Accessing Dark Marketplaces Anonymously:
Demystifying the Dark Web and DarkNets, Part II
Author: Anonymous Hacker, as told to Lindsey Watts
Last week, we heard from an anonymous hacker about what the dark web is, what DarkNets are, and the various associated communication channels. You may have been surprised to learn that there is more than one place for dark marketplaces, and that one can’t just Google “How do I get to the dark web?” to delve into the cyber underworld. At CISO Global, we are incredibly grateful to collaborate with experts who have all the expertise needed to live a life of crime but choose to use their knowledge and abilities for good. Our anonymous source, as well as many members of our security testing teams, could have chosen to participate in dark marketplaces for financial gain. (We hear it’s quite lucrative!) Instead, they choose to give their time to meaningful industry projects, making positive contributions that help balance power and keep criminals at bay. So, to all of you, we extend our special thanks.
On the topic of making contributions, here we’ll jump back into the subject of onion routers.
In the last article, mention was made of TOR (the onion router). This particular topic needs a deeper dive, as there is misunderstanding among some users as to how TOR works. Some of the “instructions for hacking” articles and videos on the internet lead you to believe that you could simply download a TOR browser and begin a tour of the dark web, navigating as a protected user. That’s not exactly how it works.
The Onion Router (TOR)
TOR browsers provide only three nodes, or connection points, to scramble your IP in order to hide you from other users. This would not be enough to sufficiently protect you, because a user is too easily found with just three nodes. What you really need to anonymize yourself on DarkNets or the dark web is what’s called a proxy chain. I’ll quickly define what a proxy is for anyone who is less than familiar. Some of you may be ready to move on, so feel free to skip ahead to proxy chains if you like; but if you are even the slightest bit fuzzy, you might benefit from a quick refresher after we discuss garlic routers.
A garlic router is generally thought of as a more secure methodology for anonymous communications than an onion router. First, an onion router sends each message individually, making it easier to perform traffic analysis on what is being sent and received between two users. Garlic routers, on the other hand, bundle messages together in what are called “pods” (sometimes referred to as “cloves”). Second, garlic routers use a minimum of four nodes, rather than the onion router’s requisite three. As mentioned, the more nodes, the more secure the channel will be. Third, garlic routers add another layer of encryption at each node. So, by the time the message arrives to be opened in plain text by the intended recipient, it has passed through an additional layer of encryption at every hop of the communication tunnel. Depending on what type of garlic router you use, there will be a variation in how many tunnels are created for messaging. I2P software, for example, uses four tunnels in its architecture: one send tunnel and one receive tunnel for each of the two people in the conversation, four in all. This was not developed specifically for nefarious communications. In fact, it can be used for secure information sharing between identity-sensitive applications for any purpose.
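As an added illustration (not code from the original article or from the Tor or I2P projects), the toy Python simulation below shows the layered wrapping described above: several messages are bundled into one payload for the recipient, then wrapped in one encryption layer per hop, so each relay can peel only its own layer and learns nothing beyond its next hop. The cipher is a constructed SHA-256 keystream stand-in, not the real Tor or I2P protocol, and the relay names, keys and messages are made up.

```python
import hashlib
import json
import secrets

NONCE_LEN = 16
MESSAGES = ["hello from alice", "second message riding in the same bundle"]  # constructed

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || nonce || counter). Illustration only, not a real cipher.
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh nonce so identical layers never repeat
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def build_onion(route, recipient, messages):
    # Garlic-style: several messages travel as one bundle, encrypted for the recipient.
    inner = encrypt(recipient[1], json.dumps({"messages": messages}).encode())
    next_hop = recipient[0]
    # Onion-style: wrap one layer per relay, last relay first, so the entry relay's
    # layer is outermost. Each layer carries only the next hop plus an opaque blob.
    for name, key in reversed(route):
        inner = encrypt(key, json.dumps({"next": next_hop, "blob": inner.hex()}).encode())
        next_hop = name
    return inner

def relay(route, recipient, blob, messages):
    # Walk the blob through the chain and record what each relay actually learns.
    trace = []
    for name, key in route:
        layer = json.loads(decrypt(key, blob))  # peel exactly one layer
        blob = bytes.fromhex(layer["blob"])
        visible = any(m.encode() in blob for m in messages)  # plaintext should never show
        trace.append({"relay": name, "next": layer["next"], "plaintext_visible": visible})
    delivered = json.loads(decrypt(recipient[1], blob))["messages"]
    return trace, delivered

def demo(hops: int = 4):
    # Hypothetical relay names and random per-hop keys; more hops means more layers.
    route = [(f"relay{i + 1}", secrets.token_bytes(32)) for i in range(hops)]
    recipient = ("bob", secrets.token_bytes(32))
    return relay(route, recipient, build_onion(route, recipient, MESSAGES), MESSAGES)
```

Running `demo(4)` returns a per-relay trace showing that each hop sees only the name of the next hop and an opaque ciphertext, while only the recipient recovers the bundled messages.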
How Does a Proxy Work?
A proxy, or proxy server, is a gateway of sorts, sitting between you and the internet. Why is this needed? Because otherwise, you would have to connect directly to the internet with your device, leaving outside users free to view your IP and follow you back to your private or corporate network. A proxy server, or router, is intended to anonymously pass data between users and the internet, or in this case, the dark web. At least, that’s the general idea. The actual reality is that even a very low-level hacker can locate you quite easily unless you jump through a number of hoops, even with three nodes’ worth of scrambling. That’s where a proxy chain comes in.
What’s a Proxy Chain?
When you combine multiple proxies together, routing traffic from one to the next, you have what’s called a proxy chain. Your next question might be, How many proxies does it take to be truly anonymized? That’s like asking how many licks it takes to get to the center of a Tootsie Pop. Each hacker probably has their preferred magic number, but let’s just say you definitely need more than three – and more is better.
You’re Never Really Invisible – or Invincible
The other reality to contend with here is that you can always potentially be found by someone who knows what they are doing. Skilled hackers, like me, know how to maintain a higher degree of anonymity than dabblers, but it’s still important to understand that anything, any action taken on a digital device, can potentially be discovered if someone really wants to find you. Last year, presumably to send the message that enforcement agencies are “upping their game”, a handful of notorious underworld hackers were arrested. Law enforcement, government agencies, and branches of the military employ their own digital forensics units, stacked with people whose ethics drive them to fight the bad guys. All that is to say, every action leaves digital traces, and there’s no guarantee that someone won’t find you someday.
Anonymity Is King
Nevertheless, DarkNets are designed for anonymity. The idea that you can speak, be spoken to, and pass information while neither party knows exactly who the other one is creates a situation where people who want to protect their identities can communicate. You could be holding a conversation with someone connecting in from Germany, but who is actually your next-door neighbor, perhaps even physically sitting within 50 feet of you.
Also, No Advertising
As a point of interest, there is very little capability for advertising on DarkNets. You can’t Google sites like you can on the world wide web, and site addresses are made up of strings of mixed characters. You have to know exactly where you are going in order to get there. The good part of such a setup is that your kids won’t accidentally land on the dark web while playing games on their laptops. The downside, for criminals, is that there is no way to run ads, put up digital billboards, or list services in a catalog.
If They’re So Hard to Find, How Do People Conduct Business on DarkNets?
DarkNets rely on word of mouth. That word of mouth is not passing between random people, though. A recommendation is only going to be given by/to someone who has been vetted and shown to be trustworthy (in a dark, underworld kind of way). In that world, paper credentials mean nothing. You earn trust among hackers and criminals the hard way, and people are not going to give up their sources – or favorite dark marketplaces – unless they perceive you can be trusted.
To be successful in a DarkNet, you/your dark marketplace would need to establish a strong reputation for delivering, keeping your word, and being worthy of fear/respect. Further, DarkNet marketplaces have phenomenal customer service. They stand by their products and do what they have to in order to maintain a strong reputation. If sales drop, they can’t just run a marketing campaign. So, their customer service tends to far exceed that of what we call “Clearnet” sites. They depend on recurring customers and good reviews, people who privately share their sites among trusted friends. Dark marketplace owners will ensure, one way or another, that the goods or services their customers contracted for are delivered as promised.
What Does That Mean for You?
When you understand how commerce works in DarkNets, you can see that people aren’t just out there selling worthless data. If they are selling your stolen credentials, for example, they are going to sell the “good stuff” – the credentials you’re using right now, not your Yahoo credentials from seven years ago. And if they are taking the trouble to breach your network, they want your most valuable assets. We’re not talking about people who just launch a bot and take what they find. There are very targeted, intentional actions and extremely valuable data (or access to your network) being bought and sold (in marketplaces they have taken great risk to establish).
An Important Mindset Shift
When you grasp that kind of commitment and motivation, you understand that while traditional lists of best practices are excellent places to start in your security strategies, actually protecting yourself will take a mindset shift. One can’t think in terms of, “Did I lock the doors and windows?” You need to truly understand how many ways – all the methodologies – someone can get into the house. Then, you will be thinking about how to architect a much safer house.
Also, rather than checking off items on a list and accepting or ignoring any remaining risks, you will change the way you think about risk altogether. You might start thinking in terms of eliminating the possibility of entry to the maximum degree possible. For example, “How can I use segmentation to keep unnecessary users out of our corporate assets, completely? Could I replace plain text data that I still need for analytics with a worthless digital token? Am I sure I even need to have this data to begin with? How can I cut a digital asset off from internet-connected users?”
This is an entirely different approach to security, and you can see why hackers laugh at someone who would say that their compliance is evidence of their security posture. Checking boxes is not the same as reducing and removing risk.
When The Picture Starts to Become Clear
DarkNets are not playgrounds. Still, it’s important to understand how it all works. If you grasp that hackers are just people who understand the inner workings of technology better than you do, you’ll be in a better position to make the kinds of strategic decisions that will help protect your organization from them.
If you would like to talk with someone who can help you identify gaps in your strategy to mitigate risk, you can reach out to us here anytime.