Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/6/2019
01:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Inside the Criminal Businesses Built to Target Enterprises

Researchers witness an increase in buying and selling targeted hacking services, custom malware, and corporate network access on the Dark Web.

The Dark Web, long known as a hotbed for buying and selling stolen credit cards, fake passports, drugs, weapons, and other contraband, is a growing market for cybercriminals seeking to target organizations with custom malware, access networks, and disrupt operations.

Dr. Mike McGuire, senior lecturer in criminology at the University of Surrey, has written a series of reports detailing investigations into the darkest corners of the Web. The pool of research, sponsored by Bromium, is broadly titled "Into the Web of Profit." Its latest installment, "Behind the Dark Net Black Mirror: Threats Against the Enterprise," digs into business-focused activity.

The idea behind "Into the Web of Profit" was to research the myriad ways cybercrime is changing and the different ways cybercriminals make money on the Dark Web, which generates $1.5 trillion each year. McGuire admits he didn't intend to focus on businesses when he started.

"It wasn't initially the idea to look directly at the enterprise here," he explains. "But as I started to dig into the data, I realized just how central the enterprise was to this whole process."

McGuire's report examines how "platform criminality" – a form of cybercrime resembling platform-based business models similar to Amazon's and Uber's – is informing a new wave of cybercrime targeting enterprise victims, with data as its top commodity. In the report, Bromium CEO Gregory Webb calls this infrastructure a "candy store" for those hoping to steal intellectual property, trade in corporate secrets, interfere with operations, and spy on their targets.

"What they're after is increasingly less old-fashioned cybercrime," McGuire says. "What they want is operational information, they want revenues as well ... it's almost like a second level of the market." The enterprise is being mined in different ways, he notes. It's all corporate data, but different forms of corporate data have different price tags when sold on the Dark Web.

Risky Business
Compared with 2016, researchers found a 20% rise in the number of Dark Web listings that could potentially harm the enterprise: more targeted malware-for-sale, enterprise-specific DDoS services, corporate information for sale, and brand-spoofing phishing tools.

Sixty percent of listings (drugs excluded) represent opportunities for direct, immediate harm to enterprises, such as network compromises, suspension of online services, and financial loss. Another 15% represent chances for indirect harm, including brand reputation damage. Malware (25%), distributed denial-of-service (20%), and remote acess Trojans (17%) are the most common network compromise services. At least 60% of vendors asked about network access offer access to more than 10 business networks.

The market for specialized tools and data used in targeted attacks is growing. Custom malware outsells off-the-shelf malware 2-to-1, McGuire reports, noting a higher demand for zero-day and polymorphic malware, as well as malware tailored to specific industries. He also points to a greater demand for attacks against specific employees: Sellers offer data on financial performance, security systems, internal product manuals, and other sensitive information.

A Gray Area
Contrary to popular belief, the Dark Web is "not just a den of criminal activity," McGuire says, and it presents businesses with an opportunity to learn more about the threats they face. But some companies toe the legal line when it comes to interacting with Dark Web sellers and collecting information on their competitors, or sharing customer or employee blacklists.

Competitive intelligence, or when businesses try to figure out how their rivals operate, is easily translated to the Dark Web, he explains. Information on others' security weaknesses can be used to undermine them in the market; evidence of counterfeit products can damage their authority. Forums can be used to spread rumors or share consumers' opinions, he adds.

Undercover researchers posed as representatives for a midsize organization and contacted 20 Dark Web vendors to ask whether they could obtain specific "items of interest," including data on product trials, employee lists, annual accounts, directors' salaries, and exec travel plans.

When they requested Dark Web hacking services targeting companies in the FTSE 100 or Fortune 500, about 40% of their attempts received positive responses. Prices for services ranged from $150 to $10,000, depending on the company involved. Espionage services (access to the CEO, for example) were offered to researchers for fees ranging from $1,000 to $15,000. Some vendors were suspicious when researchers wouldn't pay up; others refused to respond.

Still, "in a lot of cases they just came back and said they could get that information for us," McGuire says.

Businesses also dabble in sharing blacklists of rogue websites, new malware threats, or problematic customers and employees. Exchanging these lists is "at the boundaries of legality," says McGuire, who calls it "a gray line between intelligence and overly engaging in espionage."

The so-called "greynet" is a term used to describe business activity that isn't quite illegal but not quite legal, either. Engaging in such "semi-licit" activity could risk brand damage or attract attention from law enforcement. Organizations must tread carefully on this quasi-legal ground.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
6/13/2019 | 3:28:17 AM
Protect from our end
Isn't it scary to know that the dark web has had much more traffic than previous years? It simply means that cyber attackers are on the loose and rapidly growing in numbers. There really isn't a concrete way for us to stop them so the only way out would be to protect ourselves from our end. Increase our security settings and prevent as much attacks as possible.
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
New FISMA Report Shows Progress, Gaps in Federal Cybersecurity
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/21/2019
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15516
PUBLISHED: 2019-08-23
Cuberite before 2019-06-11 allows webadmin directory traversal via ....// because the protection mechanism simply removes one ../ substring.
CVE-2019-15517
PUBLISHED: 2019-08-23
jc21 Nginx Proxy Manager before 2.0.13 allows %2e%2e%2f directory traversal.
CVE-2019-15518
PUBLISHED: 2019-08-23
Swoole before 4.2.13 allows directory traversal in swPort_http_static_handler.
CVE-2019-15519
PUBLISHED: 2019-08-23
Power-Response before 2019-02-02 allows directory traversal (up to the application's main directory) via a plugin.
CVE-2019-15520
PUBLISHED: 2019-08-23
comelz Quark before 2019-03-26 allows directory traversal to locations outside of the project directory.