Threatlist: Targeted Espionage-as-a-Service Takes Hold on the Dark Web


One in four underground merchants offer advanced hacking services, once reserved for APTs and well-funded organized crime gangs.

The cybercrime underground has become a service-driven, on-demand economy, and targeted corporate espionage is now among the services on offer. According to an analysis, about 40 percent of Dark Web merchants offer spearphishing-as-a-service and targeted hacking services aimed at infiltrating Fortune 500 businesses and other high-value targets.

Typically reserved for well-resourced organized cybercrime gangs and APTs, these types of services are putting big fish on the radar for less experienced hackers, according to Mike McGuire, senior lecturer in criminology at the University of Surrey in the UK. His analysis, carried out in conjunction with Bromium and based on covert discussions with Dark Web vendors and picking the brains of law enforcement, shows that the underground has become a haven for such wares.

“These services typically come with service plans for conducting the hack, with prices ranging from $150 to $10,000 depending on the company involved and the extent to which the malware was customized for targeted attacks,” McGuire explained in the report, released Thursday at Infosecurity Europe.

He also found that custom-built, targeted malware, tailored to specific industries or organizations, is on the rise and now outnumbers off-the-shelf varieties of malicious code by roughly 2:1.

The industries most frequently targeted by malware tools being traded on the underground are banking (34 percent), ecommerce (20 percent), healthcare (15 percent), and education (12 percent) – with targeted malware becoming increasingly popular to improve the effectiveness of campaigns.

“Almost every vendor offered us tailored versions of malware as a way of targeting specific companies or industries,” said McGuire. “The more targeted the attack, the higher the cost, with prices rising even further when it involved high-value targets like banks. The most expensive piece of malware found was designed to target ATMs and retailed for approximately $1,500.”

Further, he found in his meanderings around the dark markets that access to corporate networks is sold openly – 60 percent of vendors approached in the study offered access to more than 10 business networks each. In terms of verticals, banking and finance (29 percent), healthcare (24 percent), ecommerce (16 percent), and education (12 percent) corporate networks were the most common.

“The methods for providing access varied considerably,” McGuire explained. “Some involved stolen remote-access credentials that are for sale for as little as $2, others involve backdoor access or the use of malware. Illicit remote access tools appear to be most popular – we were offered remote access trojans at least five times more often than keyloggers.”

The study also showed that phishing remains a preferred method for infiltrating corporate networks, and vendors are catering to the demand with ready-made tools.

“Purchasing corporate invoices is easy on the dark net, with prices ranging from $5-$10,” said McGuire. “These documents can be used to defraud organizations or as part of phishing campaigns to trick employees into opening malicious links or email attachments, which deliver malware that triggers a breach or gives hackers a backdoor into corporate networks which could be sold on the dark net.”

While the statistics are alarming, Adam Laub, senior vice president of product management at STEALTHbits Technologies, said that the findings should really come as no surprise.

“If I were an attacker, I’d be targeting large enterprises too,” he said via email. “While big companies may in theory have access to better or more resources than their smaller counterparts, it’s much easier to hide amidst the crowd in environments with so many moving pieces, and thus, a much greater propensity for open doors to exploit. What you’ll find in a large enterprise is more predictable. Sure, they’re moving to the cloud like everyone else, but the good stuff is still largely on-premises, running off of dated and well-known technologies that attackers are comfortable working around. That’s not to say smaller organizations aren’t worth the time or effort, but bigger outfits have bigger everything – bigger file repositories, bigger databases, bigger customer lists. If you’re a serious cybercriminal looking to score big, then hunting whales seems like a logical choice.”

