Financial firms continue to move to digital-first deployments, as retail branches close, and people shift to remote work. This shift makes understanding and preventing even common darknet, or dark web, threats a priority.

Financial cybersecurity investment institutions need to understand what the dark web is, provide their security teams with the tools to explore it safely and prioritize areas of concern. Taken together, these actions can limit risk and improve regulatory compliance.

About the Darknet

Originally designed to hide users’ activities and identities, the dark web, also known as darknet, quickly became an obstacle as malicious actors leveraged tools, such as The Onion Router (TOR) to create a digital marketplace where nothing was off-limits or beyond reach. From illegal items to stolen data, there’s a good chance someone on the dark web has obtained, or has access to exactly what bad actors are after.

Not surprisingly, financial data remains one of the most popular purchases on the dark web. Credentials for high-value bank accounts start at just $500, and credit card data is sold in large volumes at low cost. Financial firms are often forced to close compromised accounts and refund fraudulent transactions, since there is little recourse when it comes to finding the origin of this pilfered information.

Dark Web: The Deep and the Darkness

No discussion of the dark web is complete without a quick primer on the difference between deep and dark deployments.

The deep web is classified as data that isn’t indexed and readily available online. While this type of data makes up 90% of the internet at large, the dark web accounts for just 0.005%, or around 8,400 live sites.

Financial firms regularly interact with the deep web. It’s where secured client data and essential enterprise assets are stored. The deep web is fundamental for finance and critical for consumer confidence. If secured financial information was readily available with a simple online search — which still happens with alarming regularity — clients would quickly abandon banks in favor of more secure alternatives.

The dark web, meanwhile, is a place without rules or regulation. Both legal and illegal activities exists side-by-side, unchecked by regulatory or operational obligations on the dark web. And, accessing the darknet isn’t complicated. Users typically leverage the Tor Browser to encrypt and obscure their location and IP address. Still, it’s nothing like the surface web.

The Economies of the Dark Web

The darknet isn’t just a free-for-all of fraudulent transactions and stolen credentials. As noted by Financial Management, this twilight trading ground has developed its own economy. It is one that follows the laws of supply and demand and sees criminal ‘vendors’ fighting for market share by offering top-tier products, lower prices and enhanced customer service.

This creates a kind of paradox. While the dark web economy doesn’t match the rest of the web in terms of design, it displays the same type of inventory and incentive tools and strategies as more common businesses. As a result, it’s critical for financial firms to take the same approach to dusk economies as those in the daylight, discovering as much information as possible.

This requires a shift in thinking. Rather than waiting for malicious actors or dark web buyers to compromise financial networks, banks must take an intelligence-based approach to data discovery. What information is available on the dark web? How much (if any) client data has been compromised? How have the bad actors made it available to potential purchasers?

Equipped with actionable insight, financial firms can begin developing proactive incident response. That could mean anything from changing account details before compromises happen to deploying security tools that better defend against theft. With the dark web now governed by supply and demand, making supply worthless is the quickest way for banks to boost their defense against shady economies.

How Your Cybersecurity Team Can Fight Back

It’s one thing to recognize the need to improve data gathering on the dark web; it’s another entirely for banks to put policy into practice.

So, how do financial firms actively protect themselves against bad actors?

It starts with an understanding of current infosec expectations, such as those described in the FFIEC Information Technology Examination Handbook. These guidelines can help banks identify potential weak points across current efforts to manage protected information. From there, they can implement effective network and access controls.

By knowing which areas need the most work, financial firms can prioritize essential infosec investments. No single dark web cybersecurity solution is enough to combat all emerging threats. Instead, organizations must adopt defensively diverse portfolios that include:

Expert Insight

Uncovering tactics and technologies used by darknet attackers is critical to improving current defenses. Human experts are the best defense. Banks must invest in security professionals capable of creating and cultivating dark web personas themselves. By becoming a trusted member of this shadow community, firms have a better chance of finding stolen data before it can be used to infiltrate accounts or compromise key systems. Then, they can integrate collected intelligence into existing defensive frameworks.

Active Listening

It’s not enough to know that data has been compromised or if attackers are attempting to breach financial networks. Firms need to know what’s being said about them on the darknet and how stolen information is being used.

For example, if banks can identify a cache of pilfered business account credentials for sale and observe interest from other users in purchasing this data, they can proactively close and re-secure these accounts to limit potential risk. With enough lead time, it’s also possible for teams to create honeypot accounts that allow attackers in but keep them contained. This, in turn, provides IT teams valuable threat vector data.

Machine Learning

While human desire and demand form the foundation of dark web functions, even the most experienced infosec experts can’t cover the entire economy at once. Advanced machine learning and artificial intelligence tools can help bridge the knowledge gap by analyzing current compromise patterns and predicting potential outcomes. This way, banks can identify top compromise targets and deploy purpose-built protections to limit the risk of darknet disclosure.

A Mirror, Darkly

As dark web economies evolve, a malicious mirror emerges. Fraudulent financial transactions have their own economy that mimics above-the-board deals. To deliver dark web security, organizations must look into the abyss, learn from it and leverage operational insight to defend against fraud.

More from Advanced Threats

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today