The Dark Web is one of the best-known places where ordinary computer users can come into contact with the criminal underground. It is reached through the Tor hidden-service network, whose traffic is routed over numerous relay servers around the world. This provides a sense of anonymity, but anonymity is never guaranteed. Whatever the reason for accessing it, readers should be aware of the security risks, best practices and other advice needed to interact safely on this network.
Before Entering the Dark Web
To access the Dark Web, users need the appropriate software: the Tor Browser. It should be downloaded only from its official site, as many fake copies circulate that may include spyware or other types of malware. Users can compare the checksums posted on the site with the downloaded files to make sure they are legitimate.
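Verifying a downloaded bundle against a published checksum list, as an added example that is not part of the original article: it parses a sha256sum-style listing, hashes the local file and fails closed when the file is absent from the listing or the digest differs. The file names and bytes below are constructed placeholders, not real Tor Browser downloads.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# One entry per line in the format written by `sha256sum`: "<64 hex chars>  <filename>"
# (an optional "*" before the name marks binary mode).
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64})[ \t]+\*?(.+?)\s*$")

def parse_sha256sums(text):
    """Return {filename: lowercase hex digest}; malformed lines are an error, not skipped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[m.group(2)] = m.group(1).lower()
    return expected

def sha256_of_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def verify_download(path, sums_text):
    """Return (ok, reason). A file missing from the listing fails closed."""
    expected = parse_sha256sums(sums_text)
    name = Path(path).name
    if name not in expected:
        return False, f"{name} is not listed in the checksum file"
    actual = sha256_of_file(path)
    if hmac.compare_digest(actual, expected[name]):
        return True, "checksum matches"
    return False, f"checksum mismatch: expected {expected[name]}, got {actual}"

def self_check():
    """Exercise verify_download on constructed files (not real Tor Browser downloads)."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d, "tor-browser-constructed.tar.xz")
        good.write_bytes(b"constructed sample bytes, not a real bundle\n")
        tampered = Path(d, "tor-browser-tampered.tar.xz")
        tampered.write_bytes(b"constructed sample bytes, altered in transit\n")
        # Constructed listing: the tampered file is listed under the good file's digest.
        sums = f"{sha256_of_file(good)}  {good.name}\n{sha256_of_file(good)} *{tampered.name}\n"
        return (verify_download(good, sums)[0], verify_download(tampered, sums)[0],
                verify_download(Path(d, "unlisted.bin"), sums)[0])
```

`self_check()` returns `(True, False, False)`: the intact file passes, the altered file is rejected, and a file with no listing entry is rejected rather than silently accepted.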
The Tor browser represents a compilation of several technologies in one bundle:
- Mozilla Firefox ESR — Firefox ESR is the conservative, long-term-support branch of the popular desktop browser. It is used primarily by government agencies, schools and universities because it follows a predictable release schedule. Point releases of Firefox ESR are limited to fixes for high-risk/high-impact security vulnerabilities.
- Torbutton — This is the component that takes care of application-level security and privacy concerns in Firefox. To keep you safe, Torbutton disables many types of active content.
- TorLauncher — The launch script which executes the Tor startup sequence.
- HTTPS Everywhere — Another extension, which upgrades connections to HTTPS for the many major websites that support it, so that traffic to them is encrypted.
What Can You Expect on The Dark Web
Upon entering any dark web site, readers should be well aware that the shops, communities and sites there exist for a reason. The Dark Web is synonymous with crime, and many of its popular offerings fall into one of the following categories:
- The Malware Markets — Hacking shops where malware code can be purchased. When the code is sold by the criminals themselves, they usually offer customization options. The resulting viruses are based on the code of well-known or new ransomware families, but at the same time exhibit a different infection sequence. These markets are also the primary source of newly emerging threats.
- Illegal Trade Markets — The Dark Web is the premier location where counterfeit goods and illegal substances are marketed. The various underground sites process thousands of transactions for anything from psychoactive drugs to passports, counterfeit money and pornography.
- Services — Many services that may seem unthinkable are offered and sold for the right price. We have reviewed numerous reports over the years: theft, hacking, drug transportation and possibly even endangering people's lives.
Be Vigilant of Dark Web Fraud
The Dark Web is no place where users can trust the pages they visit. We remind our readers that the majority of the underground markets are built on crime and fraud, and that they should not expect any goods or services they buy to be delivered. In many markets the administrators (owners) use some kind of reputation system to attract merchants and buyers, yet many users report that their orders were never delivered. And like any network, the dark web has its own series of scams.
The most effective and prevalent scams are the ones that are found on the hacker underground markets. Registered users can receive fraudulent private messages that are based on several pre-existing scenarios.
One of the most frequent is the Tor Browser Warning: some users receive messages stating that their browser bundle is outdated. Security reasons may be quoted, and the users receive a download link to a “newer version”. In most cases this installs spyware or a ransomware infection on the system.
Another popular scam is the fake service offer, which was popular a few years ago. A particular example is a dark web site that offered “hitman services” to prospective buyers. The scam operation used a fully functional system that allowed clients to register and select from different “services” ranging from $5000 to $40000. Interestingly, it also allowed “agents” to provide profiles. The end goal of the criminals behind it was to socially engineer both types of users into handing over Bitcoin. After the transactions were completed (and they cannot be reversed or cancelled), the users received various excuses for not receiving the “service”.
Hackers can also impersonate law enforcement personnel by sending messages via chats, forums and other online communities. They can also construct fake social engineering sites that display notification boxes aimed at manipulating users into sending money for a “privacy guarantee” or filling in their personal details. The collected data can be used for identity crimes and financial abuse.
Dark Web Behaviour — Browse Carefully!
The most important advice a computer user can follow is to be vigilant! No guide or tutorial can prevent the social engineering tricks found everywhere. They attempt to manipulate users into thinking that they are interacting with a legitimate page element, while at the same time loading a dangerous script or malware infection. In discussions or chats users may reveal information that directly exposes their identity: their name, nickname, address, phone number, interests, location and any account credentials. Other data useful to hackers includes their hardware configuration and certain operating system strings.
Users should be aware that using any direct P2P network may give away their IP address, thereby exposing their computer's location and other data. This is possible because many P2P clients ignore proxy settings and make direct connections.
The Tor Browser blocks browser plugins (Adobe Flash Player, QuickTime, etc.) from executing directly, as they are often manipulated by web content to reveal data about the computer. All traffic is encrypted when possible by the “HTTPS Everywhere” plugin, which forces a secure HTTPS connection. We remind our readers that this is done on a per-site basis, as not every site supports the technology.
Tor Browser users are also advised never to download files from the Dark Web, as they may contain malware of various types. Three categories are most commonly used by the hackers:
- Documents — Documents of various types (text files, spreadsheets, presentations and databases) can contain macros (scripts) that lead to virus infections. Once they are opened, a notification prompt appears asking the victim to enable the scripts.
- Executable Files & Application Installers — The criminals can embed the virus code into software installers or directly into randomly named executable files. They typically target software that is popular with end users: creativity suites, productivity tools or system utilities, and may distribute them as cracked or pirated versions.
- Illegal Files — Computer viruses are mainly distributed using keygens, “bank card generators” and other tools that are widely advertised on the Dark Web.
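As an added example that is not from the original article, the following check inspects an Office document for the embedded macro container described above before anyone opens it. The sample documents are constructed in memory and carry placeholder bytes, not real VBA.

```python
import io
import zipfile

# Parts and content types that indicate embedded VBA in OOXML (docx/xlsx/pptx) containers.
VBA_PART_SUFFIXES = ("vbaproject.bin", "vbadata.xml")
MACRO_CONTENT_MARKERS = ("macroenabled", "vnd.ms-office.vbaproject")
# A macro part behind a macro-free extension is worth flagging: the name misrepresents the content.
NON_MACRO_EXTENSIONS = (".docx", ".xlsx", ".pptx")

def inspect_ooxml(data, filename=""):
    """Return macro indicators for an OOXML file, or None if the bytes are not a zip container."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return None
    result = {"vba_parts": [], "macro_content_types": False, "has_macros": False,
              "extension_mismatch": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        result["vba_parts"] = [n for n in names if n.lower().endswith(VBA_PART_SUFFIXES)]
        if "[Content_Types].xml" in names:
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace").lower()
            result["macro_content_types"] = any(m in ct for m in MACRO_CONTENT_MARKERS)
    result["has_macros"] = bool(result["vba_parts"]) or result["macro_content_types"]
    result["extension_mismatch"] = (result["has_macros"]
                                    and filename.lower().endswith(NON_MACRO_EXTENSIONS))
    return result

def build_sample(with_macro):
    """Construct a minimal OOXML-shaped zip in memory; the VBA part is a placeholder, not real code."""
    types = ['<Override PartName="/word/document.xml" ContentType='
             '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         'ContentType="application/vnd.ms-office.vbaProject"/>')
            z.writestr("word/vbaProject.bin", b"constructed placeholder bytes")
        z.writestr("[Content_Types].xml", "<Types>" + "".join(types) + "</Types>")
    return buf.getvalue()
```

`inspect_ooxml(build_sample(True), "invoice.docx")` reports the `word/vbaProject.bin` part, the macro content type and the extension mismatch, while the macro-free sample reports none of them.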
If email messages must be exchanged, clearnet addresses must never be posted in any form! This includes all popular free email hosting services (Yahoo, Gmail, Outlook and others), as well as personal sites or services such as Proton Mail. The purpose is to prevent any cross-referencing that could link a user's identities.
Remember that all cryptocurrency transactions must be performed with an anonymity-focused cryptocurrency. Bitcoin transfers are discouraged, as they can be used to track both the senders and receivers of a transfer. Secure alternatives are Monero, ZCash and DASH.
Additional Dark Web Security Precautions
In certain situations computer users can rely on an extra measure: using a virtual machine OS or a live distribution such as TAILS. This measure can effectively contain viruses and malware that specifically target the operating system. If properly configured, most incoming threats can be neutralized by simply shutting down the system.
TAILS is the solution preferred by many users, as it is configured not to use the computer's hard disk drives even if a swap partition is detected. The whole live CD package runs in RAM. Upon reboot everything is erased from memory, which leaves no trace that the Tor browser was ever run on the system.
Even though the Tor relays use a secure mechanism, an encrypted VPN connection is still recommended. This is required in order to protect the end nodes and the point of connection from network traffic analysis. It can shield users from analysis by Internet Service Providers (ISPs), who alone have the capability to scan all of a customer's traffic (incoming and outgoing). They can use advanced analysis software to construct a profile of their clients' habits, and if this information is cross-referenced with their activity, a detailed profile can be built. By routing the Tor traffic through a VPN connection, this would not be possible.
A very serious issue is the use of persistent tracking cookies. They are set by Google and other related services and construct a detailed profile of the victims. Even when using Tor, they will still register and maintain a Unique User Identifier (UUI) that can be cross-referenced with existing ones. This includes all of the following:
- Cookies — All accepted cookies (those that override the plugins) are a collection of tracking instruments, grouped by the scope of the information they collect. The most common type records site interactions, which are automatically reported to the hosts: user clicks, reservations, form filling, etc.
- Cookie-Like Features — Cookies are not the only web tracking technology that can collect information about users. The Adobe Flash plugin contains a feature called “Local Stored Objects”, which is the equivalent of cookies. Mozilla Firefox also has a built-in mechanism called “DOM Storage” that stores pseudo-cookies.
Mozilla Firefox users can disable DOM Storage by typing about:config into the address bar. In the filter box, enter “dom.storage.enabled” and press RETURN; this displays the option of that name. Users will need to change it to “false” by right-clicking it and selecting “Toggle”.
Adobe has posted an elaborate tutorial on how to disable Flash cookies. Security experts state that it is best to follow the tutorial through and set the Local Stored Object space to 0.
Many people use PGP/GPG keys to demonstrate a particular identity. This practice should not be used on the dark web, as key signatures contain metadata that can reveal information about the owner's personal identity. Furthermore, hackers can attempt to spoof the key in various online crimes.