The Dark Web is the mucky underbelly of the Internet. This is a lawless domain, where the rule of law doesn’t exist, and anything goes.
If you’ve got the money, you can get your hands on narcotics, fake passports, firearms, even hitmen. And according to Israeli threat intelligence firm Sixgill, many are using it to obtain fake diplomas, and hire hackers to penetrate university computer systems and alter grades.
As Sixgill CEO and Co-Founder, Avi Kasztan says, “Cyber criminals have created a digital marketplace where unscrupulous students can purchase or gain information necessary to provide themselves with unfair and illegal academic credentials and advantages”
The market for fake diplomas is a booming one. Sixgill has identified multiple vendors selling degrees and accreditation that seemingly looks legitimate. One selling a fake London Metropolitan University diploma proudly boasts about the quality of the paper and the embossed seal, and how it’s the “identical size to the original”.
The vendor states that it is “Perfect to be used at places where they just do cursory inspection (eg: where they just look at the seal and appearance of the degree itself, without doing any cursory checks).”
Perhaps what is most striking is the diversity of fake degrees available. While there are some from prestigious institutions like Oxford University, Cambridge University, and Harvard, the majority are from ordinary schools, like Liverpool John Moores University, Middlesex University, and the University of Northern Iowa.
In addition to the fake degrees, there were also counterfeit drivers licenses and passports, and forged professional certifications. The above image shows someone selling an IFAP certificate, which is a health and safety qualification that is recognized in Australia. Another is an IAWC Certificate, which shows the holder is a qualified well driller – a seriously dangerous profession.
Like most things on the Dark Web, these diplomas are priced in BitCoin – a decentralized cryptocurrency that allows anonymous payments. When converted into dollars, these range in price from $200-400. Payment was made through an escrow service, in order to make sure that the customer pays, and the counterfeiter actually sends the goods.
Slightly reminiscent of Ferris Beuller, Sixgill identified a flourishing market for hackers who would target universities in order to change grades and remove academic admonishments.
One person posted that he was looking for an “… experienced hacker in Apache or LDAP server, who understands systems invasion” in order to “… change a few notes in my university system”, while another wanted to find out how much it would cost to “… get the login password for a university administrator.”
In one forum thread, a student was used to plant a hardware keylogger on their teacher’s computer, and to bug their office. To accomplish that, the student was advised to buy a lockpicking kit and the exact make and model of the lock used in his teacher’s office, and to practice picking it.
Sixgill also identified someone selling a guide on how to hack university grading systems for as little as $15.
This research was the product of Sixgill’s proprietary monitoring system, which tracks activity on closed, open, and hybrid Dark Web forums, where it then collates and analyzes to create profiles and patterns of users. This, Sixgill says, allows them to identify and track potential hackers based on their activities.
Above all, it shows the terrifying ease in which these documents can be faked, and how grades can be manipulated. While hackers and counterfeiters are stacking thousands of dollars, if someone gains employment in the fields of medicine or engineering with faked credentials, the consequences could be lethal.