Andrada Fiscutean
Freelance writer

Booming dark web gig economy is a rising threat

Feature
Mar 30, 2021 (9 mins)
Black Hat, Hacker Groups, Internet Security

Experts have seen a sharp increase in help-wanted ads for black hat hackers-for-hire. Here's what they are targeting and how to respond to the threat.


“I need a site hacker for $2,000,” “Break this site for $10K,” “Can you collect information from our competitors’ websites?” or “Can you delete reviews? Budget $300.”

Posts like these, in which individuals try to hire black hats, have flooded some of the most active hacking forums on the dark web. Most such messages are about attacking websites, buying and selling customer databases, or gaining access to corporate web resources. Most people want to buy, but a few also sell. Both new and experienced cyber criminals advertise what they can offer, revealing their expertise and their willingness to break the law.

Researchers at security company Positive Technologies analyzed the top ten most notorious forums on the dark web, and said that, in the past year, they have seen an increase in posts like these. More than eight million users are registered on these forums and have published over 80 million messages in total. 

“We looked at hacking services that would present a threat to the security of corporate websites or web applications,” Vadim Solovyev, senior information security analyst, says. “We have noticed a surge of interest in website hacking.”

Roman Sannikov, director at Insikt Group, Recorded Future, says that his company also noticed an increase in such activities on the dark web. It started even before the pandemic, but it further intensified as more employees switched to working remotely.

Breaking a regular website usually costs below $10,000, while custom databases are priced between $100 and $20,000, or between $5 and $50 per 1,000 entries, the Positive Technologies report said.

As always, some hackers who offer their skills like to brag about their strong work “ethics.” “I offer a service for targeted hacking of the resources you are interested in on the network […] No payment – payment only after providing evidence that accessed the database, filled shell or a compromised server,” one of the ads reads.

Services bought and sold on the dark web 

The vast majority of the posts, 90%, come from people interested in buying hacking services, while 7% are written by criminals advertising what they can do. The remaining are for selling hacking tools and programs (2%) and for finding accomplices (1%)—people willing to share their experience with “like-minded professionals.”

Solovyev says, though, that those 7% of posts offering hacking services should not be underestimated, as it’s difficult to know how many customers they attract. Usually, the services offered on these forums are highly specialized, he says, and very few people can combine various competencies. “If we are talking about hacking websites, some [black hats] are good at hacking websites to get access to them, while others know what can be done with these accesses,” he says.

Figure: Request to purchase access to breached websites (Positive Technologies)

Recorded Future’s Sannikov agrees. “Once the individuals gain unauthorized access, they frequently don’t do anything with it themselves, that is outside their specific area of expertise,” he says. “Instead, they sell the access to others, who then extract sensitive information, drop malware, create a botnet, or lock systems.”

When Positive Technologies researchers looked at ads posted by buyers, they noticed that 69% were related to website hacking, while 21% were aimed at obtaining user or client databases from a target—the kind of information competitors and spammers are usually interested in, according to Solovyev.

Figure: Custom website hacking services offered (Positive Technologies)

A few people, about 4% of the total, wanted to inject malicious code into websites, a behavior that might be connected to watering hole attacks or web skimmers. A smaller group of criminals (3%) looked for someone willing to hack a website to delete specific data, such as negative reviews about a company. Lastly, an even smaller class of posts offered ready-made programs and hacking scripts for sale.

Solovyev is not surprised that users on hacking forums want to target websites. “When companies launch websites, most often security is not the number one concern,” he says. “We would like businesses to understand that website and user security should be given serious attention because a company’s reputation, business stability, and customer satisfaction depend on it.”

Hacking a website can cost as much as $10,000, according to the ads found by Solovyev’s team. However, some buyers budget only a few hundred dollars for such jobs. The market is diverse, and anything that can be bought for criminal purposes will be, possibly at a bargain.

Figure: Request to breach a specific website (Positive Technologies)

People want to acquire web shells, access to the administration interfaces of websites, or ready-made exploits that can be used to inject SQL code. Web shells (files uploaded to a server that an attacker can use to execute OS commands through the web interface), for instance, can cost between a few cents and $1,000, a price that’s low because the privileges obtained are limited, Solovyev explains.

