Supply chain operations can be vast. While globalization and digital technologies are making the world a smaller place in many ways, they also increase the number of potential vulnerabilities that security teams and supply chain managers must monitor. Current threats to the logistics sector include climate and weather events, piracy, terrorism, DDoS attacks, malware and data breaches.

The range of potential threats is exacerbated by the vulnerabilities of the supply chain and the sheer size and scope of the operations involved. For example, around 90% of the entirety of global trade flows through only 39 bottleneck regions. An effective attack on any of these 39 traffic-heavy logistics hubs would have far-reaching consequences impacting billions of dollars of trade.

One example is the Hong Kong-Shenzhen freight cluster, a critical gateway for global manufacturing and trade, through which tens of millions of tonnes of container and air freight move annually. Additionally, there are a number of geographic chokepoints, such as the Panama Canal and the Strait of Malacca.

It is no longer merely the threat of attacks to these areas, which could halt a vast amount of freight. Incidents, such as the grounding of the Ever Given in the Suez Canal in 2021 and the drought that restricted movement through the Panama Canal in 2023-24, demonstrate that these geographic chokepoints are increasingly vulnerable.

If this wasn’t enough, digitization has increased the number of threats that logistics companies need to consider. This increase in vulnerability needs to be addressed through effective security measures, such as real-time data collection using Open Source Intelligence (OSINT) software.

How can transport and logistics companies secure their supply chains?

Ensuring secure passage

One of the key concerns – and one of the oldest – that logistics and transport companies have to contend with, is tangible and physical security threats; terrorism and piracy being the obvious examples. The rise in extreme weather events, such as hurricanes and droughts, also places pressure on logistics routes. Organizations need real-time information to carefully and continuously assess the threat level, implications and risks surrounding these physical security concerns.

These analyses help organizations to develop mitigation strategies. They also help to establish contingency plans for worst-case scenarios. Organizations need to be able to adapt and respond quickly to events as risk levels change. Supply chain managers across all industries need to consider higher transportation costs, longer travel times and potential issues in meeting schedules when alternative transportation routes are used.

These strategies depend on continuous visibility of current and emerging threats. Without this response, planning is compromised. Being caught unawares could have far-reaching and even devastating consequences. And, in some cases, business models based on time-critical deliveries may be squeezed out of the market.

Keeping cyberspace safe

Cybersecurity is a concern that should be receiving increasing attention as cybercriminals continue to evolve their tradecraft.

In 2017, a cyberattack cost shipping giant Maersk upwards of US$300 million. A vicious malware called NotPetya took down Maersk’s IT systems. Maersk was handling roughly one container ship into port every 15 minutes. So, it's easy to imagine the logistical nightmare that ensued as the company was forced to turn to manual processes to keep things moving.

The Russian military developed NotPetya to target businesses in Ukraine – but the malware quickly got out of hand. Soon, it was spreading around the world, taking down networks and causing billions of dollars in damage and lost revenue. In this scenario, Maersk was simply collateral damage.

More recently, Expeditors International were affected by a cyberattack that forced them to shut down their operating systems, disrupting their services for more than three weeks. Expeditors later revealed the attack had cost them $60 million in lost revenue, investigation and remediation.

Transportation is already heavily reliant on Information Communication Technology (ICT), with virtual threats growing in frequency and complexity. For this reason, cyber threats are an increasing concern across multiple industries. Additionally, for transportation and logistics, cyberattacks designed to induce physical damage are an increasingly common attack vector.

OSINT software for a more secure future

Some organizations operate with hundreds of individual suppliers. If any supplier is disrupted, consequences across the supply chain could be costly. Expeditors International and Maersk are just two examples of this.

Investing in live threat detection doesn’t just reduce risk; it also keeps operations running smoothly and predictably. When it comes to security and supply chain management, it’s especially important to look at future scenarios and manage security proactively. Reacting to crisis situations is not enough. Companies must find the right combination of preventive and reactive measures to achieve the optimal level of supply chain security.

Executives should also keep an eye on so-called wildcard events. That means examining the potential financial impact, the relative vulnerability of their business model, and their company’s ability to respond to low-probability, high-impact events.

As supply chain threats multiply, staying ahead of the intelligence flood becomes more difficult. Signal’s tools cut through the noise by using AI to perform tasks, such as triaging alerts and providing contextual SITREPs for possible threats. This sort of practical application of AI creates efficiencies within security teams, without compromising the crucial situational awareness needed to keep logistics lines open.

How Signal is already helping secure logistics supply chains

• Signal alerts a customer to a supplier’s merger. They can find new suppliers in a timely fashion, preventing disruption and revenue loss.

• Signal provides data on severe weather warnings that affect multiple suppliers and disrupt transportation routes.

• Confidential data is found for sale on the dark web, allowing the organization to act quickly for threat mitigation.

The dark web has grown in popularity over the years, as people become increasingly technologically savvy. Using a darknet browser like Tor or I2P enables users to remain anonymous while browsing the internet.

 People seek anonymity online for many legitimate reasons. For example, they might have concerns about large companies' abilities to track their online activity, or they might not feel comfortable giving Google all their data. Alternatively, they might live in a place with restrictions on freedom and free speech and necessarily turn to dark web anonymity to access world news or freely share journalism.

However, that same anonymity also protects criminals. It allows them to operate across borders, organize crime and trade in illegal items, both physical and digital. Dark web forums also host discussions on topics including extremist ideas, hate speech, threats of violence, or even plans for cyberattacks.

This wide range of dark web activity is a key concern for security professionals. By monitoring the dark web with OSINT tools, such as Signal, security professionals can discover exploit kits targeting their organization, get early alerts of data breaches, and even prevent physical attacks on assets or employees.

In this article, we examine a few of the more common dark web forums and explore how security professionals can utilize OSINT tools, such as Signal, to more efficiently and effectively monitor threats on the dark web.

