What the Heck is the Dark Web and Why is my Stolen Data there?

By now, we’ve all heard of the “Dark Web”. We know that we should stay away from it, but we don’t know how we would access it even if we wanted to. We know our passwords and other info may be on the Dark Web, but we’re not sure why that’s such a big deal. This post will explain what the Dark Web is, why you should be concerned about it, and steps you can take to prevent more of your personal information from appearing there.

To understand the Dark Web, you need to understand that the World Wide Web (Web) as most know it is only a very small fraction of the entirety of the Web. The Web we’re all familiar with is referred to as the “Surface Web”. The Surface Web is the portion of the Web that is readily available to the general public and searchable with standard web search engines, such as Google, Bing, or (our favorite) DuckDuckGo. This means that any site that comes up as a result of a search engine search and any website that you do not need credentials to access is considered part of the “Surface Web”. Interestingly, the Surface Web makes up only 3-4% of the Web. The rest of the Web is made up of the Deep Web and the Dark Web. What the heck are those?

The terms “Deep Web” and “Dark Web” are sometimes used interchangeably, but they are not the same. The Deep Web contains mostly benign sites, such as your password-protected email account, certain parts of paid subscription services like Netflix, and sites that can be accessed only through an online form. (Just imagine if someone could access your Gmail inbox by simply googling your email address!) The Deep Web is huge: back in 2001, it was estimated to be 400–550 times larger than the Surface Web, and it’s been growing exponentially since then. Let’s say that you go to Google and search “Facebook”. It pulls up a facebook.com search result. So far, you’re still on the Surface Web. You click on the facebook.com link and enter the Facebook Home Page. You’re still on the Surface Web. It isn’t until you enter your username and password and click login that you are directed to a “Deep Web” page. The Deep Web makes up 90% of the entire Internet, because so much of what is stored online is protected information that requires some form of authentication or knowledge of a hidden web address.

Now that you have a big-picture view of the World Wide Web and a vague understanding of the Deep Web, we can discuss the Dark Web in depth. The Dark Web is the portion of the Deep Web that is intentionally hidden from search engines. These sites can only be accessed through special browsers that use masked IP addresses to hide the identity of the visitors. The Onion Router (TOR) is one of those special browsers, but it is by no means the only one. TOR anonymizes the identity of a visitor by bouncing the connection off of multiple servers around the world and adding a layer of encryption each time.

In the 1990s, TOR was invented by the US Naval Research Lab to allow intelligence personnel to transfer information securely, keeping their network activity hidden from view. It was further developed by DARPA and made available to the public in 2002. Why would they make it available to the public if they knew criminals would use it as a way of evading authorities? It was a strategic move. They figured it would be harder to decipher which information on the Dark Web was created by intelligence officers if there was heavy traffic and loads of information on the Dark Web. The idea is that it is easier to remain anonymous in a sea of anonymous users.

Accessed only by using special software that hides the identity of visitors, the Dark Web is a vast marketplace for anything and everything illegal. Much of it looks very familiar, like any other e-commerce site. Sellers often have ratings given by previous buyers. You can even purchase software to set up your own hacking business. Payments to sellers are arranged using bitcoin, a digital currency that all but assures buyers and sellers remain anonymous. Just be aware that some buyers have paid, but not received what they purchased. In these cases there’s nobody to turn to for help. Nobody feels sorry for the criminal that doesn’t receive their illegally purchased goods.

Once you are in this illicit emporium and you have some bitcoin digital currency, buying stolen identities or access to bank accounts is easy. Let’s take stolen credit cards, for example. As when buying anything else online, buyers specify the type of card (Amex, Visa, etc.); the CVVs, or three-digit codes on the backs of cards; whether they want associated login and password information; names; expiration dates; credit score; Social Security numbers; mother’s maiden name; credit limits; date of birth; specific geographies of usage; and so on. The cost per card varies with the information the buyer wants. Click “Buy Now,” download your stolen goods, and off you go.

What does stolen data cost to buy?

How much do these cards cost on the Dark Web? The variations are wide, and also fluctuate depending upon the supply of stolen cards. So if there were a major hack resulting in the compromise of 10 million cards, the price could plummet if the cybercriminals flood the market. But generally speaking (and these figures are derived from a number of publicly available sources), the cost of stolen credit card data is roughly $8-$22, or the bitcoin equivalent thereof. These prices tend to be higher for stolen European Union, Canadian and Australian credit cards. Buyers pay the most for cards with a complete set of information about the cardholder. However, credit and debit cards are not necessarily the usual target of cybercriminals and fraudsters today. Increasingly, the targets are the password-protected online payment service accounts. Unlike with credit cards where the cost per card is determined by the different factors the buyer selects, the cost of this stolen data is related largely to the balances in the online accounts. As you might expect, the price for bank login credentials is another matter. They can be had for as little as $100 for access to accounts with $2,000 or less. Or they can cost upwards of $1,000 for access to accounts with $15,000 or more.

Infographic displaying the cost of common Deep Web data sold by Dark Web vendors.
This is how much it costs hackers to purchase account credentials, SSNs, and health information on the dark web. It’s a drop in the bucket and the return on their investment is significant.

A strong market for stolen health information

Both credit card and bank access data have a shelf life, which ends abruptly once the victims discover they’ve been hacked. But there is another record of digital identity that has more permanent information, and that is any kind of personal health information or PHI, including the very valuable electronic medical records or EMR. These contain highly sensitive information about an individual’s health history. And as such, they can be used to blackmail individuals; to publicly humiliate certain people; to undertake massive insurance fraud with fake claims; and to create many other forms of chaos and harm to victims.

Like other stolen digital data, the cost of such health records is subject to the same supply-demand dynamics as any other traded goods. According to Michael Ash, associate partner of Security Strategy Risk & Compliance at IBM, a stolen EMR could earn up to $350 on the Dark Web.

However, due to a large number of such records having been stolen recently and then dumped onto the dark web for sale, prices have dropped, according to recent research. Also, law enforcement authorities have stepped up efforts to locate and apprehend both buyers and sellers of this highly personal health information, which has spooked some buyers. Thus recently, some EMR have been purchased for as little as $100 apiece. But as mentioned, this is a highly dynamic market in which prices of stolen digital data will vary over time, often wildly.

By now, we’ve all had at least 1 account credential stolen or we’ve been notified that our favorite password has been listed on the Dark Web. Why should you care? I know many of you like to think that it doesn’t matter and that your account is not interesting to hackers because you yourself are a “nobody”, but that is simply not the case. Your personal information, health records, SSN, and seemingly irrelevant account credentials cost almost nothing to a hacker and can cost you thousands of dollars in the end. If you’re one of those people who use the same password across multiple sites and your Netflix password is breached, a hacker can use those same credentials to log into your bank account and take as much as they want from you.
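An added example (not part of the original post): a local audit of saved passwords that flags reuse across sites and checks each password against a breach corpus using a k-anonymity range lookup, the model used by the Pwned Passwords service. The site names, passwords and breach counts are constructed, and `offline_range_source` is a hypothetical stand-in for the network call so the script runs offline.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    # SHA-1 is the lookup format of the range protocol, not a storage hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def offline_range_source(breached):
    """Stand-in for a breach-corpus range endpoint, built from constructed data.
    Returns a function mapping a 5-char hash prefix to 'SUFFIX:COUNT' lines."""
    buckets = defaultdict(list)
    for password, count in breached.items():
        digest = sha1_hex(password)
        buckets[digest[:5]].append(f"{digest[5:]}:{count}")
    return lambda prefix: "\r\n".join(buckets[prefix]) if prefix in buckets else ""

def breach_count(password, fetch_range):
    """Only the first 5 hex chars are sent out; the suffix is matched locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

def audit_vault(vault, fetch_range):
    """Report password reuse and which sites use a password seen in a breach."""
    sites_by_hash = defaultdict(list)
    for site, password in vault.items():
        sites_by_hash[sha1_hex(password)].append(site)
    reused = sorted(sorted(s) for s in sites_by_hash.values() if len(s) > 1)
    exposed = {}
    for site, password in vault.items():
        seen = breach_count(password, fetch_range)
        if seen:
            exposed[site] = seen
    return {"reused": reused, "exposed": exposed}

# Constructed sample data: not real breach counts or real accounts.
BREACHED = {"Summer2019!": 4821, "qwerty123": 99000}
VAULT = {
    "netflix.example": "Summer2019!",
    "bank.example": "Summer2019!",
    "mail.example": "c0rrect-h0rse-battery-st4ple",
}

if __name__ == "__main__":
    print(audit_vault(VAULT, offline_range_source(BREACHED)))
```

In the sample vault the streaming and bank accounts share one breached password, so both are reported as exposed even though only one of them needs to have leaked.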

What can you do about it?

  • The single best defense for protecting these assets remains high quality, virtually bullet-proof passwords.
  • Once you create those great passwords, make sure to routinely change them. Consider a password manager to keep track of these strong, secure passwords.
  • Double up on your security by enabling Two-Factor Authentication (2FA) wherever possible. This way, if your password is compromised, the hacker would need to possess something of yours in order to gain access to the account.
  • Implement user training and education ASAP. Sixty percent of low-level employees are targeted, because they are more likely to fall victim to social engineering and phishing attacks.
  • Follow compliance best practices for your industry. Medical-based companies that handle patient information have special requirements for storing and handling data. Breaches of this data happen more than you think and the targets are not large. The fines, lawsuits, and publicity are extremely damaging and time-consuming.

Let us help you implement each of these things. Call us at (504) 372-1372 and we can discuss what a partnership with us can do for your business. We’d love to help!

Please refer to our previous blogs about creating strong passwords, 2FA, and Password Management. We’ve linked them below for your convenience.