The dark web is a part of the internet that is not indexed by traditional search engines and requires specific software, configurations, or authorization to access. It’s a haven for various forms of cybercrime and illegal trade, including narcotics, weapons, and other illicit items. In the aftermath of data breaches—often stemming from phishing attacks, exploited vulnerabilities, and malware deployments—threat actors sell this stolen data on the dark web. More specifically, the dark web is where ransomware actors, such as BlackCat, BianLian, and LockBit, operate. These syndicates post data stolen in ransomware and extortion attacks, such as personal information, asset access, or credentials, creating a perilous digital landscape.

A key commodity on the dark web is those previously mentioned stolen credentials. Threat actors use stealer malware like RaccoonStealer and SolarMarker to harvest credentials, which are then sold. These can include usernames, passwords, session tokens, and browser information. Cybercriminals leverage this data for espionage, destructive purposes, or to continue the cycle of ransomware and extortion. Such activities can lead to targeted spear-phishing attacks, SIM-swapping to bypass multifactor authentication (MFA), and other sophisticated cyberattacks.

Users often become vulnerable to dark web threats due to factors like third-party vendor breaches, the use of weak or reused passwords, and a general lack of awareness about the severity of email-based cyberattacks. The ramifications of a cyberattack originating from the dark web can be severe. A single compromised credential can escalate into a widespread security breach spanning many accounts and companies. Such breaches drastically heighten the risk of credential compromise, credential stuffing, spear-phishing, business email compromise (BEC), and other serious cyberthreats.

For instance, a hacker with access to an employee’s Microsoft 365 account could:

• Gain legitimate access, enabling them to quickly gather intelligence and form different paths within an attack on the company
• Test those login credentials on other platforms used by the employee, potentially enabling them to access personal information, make fraudulent payments, and more
• Use the trusted account to spear-phish other employees, harnessing the employee’s familiarity to increase the chance of others falling for the scam
• Leverage this access to perform BEC attacks or exploit vulnerabilities through social engineering tactics

The 23andMe cyberattack in October 2023 exemplifies the devastating impact of dark web activities. In this incident, cybercriminals accessed personal information from about 6.9 million users—nearly half of the company’s customer base. By leveraging 0.1% of compromised user accounts, around 14,000, the attackers were able to gather further access to system data. This attack, a classic case of credential stuffing, involved the use of credentials from previous data breaches to infiltrate unrelated services, highlighting the interconnected risks in the digital world.

If you discover that your credentials, or those of an employee or a customer, have been compromised and surfaced on the dark web, our Security Operations Center (SOC) team suggests that you:

• Change your passwords to strong, unique ones per platform
• Monitor your credit reports
• Consider replacing your credit cards
• Enable MFA whenever possible
• Continue to scan the dark web for your data’s presence

As a first step in enhancing your visibility into online vulnerabilities, Blackpoint has released Dark Web Scan. This complimentary partner feature allows them to scan the dark web for compromised domains and email addresses directly within the Blackpoint Cyber Portal. In turn, they’ll be able to address risks at an early stage and keep their clients further left of boom. By integrating Dark Web Scan with Blackpoint’s Managed Detection and Response, Cloud Response, and Managed Application Control, Blackpoint empowers our partners to stay ahead of advanced cybersecurity threats, ensuring robust protection across all work environments and accounts.