Dark web market for personal data is thriving

Among the most common ads are those that target online stores. Hacking these companies usually costs between $50 and $2,000. Attackers often want to inject malicious JavaScript code into websites to catch data entered by shoppers. “Customers register on these websites by leaving their personal data. They make purchases by entering credit card information and use cloud services to store information,” Solovyev says.

His team noticed that databases that are already hacked can be priced as high as $20,000, or up to $50 per 1,000 entries. User entries usually contain information such as username, email address, full name, phone number, home address, date of birth and, sometimes, even social security number. “The traditional buying and selling of stolen or leaked databases is still widely common due to the potential criminal opportunities that could stem from them,” according to Stefano DiBlasi, threat researcher at Digital Shadows. “For example, financially motivated adversaries can exploit stolen credit card details extracted from a database to launder stolen money. Additionally, personally identifiable information can be leveraged by cybercriminals for various purposes, including unemployment and tax relief frauds, as well as identity theft and account takeover,” he says.

For these reasons, DiBlasi says the database market is thriving more than the market for website hacking, which is instead characterized by high demand and low supply.

How to mitigate the cybercrime-for-hire risk

Of course, companies should be monitoring dark web ad postings for requests or offers that target them or their industry. Beyond that, here’s what experts believe organizations should focus on:

Improve website security

Solovyev’s team found many ads that targeted web resources. Companies, he says, don’t protect these enough, and the consequences can be devastating. If the web service is hosted on a server connected to the internal network, the attacker could theoretically penetrate the corporate infrastructure. “If a hacker gains control over a web resource, he or she can change the information on it, place malicious software, and intercept credit card numbers that users enter when paying for goods and services,” he says.

Moreover, a previous report published by Positive Technologies in August 2020 showed that 86% of the companies that were pentested proved to be vulnerable because of their insufficient protection of web applications. “Web applications are often created in-house by companies with little to no experience in developing commercial software and consider security only as an afterthought if at all, so it’s no surprise that websites have become an entry point of choice for cyberthieves,” Solovyev says.

Hacking a company’s web applications can lead to data leaks or privacy regulation violations, but an attacker can also use that organization’s resources as a platform for spreading malware or for storing tools that will be downloaded during other attacks. 

Review approach to web application security

The likelihood that a company will become a victim of an attack has increased significantly because criminal groups no longer need to hack sites purposefully: They can simply buy a bundle of accesses on the dark web in one piece, Solovyev says. He believes that companies may find themselves “under intensified attacks by low-skilled hackers who en masse search for known vulnerabilities on websites.”

“To minimize attacks on web resources, organizations should employ a comprehensive approach to web application security that includes detailed analysis and testing, as well as implementing technologies such as web application firewalls or proactive protection against attacks,” Solovyev says. When building a security system, he recommends following the principles of a risk-oriented approach that accounts for the magnitude of negative consequences that the company can tolerate.

Guard against phishing and business email compromise

Recorded Future’s Sannikov argues that one of the biggest areas of concern for organizations should be phishing and business email compromise. “With so much information available through compromised credentials via things like sniffers and web injects, as well as documents leaked on extortion sites, it has become much easier for threat actors to access employee accounts and then move laterally through the company to perform privilege escalation or business email compromise,” he says.

“Also, with the documents leaked on extortion sites, threat actors can more easily develop convincing lures to target the partner organizations of victim companies. If a threat actor finds an invoice from the victim to a third party, they can easily spoof it and send it to the same individual at the third party who was working on it in the first place,” says Sannikov.

He advises companies to stay informed and keep track of all the web injects advertised on the dark web platforms. “Keeping an eye on the extortion sites to see if a third party you are working with has been victimized will help you put red flags around any communication or interaction that you may have had with that company,” Sannikov says.

Patch and follow good security hygiene

DiBlasi adds that black hat hackers are often opportunistic and will likely attempt to target the “low-hanging fruit” first. “The most effective way to prevent these attacks is to ensure that your company is a hardened target by installing updated security patches and implementing best cyber hygiene practices,” he said. “Additionally, having an in-house or outsourced cyber threat intelligence team can support the security teams’ efforts to prioritize security measures and mitigate potential threats.”

According to DiBlasi, companies operating online should always assume cybercriminals are actively targeting their data or will in the future.