Dark Web — Tor Use is 50% Criminal Activity — How to Detect It

May 25, 2016 by Bill Bosen

The Dark web is a collection of thousands of websites that use anonymity tools such as Tor and I2P to mask their IP address.

Tor was intended to offer anonymity and protection for legitimate purposes. But it’s also a significant haven for criminal activities. Detecting when your users are connecting through Tor is critical.

I’m occasionally asked about anonymizers and specifically “Tor”. So in this post I’m providing a short explanation of the service and why it’s important to understand the ramifications of its use.

Tor, otherwise known as “the onion router” because it uses multiple layers of encryption to hide the IP address and identity of senders, is a service that anonymizes the location of users and encrypts their communications. Tor users can safely communicate with others without disclosing their true location or identity. This is a very valuable service for crime reporters or whistleblowers who need to remain anonymous for their own safety. However, as you can imagine, the network is also full of illicit and illegal activities, because criminals can use it to operate without detection.

Dark Web Criminal Activity

In the first study of its kind, researchers at King's College London recently examined the Tor service and found that 57 percent of the sites designed for Tor facilitate criminal activity, including drugs, illegal weapons, illicit finance, black market sale of user IDs and passwords, even murder for hire. These “onion sites” are often called the “dark web” or “deep web.”

Unless you’re in the business of collecting data from anonymous users, when someone using the Tor network connects to your site it usually means trouble because the user is trying to hide his or her true location and identity. So it’s important to know when such a connection occurs so you can monitor the situation and the user’s behavior.

There are a couple of ways security software can determine if a user is connecting via the Tor network. The first way is through their IP address. The list of Tor relays is public, so you can check whether the user is coming from a known Tor relay. It’s actually a little bit trickier than that, but a quality security package should be able to alert you if user behaviors include connecting via a Tor network.
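The IP-based check described above, as an added example that is not part of the original post: it parses a list in the one-address-per-line format the Tor Project publishes for exit relays (only exits appear as a client's source address, which is one reason the check is trickier than simply matching "all relays"), flags web-server log lines whose client address is on it, and refuses to trust a list that has not been refreshed recently, since exit addresses churn. The addresses, log lines and one-hour freshness window are constructed assumptions, not real data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample in the one-address-per-line format of the Tor Project's
# bulk exit list; documentation-range addresses, not real relays.
SAMPLE_EXIT_LIST = """\
# constructed sample
203.0.113.7
198.51.100.23
2001:db8:abcd::1
"""
# Constructed web-server access log lines (Common Log Format).
SAMPLE_LOG = """\
203.0.113.7 - - [25/May/2016:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.44 - - [25/May/2016:10:01:05 +0000] "GET / HTTP/1.1" 200 1024
2001:db8:abcd::1 - - [25/May/2016:10:02:11 +0000] "POST /login HTTP/1.1" 401 77
"""
MAX_LIST_AGE = timedelta(hours=1)  # assumed refresh window; exits churn daily


def parse_exit_list(text):
    """Return a set of ip_address objects, skipping comment and blank lines."""
    entries = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return {ipaddress.ip_address(e) for e in entries if e}


def exit_list_is_fresh(fetched_at, now=None, max_age=MAX_LIST_AGE):
    """A stale list misses new exits and keeps retired ones, so check its age."""
    return (now or datetime.now(timezone.utc)) - fetched_at <= max_age


def is_tor_exit(client_ip, exits):
    try:
        return ipaddress.ip_address(client_ip) in exits
    except ValueError:
        return False  # not an address literal (e.g. a hostname in the log)


def flag_tor_requests(log_text, exits):
    """Return (client_ip, request) for every log line whose client is a known exit."""
    flagged = []
    for line in log_text.splitlines():
        client_ip = line.split(" ", 1)[0]
        if is_tor_exit(client_ip, exits):
            request = line.split('"')[1] if line.count('"') >= 2 else ""
            flagged.append((client_ip, request))
    return flagged


EXITS = parse_exit_list(SAMPLE_EXIT_LIST)
```

Before matching in production, gate the check on `exit_list_is_fresh()` and re-fetch the list when it returns `False`.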

The second way is by looking at various application-level characteristics. For example, a good security system can distinguish a standard browser from the Tor Browser because, among other things, Tor software won’t respond to certain history requests or JavaScript queries.

In summary: although not all Tor usage is by cybercriminals, a huge percentage of it is. Organizations need to be able to detect when user behavior involves connecting via Tor so they can carefully monitor the user’s actions and be prepared to take appropriate precautions.

The opinions expressed in this contributor article are solely those of the author, and do not necessarily reflect those of Fortscale.
