A Tisket, a Tasket, a Dark Web Shopping Basket presented at Shmoocon2019 2019

by Emma Meriwether,

Summary : We regret to inform you that much of what you’ve been told about dark web pricing–and indeed, data on the dark web–is wrong. Periodically, researchers from cyber security companies publish reports on the going rates for goods and services on the dark web. We studied and compared 22 of these reports, published between 2013 and 2018, with the intent of developing a dark web pricing index. We concluded that even though these reports purport to inform the audience about the value of certain data types, their inconsistent terminology and haphazard collection strategies only add to the already confusing picture of the dark web. While educating end users about the value of their data and about the adversaries exploiting it is a valuable exercise, many of these reports fall into the traps of fear, uncertainty, and doubt (FUD). The inability or unwillingness to accurately illustrate the dark web data economy to an inexpert audience exacerbates the myth-filled public perception of the dark web. To move forward as an industry, we need a consistent, shared taxonomy of digital goods available for sale and the development of a price index (based on a basket of goods and services) to measure pricing fluctuations in a standardized manner. With this development of definitions and measures of sensitive data pricing on the dark web, organizations can collaborate more effectively to combat the threat and minimize the risks associated with dark web enabled fraud.