Darkweb scans offered by companies should be taken with a grain of salt

While we aren’t going to name names, there’s a large credit company whose name rhymes with “Texperian” that offers free dark web scans. These scans are extremely misleading, and they exploit people’s fears of something that isn’t normally understood outside of privacy enthusiasts, the hacker community, and the curious explorer. In this post we will talk about a client we helped who signed up for one of these darkweb scans. We will also do our best to demystify what the darkweb is and cover the questions that are raised when a company offers these scans.

Client case

A client approached us because they were receiving emails from one of the companies that provide free darkweb scans. It is unknown whether they signed up for the scan or the organization simply sent them these communications. They printed out the email to show us what it said. It wasn’t much, just that their email address was found. There was nothing to go on and nothing indicating where the address was found. And this organization continued to send these emails without so much as telling our client where this data resides. The term darkweb isn’t explained, other than in ads that describe it as a place where criminals buy and sell sensitive information, so there is no education about what the darkweb is. If we’re being honest here, there are forums on the clearnet that sell stolen data, and these organizations aren’t conveying that either. After the client signed up with us, we were quickly able to identify that the email address was part of several breaches, all through publicly available information. It is our belief that these companies are pulling their data from these very public sources. With that in mind, now is a good place to explain the darkweb a little bit.

Darkweb

Before explaining what the darkweb (aka darknet) is, a couple of layers need to be understood. The first layer is the clearnet (aka surface web). This is the Internet that we use on a daily basis. Finding information on it relies heavily on search engines that look for, and index, newly published websites, images, files, and tons of other stuff.

A layer below that is the deep web. This is where search engines have a difficult time adding things to their search database. This includes items such as email/bank account login pages, administrative logins to servers, databases, and social media.

As with any technology, it’s a double-edged sword. It can be used for good or bad. The darkweb is no different.

When talking about the darkweb, think of it in terms of a private Internet that’s “invisible” and needs special software to access it. It is also part of the deep web because it purposely prevents search engines from indexing any of its web pages. There are people who turn to this area as a way to bolster their privacy, to circumvent oppressive government censorship, or to conduct sensitive research. This is the side of things that isn’t brought to light often enough when discussing the darkweb/darknet. Companies and media are only talking about the bad stuff. While that is important to know, the whole spectrum of those who turn to this space needs to be understood.

Questions raised

There are some interesting questions that are brought up when companies claim they can scan the darkweb to look for your data. Some raise ethical and legal concerns too.

First, here’s how finding information on the darkweb works. While there are some search engines dedicated solely to searching the darkweb, the way someone finds information is either by asking people where to find stuff, or by lurking and attempting to put the pieces together alone. Some forums require that X amount of people vouch for you in order for you to join, or you’re required to pay X amount to gain access, or a combination of both. Someone looking to join may also be required to pass a test. This could look like hacking a target of the admin’s choosing. This is not to say that there aren’t forums/message boards that are free to join.

Based on this knowledge, it’s hard to fully believe these companies that claim to be able to scan the darkweb for your sensitive data. They first have to contend with the encryption used by the software needed to access this space. Some of these sites can go down for maintenance, move if the admin thinks someone is snooping on them, or close shop. With this in mind, scanning may be difficult because the landscape may change frequently, which brings up the next issue.

As mentioned above about forums, if these companies are embedding employees in places such as carding forums, are they obtaining stolen databases of sensitive data to search for your stuff? Are they paying for it? Are they paying for access to these forums, therefore helping to expand an illegal operation? These are the questions that we think about.

Conclusion

It’s sad to see companies using fear to compel a consumer to purchase a product, and that’s what it feels like “Texperian” and others are doing. It is our goal to help educate others. We’re here to listen and to help you.