Skip to content

4 Reasons Why Your Retail Security Team Needs to Be on the Dark Web


Cybercriminals actively use the dark web to plan and execute attacks on retail organizations. To stay ahead of these attacks, retail security teams must leverage tools that allow them to detect potential threats easily and safely. 

Bottom Line:

No retailer is safe from threats. One of the best investments retail security teams can make is monitoring the deep and dark web. Specialized tools give organizations quick access to active criminal conversations. 


Full Article:

Established retailers are well aware that security breaches can make or break a brand’s success. Retail is cybercrime’s most targeted industry—in fact, 84% of US retailers increased their cybersecurity budgets in 2018, according to a report from Thales

New call-to-action

Many cybercriminals use the deep and dark web to discuss strategies, and sell goods and services targeted at exploiting brands. Knowledge is power: accessing this “room” gives retailers a huge advantage by informing their security tactics, techniques, and procedures.

The problem is that dark websites are notoriously dangerous and cumbersome to access. Threat hunting on these platforms takes an extraordinary amount of time, and investigators risk running into harmful content or exposing their presence to cybercriminals. What do retail threats on the deep and dark web look like, and how can retailers access this information safely and efficiently?

What Is the Deep and Dark Web?

people walking shopping street mall retailYou might be thinking, “why are they referring to the ‘deep’ and  ‘dark’ web? Aren’t these the same thing?” These terms are often conflated, but they have important differences and host different threats as far as retail security is concerned.

In a nutshell, the deep web includes any online content that is not discoverable or indexed in common search engines like Google. The deep web comprises about 90% of all web content. It consists mostly of boring or private information, such as banking pages or internet archives—but it also includes forums, classifieds, and paste sites. These sites are frequently used by hackers. 

Dark web threat intelligence: how to discover threats from hidden online sources   <>

The dark web is a small corner of the deep web that is only accessible through Tor, which anonymizes users through a process called “onion routing.” The dark web consists mainly of discussion sites and marketplaces. This is where cybercriminals sell and discuss a variety of illegal goods and services. 

Both of these networks host a number of retail-targeted threats that help businesses understand the current threat landscape and reevaluate their threat intelligence solutions.

Retail Threats on the Deep and Dark Web

After conducting a number of deep and dark web searches on behalf of major retailers, Echosec Systems compiled a list of the most common threats targeting retailers on these platforms.

1. Counterfeit Goods

Counterfeiters make up a $400 billion industry in China alone. Vendors use dark web marketplaces to sell counterfeit goods from well-known retailers. The following is an example of a vendor selling counterfeit designer apparel on a dark web marketplace called Apollon Market. This screenshot is taken from Beacon, a commercially available deep and dark web discovery tool:

screengrab retail blog

Fakes are also present on many popular classifieds sites like Kijiji. Even though these are surface websites, listings are often unindexed by common search engines, making them difficult to find.

2. Gift Card Fraud

Gift cards are extremely popular—an estimated $160 billion industry. There are a number of ways hackers target retailers and their customers through gift card fraud:

  • Hackers obtain an individual’s personal financial information and use it to access credit card rewards program credentials. This allows hackers to redeem account values for gift card numbers, which they can convert to cash or sell on the dark web at discounted rates. 

The following screenshot was taken directly from a dark website selling discounted gift cards from a major retailer in bulk:

gift card screengrab

  • Hackers record gift card numbers while they’re still hanging in stores and monitor their balances online. When those cards are purchased by legitimate customers, hackers immediately drain the balance by converting the card to cash or transferring the balance. Hackers can also use this information to create and sell fake duplicate cards on sites like Kijiji.
  • Thieves steal store merchandise and return items to a different location. Retailers sometimes offer customers gift cards for returning merchandise with no receipt. Thieves then sell these gift cards at a discounted rate on classified or third-party gift card sites.

There are thousands of listings on the dark web selling discounted virtual gift cards, gift card converters and checkers, and how-to guides for committing gift card fraud. Unindexed deep web forums are also used for discussing gift card fraud strategies or advertising services. Here’s a post discovered using Beacon on a deep web forum (details exposing the retailer are blurred):

retail screengrab

3. Data Breaches

Retailers now operate in an age where data breaches are inevitable. Most cybersecurity experts believe it’s a matter of when, not if, organizations are targeted by hackers.

Breaching a major retailer means that hackers can access and exploit internal customer, employee, or executive information. Data breaches jeopardize existing access control systems, and have huge ramifications for brand reputation.


Hackers often turn to the dark web to discuss strategies or to advertise their services. One way to detect a breach’s early stages is by discovering company emails on unindexed text-sharing sites like Pastebin. This is all easily discoverable information using a deep web search tool.

beacon screengrab

4. Theft 

Loss prevention is at the forefront of retail security strategies. According to the National Retail Federation, retailers lose over $50 billion annually to in-store theft. Unsurprisingly, thieves turn to anonymous forums on the deep web and dark web to discuss shoplifting strategies. These discussions are useful for improving a store’s physical security.

The following is an example of a response from a user on Dread requesting shoplifting advice for a major retailer. Dread is the dark web’s equivalent of Reddit:

retail blog screengrab

What Should Retailers Do About It?

retail security data protection loss preventionGreat—now that you know all this is happening behind your business’s back, what can be done about it?

The first step is accessing this information safely and efficiently. As we mentioned earlier, finding relevant dark web intelligence requires a lot of time—the equivalent of finding specific information in a disorganized library with no dewey decimal labeling. Dark web investigators also run the risk of unintentionally viewing disturbing content, or exposing themselves even further to hackers.


Deep web discovery tools like Beacon allow security teams to find specific information on deep and dark websites. Users can search for content by keyword or image detection, and narrow down this vast data pool using parameters like site type (e.g. marketplaces, discussion forums). Even though Beacon provides Tor links for each result, text-based content is displayed within the platform so users don’t have to visit dark websites directly. Intelligence analysts can find critical information implicating their brand in a matter of minutes.

Retailers use discovery tools to find perpetrators and take that information to law enforcement. They also use content to inform security processes. For example, after learning how gift card fraudsters operate, a retail chain might keep gift cards locked in cabinets, redesign card security features, or change their return policies. Hackers constantly evolve to outsmart new security strategies, so it’s crucial that retailers keep up with deep and dark web activity. Discovery tools can be integrated into existing operational intelligence systems. This gives retailers real-time access to live threats and faster incident response times.

Data breaches: finding threats on the hidden internet   <>

An added benefit of accessing cyber threat intelligence is brand reputation. Retailers can use this information to better educate employees and customers about active security risks, and ensure them that advanced security procedures are in place. This is critical for establishing brand trust and customer loyalty in a world where cybersecurity is increasingly important to customers. 

In Summary

No retailer is safe from threats—whether it’s an in-store shoplifter or a hacker targeting your CEO’s personal information. One of the best investments retail security can make is discovering strategic intelligence on the deep and dark web. Discovery tools give brands quick access to active criminals. Perhaps more powerful than that is retailers becoming a fly on the wall in the “room” that is the dark web. Understanding how cybercriminals operate is critical for adapting vulnerability management processes, preventing threats, and ultimately reinforcing customer loyalty.