About dark web forums as data sources

Because of the anonymity afforded by the dark web, people feel comfortable discussing all manner of things. As such, the dark web – especially dark web forums – is a valuable source of intelligence for security professionals. Monitoring these channels can help expose real and potential threats, ranging from planned attacks, both physical and digital, to fraud, data breaches and more.

Below, we examine 7 of the largest dark web forums that professionals should be aware of as potential sources of security data.

BreachForums

Despite multiple takedowns by law enforcement and rumours that it may now be a ‘honeypot’ (a site compromised by law enforcement or security researchers), BreachForums and the mirror sites that pop up are still a major threat. BreachForums and its mirrors are still one of the most visible places for selling or leaking corporate databases and credentials. If your company data is compromised, it is highly likely it will appear here.

DarkForums

This is a relatively new forum, emerging as a successor to BreachForums. With a rapidly growing user base, this English-language site specializes in data leaks, malware and access sales.

Cracked / Nulled

Cybercriminals mostly use these forums to trade and purchase leaked or hacked information. Despite a significant law enforcement action in mid-2025 (Operation Talent), these forums still have millions of members. They are able to remain in operation in much the same way as BreachForums, by spawning mirror sites.

Dread

Dread is a forum on the darknet that mirrors Reddit’s functionality. It provides the same familiar community discussion boards. The forum takes many ideas from Reddit, such as sub-communities and user moderation responsibilities. The site mimics this functionality without any JavaScript. The primary goal of Dread is to offer a censorship-free forum; however, it also provides hacking guides, software and carding tools, as well as drugs and stolen data. Dread also serves as a place for news on the latest dark web marketplaces.

XSS

A longstanding Russian language forum. XSS has a reputation for high-quality content and is a closed forum with restricted access to approved members. Access to compromised systems is frequently sold and traded on this site.

Exploit

Exploit has been in existence even longer than XSS, for many of the same reasons (high-quality content and restricted access). Due to its longevity, most types of cybercriminal activity can be found in dedicated sections.

RAMP

This is another Russian-language forum that has quickly gained prominence on the dark web. It functions as both a forum and a marketplace for criminal activity with a particular focus on financial fraud.

Other prominent forums

Other active forums with substantial membership include:

• LeakBase

• Crax

• Germania (a German-language forum)

• Infinity

• HackForums

• Sinister.ly

• Mirror sites for older forms, such as RaidForums, also persist on the dark web.

The dark web is no longer the only location for this type of activity. Apps such as Telegram and Discord, which sit on the unindexed deep web, are also becoming increasingly popular for cybercriminals to trade exploits, swap information and organize activities.

Related: How Can 4chan be Used as a Data Source for Security Intelligence?

Why dark web monitoring is difficult

Security professionals face numerous challenges when it comes to monitoring the dark web. For a start, there is the sheer volume of posts. With each of these forums and marketplaces operating across numerous time zones, they experience continuous activity. The most popular get tens of thousands of posts a day. Manually monitoring these sites is just not a feasible task.

Secondly, the fluid nature of the dark web community means that forums and marketplaces are forever becoming the victims of law enforcement action, internal troubles or scams. For example, XSS may have become compromised even as this blog is being published. These forums and marketplaces are like a Hydra – when one is cut off, new sites or mirror sites sprout up almost immediately.

Thirdly, the more explicit dark web forums and marketplaces (such as XSS or Exploit) will require you to create an account and may even go some way to verifying that you have the necessary skills to be allowed in. While the anonymity of the dark web means administrators of these forums likely can't work out exactly where you came from or what your true purpose is on their platform, those that are interested might attempt to determine your real identity. When creating an account, it’s essential to make sure it holds no relevance to any other online account you have, if you want to maintain your complete anonymity and avoid becoming a target of those same criminals you are looking to monitor.

Once inside, you must remain active on the platform without arousing suspicion; otherwise, your hard-won access could be revoked.

Finally, a lot of hackers on the dark web would be more than willing to turn their talents and attention to you, should you accidentally cross them. Some websites will infect your device with malware, so treat all links or downloads with suspicion. Additionally, clicking those links may take you to disturbing material. So, unless you’re confident you can safely and securely navigate the dark web, it may be better to look for safer, more efficient alternatives.

How Signal makes dark web monitoring safer and smarter

The Signal OSINT platform works by continuously scanning the surface, deep, and dark web. You can run custom Boolean searches across multiple data sources. These search results can then be filtered using our advanced AI and natural language processing (NLP), which enables you to search across languages, determine location, analyze copy in images and even assess the emotional intent behind text through our NLP software, Spotlight.

The benefits of having a tool like this for monitoring the dark web include efficient, continuous monitoring and assessment of a multitude of sites, allowing security teams to monitor more of the web to catch more threats faster. Because Signal’s searches are across the dark web, rather than specific sites, they do not rely on security teams having up-to-the-minute intelligence about which forums or marketplaces are active and popular. Additionally, security professionals can access this data without ever having to hunt down and access the various dark web forums and marketplaces, which is both more secure and much more time-efficient.

This lets you automate dark web monitoring – cutting costs, while expanding coverage and relevance.

Dark web marketplaces are online platforms, where people can buy and sell illegal goods and services while remaining anonymous. The offerings include leaked credit card details, exploit kits, hackers for hire and advertisements for hitman services.

Because of the range of goods and services available, as well as the conversations that occur around these transactions, dark web marketplaces can be immensely valuable sources of data on criminal activity. As such, they are typically under intense scrutiny from both law enforcement and security professionals.

These marketplaces have become increasingly sophisticated, with slick user interfaces that resemble familiar online storefronts, such as Amazon, along with seller ratings and escrow services for secure payment. This makes the barrier for users lower than ever before.

