This past weekend, I was in the car with my kids and somehow, I can’t remember how, we got on the subject of the dark web. The conversation bounced around from the Silk Road, to recently seized bitcoin, to stolen passwords, to ways cyber criminals share software and information with each other. Initially, my kids thought I was lying about the whole dark web thing. After some convincing and some smartphone Internet evidence, they let it sink in as real that there is a dark web that’s sort of parallel to the Internet they depend on for basically everything.

I (wrongfully) assumed most people knew about the dark web. Most people do not know about the dark web and, if they do, they don’t really know what is available on it. For both professional and personal reasons, I worry about the dark web a lot.

🦹‍♀ A cybercriminal superstore

The dark web, which can be accessed using special browsers like Tor, is a treasure trove of information, data, and software for carrying out cyber attacks.

Reddit for Cybercrime

The Internet connects people. This can be positive. In the case of the dark web, this can be negative as cyber attackers find like-minded and motivated people. They bound ideas off of each other. They ask and answer questions. It really is a lot like Reddit or other social networks where you share information. The difference is that the information being shared can often be used for illegal purposes.

Data Brokers of Illicit Data

In addition to finding like minded people on the dark web, cyber criminals can also find illegally obtained data on the dark web. Data stolen in breaches, such as usernames and passwords, are widely available. It’s highly likely one of your passwords has been compromised in a data breach and is available for sale on the dark web. This is why you should never reuse passwords.

Hacking Software and Tools

While there are software tools for various types of cyber attacks, the one I’m going to focus on is social engineering attacks. These attacks, which prey on human nature and essentially trick victims into installing malicious software or entering sensitive information, are the most common form of cyber attack and result in the most number of data breaches.

Dark Web Phishing Kits

The dark web has a market for what are called dark web phishing kits. These software packages have everything you need to launch and scale a phishing attack. This includes the software to send emails, the templates for the emails, and even the website templates that look like legitimate websites.

Malicious Software

The dark web also has software that, if installed on a victim’s computer, can take control and access sensitive information, including every keystroke.

No Code / Low Code for Social Engineering

The dark web has made becoming a cyber criminal much easier. The closest metaphor is the no code / low code movement in software development. In software development, no code platforms and tools today allow people to build websites and apps without ever writing any code. This has broken down barriers for tons of non-developers to develop new technologies.

The dark web is doing the same thing for social engineering and cyber crime. Many social engineering, namely phishing, attacks today are launched by unsophisticated attackers using tools that automate much of the attack. This is a major reason for the proliferation of these attacks.

💪 Defend yourself and your team

How can you and your team defend against the dark web? As much as governments have tried to shut down all illegal sites on the dark web, they have not been successful. The dark web is a reality we all have to live with. Here’s what you can do to protect yourself and your team.

• Don't reuse passwords. If you use one password across all your accounts, it’s highly likely that password is linked to you on the dark web.
• Talk about the dark web. A lot of people don’t know about it or don’t think it’s real. Just knowing what is out there will help improve security mindset and behavior.
• Use Haekka! Shameless plug, but everything we do is designed to level the playing field between attackers and your employees.