The Deep Web Part III: Why Visiting the Deep Web Can Save Your Company or Organization Millions

Every large company or organization should have at least one member of its IT department responsible for regularly monitoring actions on the deep web. Such monitoring could save a company millions of dollars. Here’s why. First of all, the more employees you have, the more potential problems you have. Some employees may feel they are being treated unfairly or paid too little. Other employees may want revenge for a dismissal or other perceived wrong, and still others may simply want to make a little extra money on the side. The deep web is waiting for them. Here’s what I found for sale at one specific point in time when I did some exploring on the deep web.

“Admin passwords for all computers at Marquette University”

 “This is an unreleased paper for a new method to losslessly compress data. Samsung and BBC want to use it for their next video coding standard (H.265 / HEVC)”

 “Data of 3800 undergrads at affluent american university – email, phone, student id, more”

 “Thousands of email addresses and passwords used to register on Sony Pictures, many of whom use the same passwords for their email addresses where you can steal a variety of services they own from them. You can easily make your money back from this file.”

 “ip server locations of the pentagon defense network servers.”

 “Large .gif picture detailing hundreds of IP addresses of commercial businesses, military offices and some more shadowy Israeli addresses that I’m more hesitant to look into.”

Again, all of this information was available at one point in time. It changes daily, if not hourly. You can also find blueprints, specifications of a variety of products, and other information you would not want a competitor to know about. Is it valid? Well, that’s up to you to figure out. You’d have to contact the seller and verify the information. It may not even be a bad idea to hire someone familiar with navigating the deep web. This would be yet another step towards the eventual unification of the deep and shallow web.

Of course, you’ll also find stolen credit card information on the deep web, but how do you know if your stolen information is there or not? Good hackers will leave almost no trace after a hack and some companies are not even sure if they’ve been hacked at all. Even if their security was breached, they will often state that they are not sure if client information was compromised. However, there is a way to find out. Companies or banks can go to the deep web and see what large batches of recent credit cards are being made available. Sometimes banks will buy some of these cards and check them against a company’s database to determine if this might be their stolen information. What can they do if this really is a client’s stolen data? They can either buy back all of the cards, which, at times, may be cheaper than reissuing new cards, or alert big online merchants to be wary of certain purchases. Apparently, this is how banks verified the Target breach.
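The check described above, matching a sample of cards from an offered batch against a company's transaction records, can be sketched as follows. This is an added example, not code from the original post; the card numbers, merchant names, dates, key and 80% threshold are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: secret key held by the bank

def token(pan):
    """Keyed hash, so stored records are compared without raw card numbers."""
    return hmac.new(KEY, pan.encode(), hashlib.sha256).hexdigest()

def common_merchants(sample_pans, transactions, min_share=0.8):
    """Return (merchant, share, first_day, last_day) for each merchant where
    at least min_share of the sampled cards were used, highest share first."""
    sample = {token(p) for p in sample_pans}
    if not sample:
        return []
    cards, days = defaultdict(set), defaultdict(list)
    for card, merchant, day in transactions:
        if card in sample:              # ignore cards outside the sample
            cards[merchant].add(card)   # count each card once per merchant
            days[merchant].append(day)
    hits = [(m, len(c) / len(sample), min(days[m]), max(days[m]))
            for m, c in cards.items() if len(c) / len(sample) >= min_share]
    return sorted(hits, key=lambda h: h[1], reverse=True)

# Constructed sample data: five card numbers from an offered batch, and the
# bank's own records as (card token, merchant, ISO date).
SAMPLE = ["400000000000000%d" % i for i in range(1, 6)]
TXNS = [(token(SAMPLE[0]), "RetailerA", "2024-01-03"),
        (token(SAMPLE[1]), "RetailerA", "2024-01-04"),
        (token(SAMPLE[2]), "RetailerA", "2024-01-05"),
        (token(SAMPLE[3]), "RetailerA", "2024-01-08"),
        (token(SAMPLE[4]), "RetailerA", "2024-01-09"),
        (token(SAMPLE[0]), "GroceryB", "2024-01-02"),
        (token(SAMPLE[1]), "GroceryB", "2024-01-06"),
        (token(SAMPLE[2]), "GroceryB", "2024-01-07"),
        (token("4000000000000099"), "RetailerA", "2024-01-05")]  # not in sample

if __name__ == "__main__":
    for row in common_merchants(SAMPLE, TXNS):
        print(row)
```

A merchant where nearly every sampled card was used, within a narrow date range, is the likely source of the batch; the date range also bounds the exposure window for deciding which other cards to watch or reissue.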

But first things first. How do you even get this information? How do you even get to the deep web? First of all, you need to download the Tor bundle. I admit being somewhat nervous about doing this (yeah, and what else is in the bundle) but I can affirm that all has gone well. The Tor browser allows you to surf anonymously, and only anonymous surfers are allowed to browse deep web sites. The interface is intuitive as it is based on Mozilla Firefox architecture. It gives you anonymity by bouncing your communications through nodes around the earth, making it impossible for anyone to watch what your real IP address is doing. You don’t know the real address of the sites you visit and they don’t know yours. I will address the true security of this later but, even if it has defects, it is still the best available browser for maintaining your privacy. Yes, you can use it as a regular browser if you like. The one negative is that it does take longer to access sites, but I don’t find this a major drawback.

Just because you now have anonymity doesn’t mean your problems are over. You have to find the deep web or ‘onion’ sites (they all have the ‘.onion’ extension). To do this, search for the Hidden Wiki (currently, located here, though its address changes frequently). You will then find a list of services and sites. Again, many will be dead links. It does take patience to find what you’re looking for. For this post, I’m following the financial trail that begins with your company or organization’s personal information files being hacked.

The criminals who steal your clients’ personal information must work fast. Any identity has a market value. Currently a Twitter account costs more to purchase than a stolen credit card because it may include information that could allow hackers to compromise numerous sites. Newly acquired credit cards will receive higher prices, as there is a greater possibility that these cards will still be active. After a large breach, like the Target attack, prices for cards are low because the market becomes flooded. It’s simple supply and demand.

Credit Card Prices Based on Market Circumstance

$20–$45 Freshly acquired

$10–$12 Flooded

$2–$7 Clearance (“stale” data)

SOURCE: Data drawn from interviews; Krebs, 2013g

 

Because of the low prices after such a breach, hackers have trouble selling exploit kits, because why waste your time and do all that work to hack a company when prices are so low? This is why it is rare to see two large attacks occurring close together. It’s better business to stagger such hacks, waiting a year or two in between. This should make big retailers emit a sigh of relief. You still have time to shore up your network with top-notch security. (See InZero’s hardware-based protection, for example.)

Newly acquired card information is then sold to brokers, mainly in the deep web, who buy the information in bulk. These brokers then sell the information along to the most important people in this network, the carders. The carders are the ones who verify the authenticity of a card by actually trying to use it to make small purchases. They can either use the cards themselves or sell them to others, usually with guarantees of their authenticity. If the buyer finds a card has been blocked, the carder will replace it with a valid one. Reputation is everything on the deep web.

Using the original card is risky because it may draw attention to the user. A better method is to use the stolen card to recharge (transfer money) to another card that is not stolen. Then, this recharged card can be used to purchase products or, more commonly, gift certificates/cards, as this puts another layer of protection on the process. If this is all done fast enough, this pathway will be too obscure to trace. Eventually, the person with the gift card will use it to buy hard goods, often electronic goods which sell quickly. (Imagine Target’s embarrassment when they found that their stolen credit card information was being used to buy gift certificates…from Target.) But the people who use these cards will not have the goods delivered directly to them. They will have them sent to them indirectly through reshippers, who will repackage the goods and send them to the original buyer or directly to buyers on eBay. Reshippers are often ignorant of the roles they play in this scenario. Ever see those ‘make money from home’ advertisements? Well, some of them are recruiting people to act as reshippers. In any event, once the buyer has his untraceable package, he can advertise his merchandise on the deep web or even sell it on eBay. The price? Yes, too good to be true. In the original box and guaranteed to work at 50% of the normal retail price. Any problems and they will replace the product.

If you’ve shopped on Amazon, you’ll have no trouble using these big deep web sites. You will have a shopping cart and you can see customer ratings. The only difference is that you will need bitcoins (฿). All products are delivered to an address of your choice. Some say it’s just better to have a package sent to your home address, because it attracts less attention. However, if you prefer to be on the safe side (or are ordering large shipments) you can have your purchase sent to a drop address (like an abandoned house). If you do not have a drop address, the company will supply you with one in your area. Sometimes a ‘nature drop’ can be arranged. Your package can be dropped in the woods in some remote area. You will then be sent a message with the GPS coordinates. Now, that’s customer service. Except for the way the goods were procured, the business model is well-developed.

But what about bitcoins? Isn’t that an impediment to using the deep web? Well, not for those who use the deep web regularly. Yes, the currency is volatile, like most new currencies are. But just as the normal US citizen doesn’t care about a weak dollar until they travel abroad, no one worries about the price of bitcoins until they cash out. In its basic form, a bitcoin is nothing more than a computer file. Just as you have to believe that that green piece of paper you have actually has value beyond the paper, you have to believe that the computer file you have is worth more than the code. Is it anonymous? Is it untraceable? No, not really. Otherwise, you would be able to make copies of these computer files and be a millionaire. A chunk of code identifies the owner and trail of each coin. The coin’s address is publicly known and your IP address can be traced…unless, of course, you use Tor. Nonetheless, services are available, and more are appearing every day, that can hide you and your transactions. In short, bitcoin is on the way to achieving a greater degree of anonymity. However, the bitcoin, as a currency, is still undergoing its birth pains. I suspect that it will inevitably gain in acceptability as its weaknesses get shored up. That is when the anonymity of the deep web will become too attractive for regular companies to resist.

I think it should now be clear that the deep web should not remain as a foreign territory to major companies or organizations. However, maybe there is something here that the more entrepreneurial businesses can exploit. It is just a matter of time. My next post will explore these possibilities as well as reveal a few pioneers who are already doing business there.

 

 

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.