The Rise of Hacking as a Service on the Dark Web

Hacking is hard.
November 15, 2016

The Terbium Analyst Team is on the front line of combatting dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

Aside from the overwhelming amount of perfectly legal content it hosts, the dark web tends to be known for its unsavory side: drugs, credit card fraud, and other illicit classifieds.

But what about hacking?

A quick perusal of any popular market or forum will reveal that there is a market for hacking, or “hacking-as-a-service,” on the dark web. Vendors offer distributed denial of service (DDoS) attacks, social engineering, doxing, and more.

But evaluating the legitimacy of the listings in the hacking-as-a-service market is difficult; most posts seem overzealous (“I can hack anything”) and usually lack the genuine reviews that guide customers in other markets, like drugs and credit cards.

Gaining unauthorized access to others’ networks and accounts can be a profitable venture, and much of the illegal trade on the dark web focuses on profit. If hacking services aren’t highly sought after, though, it may be because they’re too risky.

When purchasing a hacking service, legal risk is present at nearly every stage during – and after – the transaction. Customers assume the standard risk of communicating and negotiating with an individual offering an illegal product or service. They then proceed to rely on the vendor’s stealth and tradecraft, and these services don’t exactly come with a preview. After the victim is attacked, should an investigation follow, it is not impossible for the attacker, and those who purchased their services, to be brought to justice.

This model stands in stark contrast to some of the dark web’s more established markets. When an individual buys drugs, the risk lies in the purchase and shipping, and disappears once the substance is consumed. Likewise, an individual purchasing stolen credentials from a popular carding site assumes risk in the purchase and delivery of the data, but then is in total control of what they choose to do with it.

However, recent attacks with a strain of malware known as “Mirai,” which uses the Internet-of-Things (IoT) to overwhelm servers, may be the catalyst for the maturation of hacking services on the dark web.

The IoT is composed of common, everyday networked devices that have hardcoded passwords in them, like “root.” These DVRs, cameras, and even crock-pots can be used as part of a botnet to send a massive influx of requests to a site, preventing legitimate users from accessing the information.

Most people aren’t actively checking to see if their gadgets have been compromised, as they don’t seem to warrant the same level of attention one would give to a smartphone or computer. But as IoT malware is continuously improved, taking control of connected – but not personal – devices will be easier, and will introduce less risk.

These hundreds of millions of devices have no way to be automatically updated, and that isn’t likely to change; the debate over regulation has begun, but legislation will always be playing catch-up to security. In the meantime, hackers are already selling space in their coveted botnets on the dark web.