5 dark web marketplaces

People have been organizing illicit trades via the internet since the 1970s. Those early examples were through closed networks, with actual exchanges of money and goods usually taking place in person. With the advent of cryptocurrencies, it has become easy to complete online trades without leaving a trail. As a result, the online trade of illegal goods has become increasingly commonplace, and vast dark web marketplaces have emerged.

The very first of these marketplaces to pair the darknet with Bitcoin was the Silk Road, created by Ross Ulbricht in February 2011. Over the following two years, the Silk Road set the standard for dark web marketplaces. By the time it was shut down in October 2013, and Ulbricht arrested, the site had traded an estimated $183 million worth of goods and services.

Torzon Market

Torzon is one of the largest general-purpose darknet markets still active in 2025. It offers a familiar mix of narcotics, fraud tools and digital services. The site operates on Tor and supports Bitcoin and Monero, utilising escrow to facilitate transactions. Torzon also imports vendor feedback from other platforms, providing some continuity for buyers and sellers who have migrated after past shutdowns.

STYX Market

STYX has carved out a role as a hub for stolen data rather than drugs. Its listings focus on stealer logs, initial access and financial credentials, making it highly relevant for financial security professionals. Unlike older drug-oriented markets, STYX looks more like a specialized cybercrime exchange than a bazaar.

STYX is a great example of a ‘new model’ market with a searchable structure and trusted vendor processes, which helps buyers quickly filter for fresh data. The market grew through 2023-24 and remains active in 2025, underscoring how access and credentials have become commodities on par with drugs in the dark web economy.

Russian Market

Often written as RussianMarket, this is the largest marketplace for stealer logs. It aggregates credentials, cookies and session data harvested by malware such as RedLine, Raccoon and Vidar, and sells them in bulk. This makes it both a goldmine for attackers seeking account takeovers and a persistent monitoring target for security professionals.

Researchers estimate that millions of logs are for sale, with new ones added daily. Its endurance shows how cybercriminal demand has shifted from physical contraband to stolen identity data. For enterprises, Russian Market illustrates why compromised credentials remain one of the most common entry points for intrusions.

2easy

Sometimes branded 2easy.shop, this site has become known as the budget marketplace for stolen logs. Rather than focusing on premium access, it thrives on low-cost, high-volume sales. Individual log packages are often priced between $5 and $25, making them accessible to a wide spectrum of buyers. 2easy's persistence highlights the democratization of cybercrime. Criminals no longer need large budgets to obtain working credentials, just a few dollars.

BriansClub

BriansClub is a long-running carding shop, best known for selling stolen credit card ‘dumps’ and CVVs. Despite a 2019 breach (and law enforcement action) that exposed millions of its records, the shop has remained active and continues to attract buyers in 2025.

Estimates before the breach suggested a nine-figure annual turnover and, while its exact scale today is harder to verify, it remains one of the most recognisable carding brands.

Other markets include Abacus market, BidenCash, Exploit, Exodus Marketplace and more.

The diffusion of dark web marketplaces

With the rise of encrypted communication apps, such as Telegram and even Discord, some of the trade previously undertaken on the dark web has ‘surfaced’ to the unindexed deep web. Channels such as CrdPro Corner, AsCarding Underground and Daisy Cloud are flourishing on Telegram, with thousands of users in each channel trading everything from logs to bots. These channels often operate as subscription services, providing fresh dumps of material daily.

How to keep track of evolving darknet marketplaces

There are various active dark web marketplaces. One of our data providers estimates there are approximately 20 active, leading dark web marketplaces and dozens of smaller, additional marketplaces. With the diffusion to the unindexed deep web, this number becomes even greater.

Gaining access and monitoring these darknet marketplaces comes with a unique set of challenges. Firstly, they generally have short lifespans. This could be for a variety of reasons. For example, law enforcement might close them down; or, perhaps to help avoid this fate, they frequently change their domain address. It could even be because the admin implemented an exit scam, as happened with Empire Market, where the admin team is estimated to have made off with approximately $30 million worth of Bitcoin in August 2020. Almost none of the marketplaces featured in the 2020 version of this article are in existence now.

Due to this short lifespan, security professionals need to constantly be on the lookout for the next big marketplace. However, because of the illicit nature of the dark web, many websites don’t want to be found; as such, there is no easy way to navigate the dark web. Each website can be thought of as an independent silo. Darknet websites rarely, if ever, link to one another. To find forums and marketplaces on the dark web, as well as in the deep web, you need to know what you’re looking for and how to look for it.

Finally, once the relevant sites have been located and access gained, there is still the serious challenge of monitoring the dark website to gather usable intelligence effectively. Doing this manually requires vast amounts of resources; however, you also can't simply scrape the website, as such activity can quickly get you banned from a site.

This is where Open Source Intelligence (OSINT) tools like Signal come in.

The role of OSINT tools when monitoring the dark web

OSINT tools allow security professionals to effectively and efficiently monitor the surface, deep and dark web. Using Signal, you can create targeted searches with Boolean logic and run the results through intelligent filters powered by our advanced AI. The process can be automated with real-time SMS and email alerting.

This reduces the need for skilled professionals to spend all their time manually monitoring the entire web and assessing the associated risks. Additionally, it reduces the inherent risk of accessing criminal forums and marketplaces. Instead, security professionals get hyper-relevant alerts that can quickly be assessed and acted upon without ever actually having to go onto the dark web or painstakingly gain access to marketplaces.

This approach is vastly more time-efficient and allows you to put your web monitoring on autopilot; reducing costs, while simultaneously increasing efficacy. As cyber-criminals embrace new technologies, it’s becoming increasingly necessary for security professionals to do the same to stay ahead.

Increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips. Gather actionable intel in real-time.

