These terrifying ads selling violent services don't show the true secret of the 'dark web' - that criminals behave a lot like regular companies
- Take a peek at some actual ads for services on the dark web.
- What you can't see is that these cyber criminals behave among one another in much the same way legit businesses behave to legit customers, a security researcher tells Business Insider.
If you're a criminal hacker you probably spend a lot of time on the "dark web."
That's the corner of the internet where hackers do things like sell stolen credit cards; buy "exploit kits," aka software products that help them hack; hire "botnets," or networks of hacked computers that can be programmed to do their misdeeds; or even hire a contract killer. The dark web is not accessible through a regular browser.
If you are a cyber security researcher, like Ziv Mador, you also spend much your time on the dark web, infiltrating the online criminal networks, studying them, and using your knowledge to help businesses defend against them.
Mador has spent two decades doing that. He's currently a lead researcher for security company Trustwave and previously spent 14 years working in computer security at Microsoft.
One of the most surprising findings in his years on the dark web is that these criminal organizations operate with a code of ethics much like the same ethics used by legit businesses, he told Business Insider.
"These are vivid communications, very functional. These are communities where cyber criminals exchange a lot of information and are very helpful [to each other ] if they are looking for a piece of information," he described.
So just like a programmer can get advice from fellow programmers on Stack Overflow or an IT pro can get product recommendations from others in IT on Spiceworks, cyber criminals will freely help one another solve problems or find products to do their own dark sites on their community websites.
A trustworthy reputation
There's a good reason for this: their street cred is their most important asset.
"Their reputation is very important to them. Much like it is in the business world," Mador says. "Even though they are involved with criminal or shady activities, they have their own rules of engagement and it's very similar to what people in the legit world do."For instance, they don't share another's contact info without that person's permission. Spamming each other is a no-no and, above all else, they can't cheat or con one another.
Should they violate these ethics of behavior they would face any number of repercussions.
For one, they would lose customers to their competitors. "They are very competitive," Mador says.
Or, if they've really angered their fellow hackers, they could be "doxed," Mador says, meaning everything about their their real-life identity would be published for the other hackers to see. Unmasking a hacker's identity, especially in relation to a pissed off customer, is dangerous for them on all sorts of levels.
They are also price competitive with the products they sell. For instance, a handful of gangs sell exploit kits and compete aggressively on price and features. These kits must always be up-to-date on the latest security holes that can be used for hacking.
For the criminals that specialize in running botnets, networks of hacked computers for hire, they offer sophisticated realtime customer data analytics tools, similar to what any app developer wants from a cloud provider
"They have administration panels where their customers can login and see live data on infections," he describes.
Violence for sale
Even services that advertise a terrifying list of violent services are often run with similar code-of-conduct considerations.
For instance, these criminals often post a price list for the explicit acts of violence they will do from burning the car of an enemy to breaking bones.
When offering a hitman for hire, some outfits advertise the money saving option of hiring a novice who might fail. That could cost $5,000 compared to $200,000 to hire the most experienced killer on the roster.
Being a researcher on the dark web takes a level of courage but also patience, Mador says. It can take years to infiltrate such websites, getting criminals to trust that the fake identity of the researcher is indeed a fellow criminal and not the account of a researcher or law enforcement officer.
But once there, security researchers use their fake identities to monitor the underground, learning about things like stolen passwords, new types of malware and "what the next attacks are going to look like," Mador says.
He also shared with Business Insider a few examples of actual ads pulled from the dark web.