Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/6/2019
01:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Inside the Criminal Businesses Built to Target Enterprises

Researchers witness an increase in buying and selling targeted hacking services, custom malware, and corporate network access on the Dark Web.

The Dark Web, long known as a hotbed for buying and selling stolen credit cards, fake passports, drugs, weapons, and other contraband, is a growing market for cybercriminals seeking to target organizations with custom malware, access networks, and disrupt operations.

Dr. Mike McGuire, senior lecturer in criminology at the University of Surrey, has written a series of reports detailing investigations into the darkest corners of the Web. The pool of research, sponsored by Bromium, is broadly titled "Into the Web of Profit." Its latest installment, "Behind the Dark Net Black Mirror: Threats Against the Enterprise," digs into business-focused activity.

The idea behind "Into the Web of Profit" was to research the myriad ways cybercrime is changing and the different ways cybercriminals make money on the Dark Web, which generates $1.5 trillion each year. McGuire admits he didn't intend to focus on businesses when he started.

"It wasn't initially the idea to look directly at the enterprise here," he explains. "But as I started to dig into the data, I realized just how central the enterprise was to this whole process."

McGuire's report examines how "platform criminality" – a form of cybercrime resembling platform-based business models similar to Amazon's and Uber's – is informing a new wave of cybercrime targeting enterprise victims, with data as its top commodity. In the report, Bromium CEO Gregory Webb calls this infrastructure a "candy store" for those hoping to steal intellectual property, trade in corporate secrets, interfere with operations, and spy on their targets.

"What they're after is increasingly less old-fashioned cybercrime," McGuire says. "What they want is operational information, they want revenues as well ... it's almost like a second level of the market." The enterprise is being mined in different ways, he notes. It's all corporate data, but different forms of corporate data have different price tags when sold on the Dark Web.

Risky Business
Compared with 2016, researchers found a 20% rise in the number of Dark Web listings that could potentially harm the enterprise: more targeted malware-for-sale, enterprise-specific DDoS services, corporate information for sale, and brand-spoofing phishing tools.

Sixty percent of listings (drugs excluded) represent opportunities for direct, immediate harm to enterprises, such as network compromises, suspension of online services, and financial loss. Another 15% represent chances for indirect harm, including brand reputation damage. Malware (25%), distributed denial-of-service (20%), and remote acess Trojans (17%) are the most common network compromise services. At least 60% of vendors asked about network access offer access to more than 10 business networks.

The market for specialized tools and data used in targeted attacks is growing. Custom malware outsells off-the-shelf malware 2-to-1, McGuire reports, noting a higher demand for zero-day and polymorphic malware, as well as malware tailored to specific industries. He also points to a greater demand for attacks against specific employees: Sellers offer data on financial performance, security systems, internal product manuals, and other sensitive information.

A Gray Area
Contrary to popular belief, the Dark Web is "not just a den of criminal activity," McGuire says, and it presents businesses with an opportunity to learn more about the threats they face. But some companies toe the legal line when it comes to interacting with Dark Web sellers and collecting information on their competitors, or sharing customer or employee blacklists.

Competitive intelligence, or when businesses try to figure out how their rivals operate, is easily translated to the Dark Web, he explains. Information on others' security weaknesses can be used to undermine them in the market; evidence of counterfeit products can damage their authority. Forums can be used to spread rumors or share consumers' opinions, he adds.

Undercover researchers posed as representatives for a midsize organization and contacted 20 Dark Web vendors to ask whether they could obtain specific "items of interest," including data on product trials, employee lists, annual accounts, directors' salaries, and exec travel plans.

When they requested Dark Web hacking services targeting companies in the FTSE 100 or Fortune 500, about 40% of their attempts received positive responses. Prices for services ranged from $150 to $10,000, depending on the company involved. Espionage services (access to the CEO, for example) were offered to researchers for fees ranging from $1,000 to $15,000. Some vendors were suspicious when researchers wouldn't pay up; others refused to respond.

Still, "in a lot of cases they just came back and said they could get that information for us," McGuire says.

Businesses also dabble in sharing blacklists of rogue websites, new malware threats, or problematic customers and employees. Exchanging these lists is "at the boundaries of legality," says McGuire, who calls it "a gray line between intelligence and overly engaging in espionage."

The so-called "greynet" is a term used to describe business activity that isn't quite illegal but not quite legal, either. Engaging in such "semi-licit" activity could risk brand damage or attract attention from law enforcement. Organizations must tread carefully on this quasi-legal ground.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Moderator
6/13/2019 | 3:28:17 AM
Protect from our end
Isn't it scary to know that the dark web has had much more traffic than previous years? It simply means that cyber attackers are on the loose and rapidly growing in numbers. There really isn't a concrete way for us to stop them so the only way out would be to protect ourselves from our end. Increase our security settings and prevent as much attacks as possible.
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27852
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in the survey feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via a textarea field. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE-2021-3137
PUBLISHED: 2021-01-20
XWiki 12.10.2 allows XSS via an SVG document to the upload feature of the comment section.
CVE-2020-27850
PUBLISHED: 2021-01-20
A stored Cross-Site Scripting (XSS) vulnerability in forms import feature in Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary web script or HTML via the import of a GF form. This code is interpreted by users in a privileged role (Administrator, Editor, etc.).
CVE-2020-27851
PUBLISHED: 2021-01-20
Multiple stored HTML injection vulnerabilities in the "poll" and "quiz" features in an additional paid add-on of Rocketgenius Gravity Forms before 2.4.21 allows remote attackers to inject arbitrary HTML code via poll or quiz answers. This code is interpreted by users in a privile...
CVE-2020-13134
PUBLISHED: 2021-01-20
Tufin SecureChange prior to R19.3 HF3 and R20-1 HF1 are vulnerable to stored XSS. The successful exploitation requires admin privileges (for storing the XSS payload itself), and can exploit (be triggered by) admin users. All TOS versions with SecureChange deployments prior to R19.3 HF3 and R20-1 HF1...