The encrypted, anonymous nature of the dark web makes it an ideal host for fraud-related activity for one simple reason: it is not indexed by ordinary search engines and cannot be reached with a standard browser alone, so the people operating there expect not to be watched. Security researchers work hard to stay on top of trends and activities on the dark web in order to protect users and devices.
Our research team at SecuredTouch is at the forefront of fraud intelligence and research, guided by the understanding that this work is an essential component of building technology that protects against threats originating on the dark web. To combat these threats effectively, researchers need to understand fraudsters' tactics and mindsets, and to do that they need to be where the fraudsters are: on the dark web. By investing in research we are able to build solutions that anticipate new attacks and types of fraud, and we assure our customers that when a new vulnerability is found they are notified immediately so they can stay secure.
This post is the first in a series of interviews we conducted with Ido Rozen, Cyber Researcher at SecuredTouch, in order to understand what it is that he and the rest of the team are researching and investigating in the dark web, what they find and what they achieve following their discoveries.
Let’s start at the beginning… what is it that you actually do and what are your main objectives?
Our day-to-day job involves looking for weaknesses or vulnerabilities that fraudsters might take advantage of in order to compromise an app or device, and fixing them to make sure the risk is eliminated. Another part of our job is to uncover fraudulent activity, which includes looking for fraudulent devices, fraudulent sessions, and behaviors that are not typical of humans and might indicate malicious actions.
Can you give an example?
Sure. So let's say a fraudster has a list of credit cards and is trying to complete transactions from their computer. Some sites actually allow you multiple chances to perform the purchase, at least at first. At some point the site will notice that you are doing things a normal user wouldn't do and will block your computer, IP address, or device. More sophisticated fraudsters will try to simulate the behavior of a human being, so the vendor doesn't realize this is the same person who performed the same action a few seconds earlier, and manage to bypass fraud detection tools.
What we look for are behaviors or patterns that indicate a fraudulent device or fraudulent session. For example, if you're using a mobile device, we assume you have an iPhone or Samsung or another popular brand name. A device with no name or even a gibberish name could indicate a bot or an emulator. This is just one of many small details that we look for.
Would you say your mission is to prevent specific attacks on specific sites?
Not specific sites, but rather how to recognize attacks and how to find the indicators for an attack, in order to reduce risk and minimize damage. One of the places we go to when trying to find indicators of fraud attacks is the dark web, where we search for programs and scripts used to carry out fraudulent activities. For example, one of our KPIs is to prevent bot attacks on applications. Bot attacks are automated attacks trying to find valid information or credentials out of a list of accounts or credit cards. As researchers, we try to find indicators for bot related activities in the dark web. Then, we try to find out what kinds of tools fraudsters are using to perform these activities. Once we find those tools, we can learn how they're built, how they're used, whether they're designed for specific sites, and how to block them.
What are some of the tools used to carry out these attacks?
Well, people are actually building programs and writing scripts that enable others to carry out these attacks, and they then sell them on the dark web. This lowers the skills barrier and the technical understanding required to use these malicious programs, making it easy for more actors to perform fraud. Really good tools have different configurations that are specifically designed for different sites. These are like manuals or recipes for the program. You have to look at these configurations and see what they're making the program do, since they instruct the program how to interact with, and attack, a specific site.
What are some of the common myths and misconceptions about the dark web?
The most important one is that the dark web is only for experienced fraudsters. Maybe two years ago, if you were a fraudster, you were most likely a very technical person and you probably had to have some knowledge about programming, networking, and how things work behind the scenes. But today, to be a fraudster you don't need to know all that; the skill barrier is very low. You can pay a few hundred dollars, maybe less, and buy some guides online or buy a program that will do the hacking for you. You can even search YouTube and learn how to surf the dark web in 15 minutes. Still, just because a guide shows you how to do it doesn't mean you're doing it right, which makes it easier for us to discover indicators of fraud in time.
What does the dark web actually look like? How would you describe it?
Imagine a virtual space split into several rooms. There are rooms that serve different purposes, like illicit commerce, and rooms where there are discussions about many topics, from fraudulent activities to planning conspiracies. There are also different levels of discussion, based on how fraudulent your activity is. For example, stealing credentials like usernames and passwords is considered less fraudulent than gaining illegitimate access to credit card numbers.
And how do fraudsters pay for these goods?
They mostly use Bitcoin and other cryptocurrencies; different goods have different prices. Your username and password could go from $0.10 to $1, depending on the type and quality of your account. Fingerprints sell for around $2 each.
Fingerprints? Wow, that's not a lot. How frequent is the sale of fingerprint scans?
It's not that common. Fraudsters prefer finding other ways because the use of fingerprint scanners to make transactions online is still relatively new.
Can you describe a typical fraudster? Do they operate alone or in communities?
They're usually people in their late teens and early twenties. You can tell by the specific language hackers use – young people use abbreviations. They range from loners looking to find or sell hacking services, to members of organized hacking groups. In either case, the dark web is like a community where people discuss problems they're having and how to solve them. There are many clubs and a lot of quid pro quo going on - you help me, and I’ll help you. And now that more people are accessing the dark web, I expect we’ll see more validation processes held against people who are trying to ‘join the club’ and get in on the action.
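The indicators described in the interview (a device that reports no name or a gibberish name, one device cycling through many cards in a short window, and action timing too regular to be human) can be turned into simple session-triage rules. The following is an added example written for this post, not SecuredTouch's own detection code; the field names, thresholds, vendor allowlist and sample events are all constructed assumptions, and a production version would derive the allowlist and thresholds from real telemetry rather than hard-coding them.

```python
"""Heuristic fraud-session triage over constructed session records.

Added example, not SecuredTouch code. Three indicators from the interview:
  1. device reports no name or a gibberish name (bot / emulator signal)
  2. one device tries many distinct cards within a short window (card testing)
  3. inter-keystroke timing with almost no variance (scripted input)
All thresholds and the vendor allowlist are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import statistics

# Assumed allowlist; real deployments build this from observed device telemetry.
KNOWN_VENDORS = ("iphone", "ipad", "samsung", "pixel", "huawei", "xiaomi", "oneplus")


@dataclass
class Event:
    ts: float               # seconds since epoch
    device_id: str
    device_name: str
    card_hash: str          # hash of the PAN; the raw card number is never stored
    keystroke_gap_ms: float  # gap between the last two keystrokes in this action


def name_is_suspicious(name: str) -> bool:
    """Empty name, or a name with almost no vowels / mostly digits, is flagged."""
    n = name.strip().lower()
    if not n:
        return True
    if any(v in n for v in KNOWN_VENDORS):
        return False
    letters = [c for c in n if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    digit_ratio = sum(c.isdigit() for c in n) / len(n)
    return vowel_ratio < 0.2 or digit_ratio >= 0.5


def card_testing_devices(events, window_s=60.0, max_cards=3):
    """Device ids that used >= max_cards distinct cards inside any window_s span."""
    by_dev = defaultdict(list)
    for e in events:
        by_dev[e.device_id].append(e)
    flagged = set()
    for dev, evs in by_dev.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):          # sliding window over sorted events
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            if len({e.card_hash for e in evs[start:end + 1]}) >= max_cards:
                flagged.add(dev)
                break
    return flagged


def robotic_timing(gaps_ms, min_samples=5, max_cv=0.05):
    """True when keystroke gaps are metronomic: coefficient of variation < max_cv."""
    if len(gaps_ms) < min_samples:
        return False
    mean = sum(gaps_ms) / len(gaps_ms)
    if mean <= 0:
        return False
    return statistics.pstdev(gaps_ms) / mean < max_cv


def triage(events):
    """Map device_id -> list of indicator names that fired for that device."""
    reasons = defaultdict(list)
    for dev in card_testing_devices(events):
        reasons[dev].append("card_testing")
    by_dev = defaultdict(list)
    for e in events:
        by_dev[e.device_id].append(e)
    for dev, evs in by_dev.items():
        if any(name_is_suspicious(e.device_name) for e in evs):
            reasons[dev].append("suspicious_device_name")
        if robotic_timing([e.keystroke_gap_ms for e in evs]):
            reasons[dev].append("robotic_timing")
    return dict(reasons)


# Constructed sample sessions (not real telemetry).
SAMPLE_EVENTS = [
    # dev-A: named phone, one card, human-like typing variance
    Event(1000.0, "dev-A", "Samsung Galaxy S10", "card-1", 180.0),
    Event(1040.0, "dev-A", "Samsung Galaxy S10", "card-1", 240.0),
    Event(1100.0, "dev-A", "Samsung Galaxy S10", "card-1", 150.0),
    Event(1160.0, "dev-A", "Samsung Galaxy S10", "card-1", 300.0),
    Event(1220.0, "dev-A", "Samsung Galaxy S10", "card-1", 210.0),
    # dev-B: gibberish name, new card every 10 s, metronomic keystrokes
    Event(2000.0, "dev-B", "xq7zk9v", "card-11", 100.0),
    Event(2010.0, "dev-B", "xq7zk9v", "card-12", 100.0),
    Event(2020.0, "dev-B", "xq7zk9v", "card-13", 101.0),
    Event(2030.0, "dev-B", "xq7zk9v", "card-14", 100.0),
    Event(2040.0, "dev-B", "xq7zk9v", "card-15", 100.0),
    # dev-C: empty device name but otherwise human-looking, one card
    Event(3000.0, "dev-C", "", "card-21", 190.0),
    Event(3100.0, "dev-C", "", "card-21", 260.0),
]

if __name__ == "__main__":
    for dev, why in triage(SAMPLE_EVENTS).items():
        print(dev, why)
```

Each indicator on its own is weak (a legitimate device with an unusual model string would trip the name check), which is why the triage returns all the reasons that fired for a device rather than a single verdict; a downstream rule can then require two or more indicators before blocking, in line with the interview's point that it is the accumulation of small details that exposes a bot.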
Stay Tuned for More from our SecuredTouch Team
We’ll be back soon with more to share...