Ransomware is a form of malware which is installed on a victims device or devices with the main objective of seizing and/or locking away sensitive data. As the name suggests in order for a victim to regain access to their data and systems they need to pay a ransom. More often than not, the two options a victim is presented with when they succumb to a ransomware attack is to either rebuild their systems from scratch and potentially have the attacker leak the data online - or pay up.

As such, it’s unsurprising that, in our increasingly digital age with more and more data on the cloud, that the number of attacks and the success of ransomware attacks is on the rise. Approximately 58% of ransomware victims paid in 2020, compared to 39% in 2017.

Ransoms for these kinds of attacks range from a few hundred dollars to thousands or even millions of dollars payable in cryptocurrency such as Bitcoin. In return for the payout, the attackers will release a decryption key allowing the organization to return to business. Certain industries, such as government organizations and hospitals are more susceptible to ransomware attacks due to the nature of the work that they do often being time-sensitive. For example, a ransomware attack crippled a hospital in Germany, leading directly to one patient’s death.  

There are numerous strategies that ransomware attackers employ to gain access to a victims database. One of the most common though is through social engineering tactics, such as phishing emails. Cybercriminals can make these emails look exactly like trustworthy emails from official sources, tricking victims into downloading compromised software onto their device. 

Because of the nature of social engineering tactics, and the evolving cyber threat landscape no organization can ever be fully secure from malware threats. Below we outline 12 of the biggest ransomware attacks that occurred in 2020.

12 Ransomware Attacks that Happened in 2020

1. ISS World 

Estimated cost: $74 million 

In February of 2020 ISS world, a Denmark based company went down due to a ransomware attack. Thousands of employees were left without access to their systems and emails. This cost them an estimated $74 million which includes regaining control of the affected IT systems and re-launching critical business systems. 

2. Cognizant

Estimated cost: $50 million

A ransomware attack on the organization Cognizant in April of 2020 is said to have cost the company over $50 million, potentially as much as $70 million, including legal and consultation costs and data recovery costs, along with the financial loss reflected in their second-quarter earning in 2020.

3. Sopra Steria 

Estimated cost: $50 million

The company Sopra Steria revealed that they were hit by hackers using a new version of the Ryuk ransomware in October.

They estimate that the fallout, including dealing with the various systems that went out of action, is likely to have a gross negative impact on operating margin of between €40 million and €50 million.

4. Redcar and Cleveland Council 

Estimated cost: $14 million

Redcar and Cleveland Council in the UK suffered an attack on their systems in February of 2020 costing the council an estimated $14 million.  The ransomware attack is said to have disrupted the company’s network, tablets, computers, and mobile devices for 3 full weeks. The council announced that in March, that it could take months for a full recovery and estimated the overall costs to be between $14 - $21 million.

5. Software AG

Estimated cost: $20 million

Software AG is the second-largest software vendor in Germany. They were reportedly hit with the Clop ransomware in an attack in October of 2020. The company disclosed that the ransomware attack disrupted a part of its internal network but didn’t affect customer services. The cybercriminal group responsible demanded a $23 million ransom.

7. Travelex

Estimated cost: $2.3 million

It was reported that Travelex the money exchange firm was hit with a file-encrypting malware attack which shut down its internal networks, website and apps for several weeks. Reportedly Travelex paid a ransom of $2.3 million in BTC to the dark actors to regain access to their data and restore services.

8. University of California San Francisco (UCSF)

Estimated cost: $1.14 million

UCSF was targeted by a malware attack which encrypted servers used by the school of medicine impacting students in June of 2020. The ransomware was prevented from travelling to the core UCSF network and causing more damage. The authorities negotiated with the cybercriminals and UCSF ended up paying approximately $1.14 million in ransom of the $3 million demanded. 

9. Shirbit Insurance 

Estimated cost: $1million

After a cyberattack on the Israeli Insurance provider Shirbit in December of 2020 the attackers demanded roughly $1 million in Bitcoin. In order to pressure the company into paying they demanded immediate payment or an increase in the ransom cost, doubling after 24 hours. Additionally, to show they weren’t empty threats they dumped the first 300 records online, again threatening to dump additional records every 24 hours until they received payment.

10. Communications and Power industries 

Estimated cost: $500,000

California-based Communications & Power Industries (CPI) makes components for military devices and equipment, like radar, missile seekers and electronic warfare technology. The company counts the U.S. Department of Defense and its advanced research unit DARPA as customers. Reportedly, CPI paid $500,000 to obtain the decryption key to unlock their servers and return services.

11. Grubman Shire Meiselas & Sacks 

Estimated cost: $365,000

Grubman Shire Meiselas & Sacks is a law firm that specializes in law for those in the media and entertainment industry. Their clients consist of a range of A-list celebrities and, with such high profile individuals on the line, the stakes for them were extremely high. They were targeted and files encrypted by REvil ransomware. The firm agreed to pay an estimated $365,000, however, the attackers started demanding more afterwards and the company has since kept quiet on what it has or is willing to pay.

12. Tillamook County 

Estimated cost: $300,000

Tillamook county in the US was attacked by cyber attackers in January. The attack interrupted their email network, phone systems and website. After exhausting alternative options, they estimated the costs to restore service would cost well over $1 million and take several years and opted instead to pay the $300,000 ransom. 

Keeping your data and organization secure

1. Never click on suspicious links or any links attached in unsolicited emails. 

2. Back up systems and data continuously. Create a separate data-backup in an external hard drive that is not connected to your computer, so that you don’t have to pay the ransom if a ransomware attack happens.

3. Never disclose personal information over the phone or over email. 

4. Educate employees of cybersecurity best practices and social engineering tactics that may be used against them.

5. Limit employee access to sensitive data to reduce attack surfaces.

OSINT Tools and Mitigating Costly Ransomware Attacks

Early warning of data beaches through OSINT tools can help you predict and prevent cyber attacks as well as enable organizations to take mitigating actions faster. While open-source intelligence tools can’t prevent ransomware, they can help organizations reduce the risks and potential damages. 

