Dark Net Recruitment is Turning Employees into Malicious Insiders For-Hire


We all know the dark web covers a dizzying amount of illegal activity. It is the go-to marketplace for hackers to buy and sell their wares: advertising their services for hire, and selling sensitive corporate information, credit card numbers and identity details. What is increasingly concerning is that the dark net is now used to recruit more than career hackers and crypto-geniuses for the security and espionage services of governments. Regular 'insider' employees are also being recruited via the dark web to take on a 'second' job.

There is a growing number of recruitment pages, some of which even resemble regular job search websites. Cyber-criminals target company insiders because an insider offers direct access to the target's data and systems: credentials can be stolen or hijacked, malware and other malicious software can be installed behind the firewall with less risk of detection, and data can be exfiltrated with an insider's help.

The “dark net” second job
A review of dark web forums shows that cyber-criminals have become more ambitious over time and are playing the long game. Job ads on the dark web actively recruit for ongoing roles where candidates can provide continued access and data.

In 2017, a report by Intsights, a provider of surface, deep and dark web cyber threat intelligence, noted a forum post seeking direct access to bank computers that handle accounts and wire transfers. The post stated that "[t]here's no limit" to how much money could be made and that, "as long as i [sic] continue to have access", the job would pay on a weekly basis.

In a report from September 2018, CNBC shared one dark web job ad that was looking for bank employees and offered 370,000 roubles (roughly £4,400) per month for one hour's work a day. Trading Economics statistics as of January 2019 put the average monthly wage in Russia at £501, so a dark net bank job paying more than eight times the average monthly Russian wage is extremely tempting.

Insiders at technology firms and multi-national companies are prime targets
While banking and financial services are key sectors for cyber-criminals to recruit insiders from, bad actors also target large technology firms and multi-national companies. Global corporations with overseas locations are particularly at risk in locales where salaries are comparatively low and prosecution of cybercrimes is difficult.

In autumn 2018, Amazon reported that it was investigating claims that company insiders across Asia were leaking data to middlemen, who paid for the data and sold it on to Amazon marketplace sellers, giving those sellers an unfair advantage.

Similarly, the US recently charged five Chinese nationals over hacks on unnamed US and French aviation companies, including two insiders who are alleged to have infected the network with malware at the French company's office in Suzhou, China. It is not known how long the insiders were working with the hackers, but the data breaches are believed to have taken place over five years.

These examples show that the number of insiders recruited for "dark" jobs internationally is growing, and every organization needs to take notice.

How it works and why recruitment efforts are expanding beyond the dark web
In 2016, researchers from Digital Shadows reviewed about 100 million websites on the surface web and dark web and found that the process cyber-criminals use to recruit new hires is essentially the same as the traditional one most applicants are accustomed to, including CVs and a job interview. Unsurprisingly, given the covert nature of the process, names are usually aliases, and the customary telephone or Skype interview may be conducted without video or with voice-changing technology. Some dark web employers even impose a probationary period.

However, a series of events has forced the recruitment process to change in order to remain effective. In July 2017, the dark web took a significant hit when Operation Bayonet, a multi-national law enforcement operation, hit the headlines: the US Department of Justice announced the takedown of the largest dark web market, AlphaBay, and the second largest, Hansa, followed soon after.

Predictably, new dark markets such as Dream and Wall Street have emerged in their place and are growing in size. But these new markets face the same risks – law enforcement infiltrating the markets or a site owner deciding to shut the site down and steal everyone’s bitcoin, like dark market Evolution did in March 2015.  

As a result, many cyber-criminals have shifted from large forums to chat networks and messaging apps to continue recruiting insiders. In 2018, Check Point Research revealed that Telegram channels such as 'Dark Jobs' and 'Dark Work' had sprung up specifically to recruit hackers and wayward insiders. One posting on 'Dark Jobs' sought employees of Western Union or MoneyGram with access to certain systems and promised $1,000 per day.

What can businesses do to protect themselves from dark net recruits? 
What a user does on the dark web from their own machine at home, or via messaging apps on their mobile phone, is generally not visible to the company. Their actions in the corporate environment are visible, and at some point the insider will have to use corporate systems to extract data or to plant something malicious.

It is at this point that a company's visibility into user activity becomes essential. Without it, nobody will spot the out-of-the-ordinary activity and ask why a user is uploading files to an IP address outside the corporate network, or why a remote-control application that has no business on a company server has just been installed on one.

Because of the power of their credentials, privileged users have long had their access rights monitored and tracked, but employees at all levels, meaning anyone with access to company systems, must be monitored too. Employee activity monitoring can be done in a privacy-sensitive way, using solutions that provide full visibility into user activity but pseudonymize the identity behind each action, so that analysts do not routinely see who did what. Only when suspicious or out-of-policy activity takes place can an authorized person unmask the identity and review the underlying data to determine whether a threat to cybersecurity exists.

Whether insiders are recruited through dark web forums or through chat networks and messaging app channels, the employment of insiders for dark jobs remains a serious threat to cybersecurity. Businesses need the full picture: an understanding of normal user behavior patterns, visibility into user activity, and real-time alerts when employees step outside company policy or start acting suspiciously, for example by logging in late at night or moving a particular type of file on the same day each month. Detection is crucial if organizations are to protect their most valuable assets and stop data loss before it occurs, instead of closing the proverbial stable door after the data has bolted.
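The three signals described above (an upload to an address outside the corporate network, a remote-control tool appearing on a server, and a login well outside business hours) can be expressed as simple rules over an audit log in which the user's identity is pseudonymized and only unmasked for an authorized review. The following is an added example written for this article, not code from the article's author or from any monitoring product; the JSON log format, the host naming scheme (`srv-` for servers, `ws-` for workstations), the RFC 1918 corporate ranges, the remote-control watch-list, the business hours and every user name are assumptions, and the sample log lines are constructed.

```python
"""Insider-activity detection over constructed audit-log lines (added example).

Rules: upload to an external address, remote-control tool installed on a
server host, and login outside business hours. Identities are pseudonymized
with a keyed HMAC so analysts see a stable token rather than a name; the
token is only resolved back to a person through resolve_identity() when a
review ticket is supplied. All formats, names and thresholds are assumed.
"""
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime

# Assumed corporate address space (RFC 1918); anything else is "external".
CORPORATE_NETS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOTE_CONTROL_TOOLS = {"anydesk", "teamviewer", "ammyy", "rustdesk"}  # assumed watch-list
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, assumed
# Pseudonym -> real user. In a real deployment this lives in a separate,
# access-controlled store; it is an in-memory dict here only for the demo.
ESCROW = {}


def pseudonymise(user, key):
    """Stable, keyed token for a user; the key stays outside the SIEM."""
    token = hmac.new(key, user.encode(), hashlib.sha256).hexdigest()[:16]
    ESCROW[token] = user
    return token


def resolve_identity(token, review_ticket):
    """Unmask a token only for an authorized review; refuse otherwise."""
    if not review_ticket:
        raise PermissionError("identity lookup requires an approved review ticket")
    return ESCROW.get(token)


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def evaluate(event, key):
    """Return a list of (rule_name, pseudonym) findings for one parsed event."""
    who = pseudonymise(event["user"], key)
    findings = []
    if event["action"] == "upload" and is_external(event["dest_ip"]):
        findings.append(("upload_to_external_address", who))
    if (event["action"] == "install" and event["host"].startswith("srv-")
            and event["program"].lower() in REMOTE_CONTROL_TOOLS):
        findings.append(("remote_control_tool_on_server", who))
    if event["action"] == "login":
        if datetime.fromisoformat(event["ts"]).hour not in BUSINESS_HOURS:
            findings.append(("off_hours_login", who))
    return findings


def scan(lines, key):
    """Run every rule over JSON-lines audit events and collect the findings."""
    findings = []
    for line in lines:
        findings.extend(evaluate(json.loads(line), key))
    return findings


# Constructed sample log (JSON lines); users, hosts and addresses are made up.
SAMPLE_LOG = [
    '{"ts":"2019-03-04T14:02:11","user":"alice","host":"ws-017","action":"upload","dest_ip":"10.20.1.5","bytes":40960}',
    '{"ts":"2019-03-04T23:41:50","user":"bob","host":"ws-042","action":"login"}',
    '{"ts":"2019-03-05T02:13:09","user":"bob","host":"ws-042","action":"upload","dest_ip":"198.51.100.23","bytes":734003200}',
    '{"ts":"2019-03-05T09:30:00","user":"carol","host":"srv-db01","action":"install","program":"AnyDesk"}',
    '{"ts":"2019-03-05T09:31:00","user":"carol","host":"ws-009","action":"install","program":"AnyDesk"}',
]

if __name__ == "__main__":
    key = b"assumed-hmac-key-kept-outside-the-siem"
    for rule, who in scan(SAMPLE_LOG, key):
        print(f"{rule:32s} user={who}")
    # Only a reviewer holding a ticket learns who is behind a token.
    token = pseudonymise("bob", key)
    print("unmasked for IR-2019-0042:", resolve_identity(token, "IR-2019-0042"))
```

Run stand-alone, the script raises three findings: the off-hours login and the large upload to 198.51.100.23 carry the same pseudonym (so the analyst can see one person behind both without knowing who), and the AnyDesk install fires only on the `srv-` host, not on the workstation. The per-day and per-month patterns the article also mentions (the same file type moved on the same day each month) need a baseline of past activity per pseudonym and are deliberately out of scope here.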
