Brand Protection: How to Monitor Threats on the Dark Web? [Guide]

In the modern web of digital connections, safeguarding a brand’s reputation and sensitive information has become more challenging and yet more crucial than ever before. With the increasing number of cyberattacks, data breaches, and online fraud, organizations are becoming more aware of the need to monitor the dark web to prevent and mitigate these threats. Within these trends, dark web monitoring tools have become a crucial part of cyber protection for organizations of every size and industry.

In this guide, we’ll use our new dark web monitoring tool, Lunar, to show, step-by-step, how to protect brands from various threats that lurk on the dark web. 

For this purpose, we’ll investigate cyber threats against Amazon.

Phase one: Discovery

Step #1 Query definition

The first step before starting the discovery of threats on the dark web is defining a query that will guide us in our initial search. Using Lunar’s AI Search, which turns a simple request into an advanced query, we asked for a general query for “Amazon brand monitoring”.

The AI Search created a query, seen in the image below, which we could adapt to optimize to our search. As you can see, the following query is mainly based on Amazon’s domains and other identifiers, including its subsidiaries:

Step #2: Setting a category

The second step is optional and it involves narrowing down the results that could be retrieved according to different types of threats. We’re able to do that with Lunar by using its pre-set categories which can be seen in the screenshot below.

You can select any of the following categories: Threat Intelligence (mainly hacking-related content), Financial (financial crime such as carding), Cyber Crime (illicit trafficking such as drugs and weapons), Extremism (radical content), or Breach Detection (leaked credentials).

In this investigation, we’ll choose Threat Intelligence.

Step #3: Setting a timeframe

The third step involves setting a timeframe for the results you want to receive, of the data set by the publication date. You can set your own accurate time frame and you can also use pre-fixed time frames such as ‘Yesterday’, ‘Week Ago’, ‘6 Months’, etc. 

Here we will set the search to go 3 months back.

Step #4: Narrowing down the search

After configuring the query, selecting a category, and specifying a timeframe, we ran the search, which yielded over 800,000 results. One of the first, quick observations we can make is that there has been a recent surge in relevant posts (which you can see in the chart), suggesting an unusual occurrence.

However, the volume of results can easily overwhelm even a skilled analyst. This means we’d like to quickly refine our search to get relevant and critical insights. 

There are three effective methods to achieve this within minutes:

1. Keyword optimization – Refine the query by incorporating specific keywords that are relevant to your investigation.
2. Keyword exclusion – Exclude keywords that may generate irrelevant or noisy results.
3. Dynamic filtering – Use the dynamic filters to get results by selected values such as networks, site types, site domains, languages, risk scores, tags, and even extracted entities such as CVEs, IPs, and email addresses, among others.

For the purpose of this investigation, we narrowed down our search by choosing the following filters:

• Site type – Discussions
• Tags – Hacking or financial
• Language – English 
• Risk score – A threshold of 8 and above.

 By choosing these filters we get more relevant and insightful results that could propel our investigation further.

Phase two: Investigation

Once the analyst has fine-tuned their search criteria in order to make the discovery process more efficient and precise, the next step they’ll need to take is to identify suspicious posts that could indicate that there’s a potential relevant threat that merits an investigation. This is an important phase that marks the shift from search optimization to an investigation into cyber threats.

In our investigation into threats against Amazon, we found a post published by a threat actor who is selling illicit access to Amazon AWS SES accounts. This allows the buyers, often threat actors, to send high volumes of emails within specific regions for spam or malicious purposes in violation of AWS’s terms of service. The post was recently published on a known hacking forum ‘Exploit’.

Once we decide this should be investigated, we can develop it into different directions of investigation which can shed light on the threat we have identified.

What can you investigate here?

• Actor profiling – Document any identifiers associated with this threat actor and search for additional contextual information about them, such as other identifiers, their activities in the dark web in the past, or any known affiliations with other threat actors. 
• Establish the level of risk – Check the credibility of the post and of the threat actor by reading feedback about the post author from other dark web users.
• Monitor for other mentions of the compromised accounts – Find any other mentions of these compromised accounts on other dark web forums, marketplaces, or communities.
• Identify other compromised accounts – Search for additional mentions or discussions related to compromised Amazon AWS SES accounts, including any references to the threat actors who are selling them. 

In our investigation, we searched for other posts selling Amazon AWS SES accounts, and we were able to see that the sale of these accounts was widespread over the past year. 

One of the posts we found, which you can see in the image below, also offers these accounts for sale, noting they can be used to send up to 50K mails. This is an interesting post in our investigation since it was written by a different user and on a different hacking forum, but it also mentions the same regions: Oregon, Virginia, and Ireland.

In this case, a thorough search for other posts offering Amazon AWS SES accounts for sale was conducted, revealing an evident trend of similar listings over the past year.

This quick and initial investigation can lead to further investigations with various angles, for instance:

1. Indication that a vulnerability exists – Once we see various threat actors sharing similar access, in volume and region, this could potentially indicate that there is a vulnerability.

2. Involvement of various threat actors – While specific usernames were associated with the posts we found, there is still a possibility that there is a collaboration or information-sharing among the threat actors engaged in similar activities. Alternatively, we could also find that the different usernames are attributed to a single individual.

These are only two brief directions our investigation can take. The depth and scope of the investigations can be easily expanded, like in any other threat intelligence inquiry.

Phase three: Monitor

The last part of our guide discusses the ongoing part – continuous monitoring of threats. Brand protection means you have to stay on top of any threats that may target an organization or business. With dark web monitoring tools, like Lunar, you can set alerts based on predefined queries, which ensures you remain on top of any relevant developments or threats related to your organization.

This alert system helps simplify the process of monitoring developments and threats on the dark web. You can also define a time range, and specify the frequency of your notification, and their priority – making sure you only get the information you need, and when you need it.  

In this instance, we can use the same query we’ve already run before, including the filters we’ve used to narrow down our search. Alternatively, we can focus our search on the trade of ‘AWS SES Accounts’ only, along with a combination of other queries for relevant threats we would like to keep monitoring.

Simplifying brand protection

From identifying compromised credentials to thwarting malicious activities before they escalate, dark web monitoring tools have become a vital layer of defense against threats to brands in today’s ever-evolving cybersecurity landscape. In this short guide, we’ve shown how you can use dark web monitoring tools like Lunar to investigate emerging and ongoing threats to businesses and organizations, with a few steps. 

Ready to make monitoring the dark web easier? Talk to us about Lunar now.