OSINT tools can be used by organizations to monitor their supply chains, allowing them to learn of potential disruptions in real-time and enabling them to implement contingency plans fast. 

Additionally, organizations can use tools like Signal to monitor for ransomware and malware currently being used. This can help security teams determine emerging threats being used against other organizations in their industry to better inform ongoing cybersecurity best practices.

Ultimately, by using OSINT to monitor darknet forums and market places security professionals are able to learn about the newest strategies being employed, the most recent weaknesses being exploited, and the most current software being utilized. Armed with this knowledge they are much more able to develop effective countermeasures as well as actively prevent ransomware infection.

Whether they like it or not, many organizations have been forced to adopt work from home practices to continue operating. Working from home isn’t new. In fact, between 2005 and 2017 the numbers of people that were able to work from home grew 156%. However, it has generally been seen as a bonus rather than a given and more traditional workplaces have been resistant. 

Despite the fact that 49% of office workers have never experienced working from home before, this experiment has largely been a success. Empowered with communication tools like Slack, Microsoft Teams, Google Hangouts. and Zoom, teams have had deep connectivity even from their own living rooms and many organizations have actually seen increased productivity.

Even so, the challenges of working from home are enormous and are invariably compounded by technological difficulties and poor home security practices.

Security teams, in particular, are feeling the pressure. With numerous workers now operating outside the corporate network security controls, new attack vectors have been opened up which are being exploited by cybercriminals.

Cybercriminals Taking Advantage of the Pandemic

Several security providers have put together data sets which show clear spikes in malicious activity since the beginning of the pandemic. McAfee created its own coronavirus dashboard which shows malicious detections quickly growing from the hundreds into the thousands over the last six months. The most common threat type has been Trojans with Spain and the US being clear outliers in the number of threats detected.

As of August, there were nearly 2 million malicious detections against over 5,500 unique organizations. McAfee go into detail about the families and types of attacks that they’ve seen a spike of cases in since the pandemic began.

WFH challenges for security teams

We’ve established that cybercriminals are taking advantage of the security breaches created by a sudden adoption of working from home but what is it exactly that makes working from home lees secure and what exactly are the security flaws threat actors are targeting?

Working from home doesn’t necessarily mean working from home, it could also mean working from anywhere and many workers have already figured that out. This means workers can (in theory) escape their houses and head out to cafes, restaurants, libraries or other public spaces with free WiFi networks. Zoom, with its virtual background feature, has incidentally supported this. The key issue with this is when workers operate on unsecured open networks. 

Ultimately security professionals have to try and ensure device security and data protection in the work from anywhere model - a challenge made significantly harder with over 50% of employees using their own devices during this period. IT teams have tried to make the security transition easier, with some 70% increasing VPN use among employees, however, 1 in 4 workers according to the Morphisec report were unfamiliar with their company’s security protocols.

This challenge for security professionals has resulted in the majority of security professionals seeing a sizeable increase in workload since their companies began corporatewide remote work. And while most of the transition to WFH went smoothly, respondents reported an increase of security incidents, with the top issues including a rise in malicious emails, non-compliant behavior by employees and an increase in software vulnerabilities.

What can be done to improve WFH security?

Security teams have had years to develop best practices for combating the ever-evolving cyber threat landscape. The sudden move to work from home though has shifted power away from them and brought a greater reliance onto workers who simply do not have the expertise to maintain proper cybersecurity protocols. 

Worryingly, 20% of workers said their IT team had not provided any tips as they shifted to working from home. This has opened exploitable attack vectors and introduced new challenges for security professionals. This though isn’t to say that there is nothing that can be done.

Step 1: Control the WFH Environment

This is all about educating employees about best practice and the reasons for these practices when working from home. For example, informing them not to use open networks.

Step 2: Control the WFH Computer

It’s a good idea to supply the computer being used so that you can install the proper security softwares and control access to sites which might offer security risks as well as maintaining control over permissions.

Step 3: Improve your Phishing Responses 

The crossover between home life and work life extends beyond the location. People are more likely to spend time on social media networks and working on private projects than they would be if they were in the office. This opens them up to more phishing campaigns so it’s important they know how to avoid falling for them.

Step 4: Restrict Remote Access to Sensitive Documents and Data

Lockdown permissions and access to sensitive documents and data. If they really need access they can communicate this need with you directly and you can ensure it is done securely and safely. 

Step 5: Monitor Surface, Deep and Dark Web for Emerging Cyber-Threats

Use an OSINT tool like Signal to monitor for cyber threats, planned attacks and data breaches.

Step 6: Encourager VPN Usage

VPNs are a simple and easy way to improve security. It’s worth ensuring the company has a quality VPN service that doesn’t slow a users internet connection unnecessarily as this might persuade workers to turn it off.

Step 7: Don’t Allow Split-Tunnels

Split-tunnelling allows a user to access networks through both the encrypted VPN service and a potentially unsecure network simultaneously.

The Role of Threat Intelligence for Improving Work From Home Cybersecurity

One of the key benefits of using an OSINT solution like Signal is the ability to create customized searches with Boolean logic to uncover hyper-relevant threats in real-time with SMS and email alerts. 

Ways that this has been used in the past to improve cybersecurity include:

• Early detection of data breaches. The average cost of a data breach in 2020 is $3.86 million. The earlier you catch a data breach the faster you can take action to mitigate the associated financial and reputational damage.

• Discovery of new cyberattack strategies, exploit kits, phishing tactics which were talked about or for sale on the dark web.

• Organizations have uncovered attacks that are yet to be carried out. This is true for both physical attacks against an asset or person as well as cyberattacks. For example, details of a phishing strategy and the targets within the organization were discovered after being talked about in a darknet forum. 

• Monitor employee online activity. For example, this can allow security teams to identify employees who have been targeted and even blackmailed by cyber attackers for access to company data.

