Digital Shadows Report: Dark Web's Reaction to COVID-19

Are discussions of COVID-19 as popular on the dark web as they are on the clear web? How are cybercriminals discussing COVID-19?

Digital Shadows researchers set out to answer those questions, as they have observed some cybercriminals attempting to capitalize on fear and uncertainty surrounding the COVID-19 pandemic. Alex Guirakhoo, Strategy and Research Analyst at Digital Shadows, says the Digital Shadows team have also observed some atypical discussions from users including:

Discouraging other users from profiting off the pandemic
Expressing solidarity with countries affected (particularly Italy)
Providing health and safety information

COVID-19 Interest on the Clear Web vs. Dark Web

Digital Shadows’ used Shadow Search to look for mentions of "COVID-19" OR "coronavirus" across dark web sources over the past 90 days, says Guirakhoo. In the chart below, the purple line is the data from Google Trends, and the teal line is the dark web data from Shadow Search.

Digital Shadows Graph

In the past month alone, there has been a 738 percent increase in the number of COVID-19-related terms on dark web sources. This aligns with the spike in Google searches beginning around February 19, notes Guirakhoo.

"It’s important to note that the Y-axis does not represent the total number of searches. Instead, as Google notes, these numbers represent search interest relative to the highest point on the chart for the given region and time. A value of 100 is the peak popularity of the search query, a value of 50 means that the query is half as popular, and a value of 0 means that there was not enough data available. The data pulled from Shadow Search consists of individual mentions of COVID-19-related terms and has been added over the Google Trends axes."

"Another caveat is that dark web ≠ cybercriminality," notes Guirakhoo. While there are several examples of overt criminal activity, as discussed in their previous blog on COVID-19, not all mentions of COVID-19 on dark web sources are criminal. For example, some of these are likely from the dark web mirrors of legitimate social media and news sites.

"This trend should not come as a surprise to anyone. It is expected that the popularity of searches for “coronavirus” will increase with media coverage and as governments address the pandemic," adds Guirakhoo.

COVID-19 Discussions on Cybercriminal Forums

Similarly to how it has affected search popularity on the clear web, the COVID-19 pandemic has impacted the direction of discussions on the cybercriminal landscape, resulting in users creating posts off-topic to typical forum discussions, says Girakhoo.

According to Girakhoo, on Torum, a popular English-language dark web cybercriminal forum, several users have taken to the forum to provide their perspectives on how the COVID-19 pandemic has affected them. One user, “L-47”, only recently joined the forum, seemingly with the express intent to provide first-hand information on the impact of the virus in Spain and Germany. Another user appeared concerned about the supposed lack of activity from forum members. On BlackHatWorld, an ethically-questionable clear web forum, users created similar posts recapping the current situation.

"Likewise, on forums dedicated to the trade and sale of stolen accounts like Cracking King and Cracking Soul, users have created off-topic posts expressing solidarity for the situation in Italy, warning fellow forum members to take extra care of at-risk and elderly family members," Guirakhoo notes.

Unfortunately, there are still individuals that are overtly seeking to take advantage of the current situation for profit (See blog How cybercriminals are taking advantage of COVID-19: Scams, fraud, and misinformation. "But, in a seemingly atypical move for a cybercriminal forum, these attempts are not always well-received. For example, one user took to Torum to ask for advice on how best to take advantage of COVID-19, only to receive responses pleading them not to profit off the pandemic," says Guirakhoo.

"As we’ve seen time and time again, cybercriminals will find ways to take advantage of people’s fears and uncertainties in the wake of major disasters and emergencies. However, the gravity of the COVID-19 pandemic has shown some benevolent reasoning has emerged on some platforms that are typically used for crime: Users urging others to avoid taking advantage of an already dire situation," Guirakhoo concludes.

For the full report, visit Digital Shadows blog.

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.