Companies and the financial professionals that work with them have many risks to worry about, but few can seem as menacing and as alien as the so-called ‘dark web’.
The internet can be described as an iceberg: the websites most people use regularly are the tip, but there is an entire other, much larger world submerged below. Part of this is the dark web, which can only be accessed through anonymous network software and special technical skills. An example is Tor (The Onion Router), which was developed by the US Naval Research Laboratory, released to the public in 2003 and was designed to prevent browsing activity from being traced back to the user.
Such a protected corner of the cybersphere is especially useful for cybercriminals. ‘Tor allows you to browse anonymously and put up websites anonymously so that no one can tell where those websites are physically located in the world,’ explains Joss Wright, a research fellow at the Oxford Internet Institute, at the UK’s University of Oxford. ‘The only way of accessing those types of website is through the Tor browser. The “dark” part of the dark net is you can’t tell who’s using it or running it, which makes it a perfect setting for illegal activity.’
One problem for law enforcement in major economies and corporations is that dark net servers are usually located in developing world countries or those that are not necessarily sympathetic to Western law enforcement, such as Russia and China, notes Roman Sannikov, director of Eastern European research and analysis at Flashpoint, a US-based cybersecurity firm.
‘I don’t believe there’s any liability for a country that hosts dark net servers, other than the fact that outside countries can exert some pressure to have the servers shut down,’ he says. ‘The company that hosts the servers is also not necessarily responsible for what’s on it. Obviously if they get subpoenaed, they are supposed to comply with those and take them down, but that’s usually the extent of it.’
Sannikov stresses that the dark net is not explicitly malicious. ‘You’re not necessarily going to find bad people breaking the law there,’ he says. ‘There’s certainly a lot of people, such as researchers, on these forums that are interested in studying various issues of internet security. But that being said, it’s a good way of doing something that is illegal and hiding from the law.’
Expanding on this is Ken Deitz, chief security officer at SecureWorks, a US-based information security and cybercrime company. ‘It’s an area where people can go to get in touch with buyers and sellers of information and goods that have been stolen or are illegal,’ he explains. ‘It contains the marketplaces where people go to monetise the things they’ve stolen by committing fraud.’
Comprehensive threat assessment
As for the risks posed by the dark web to companies and public sector organisations, EY’s Darren Desmond, assistant director of fraud investigation and dispute services, says: ‘Organisations should consider the dark web as a specific, standalone risk. However, not every organisation will have the same risk profile and so a comprehensive threat assessment should be conducted.
‘Handling sensitive data, particularly as a data processor or data controller, can make those in finance or the accountancy profession an attractive target to criminals seeking to use the dark web to monetise a valuable data asset.’ He says. ‘With the move to “cloud computing”, the likelihood that criminals will seek to target this type of data also increases. Organisations should also continue to focus on getting the basics of security right, until they have identified a specific threat from a dark net site.’
But Desmond adds: ‘The perception that the threats from the dark net are greater than those posed by the so-called “clear net” is simply inaccurate. Whilst there are undoubtedly criminal elements operating within the dark net, the large majority of threats that organisations face are created and generated within the open internet.’
Bart Parys, threat intelligence researcher at PwC, says: ‘Essentially, the dark web acts as a virtual black market and forum used by criminals and hackers. Stolen goods, compromised databases, valuable personal information and identity documents – like credit cards or passports – are offered for sale on the dark web, as well as malware and exploit kits. ‘It isn’t accessible to just anyone, though, and its contents aren’t easy to find, as they’re not indexed by search engines,’ Parys adds. ‘Often you have to be invited by someone in the inner circle to access sites.
‘Even with some of the more open forums, before being able to download or buy items you often need to first ‘prove your worth’ to the group by posting valuable information.’
Parys stresses that it’s important that accountants implement a ‘cyber-aware’ policy. ‘Even if you have the best technology, people are still the weakest link,’ he says. ‘Ensuring everyone in a business knows that they play an essential part in the protection of their and their client’s information is key. They need to know about basic cyber hygiene principles, such as having strong passwords, keeping software up to date and using only known and protected Wi-Fi networks, as well as the firm implementing tools and policies around things like access and bring-your-own-device (BYOD).’
BYOD policies allow employees to use their devices to access privileged company information and applications. Parys recommends that stringent security measures accompany such policies to prevent information falling into the wrong hands.
And this really is a good idea. People would be amazed at what cyber criminals can monetise, Deitz says. Drugs, weapons, human and wildlife trafficking, and child pornography are some of the more unpleasant things that can be found on dark net marketplaces. But information is also highly sought after: material such as social media usernames and passwords, as well as hotel and airline points, are readily sold in addition to the more conventional credit card information, bank account details, social security numbers and emails.
These forums and marketplaces are also places where criminals can find people to collaborate with, says a cyber security researcher who wishes to remain anonymous due to ongoing cyber investigations.
‘You can find people that have different abilities, like those who can orchestrate phishing attacks, SMS spamming and other various fraudulent or hacking skills, for hire. You can put together campaigns based on what’s out there,’ the researcher says.
When it comes to combating fraudulent schemes facilitated by the dark net, Deitz recommends that businesses and institutions implement key threat detection technologies and advanced malware protection in all their systems to uncover malevolent anomalies and act on them before they attack.
Sannikov adds that information is key to protection, and that law enforcement authorities and governments need to better develop their cyber investigative skills and/or work with expert companies. ‘Especially in the high-level forums, there’s a certain type of operational security where people won’t openly reveal what they have,’ he says. ‘It’s done through trust circles of people who have worked together, know each other or have previously communicated. This is where companies like ours come in.’
Mandy Kovacs and Andrew Burnyeat, journalists