The dark web isn’t inherently bad or evil. It’s not illegal to be anonymous on the web. However, the unfortunate truth is that there are plenty of people who are willing to take advantage of the anonymity lent by the dark web and to undertake some form of illicit activity.

Cybercriminals use the dark web as a means to communicate about all manner of activities, from planning cyberattacks to the selling of illegal goods or stolen data.

On top of this, with distrust growing towards governing bodies and large corporations around data privacy dark web communities are thriving. More people are becoming familiar with the dark web for both legitimate and illegitimate reasons, a fact that should cause security professionals increasing concern.

On the flip side, many security professionals actually shy away from the dark web. It is an online region surrounded by an ether of mystery and myth. However, while certain parts of the dark web should only be accessed with the utmost skill and caution, the basics of the dark web need to be understood by all members of the security community.

The difficulties of accessing dark web forums

There are numerous challenges that security professionals face when they come face to face with the dark web. The first of which is actually finding the dark web forums where illicit activity is taking place.

The first step to locationg dark websites is through various directory lists. These easy to locate sites and forums, however, are unlikely to be where the really important things are happening. Instead it’s more likely to be filled with amateurs and more innocent activity. Additionally, these lists often become outdated quickly as dark web domains change frequently.

In order to locate more relevant darknet forums for the purposes of security research, there are strategies which can be employed, for example, snowball sampling.

Snowball sampling is a method which involves creating a web crawler that takes a root URL and crawls the website for outgoing links. Generally, this will then return a large number of dark web URLs. This works particularly well for dark web forums as people often link to other sites in comments or posts. Done incorrectly though could draw attention to your bot and have the admin block you.

The dangers of accessing dark web forums

Accessing the dark web should be done with care and caution. It is in some ways like the last frontier, the wild west. It provides a training ground for new techniques and strategies for experienced and inexperienced hackers alike. For a security professional, getting to know these new techniques is vital for the efficacy of your security strategies.

A few key safety concerns and the dangers of the dark web are as follows:

• Breaking the law. Law enforcement officials operate on the dark web to catch people engaged in criminal activity. Like others on the dark web, law enforcement can do their work under a cloak of anonymity. It’s important to remember that you can be prosecuted for things you do on the dark web and thus to behave in an appropriate and legal manner.  

• Viruses. Unsurprisingly a lot of hackers on the dark web would be more than willing to turn their talents and attention to you should you accidentally cross them. Some websites will infect your device with viruses and any and all links or downloads should be viewed with suspicion. There are a lot of viruses to watch for, from ransomware to spyware and everything in between. Additionally, if you do click any links you may be taken to the material you don’t want to see that many people would find disturbing. 

• Webcam hijacking. It’s smart practice to cover your webcam with a piece of tape or plastic when you’re not using it. This is because some people may attempt to gain access to your device’s webcam by using a remote administration tool (RAT). The risk of this happening increases exponentially when you enter the dark web.

Remember: You use the dark web at your own risk and you should take necessary security precautions such as disabling scripts and using a VPN service.

Why do security professionals need to surveil dark web forums?

We’ve talked about the dangers and difficulties of accessing and finding relevant dark web forums for security research. Why though should accessing these dark web forums be a priority for security professionals and how can one effectively monitor these forums for potential threats?

Identify new hack strategies. 

The dark web is where many cyber criminals go to learn as well as to purchase things like exploit kits. Monitoring the dark web, being able to investigate and understand the methods and mindsets of hackers is essential to enable security professionals to develop counter strategies.

Discover physical threats or plans against your organization or executives.

Terrorist organizations, violent far-right dissenters, and others who intend to commit or openly discuss violence against others can be found on dark web forums. One example of this is the shooting which took place in a mosque in New Zealand on the 15 March 2019 which killed 51 people.

This attack was talked about before and during the attack on forums such as 8chan. Pictures of the weapons that would be used were shared along with a 74 page manifesto. Conversations around the event appeared with numerous like-minded individuals actively in support.

This is an extreme, worst-case scenario. But it absolutely highlights the necessity for security teams to have the tools to effectively monitor dark web forums.

Listen and filter noise around your organization’s name. 

There is a lot of noise on the internet. Inevitably some of it may be about your organization and it’s more than likely that not all of it will be good noise. Because of the nature of dark web forums, there is an increased likelihood of discovering negative noise about or relating to your organization.

With the right tools, such as Signal paired with our emotional analysis tool Spotlight, you can identify persons of interest and more closely monitor future activity around them. 

Additionally, discussions around stolen data for sale, as well as things like exploit kits are often discussed on the dark web. Identifying these threats as soon as they appear will allow you to take appropriate action to mitigate these threats and reduce any potential damages.

Dark web monitoring solutions: Signal OSINT platform

With an ever increasing amount of Cyber activity it is more important than ever for organizations to mitigate the potential risks of cyber threats, attacks, and data breaches. As the traditional Physical Security and Cyber Security worlds converge, Signal cyber feeds provide the ability to expand areas of interest and boost potential Cyber threat intelligence.

Cyber feeds that are accessible with a Signal subscription include:

• Onion/Tor – Anonymous network requiring Tor browser (AKA as Dark Web)

• I2P – Invisible Internet Project

• ZeroNet – decentralized web-like network of peer-to-peer users

• Open Bazaar – a fully decentralized marketplace

• Telegram – a cloud-based instant messaging and voice over IP service

• Discord – a VOIP application and digital distribution platform

• IRC Chat – instant relay chat

The information available on these additional Cyber feeds can help identify a number of potential scenarios including;

• Hacking for hire

• Compromised accounts & servers

• Sale of financial data

• Sale of counterfeit and/or stolen goods

• Money laundering

• Sale and/or publication of personal information such as SSN, email, phone numbers

• Discussions on and/or exposure of data breaches

Related: What is OSINT and how is it used for Corporate Security?

