Threat Intelligence

6/6/2019 01:15 PM
Inside the Criminal Businesses Built to Target Enterprises

Researchers witness an increase in buying and selling targeted hacking services, custom malware, and corporate network access on the Dark Web.

The Dark Web, long known as a hotbed for buying and selling stolen credit cards, fake passports, drugs, weapons, and other contraband, is a growing market for cybercriminals seeking to target organizations with custom malware, access networks, and disrupt operations.

Dr. Mike McGuire, senior lecturer in criminology at the University of Surrey, has written a series of reports detailing investigations into the darkest corners of the Web. The pool of research, sponsored by Bromium, is broadly titled "Into the Web of Profit." Its latest installment, "Behind the Dark Net Black Mirror: Threats Against the Enterprise," digs into business-focused activity.

The idea behind "Into the Web of Profit" was to research the myriad ways cybercrime is changing and the different ways cybercriminals make money on the Dark Web, which generates $1.5 trillion each year. McGuire admits he didn't intend to focus on businesses when he started.

"It wasn't initially the idea to look directly at the enterprise here," he explains. "But as I started to dig into the data, I realized just how central the enterprise was to this whole process."

McGuire's report examines how "platform criminality" – a form of cybercrime resembling platform-based business models similar to Amazon's and Uber's – is informing a new wave of cybercrime targeting enterprise victims, with data as its top commodity. In the report, Bromium CEO Gregory Webb calls this infrastructure a "candy store" for those hoping to steal intellectual property, trade in corporate secrets, interfere with operations, and spy on their targets.

"What they're after is increasingly less old-fashioned cybercrime," McGuire says. "What they want is operational information, they want revenues as well ... it's almost like a second level of the market." The enterprise is being mined in different ways, he notes. It's all corporate data, but different forms of corporate data have different price tags when sold on the Dark Web.

Risky Business
Compared with 2016, researchers found a 20% rise in the number of Dark Web listings that could potentially harm the enterprise: more targeted malware-for-sale, enterprise-specific DDoS services, corporate information for sale, and brand-spoofing phishing tools.

Sixty percent of listings (drugs excluded) represent opportunities for direct, immediate harm to enterprises, such as network compromises, suspension of online services, and financial loss. Another 15% represent chances for indirect harm, including brand reputation damage. Malware (25%), distributed denial-of-service (20%), and remote access Trojans (17%) are the most common network compromise services. At least 60% of vendors asked about network access offer access to more than 10 business networks.

The market for specialized tools and data used in targeted attacks is growing. Custom malware outsells off-the-shelf malware 2-to-1, McGuire reports, noting a higher demand for zero-day and polymorphic malware, as well as malware tailored to specific industries. He also points to a greater demand for attacks against specific employees: Sellers offer data on financial performance, security systems, internal product manuals, and other sensitive information.

A Gray Area
Contrary to popular belief, the Dark Web is "not just a den of criminal activity," McGuire says, and it presents businesses with an opportunity to learn more about the threats they face. But some companies toe the legal line when it comes to interacting with Dark Web sellers and collecting information on their competitors, or sharing customer or employee blacklists.

Competitive intelligence, or when businesses try to figure out how their rivals operate, is easily translated to the Dark Web, he explains. Information on others' security weaknesses can be used to undermine them in the market; evidence of counterfeit products can damage their authority. Forums can be used to spread rumors or share consumers' opinions, he adds.

Undercover researchers posed as representatives for a midsize organization and contacted 20 Dark Web vendors to ask whether they could obtain specific "items of interest," including data on product trials, employee lists, annual accounts, directors' salaries, and exec travel plans.

When they requested Dark Web hacking services targeting companies in the FTSE 100 or Fortune 500, about 40% of their attempts received positive responses. Prices for services ranged from $150 to $10,000, depending on the company involved. Espionage services (access to the CEO, for example) were offered to researchers for fees ranging from $1,000 to $15,000. Some vendors were suspicious when researchers wouldn't pay up; others refused to respond.

Still, "in a lot of cases they just came back and said they could get that information for us," McGuire says.

Businesses also dabble in sharing blacklists of rogue websites, new malware threats, or problematic customers and employees. Exchanging these lists is "at the boundaries of legality," says McGuire, who calls it "a gray line between intelligence and overly engaging in espionage."

The so-called "greynet" is a term used to describe business activity that isn't quite illegal but not quite legal, either. Engaging in such "semi-licit" activity could risk brand damage or attract attention from law enforcement. Organizations must tread carefully on this quasi-legal ground.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments

NathanDavidson, User Rank: Moderator
6/13/2019 | 3:28:17 AM
Protect from our end
Isn't it scary to know that the dark web has had much more traffic than in previous years? It simply means that cyber attackers are on the loose and rapidly growing in numbers. There really isn't a concrete way for us to stop them, so the only way out would be to protect ourselves from our end. Increase our security settings and prevent as many attacks as possible.