The global cybercrime economy is large, lucrative and growing fast. According to Dr. Mike McGuire, Senior Lecturer in Criminology at the University of Surrey, cybercriminals are increasingly shifting their focus to the corporate sector, creating custom-built hacking services designed to infiltrate specific enterprises and specific sectors of the economy. A comprehensive new 32-page report (“Behind the Dark Net Black Mirror”) authored by Dr. McGuire and sponsored by cybersecurity firm Bromium highlights the growing number of hacking services and Dark Net tools specifically designed to attack the enterprise, all with the goal of transferring wealth from the corporate sector to shadowy groups on the Dark Net.
Over a five-month period (November 2018 – March 2019), McGuire’s team analyzed more than 70,000 Dark Net listings to see what hacking services were being sold, which enterprises or sectors were being targeted most frequently, and which hacking tools were emerging as the most popular for cybercriminals. McGuire’s team studied 15 leading Dark Net platforms (including Dream Market, Empire Market, Agora and Ramp), and obtained membership to three of them, in order to study first-hand how these shadowy actors coordinated their activities and reached out to potential buyers. In total, “Behind the Dark Net Black Mirror” includes insights gained from over 30 interviews with Dark Net participants, as well as insights from top security researchers.
Key findings of the Dark Net report
In the past, cybercriminals might have been content to target individuals or smaller businesses. But now, they are setting their sights on deep-pocketed enterprise targets, where the payoff from a single attack is much greater. In fact, as the report makes clear, 40% of Dark Net vendors are selling targeted hacking services designed with Fortune 500 and FTSE 100 companies in mind. Custom-built, bespoke malware now outnumbers “off-the-shelf” malware by a margin of 2:1.
Adam Laub, SVP of Product Management at STEALTHbits Technologies, comments on the shift to enterprise-based hacking: “The findings should really come as no surprise. If I were an attacker, I’d be targeting large enterprises too. While big companies may in theory have access to better or more resources than their smaller counterparts, it’s much easier to hide amidst the crowd in environments with so many moving pieces, and thus, a much greater propensity for open doors to exploit. What you’ll find in a large enterprise is more predictable. Sure, they’re moving to the cloud like everyone else, but the good stuff is still largely on-premises, running off of dated and well-known technologies that attackers are comfortable working around. That’s not to say smaller organizations aren’t worth the time or effort, but bigger outfits have bigger everything – bigger file repositories, bigger databases, bigger customer lists. If you’re a serious cybercriminal looking to score big, then hunting whales seems like a logical choice.”
Overall, there has been a 20% increase in Dark Net listings for hacking services since 2016. However, much of this uptick in activity is invisible to the average web user. As the report makes clear, the Dark Net is fast becoming the “Invisible Net,” inaccessible to major search engines like Google, and out of reach of law enforcement officials. One major reason for this is the phenomenal rise in end-to-end encrypted communications platforms, such as Telegram. Using these services, cybercriminals can easily converse about hacking services for sale without any worry of law enforcement getting involved. During the Dark Net study, for example, the researchers say that 70% of the Dark Net vendors contacted specifically asked to conduct conversations on encrypted chat or other communications platforms.
The study also put together what the researchers call a 3D Dark Net threat assessment tool. The goal was to analyze the 12 broad categories of hacking services used to disrupt the enterprise (e.g. infection attacks such as malware and botnets), and then see how these hacking services are used to precision-target specific industries. On the Dark Net, the four most popular industries or verticals for bespoke attacks include banking (34%), e-commerce (20%), healthcare (15%) and education (12%). The most expensive hacking services encountered by the researchers were custom malware creations (priced at around $1,500) designed to infiltrate bank ATMs. But not all hacking services listed for sale are expensive – stolen credentials and customer lists are so inexpensive that it’s easy to see why the cybercrime economy is growing so fast. For just a few dollars, any hacker now has the ability to target huge, multi-billion-dollar enterprises.
Implications of the Dark Net report
So, faced with these growing threat vectors, what can enterprises realistically do to protect themselves from Dark Net vendors? One key strategy, according to the report, is much greater intelligence-sharing between enterprises and law enforcement authorities. Many enterprises have completely ignored the shadowy world of the Dark Net, but as the researchers note, the Dark Net is a growing threat to the enterprise, and needs to be taken seriously. It’s important to understand the motivations and capabilities of your adversaries.
For example, one major change in cybercriminal activity is the shift to “platform criminality.” Just as corporations like Uber and Amazon create massive platforms to involve as many people as possible across the broader Web, so too are cybercriminals. In many ways, these Dark Net platforms are the “mirror image” of legitimate cyber platforms. According to the UK researchers, though, these Dark Mirror platforms are “nefarious, unregulated and dangerous.”
Ray DeMeo, Co-Founder and COO of Virsec, comments on this shift to platform criminality: “It sounds perverse to say, but the cybercrime business is growing up – becoming more sophisticated, efficient, and compartmentalized. Specialists are focusing on specific pieces of the supply chain, such as password theft, memory attacks, ransomware, and selling personal data in bulk. As part of this, many resources on the Dark Web have become Amazon-like, relying on building ‘good’ reputations with high-quality stolen data. You can literally shop for stolen credit cards, find a very competitive price and get guarantees or credits if a certain percentage don’t work – all for a few Bitcoin. In this context, it’s no surprise that sophisticated hackers are systematically trying to break into top enterprises – they’re following the money.”
Another important implication of the report is that enterprises need to move beyond basic threat detection. The reason is simple: as malware and other hacking services become customized for specific enterprises and specific sectors, they also become harder to detect. Bespoke malware or targeted espionage attacks are a major danger to the enterprise. And, make no mistake about it, these hacking services are sold openly and in volume. According to the researchers, 60% of the cybercriminals that reached out to them to sell network access tools or corporate espionage services offered access to 10 or more enterprises. So this is clearly not just a lone hacker who somehow managed to break into a single corporate network – this is a sustained hacking campaign designed to break into top Fortune 500 or FTSE 100 corporate networks.
Going forward, it’s clear that enterprises need to do more to combat these Dark Net threats. Dark Net hacking activity is on the rise, and is becoming much more focused on extracting wealth from the world’s richest corporations. To ignore this threat is to expose one’s corporation to a myriad of legal, regulatory and cyber risks.