Sites on the dark web are marketplaces for emerging cyber threats. As such, these are rich sources of intelligence, often relevant to a broad spectrum of potential targets.

Signal’s AI and emotion analysis paired with customisable alerts allows you to identify potential relevant threats from sites on the dark web to other threat sources, enabling you to more quickly identify, profile, and mitigate risks to your organization.

Cybersecurity Threats from the Dark Web

With enough knowledge, you can create actionable insights. To understand and counter cyber threats we need developed intelligence and actionable insights and details of those threats.

Three of the main forms of threat identified on the dark web are: 

• Physical threats. 

• Data for sale online. 

• Fraudulent activity.

What we know is that the darknet contains difficult-to-locate hacker websites and tools which are the basis of cybersecurity threats. To understand how to counter these cyber-threats, we need to develop intelligence about the details of those threats.

Before we start looking at how that intelligence is gathered, let’s look first at what sort of things we are looking for. 

Content to Look out for on the Darknet

The darknet isn’t itself criminal or illegal. Rather it provides a platform of anonymity which makes it a very attractive prospect for criminals. There have been cases where contract killers have been hired, or terrorist cells have organised attacks.

On top of this, the darknet hosts various items related to cybercriminals as well as the more traditional criminal activities. It is worth noting though that the majority of traffic that goes through Tor browsers is not criminal activity.

1. Malware

You don’t need to be a proficient software coder any longer to become a hacker. Malware, and things like phishing and exploit kits, are freely available to purchase on the dark web if you know where to look.

2. Data for Sale

It’s common to discover stolen data for sale on the dark web. This often includes non sensitive data such as account logins and email addresses which will be used in credential stuffing attacks. However, more concerning is the amount of credit card and PII (Personal Identifiable Information) that can be found for sale.

Read: Mitigating the threat of credential stuffing.

3. Cyber Security Vulnerabilities

Another item hackers and cybercriminals sell on the dark web are “exploits”. These are when exploitable vulnerabilities in a companies security is discovered. Then the cybercriminal sells the exploit to a hacker who can use the information to create tailored malware.

On a positive note, it has been found that the number of exploits for sale on the dark web have declined in recent years. One potential reason for this decline is due to an increasing number of companies offering a bug bounty program. These programs offer a legitimate financial reward to those that discover potential security flaws.

4. Distributed Denial of Service (DDoS) BOts and Tools

Kaspersky has found that cybercriminals are reaping rewards of up to 95% profit by selling DDoS-as-a-service. Cybercriminals offer a sophisticated pricing plan for customers wanting to attack websites. Cheap and dangerous darknet botnets, for sale from $20, can cause havoc.

5. Discussion Forums for Cyber Criminals

Hackers come together on darknet forums to plan, share details, and exchange goods and information. And while the use of a Tor browser grants them anonymity, discovering their conversation allows security teams to potentially spot threats as or even before they are emerging.

What is Darknet Intelligence?

The darknet hosts a huge amount of valuable insights and data that could make all the difference to your security teams success. Understanding the kind of information you are looking for and how the dark web is used by cyber criminals allows you to effectively monitor criminal forums on the dark web and evolve effective plans to counter impending threats.

However, there is one fundamental problem. How do you do efficiently scan or monitor the dark web? 

Due to the nature and structure of the dark web, finding relevant sources, gaining access to criminal forums, and obtaining information is a huge undertaking that requires specialised knowledge. 

Manually Gathering Darknet Intelligence

Skilled security analysts can spend time building up knowledge around darknet based threats, locating relevant forums and gathering access via pseudonyms. Understandably this approach is wrought with difficulties such as:

• Expense.

  A skilled security analyst is expensive, the average salary being over $99,000 a year. And there aren’t that many out there. By 2022 there will be an estimated shortfall of around 1.8 million skilled cybersecurity professionals. 

• Efficiency.

  The darknet is disparate and deep. The names dark web or darknet are themselves misnomers. They suggest that the dark web exists somewhat like the World Wide Web in a state of connectivity. However, many of the websites on the dark web, especially the criminal ones do not want to be found. They aren’t indexed and other sites don’t link to them. Many of them require you to form an account and to be vetted by admin before you can gain access. 

  One individual is going to have an incredibly hard time finding, gaining access to and manually monitoring relevant dark web sites. One solution could be employing a team of security analysts - however, that brings us back to the first point; expense.

• The changing nature of the darknet.

  Sites on the darknet come and go quickly. Again this is especially true for the criminal websites that you would want to be monitoring. This means that anybody wanting to monitor these sites would need to regularly research and find the same sites as well as continuously looking for new ones.

Thankfully, there is an alternative and you don’t need to waste hours of a skilled analysts time trawling through an almost endless see of data in the dark. This alternative requires you to utlize automation tools such as Signal or our recently launched product LERTR. 

Automating Darknet Intelligence with Signal or LERTR

Darknet intelligence-gathering tools work by running automated searches of darknet websites and forums. Using Signal you can create customised alerts filtered via specific keywords, phrases or even locations. We also have a built-in translation tool so that data can be searched across languages and automatically translated into your default language.

On top of this, you can run alerts through our emotional analysis tool to determine how much of a threat any particular alert is. Finally, get our optional Sapphire bolt-on and utilise our skilled data analysts to further refine your results. 

This approach allows your leave your dark web monitoring on autopilot and not only effectively reduce costs but vastly increase the scope of your monitoring ability and the overall amount of hyper-relevant intelligence at your fingertips.

All of this allows you to gather actionable intel in realtime.

How are data breaches of non-sensitive data used by cybercriminals?

When it comes to cyberattacks having detailed situational awareness and the ability to quickly sift through open-source data and information on the surface, deep, and dark web allows businesses and financial institutions to quickly determine potential risks and take necessary precautionary actions fast. This can help mitigate threats posed by cybercriminals, reducing the security spending and costs surrounding the fallout after criminals successfully commit fraud through the use of leaked data.

