What Is The Dark Web And Why Should My Law Firm Care?

‘Dark web’ is a term that is widely used to conjure up images of a second mysterious yet murky layer of the internet where criminal gangs operate.

The dark web – a set of web pages that aren’t indexed so don’t appear in your search engine – is used by organised crime gangs (OCGs) to trade stolen credentials and data that may be used in a cyber attack against your firm.

Data breaches are reported so frequently in the news these days that people are almost becoming desensitised to the devastating impact that they can have.

Within a year of a data breach, usernames, passwords and personal data will inevitably be for sale on the dark web.

Financial gain is one of the biggest drivers for these types of attacks. Having said all that, it’s fair to note that most of these reported breaches impact data and credentials relating to members of the public, it’s rare that breaches affecting business data are reported on the news.

Why should a Law Firm care?

There are several scenarios where cyber attacks and the subsequent data breaches could prove damaging to a firm.

Scenario 1 – Password Reuse

Recent studies show that 1 in 4 employees in the UK use the same passwords at work as they do at home.

How does a hacker exploit this?

• Hacker causes data breach of seemingly innocuous app. Usernames and passwords were recently stolen from US sports giant Underarmour’s My Fitness Pal app
• Stolen credentials for sale on dark web
• Credentials bought by 2nd hacker
• 2nd hacker researches on Linkedin to discover that this set of credentials belongs to a law firm employee
• They try these same credentials for the law firm’s email account and are granted seemingly legitimate access

This scenario is difficult for the law firm to detect. Credentialed access isn’t picked up by normal monitoring methods easily.

How to protect against Scenario 1

• Train your staff about the dangers of reusing passwords. Get a password manager to make it easier for them to use unique strong passwords for each account
• Implement 2 Factor Authentication where possible
• Talk to Lawyer Checker about password checking and how we can ensure that the passwords used in your organisation aren’t for sale on the Dark Web

Scenario 2- Phishing

How does a hacker exploit this?

Even if credentials aren’t stolen during a breach, a whole heap of other personal data can be. This data can then be cleverly used to extort credentials.

• Hacker causes data breach of seemingly innocuous app. In 2018, Apollo, a sales engagement business accidentally leaked over 126 million records containing email addresses, job titles, place of work and other data
• Stolen data for sale on dark web
• Data bought by 2nd hacker
• 2nd hacker uses data to piece together hierarchy of a particular firm
• Hacker spots that DMARC hasn’t been implemented on the firm’s domain and emails accounts department seemingly from Managing partner to ask for a large money transfer. Alternatively, hacker emails Law firm client, seemingly from solicitor to advise that bank details have changed, and funds must be sent to this new account

How to protect against Scenario 2

• Train staff about the dangers of phishing
• Conduct regular phishing tests
• Implement DMARC on all domains

Both scenarios are too easy to fall victim of.

We are only human, and the cyber criminals will prey on our fallibility.

Ensuring that your firm regularly trains staff to consider these pitfalls could be the difference between extreme reputational damage and securing the sensitive business and client data you hold.