Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/6/2019
01:15 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Inside the Criminal Businesses Built to Target Enterprises

Researchers witness an increase in buying and selling targeted hacking services, custom malware, and corporate network access on the Dark Web.

The Dark Web, long known as a hotbed for buying and selling stolen credit cards, fake passports, drugs, weapons, and other contraband, is a growing market for cybercriminals seeking to target organizations with custom malware, access networks, and disrupt operations.

Dr. Mike McGuire, senior lecturer in criminology at the University of Surrey, has written a series of reports detailing investigations into the darkest corners of the Web. The pool of research, sponsored by Bromium, is broadly titled "Into the Web of Profit." Its latest installment, "Behind the Dark Net Black Mirror: Threats Against the Enterprise," digs into business-focused activity.

The idea behind "Into the Web of Profit" was to research the myriad ways cybercrime is changing and the different ways cybercriminals make money on the Dark Web, which generates $1.5 trillion each year. McGuire admits he didn't intend to focus on businesses when he started.

"It wasn't initially the idea to look directly at the enterprise here," he explains. "But as I started to dig into the data, I realized just how central the enterprise was to this whole process."

McGuire's report examines how "platform criminality" – a form of cybercrime resembling platform-based business models similar to Amazon's and Uber's – is informing a new wave of cybercrime targeting enterprise victims, with data as its top commodity. In the report, Bromium CEO Gregory Webb calls this infrastructure a "candy store" for those hoping to steal intellectual property, trade in corporate secrets, interfere with operations, and spy on their targets.

"What they're after is increasingly less old-fashioned cybercrime," McGuire says. "What they want is operational information, they want revenues as well ... it's almost like a second level of the market." The enterprise is being mined in different ways, he notes. It's all corporate data, but different forms of corporate data have different price tags when sold on the Dark Web.

Risky Business
Compared with 2016, researchers found a 20% rise in the number of Dark Web listings that could potentially harm the enterprise: more targeted malware-for-sale, enterprise-specific DDoS services, corporate information for sale, and brand-spoofing phishing tools.

Sixty percent of listings (drugs excluded) represent opportunities for direct, immediate harm to enterprises, such as network compromises, suspension of online services, and financial loss. Another 15% represent chances for indirect harm, including brand reputation damage. Malware (25%), distributed denial-of-service (20%), and remote acess Trojans (17%) are the most common network compromise services. At least 60% of vendors asked about network access offer access to more than 10 business networks.

The market for specialized tools and data used in targeted attacks is growing. Custom malware outsells off-the-shelf malware 2-to-1, McGuire reports, noting a higher demand for zero-day and polymorphic malware, as well as malware tailored to specific industries. He also points to a greater demand for attacks against specific employees: Sellers offer data on financial performance, security systems, internal product manuals, and other sensitive information.

A Gray Area
Contrary to popular belief, the Dark Web is "not just a den of criminal activity," McGuire says, and it presents businesses with an opportunity to learn more about the threats they face. But some companies toe the legal line when it comes to interacting with Dark Web sellers and collecting information on their competitors, or sharing customer or employee blacklists.

Competitive intelligence, or when businesses try to figure out how their rivals operate, is easily translated to the Dark Web, he explains. Information on others' security weaknesses can be used to undermine them in the market; evidence of counterfeit products can damage their authority. Forums can be used to spread rumors or share consumers' opinions, he adds.

Undercover researchers posed as representatives for a midsize organization and contacted 20 Dark Web vendors to ask whether they could obtain specific "items of interest," including data on product trials, employee lists, annual accounts, directors' salaries, and exec travel plans.

When they requested Dark Web hacking services targeting companies in the FTSE 100 or Fortune 500, about 40% of their attempts received positive responses. Prices for services ranged from $150 to $10,000, depending on the company involved. Espionage services (access to the CEO, for example) were offered to researchers for fees ranging from $1,000 to $15,000. Some vendors were suspicious when researchers wouldn't pay up; others refused to respond.

Still, "in a lot of cases they just came back and said they could get that information for us," McGuire says.

Businesses also dabble in sharing blacklists of rogue websites, new malware threats, or problematic customers and employees. Exchanging these lists is "at the boundaries of legality," says McGuire, who calls it "a gray line between intelligence and overly engaging in espionage."

The so-called "greynet" is a term used to describe business activity that isn't quite illegal but not quite legal, either. Engaging in such "semi-licit" activity could risk brand damage or attract attention from law enforcement. Organizations must tread carefully on this quasi-legal ground.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
NathanDavidson
50%
50%
NathanDavidson,
User Rank: Apprentice
6/13/2019 | 3:28:17 AM
Protect from our end
Isn't it scary to know that the dark web has had much more traffic than previous years? It simply means that cyber attackers are on the loose and rapidly growing in numbers. There really isn't a concrete way for us to stop them so the only way out would be to protect ourselves from our end. Increase our security settings and prevent as much attacks as possible.
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7472
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
CVE-2019-12839
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
CVE-2019-12840
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
CVE-2019-12835
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.
CVE-2019-12830
PUBLISHED: 2019-06-15
In MyBB before 1.8.21, an attacker can exploit a parsing flaw in the Private Message / Post renderer that leads to [video] BBCode persistent XSS to take over any forum account, aka a nested video MyCode issue.