Cybercrime has been rising sharply on both the surface web and the dark web. The theft of online account credentials is one example of an emerging issue, particularly on the dark web, where the price of an individual's online identity averages around $900. Earlier research analyzed the modus operandi of cybercriminals who obtain stolen account credentials through surface web sites.
To compare how this cybercrime unfolds on the surface web and on the dark web, a recently published study leaked the credentials of Gmail honey accounts on a set of dark web sites and examined the modus operandi of the criminals who accessed them. The results were then compared with those of a similar experiment performed on the surface web. This article walks through the methodology and results of that study.
Methodology of the study:
The study reused the honeypot infrastructure proposed by Onaolapo and colleagues in 2016 to study leaked account credentials on surface web sites. The first step was to create 100 Gmail accounts, referred to as "honey accounts." The fictitious personal data used to register them was generated automatically from a database of random personal data. Each honey account was then populated with email messages taken from the Enron dataset to make it look like a real account belonging to an ordinary user: around 200 messages per account, delivered in batches to simulate an active account that handles a considerable volume of mail.
As in Onaolapo's surface web study, the sites chosen for leaking the credentials included underground forums and paste sites. Credentials were leaked on different kinds of sites so that the malicious activity they attracted could be compared. The honey accounts were also leaked on darknet marketplaces (black markets).
The paste sites were Insertor and Stronghold. The underground forums and black markets were Silk Road Forum, AlphaBay, and KickAss, all of which host many threads about illegal activities and data theft. These dark web sites were selected because they correspond to the sites used in the surface web study, which were pastebin.com, pastie.org, offensivecommunity.net, hackforums.net, bestblackhatforums.eu, and blackhatworld.com.
Activity on the Gmail honey accounts was monitored for a period of seven months.
Results of the study:
The researchers recorded 1,092 access incidents on the honey accounts leaked on the dark web, compared with 164 access incidents in the surface web experiment by Onaolapo and colleagues. Note that although the credentials were leaked on dark web sites, the accounts were not always accessed through Tor: only 378 of the 1,092 access incidents originated from the Tor network.
Credentials leaked on paste sites attracted the most accesses on both the surface web and the dark web, but the volume was far larger for dark web paste sites. On the surface web, posts containing leaked credentials are usually deleted from paste sites by the sites' owners or administrators; dark web paste sites, by contrast, are not closely moderated, so leaked credentials stay published for longer. Surface web underground forums gave the credentials an exposure comparable to that of surface web paste sites. Credentials leaked on dark web forums were less exposed, because users must create an account, and sometimes obtain an invitation, before they can read these forums.
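The comparison above rests on two measurements per leak site: how many logins a leaked credential attracts, and how many of those logins arrive through Tor. As an added example (not code or data from the study), the script below reproduces that tally over a constructed access log. The log format, the leak schedule, and the Tor exit-node list are assumptions for illustration; a real deployment would feed it the honeypot's own login records and a freshly fetched Tor exit list, since exit nodes change daily.

```python
"""Tally access incidents on leaked honey accounts by leak site and Tor use.

Constructed example: the log format, the leak schedule (LEAKS) and the Tor
exit list are assumptions for illustration, not data or code from the study.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed Tor exit list using documentation address ranges. In practice,
# download the published exit list and refresh it regularly (exits churn).
TOR_EXIT_NODES = {ip_network("203.0.113.0/28"), ip_network("198.51.100.42/32")}

# Constructed leak schedule: honey account -> (site class, time it was posted).
LEAKS = {
    "honey01": ("dark_paste", datetime(2017, 1, 1, 0, 0)),
    "honey02": ("dark_paste", datetime(2017, 1, 1, 0, 0)),
    "honey03": ("dark_forum", datetime(2017, 1, 1, 0, 0)),
    "honey04": ("surface_paste", datetime(2017, 1, 1, 0, 0)),
}

# Constructed access log: ISO timestamp, honey account, source IP of the login.
SAMPLE_LOG = """\
2017-01-01T02:10:00 honey01 203.0.113.7
2017-01-01T05:45:00 honey01 192.0.2.10
2017-01-02T11:00:00 honey02 203.0.113.9
2017-01-03T09:30:00 honey02 192.0.2.77
2017-01-10T18:00:00 honey03 198.51.100.42
2016-12-31T23:00:00 honey04 192.0.2.5
2017-01-01T01:00:00 honey04 192.0.2.5
2017-01-02T00:00:00 honey99 192.0.2.1
bad line that should be skipped
"""


@dataclass(frozen=True)
class Access:
    ts: datetime
    account: str
    src_ip: str
    via_tor: bool


def is_tor_exit(ip, exits=TOR_EXIT_NODES):
    """True if the source address falls inside a known Tor exit range."""
    addr = ip_address(ip)
    return any(addr in net for net in exits)


def parse_log(text, exits=TOR_EXIT_NODES):
    """Parse one login record per line; malformed lines are skipped, not fatal."""
    accesses = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            via_tor = is_tor_exit(parts[2], exits)
        except ValueError:
            continue
        accesses.append(Access(ts, parts[1], parts[2], via_tor))
    return accesses


def summarize(accesses, leaks=LEAKS):
    """Per leak-site class: access count, Tor share, distinct accounts hit and
    hours from posting to the earliest access (a proxy for exposure)."""
    first_hit = {}
    per_site = defaultdict(lambda: {"accesses": 0, "tor": 0, "accounts": set()})
    for a in accesses:
        if a.account not in leaks:
            continue  # login on an account we never leaked: not an incident here
        site, leaked_at = leaks[a.account]
        if a.ts < leaked_at:
            continue  # predates the leak, so it cannot be caused by it
        s = per_site[site]
        s["accesses"] += 1
        s["tor"] += int(a.via_tor)
        s["accounts"].add(a.account)
        if a.account not in first_hit or a.ts < first_hit[a.account]:
            first_hit[a.account] = a.ts
    out = {}
    for site, s in per_site.items():
        delays = [(first_hit[acc] - leaks[acc][1]).total_seconds() / 3600
                  for acc in s["accounts"]]
        out[site] = {
            "accesses": s["accesses"],
            "tor_share": round(s["tor"] / s["accesses"], 2),
            "accounts_hit": len(s["accounts"]),
            "hours_to_first_access": round(min(delays), 2),
        }
    return out


if __name__ == "__main__":
    for site, stats in summarize(parse_log(SAMPLE_LOG)).items():
        print(site, stats)
```

Logins that predate the leak or target an account that was never posted are dropped rather than counted, since they cannot be attributed to the leak; in a live honeypot those are exactly the events worth alerting on, because they indicate the credential escaped through some other channel.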
Limitations of the study:
The most important limitation of the comparison is that the surface web and dark web experiments were conducted in different time periods, so the level of activity in the two environments may have differed considerably between the studies. The data from the two experiments is therefore not sufficient to generalize the results. The authors plan to continue this research by building a honeypot infrastructure that covers both web environments and additional online services, which would allow a more accurate comparison.
Another limitation is the relatively small number of Gmail accounts. Creating an account requires registering a phone number; otherwise Gmail treats the new account as spam. The researchers were therefore unable to create a large number of honey accounts.