The "dark web" is a phrase strikes an ominous tone, conveying an impression of a marketplace where anything is for sale: hacking tools, weapons, drugs, child pornography, even freelance assassination services. And according to experts we spoke to, all of that's still true. But something has changed in the way the dark web does business. If there was a time when venturing online to buy these illegal items was like taking your life in your hands in a dark alley, today the experience in quite different.
Take drugs, just as an example category. "The best analogy I can give for the expanse of dark web drug offerings is that it would be like walking into a major supermarket for the first time having only ever shopped at a corner store," says Emily Wilson, director of analysis at Terbium Labs. "Almost anything you want is available from a huge host of vendors—all of whom are competing to assure buyers that their product is the freshest, purest, safest, most readily assured high available. People like to compare and contrast their experiences in detailed write-ups, and the vendors are incentivized to develop loyalty: 'Check out this freebie of my new product,' or 'Hey, sorry about the slow shipping—I threw in a little extra for you.'"
And it's not just drugs where the dark web has gone corporate. It's happening across the board—and what most of the experts we spoke to wanted to talk about was especially the various hacking and shadowy technology services available. In hearing the details, it's hard to avoid the realization that the various criminals on the dark web are taking their cues from the practices of corporate IT.
This graphic design should be familiar to anyone who's bought software online. Credit: John Shier, Senior Security Expert at Sophos
And just as with corporate IT, the illicit offerings from the dark web span from code that buyers have to implement themselves to turnkey solutions and consulting services.
Products: Malicious code for sale, with instructions
Exploits and attack code can be devilishly complex to discover or build from scratch. The dark web provides a marketplace that connects programmers with the needed skills with those with motivations to unleash them. Idol Wulkan, intelligence team lead at IntSights, points to several malware packages for sale on the dark web, including Dr0p1t-Framework, a trojan that downloads other malware, and the Silent Word exploit, which converts a malicious .EXE file into an innocent-seeming .DOC.
Buyers of these exploits don't need to be master hackers themselves. "If you have relatively little technical knowledge," says John Shier, senior security expert at Sophos, "there are guides on how to spread your malware, and also phishing and carding tutorials."
Sign up for CIO Asia eNewsletters.