
“This sort of data was supposed to be within the hospital network. When it is revealed outside the network, it means that the network is already compromised and other sensitive information could already be out there. Sometimes, we have to frame the data leak in a different perspective to make them understand how severe the problem is because normally, people do not take it that seriously,” Fong points out.
The dark web is notoriously hard to navigate, with many leaked databases locked behind forums and sites that require special permission to access. Dark web links are also difficult to source, with the links themselves constantly being updated, sometimes even on a daily basis.
GroupSense’s Minder points out the many technical challenges of monitoring the dark web. “The volatility, accessibility and reliability of Tor and other dark web network-powered sites are a challenge for collection systems. Furthermore, many of the sites have defence mechanisms to detect and disable the automated scraping engines,” he says.
“Monitoring is just that — observing communications and posts. Threat actors know that companies such as GroupSense are monitoring their communications and so they adapt. Simply querying the dark web for your company name is unlikely to return valuable results.
“This is why the role of an intelligence analyst is so critical. He or she can understand how and what to look for. Furthermore, simply knowing about content on the dark web, even if it is related to your business, doesn’t derive an outcome. Only taking action on that information has a tangible impact.”
In fact, LGMS’ Fong explains that calling the service dark web monitoring may not be entirely accurate as it may give institutional clients false expectations of what the service can and cannot do.
“It is nearly impossible to monitor the dark web as a whole. What we can do is to constantly go out of our way to hunt for intelligence related to our customers, aggressively searching for specific keywords and parameters given by the clients,” he says.
“The dark web is not like the internet, where we can conduct a simple keyword search. Many of these dark web forums are outside of our scope, meaning that we will never have a full picture of what kind of leaked information is out there.”
Attempts to monitor the dark web do not necessarily have to be a solo endeavour either. For instance, LGMS works with threat intelligence feed vendors, who position themselves as threat actors, infiltrate these forums, aggregate the information and offer the constantly updated feed for a fee.
Together with law enforcement agencies, they form a closed community of cybersecurity specialists. It is through these closed communities that commercial services such as LGMS can tap into the feed and offer such value-added services to end-clients.