In this article, we explore a growing concern for a number of businesses which poses increased year on year risk, with increasingly costly repercussions - credential stuffing. We answer the following questions and more: what is credential stuffing? Why does it pose a severe security risk? And how can dark web monitoring and social media monitoring be used to mitigate the threat of data breaches?

What is credential stuffing?

Many businesses assume that non-sensitive customer data has little value to a cyber-criminal.

In fact, in a recent study, it was found that a number of businesses didn’t even password protect cloud-stored customer data. Meaning anyone could have come along and downloaded the entirety of those databases.

What is even more worrying, is that many data breaches go entirely undetected. 

Credential stuffing is a tactic growing in popularity that weaponises non-sensitive stolen credentials (eg. usernames and passwords) against websites and mobile applications. Large volumes of stolen account logins are tested against other website login pages to gain unauthorised access to accounts, in order to commit fraud. 

The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing. The vulnerability is simply having a login form and having users.

Whilst the strike rate is low - think a few successes for every thousand attempts - there are billions of stolen credential pairs in the hands of cybercriminals. 

In 2018 there were 2.8 billion credentials stuffing attempts reported in the US alone. And this number is only rising. Which goes to show just how much of a threat credential stuffing has become.

On top of this, a skilled hacker, using a throttled bot with multiple Autonomous Systems Numbers (ASNs) and IP addresses can remain undetected for long periods of time, allowing them to try potentially millions of login combinations without anyone knowing anything untoward is happening. 

What are the cybercriminal’s goals?

“It is a misconception that only financial information like payment card numbers or bank accounts has monetary value to data thieves.” - Source

Obviously, the most valuable data for cybercriminals is going to lead them to bank account and credit card details. These they can use directly to access a persons money. In 2019 though, there was a significant decrease in the amount of sensitive data exposed. Going from a reported 471 million records in 2018, down to 164 million in 2019. It’s worth noting though that the Marriot breach in 2018 did skew the records there with over 300 million sensitive records exposed in that single data breach.

However, there are numerous ways a cybercriminal can benefit from accessing another persons account data through credential stuffing of purportedly non-sensitive data. These strategies will be tailored to the sites they gain access to and can lead to various forms of identity fraud and phishing scams.

Part of the reason this indirect strategy is growing in popularity with cybercriminals is that sensitive data is becoming better and better protected by corporations and financial institutes. However, this somewhat simplistic approach creates a serious vulnerability to any company. 

Credential stuffing is costing businesses millions each year. Not just in the follow-up costs of a cyber attack and the ramifications of fraud, but from increases inIT security spending, potential lost revenue from lost customers, and application downtime. This, according to one study by Akamai is costing companies an estimated $4 million a year.

Who is most at threat?

When it comes to what this looks like in real life you only have to take a cursory glance at the numbers to have cause for concern. In 2019 it was reported that a total of 869,857,509 records were stolen by cybercriminals in the US - and it’s likely that many more stolen records went either undetected or unreported.

The majority of that data, around 750 million records, was non-sensitive data, that will largely find its way to the hands of cybercriminals who will use it for credential stuffing. 

The credential stuffing technique can be used against any company with a login page. 

“Up to 83%  of people - according to 2018 research - use the same password for more than one account.”

Consumers face growing complexity in password requirements, with various length requirements, plus symbols and numbers - this has actually encouraged many users to find a single password that fits the bill and they’ve then reused that password or variations of it across numerous account logins. This is then paired with a growing number of individuals who have access varying levels of technology and might not know how to best protect their data.

What can be done to mitigate the threat of credential stuffing?

People are always talking about having better online security but no one ever talks about what happens after a data breach or after being hacked. 

As the old saying goes, “hope for the best, but plan for the worst.” A growing number of companies are on the receiving end of cyberattacks and it is leading to an increasing number of data breaches. 

Shoring up online and cybersecurity is absolutely vital. However, it may well not be you who is hacked, instead a victim of the credential stuffing technique. One thing to do is to require two-factor authentication. But even this isn’t flawless as the hacker may well have access to that user’s email account as well. 

So, what can businesses do to mitigate the growing threat of credential stuffing? Often hackers responsible for the data breach won’t use all the data themselves. Instead, they’ll turn to the dark web where they can anonymously sell the data instead.

This is where threat intelligence software like Signal comes in. Signal allows for users to monitor the dark web without needing a Tor browser. With threat intelligence software like Signal one can do much more than just monitor the dark web though.

Users can set up alerts for keywords and monitor dozens of channels instantly generating alerts for users based on their search queries. What this means is that as soon as leaked data goes up for sale on the dark web - or as soon as anyone talks about purchasing records gained through illegal or forced access to your database you will know.

You can then take precautionary actions to mitigate the potential threat. For example, warning customers of potentially exposed data so that they can secure any logins with the same password, force resetting customer passwords, and reporting the incident to the authorities.

In one recent example, it was found that an employee of a bank, stole over 3 million sensitive records from their company database. They then went away and bragged about it on social media and on various dark web forums (like 8chan). These set off immediate alerts through the Signal system and action was able to be taken, the data was recovered before it changed hands and the employee faced the legal ramifications of their actions.

Because Signal uses open-source data all evidence and information gathered through its channels are able to be used as actionable intelligence.

Related: Black Hat Brags about Bank Hack Signal Could have Spotted

Detect and remedy data breaches fast with Signal

Get in contact to learn more, or request a demo using the options below: info@signalpublicsafety.com

Resources and Further Research

• akamai.com/uk/en/multimedia/documents/state-of-the-internet/soti-2018-credential-stuffing-attacks-report (pdf)

• idtheftcenter.org/2019-data-breaches/ (pdf)