Paper leaks on the dark web have sent chills down the spine of thousands of students across the country over the past few weeks.
Nationwide protests erupted over allegations of irregularities in examinations after the National Eligibility cum Entrance Test (NEET) for medical aspirants was leaked on the dark web. Similarly, the leak of the University Grants Commission National Eligibility Test (UGC-NET) on Telegram raised concerns about growing instances of exam malpractice in India.
Beyond examination malpractice, cybercriminal activity on Telegram rose 53 per cent between May and June 2024 compared with the same period in the previous year, according to Kaspersky.
The dark web, which lets individuals conceal their location and other identifying attributes, is being used together with Telegram to plot fraud schemes, distribute leaked databases, and trade criminal services such as cashing out and document forgery, among others.
Telegram’s low barrier attracts cybercriminals
A study by cybersecurity firm Kaspersky shows that Telegram's low sign-up barrier lets cybercriminals easily create an account and subscribe to criminal sources to carry out malicious activity.
“(Telegram) is marketed as the most secure and independent messenger that does not collect any user data, giving threat actors a sense of security and impunity. Moreover, finding or creating a community on Telegram is relatively easy, which, combined with other factors, allows various channels, including cybercriminal ones, to gather an audience quickly,” said Alexey Bannikov, analyst, Kaspersky Digital Footprint Intelligence.
Seven stages to dark web monitoring
To mitigate risk involving the dark web, the Moscow-based firm’s study lists seven stages of dark web monitoring.
These are preparation, detection, analysis, containment, eradication, recovery and post-activity.
Several kinds of cybersecurity professionals and teams take part in mitigating dark web risks. These may include analysts tasked with cyber threat intelligence (CTI), a security operations centre (SOC), and an incident response (IR) team.
Firms can deploy infrastructure such as a virtual private network (VPN) and register special accounts on forums for intelligence purposes.
Similarly, companies can create alerts for when their names are mentioned on the dark web, or when details about their domain surface on darknets.
If names of companies are not directly mentioned, one can identify the threat based on company geolocation, industry, size, revenue, or list of systems.
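The alerting described above, where a direct mention of the firm's name or domain is one signal and a combination of indirect attributes (geolocation, industry, size, revenue, systems) is another, can be implemented as a watchlist run over collected posts. The following is an added example, not code from the article or from Kaspersky; the company profile, the post texts and all field names are constructed for illustration.

```python
"""Watchlist matching for dark web and Telegram monitoring.

Added example; not code from the article or from Kaspersky. The company
profile, the post texts and all field names below are constructed for
illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CompanyProfile:
    names: list            # brand or legal names (direct mention)
    domains: list          # web and e-mail domains (direct mention)
    country: str           # indirect attributes, as the article lists them:
    industry: str          # geolocation, industry, size, revenue, systems
    size_hint: str         # e.g. "1000+" (employees)
    revenue_hint: str      # e.g. "$100M"
    systems: list          # products a seller would name in an access listing


@dataclass
class Alert:
    post_id: str
    severity: str          # "high" = direct mention, "medium" = indirect profile match
    reasons: list = field(default_factory=list)


def _word(text: str, needle: str) -> bool:
    """Case-insensitive whole-word match, so 'acme' does not fire on 'macmerge'."""
    return re.search(r"\b" + re.escape(needle) + r"\b", text, re.IGNORECASE) is not None


def _substr(text: str, needle: str) -> bool:
    """Plain case-insensitive substring match for tokens like '1000+' or '$100M'."""
    return needle.lower() in text.lower()


def match_post(profile: CompanyProfile, post_id: str, text: str) -> Optional[Alert]:
    """Alert on a direct mention, or on at least two matching indirect attributes."""
    direct = [f"name: {n}" for n in profile.names if _word(text, n)]
    direct += [f"domain: {d}" for d in profile.domains if _substr(text, d)]
    if direct:
        return Alert(post_id, "high", direct)

    indirect = []
    if _word(text, profile.country):
        indirect.append(f"country: {profile.country}")
    if _word(text, profile.industry):
        indirect.append(f"industry: {profile.industry}")
    if _substr(text, profile.size_hint):
        indirect.append(f"size: {profile.size_hint}")
    if _substr(text, profile.revenue_hint):
        indirect.append(f"revenue: {profile.revenue_hint}")
    indirect += [f"system: {s}" for s in profile.systems if _word(text, s)]
    # A single attribute such as "India" is too generic; require two or more.
    if len(indirect) >= 2:
        return Alert(post_id, "medium", indirect)
    return None


def scan(profile: CompanyProfile, posts) -> list:
    """Run the watchlist over (post_id, text) pairs and return the alerts raised."""
    alerts = []
    for post_id, text in posts:
        alert = match_post(profile, post_id, text)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample data: a fictitious firm and three fictitious listings.
PROFILE = CompanyProfile(
    names=["Acme Corp", "Acme"],
    domains=["acme-corp.example"],
    country="India",
    industry="pharma",
    size_hint="1000+",
    revenue_hint="$100M",
    systems=["Citrix", "Fortinet"],
)

POSTS = [
    ("p1", "Selling RDP access to acme-corp.example internal network, 50 hosts"),
    ("p2", "Access for sale: India, pharma company, 1000+ employees, revenue $100M, "
           "Citrix + Fortinet VPN. Price $3000"),
    ("p3", "Fresh combolist, 2M lines, mixed countries"),
]

if __name__ == "__main__":
    for a in scan(PROFILE, POSTS):
        print(a.post_id, a.severity, "; ".join(a.reasons))
```

The first listing fires a high-severity alert on the domain alone; the second never names the firm but matches six profile attributes and is raised at medium severity for an analyst to confirm; the generic combolist post is ignored. The threshold of two indirect attributes is an assumption to keep noise down and should be tuned to the firm's size and sector.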
Identifying and analysing leaked data
Data can be leaked or sold from compromised accounts, remote access, or from company information systems themselves, the study notes.
Furthermore, if the data is being sold, one needs to check the date of the offer and its publication date, and analyse the asking price. From the data collected, one can gauge the level of threat a particular firm faces.
The study points out that key elements to look out for include account names, data samples, systems and applications, protocols, among others. “If there are no signs of abnormal access to the system, investigate the hypothesis that access is being sold by an insider. Identify personnel with the required level of access, and check their activities,” the study mentions.
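The triage the study describes, checking offer and publication dates and price, looking for the firm's own account names and systems in the seller's sample, and falling back to the insider hypothesis when the firm's own logs show no abnormal access, can be written down as a small scoring routine. The following is an added example, not code from the article or from Kaspersky; the offer record, the log-review result, the staff roster and the scoring weights are constructed assumptions.

```python
"""Triage of a dark web access or data offer against a firm's own telemetry.

Added example; not code from the article or from Kaspersky. The offer
record, the access-log result, the staff roster and the scoring weights
are all constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Offer:
    offer_id: str
    published: date          # when the listing first appeared
    offer_date: date         # date of the current offer (bumps, price edits)
    price_usd: float
    systems: list            # systems and applications named by the seller
    protocols: list          # e.g. RDP, VPN, SSH
    sample_accounts: list    # account names from the seller's free sample


@dataclass
class Assessment:
    offer_id: str
    level: str               # low / medium / high / critical
    confirmed: bool          # the sample ties the offer to this firm
    insider_hypothesis: bool # no abnormal external access seen, so check insiders
    suspects: list = field(default_factory=list)   # staff holding the required access
    notes: list = field(default_factory=list)


def assess(offer, our_domains, our_systems, today, abnormal_access_seen, roster):
    """Score an offer and decide whether the insider hypothesis should be investigated.

    roster: list of {"name": str, "access": [system, ...]} for personnel.
    abnormal_access_seen: outcome of the firm's own log review (constructed here).
    """
    notes, score = [], 0

    # Recency: a fresh or recently bumped offer is a live threat; an old one may be stale.
    age = (today - offer.offer_date).days
    if age <= 7:
        score += 2
        notes.append(f"offer updated {age} days ago (first listed {(today - offer.published).days} days ago)")
    elif age <= 30:
        score += 1
        notes.append(f"offer updated {age} days ago")
    else:
        notes.append(f"stale: offer last updated {age} days ago")

    # Sample accounts: an e-mail on one of our domains confirms the data is ours.
    ours = {d.lower() for d in our_domains}
    confirmed = any("@" in a and a.split("@")[-1].lower() in ours for a in offer.sample_accounts)
    if confirmed:
        score += 3
        notes.append("sample contains accounts on our domain")

    # Systems and applications named by the seller that we actually run.
    overlap = sorted({s.lower() for s in offer.systems} & {s.lower() for s in our_systems})
    if overlap:
        score += min(2, len(overlap))
        notes.append("seller names our systems: " + ", ".join(overlap))

    # Price (assumption: sellers price broad or privileged access higher).
    if offer.price_usd >= 5000:
        score += 1
        notes.append(f"high asking price ${offer.price_usd:,.0f}")

    level = "critical" if score >= 6 else "high" if score >= 4 else "medium" if score >= 2 else "low"

    # The study's rule: no signs of abnormal access -> investigate a sale by an insider,
    # starting with personnel who hold the level of access the seller is offering.
    insider = confirmed and not abnormal_access_seen
    suspects = []
    if insider:
        need = set(overlap)
        suspects = [p["name"] for p in roster if need <= {s.lower() for s in p["access"]}]
        notes.append(f"insider hypothesis: {len(suspects)} staff hold access to {sorted(need)}")

    return Assessment(offer.offer_id, level, confirmed, insider, suspects, notes)


# Constructed sample: one listing, our environment, and a three-person roster.
OFFER = Offer(
    offer_id="o-1",
    published=date(2024, 6, 1),
    offer_date=date(2024, 6, 20),
    price_usd=4000,
    systems=["Citrix", "SAP"],
    protocols=["RDP"],
    sample_accounts=["r.sharma@acme-corp.example", "admin"],
)
OUR_DOMAINS = ["acme-corp.example"]
OUR_SYSTEMS = ["Citrix", "Fortinet", "SAP"]
TODAY = date(2024, 6, 24)
ROSTER = [
    {"name": "A", "access": ["Citrix", "SAP", "VPN"]},
    {"name": "B", "access": ["Citrix"]},
    {"name": "C", "access": ["SAP", "email"]},
]

if __name__ == "__main__":
    result = assess(OFFER, OUR_DOMAINS, OUR_SYSTEMS, TODAY, False, ROSTER)
    print(result.level, result.confirmed, result.insider_hypothesis, result.suspects)
    for n in result.notes:
        print(" -", n)
```

With the constructed inputs the offer is rated critical: it was bumped four days ago, the sample contains an account on the firm's own domain, and the seller names two systems the firm runs. Because the log review found no abnormal access, the routine flags the insider hypothesis and narrows the roster to the one person whose access covers both named systems; if abnormal access had been seen, the same offer would still be critical but the insider line of enquiry would not be raised.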