Cybercriminals are increasingly using dark web forums to recruit employees and contractors willing to help them achieve their goals, according to a report published on Tuesday by security firms IntSights and RedOwl.
The anonymity provided by the dark web has attracted many people offering their services as insiders. IntSights has monitored hundreds of dark web forums and tens of black markets in the past few years and determined that discussions about insiders nearly doubled from 2015 to 2016.
Over the course of two years, researchers identified roughly 1,000 references to insiders – each reference represents a unique forum post, including cases where insiders are not the main topic of a thread.
While insiders were mentioned only a few times in the beginning of 2015, the number increased considerably in the second half of 2016.
Experts have identified three main types of activities: insider trading, retail insiders, and what they refer to as “weaponized insiders.”
In the case of insider trading, while there is some activity on general forums, researchers found that the most profitable schemes are discussed in smaller, closed groups. Only people who can prove their capabilities can become members of these exclusive groups.
One such forum, named “KickAss marketplace,” specializes in various types of insider trading. The website’s operators try to maintain high standards and a 1 BTC ($980) membership fee must be paid by users who want to join.
According to researchers, there are roughly five posts per week on the KickAss forum and transactions total 40 BTC (roughly $39,000). The site’s administrators claim some members make over $5,000 per month using the leaked information.
The most common types of insiders offering their services on dark web forums are low-level employees (e.g. cashiers) who can help with carding activities. These retail insiders can provide credit card data or they can help fraudsters purchase items using stolen cards.
In one such scheme, a fraudster was trying to recruit a retail insider who could help them buy iPhone 6 phones from a known retailer. The recruiter offered the insider £100 ($126) for each successful purchase.
Sophisticated threat actors are seeking to recruit insiders they can arm with the tools and knowledge necessary to help them steal data, commit fraud and cover their tracks.
In one example provided by IntSights and RedOwl, a cybercriminal was looking to recruit someone who could plant malware on a bank’s systems, particularly devices that access accounts and conduct wire transfers, and they were prepared to pay seven-figure amounts per week for ongoing access.
“The higher employees rank in a given organization, the less common they will be in the black market, and the higher their damage-potential becomes,” researchers told SecurityWeek.
The complete report, which also includes recommendations for enterprises looking to build an insider threat program, is available for download in PDF format.