Every day billions of searches take place on the Internet table online. Synonymous with Google, this part of the web is indexed by search engines. Try searching for your name and you may come across thousands, if not millions, of results, several of which are familiar to you-your social media profiles, your resume on your employer's website, mentions in the news. The surface, or "clear" web, is only the tip of the iceberg, as large as it may seem. In fact, it represents only 4% of the entire World Wide Web. The larger piece of the Web, the Dark Web, lies beneath the surface and is not indexed by search engines - but it is still just as important for security professionals to monitor it.
What kind of information is rarely seen on the surface Web? Medical records, bank account information, and more. This dark web content is not indexed because it is either password protected, behind a form, or very informative (e.g., tweets), etc. Parts of the dark web are commonly used and are as mundane as the surface content. To say that the dark web is "hidden" is a bit of a misnomer, but you do need to know where the information is located, because Google won't help you discover it. The dark web, which is known to be a secret haven for crime (think: Silk Road), is not entirely true. proPublica, the New York Times, and even Facebook have onion domains for dark web sites.
However, the anonymous and encrypted nature of the dark web does facilitate criminal activity. Virtual currencies, such as Bitcoin, are widely used along with other cryptocurrencies due to their almost anonymous nature. In all my years of monitoring these underground communities, I have seen everything from drugs to weapons to large data sets accumulated from exploits being bought, sold, and traded.
To access the dark web, you must download a browser that makes your communications anonymous, such as Tor. Tor and other dark web networks make it difficult to track users' internet activity, thus masking their traffic. the original technology behind Tor, also known as "onion routing," was actually developed by the U.S. Navy. To this day, nearly half of its funding comes from the U.S. government.
In the wake of COVID-19, cybercrime has increased. A Microsoft report in September 2020 found that total attacks increased by about 35 percent in the first half of 2020 compared to the second half of 2019, with hackers exploiting security vulnerabilities brought on by many companies working remotely. In addition, the number of dark web users spiked during this lockdown period. The increase in cybercrime and dark web users is one reason that keeps security experts up at night.
As scary as it may seem, there is a good chance you have - or are - having personally identifiable information (PII) exposed or sold on the dark web. It's no exaggeration to say that millions of accounts are compromised each year and billions of exposed credentials continue to circulate in underground communities. The 2020 Vulnerability Report shows that more than 18 billion original identity records are circulating in these underground marketplaces. Hackers will use this information, which can be found on forums and private channels, to compile digital profiles of citizens and businesses, fueling a range of identity-based attacks, such as cyber fraud.
One interesting fact that people often find is that these dark marketplaces operate very much like a business. People can leave reviews for websites, report scams to the community, and even correspond with customer support. The average price for different identity record types varies by country, account type, etc., but in 2019, we found Social Security numbers to cost about $67; passports about $53; driver's licenses about $48; credit cards nearly $41; and tax ID numbers slightly less than $29.
While a great deal of data is already circulating on the dark web, there are opportunities to salvage it. The first and easiest step you can take to protect your identity and information is to stop reusing passwords. Everyone seems to understand that reusing passwords is bad, but according to a recent survey by LastPass, most people still do it. Changing just one or two characters in your various passwords is not enough. Use unique, complex passwords for all accounts (a password manager can help), and implement multi-factor authentication whenever possible. If you suspect your password has been compromised, reset your password immediately. Fill out your personal information online as little as possible, and when filling out forms, only fill out what is required (for example, if an address or phone number is not required, don't fill it out). Finally, be cautious when browsing the web-don't visit suspicious sites.