Dark Web vs. Deep Web: Uncovering the Difference


Ask the average person to explain the world wide web and their definition will probably include the web browser they use to access the Internet, the search engines like Google that they use to find relevant content, Reddit or other forums, and their favorite websites for news, entertainment, and social media.

These sites are only a small part of the web, called the surface web. This is the portion of the world wide web that:

  1. Can be accessed using conventional browsers like Safari and Chrome, and
  2. Has been indexed and made searchable by public search engines like Google and Bing.

While the surface web is by far the most familiar and accessible portion of the world wide web and is home to the public-facing websites of brands you know and love, it only contains 0.03% of all information on the WWW.

So where is the rest of the web content? It sits in the deep web and dark web, which together comprise the 99.97% of web properties, content, and data that can’t be accessed using Google and other conventional search engines.

In this post, we’ll discuss the differences between these two portions of the web, how each one is accessed, what kinds of information and resources they contain, and how to counteract cyber threats that emerge from these hidden corners of the Internet.


What is the Deep Web?

The deep web, also known as the hidden web or invisible web, is the unsearchable portion of the world wide web. 

The deep web consists of websites and pages that are not indexed by search engines, and therefore cannot be searched or easily discovered by the public. Some of these pages are not indexed because search engines simply haven’t found them yet, but the majority of the deep web is intentionally hidden by developers to prevent private data from being exposed to the public.

Content and pages behind a login screen are considered the deep web

What’s on the Deep Web?

The deep web includes all web pages that are not indexed by search engines. Resources hosted on the deep web often fall into one of the following categories:

  1. Contextual web pages, whose content varies depending on the context in which the page was accessed.
  2. Dynamic pages, whose content is generated dynamically as the result of filling out a form or submitting a search query.
  3. Limited access content, a category for pages that use technical methods to block search engine crawlers from indexing them.
  4. Private websites, a large category which includes all websites and areas of websites that require member registration and login.
  5. Enterprise data, including private databases and files deployed in the public cloud.
  6. Scripted content, a category for pages that can only be accessed through links produced by JavaScript.
  7. Software-gated pages, which may not be accessed with a conventional browser application and may only be accessed using specialized software programs.
  8. Unlinked content, a category for web pages that have not been found by search engines because there are no other pages linking to them.
  9. Web archives, a category for web pages that are no longer available, but whose past versions can be viewed using a web archiving service.

The scope of this list reveals the true magnitude of the deep web. 

Corporate intranets, public cloud deployments, members-only websites and forums, private email and chat inboxes, web service accounts, private social media content, electronic bank accounts, electronic health records, and huge volumes of enterprise data are all hosted on the deep web. It’s important to note that not all information on the deep web is nefarious in nature, as it is primarily used to protect data. 
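
As an added illustration (not code from the original article), the Python sketch below checks a page for the signals that keep it out of a search index, covering the "limited access" and "private website" categories above: a robots.txt rule, an X-Robots-Tag header, a robots meta tag, or an authentication requirement. The site, URLs, and robots.txt content are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

class MetaRobots(HTMLParser):
    """Collects directives from <meta name="robots" content="..."> tags."""
    def __init__(self):
        super().__init__()
        self.directives = set()

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("name", "").lower() == "robots":
            self.directives |= {d.strip().lower() for d in attrs.get("content", "").split(",")}

def unindexed_reasons(url, status, headers, body, robots_txt, agent="Googlebot"):
    """Reasons a rule-abiding crawler would leave this page out of its index."""
    reasons = []
    robots = RobotFileParser()
    robots.parse(robots_txt.splitlines())
    if not robots.can_fetch(agent, url):
        reasons.append("robots.txt disallows crawling")
    if status in (401, 403):
        reasons.append("authentication required")
    header = {d.strip().lower() for d in headers.get("X-Robots-Tag", "").split(",")}
    if header & {"noindex", "none"}:
        reasons.append("X-Robots-Tag noindex")
    meta = MetaRobots()
    meta.feed(body)
    if meta.directives & {"noindex", "none"}:
        reasons.append("meta robots noindex")
    return reasons

# Constructed sample data for a hypothetical site (not from the article).
ROBOTS_TXT = "User-agent: *\nDisallow: /hr/\n"
PAGES = [
    ("https://www.example.com/blog/post", 200, {}, "<html><head></head></html>"),
    ("https://www.example.com/hr/payroll", 200, {}, "<html></html>"),
    ("https://www.example.com/account", 401, {}, ""),
    ("https://www.example.com/reports/q3", 200, {"X-Robots-Tag": "noindex, nofollow"}, ""),
    ("https://www.example.com/search?q=x", 200, {}, '<meta name="robots" content="NOINDEX">'),
]

def audit(pages=PAGES, robots_txt=ROBOTS_TXT):
    return {url: unindexed_reasons(url, st, hd, body, robots_txt) for url, st, hd, body in pages}

if __name__ == "__main__":
    for url, why in audit().items():
        print(url, "->", why or "indexable (surface web)")
```

Of these signals, only the authentication requirement restricts access. A page excluded by robots.txt or noindex alone is still readable by anyone who has the URL, so those directives should not be relied on to protect private data.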

What is the Dark Web?

The dark web includes all content on the internet that exists on darknets, overlay networks that use the internet but can only be accessed using specific web browsing software, authorizations, and encryption. Most darknets are small peer-to-peer (P2P) networks, but there are also larger, well-known darknets like Tor, Freenet, and I2P.

During the fall of the Silk Road marketplace in 2013, media outlets repeatedly used the term “dark web” in reference to the Tor network on which Silk Road was hosted, and which can only be accessed using the encrypted Tor browser. As a result, many people believe that the Tor browser is the dark web, when in reality, it’s only one part of it.

.onion site that is used for legal purposes, posting news articles

What’s on the Dark Web?

Users can only access the dark web using a specialized web browser like Tor, which encrypts web traffic and hides user and website IP addresses to enforce anonymity. The anonymous nature of the dark web has made it a safe haven for criminal activity, including both low-level and organized criminals who wish to sell their products and services online while escaping accountability from law enforcement.

Content hosted on the dark web includes things like:

  1. Malware – Malicious programs, including software exploits, rootkits, and viruses can be purchased or downloaded from the dark web and used by digital threat actors to launch cyber attacks.
  2. Illicit Marketplaces – Illicit marketplaces on the dark web allow criminal merchants to freely traffic in illegal drugs, stolen goods, and stolen data that may be purchased and used by digital threat actors to commit identity theft and fraud.
  3. Hacking Groups and Services – Hacking groups on the dark web can be hired to launch cyber attacks against a specific target for the right price.
  4. Fraud, Counterfeiting, and Identity Theft – Fraudsters congregate on the dark web to share information and resources, as well as buy and sell fraudulent assets, such as stolen email credentials and fraudulent bank accounts.
  5. Bitcoin Services – Criminals on the dark web often accept bitcoin as payment for goods and services. The widespread availability of bitcoin, along with the anonymity it provides, has made bitcoin the preferred digital currency for laundering money or exchanging illicit goods and services online.
  6. Stolen Data – Personally identifying information (PII) and other sensitive data stolen from enterprise targets is frequently sold on the dark web.

In addition to being accessed exclusively through specialized software, resources on the dark web are also hidden from search engines. Because of this, the dark web is technically a subset of the deep web that belongs to the category of software-gated pages.

Is It Illegal to Access the Deep or Dark Web?

Based on our description of the deep web, it should be clear that many areas of the deep web are completely legal to access – areas like your email inbox, the files stored in your Dropbox account, your business intranet, and private websites where you’re a member.

Still, it is illegal to fraudulently obtain access to private information and resources on the deep web that aren’t yours (e.g. hacking into the corporate intranet or public cloud of a rival company, executing an email account takeover attack, etc.).

As for the dark web, accessing darknets using specialized software like the Tor browser is completely legal in the United States. 

With that being said, users can always face legal consequences for crimes they commit on the internet, including things like purchasing illicit drugs, accessing banned content, and engaging in piracy or fraud.

Screenshot of thread in dark web forum used to assist criminals committing financial fraud

Where Do Cyber Threats Emerge in the Deep and Dark Web?

Cyber threats to your enterprise can manifest in both the deep and dark web. A comprehensive approach to enterprise threat intelligence should include monitoring both of these channels for emerging cyber attacks and potential indicators of compromise.

Here’s what you should be looking for:

Cyber Threats on the Deep Web

Content on the deep web is hidden from search engines, making it more obscure and difficult to find than surface web content that has been indexed by Google.

Digital threat actors take advantage of this by using the deep web to hide malicious or fraudulent infrastructure that can be used to commit scams or cyber attacks. Malicious or spoofed domains created by digital threat actors are commonly hidden from Google in the deep web and used to carry out scams or steal access credentials from victims.

The deep web also includes private forums where hackers exchange tools and information for executing attacks against enterprise targets.
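
One way a defender might triage spoofed domains like those described above, shown as an added Python example that is not from the original article: it compares newly observed domain names against a brand's own domain using homoglyph folding, keyword matching, and edit distance. The brand, the observed domains (all under reserved test TLDs), and the source of the observation feed are assumptions.

```python
HOMOGLYPHS = str.maketrans("0135", "oles")  # digits commonly swapped for letters

def skeleton(label):
    """Fold look-alike characters so visually similar labels compare equal."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(domain, brand_domain, max_edits=2):
    """Return why `domain` resembles `brand_domain`, or None if it does not."""
    domain, brand_domain = domain.lower().rstrip("."), brand_domain.lower()
    if "." not in domain or domain == brand_domain or domain.endswith("." + brand_domain):
        return None  # not a domain, or the brand's own domain / subdomain
    labels = domain.split(".")
    # Assumption: single-label TLDs, so the registered name is the second-to-last label.
    brand = skeleton(brand_domain.split(".")[-2])
    registered = skeleton(labels[-2])
    if registered == brand:
        return "same or homoglyph name"
    if brand in registered:
        return "brand plus keyword"
    if edit_distance(registered, brand) <= max_edits:
        return "typo variant"
    if brand in map(skeleton, labels[:-2]):
        return "brand used as subdomain label"
    return None

# Constructed sample: hypothetical brand and hypothetical newly observed domains.
BRAND = "acmebank.example"
OBSERVED = [
    "portal.acmebank.example", "acmebank.test", "acm3bank.example",
    "acrnebank.example", "acmebank-login.example", "acmebnk.example",
    "acmebank.example.account-verify.test", "weatherreport.example",
]

def triage(observed=OBSERVED, brand=BRAND):
    """Map each suspicious domain to the reason it was flagged."""
    return {d: r for d in observed if (r := lookalike_reason(d, brand))}

if __name__ == "__main__":
    print(triage())
```

For short brand names, lower `max_edits` to 1, since an edit distance of 2 will match many unrelated words.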

Cyber Threats on the Dark Web

The dark web represents just a small fraction of the deep web and the overall Internet, but it’s the fraction where criminal activity is the most rampant. 

The anonymity offered by dark web forums and marketplaces emboldens hackers, fraudsters, and other digital threat actors to openly offer cyber attack services and sell stolen data. If a digital threat actor steals data from your organization, discovers a software vulnerability or exploit that could target your network, or gains unauthorized access to your systems, they may attempt to monetize the attack by selling access to your assets on the dark web.

Monitoring the dark web gives you the opportunity to recognize when digital threat actors are preparing to target your business and take proactive countermeasures to shore up defenses and safeguard your digital assets.

Protect Your Company Against Deep and Dark Web Cyber Threats with ZeroFOX

ZeroFOX provides enterprises with brand protection, threat intelligence, and adversary disruption capabilities to detect and dismantle threats across the entire public attack surface, including the deep and dark web.

Our AI-driven approach to deep and dark web monitoring gives you critical visibility into the channels that digital threat actors use to deploy threats against your brand, executives, employees, and customers.

Once a threat is detected, our Dark Ops team is there to augment your response with real-time intelligence, bad actor attribution and engagement, breach containment, and IP recovery. Your security team can use dark web detections from ZeroFox to better understand where your attack surface is vulnerable and the source of the data. Finally, you can take steps to mitigate data leakage by implementing security controls like securing vulnerable hosts or notifying users to change their passwords.
