Hack-for-hire groups specialize in mailbox compromise. Learn more about these cybercriminals and the threats they represent.
In the world of cybercrime, different types of threat actors exist. It is becoming increasingly common to read about companies that sell offensive services such as spyware or commercial surveillance. Other actors are state-sponsored. Yet another class of threat actor exists, dubbed hack-for-hire.
Google's Threat Analysis Group (TAG) has released a new report about this kind of threat and how it works, using India, Russia and the United Arab Emirates as examples of this ecosystem.
Who are the hackers for hire?
Hack-for-hire actors specialize in compromising accounts (usually mailboxes) and extracting data as a service. They sell those services to people who lack the skills or means to do it themselves.
While some companies publicly advertise their services to anyone who pays, others stay under the radar and only sell to a limited clientele.
Some hack-for-hire outfits work through third parties, usually private investigation firms, which act as intermediaries between the client and the threat actor. Some hack-for-hire companies also choose to work with experienced freelancers rather than hiring them directly.
Indian hack-for-hire
Google's TAG has chosen to share details about Indian hack-for-hire companies, indicating that it is tracking an interwoven set of Indian hack-for-hire actors, many of whom were previously employed by the Indian offensive security companies Appin Security and Belltrox (Figure A).
TAG links former employees of both companies to Rebsec, a new firm that openly advertises corporate espionage services on its commercial website (Figure B).
Russian hack-for-hire
A Russian hack-for-hire group has been tracked by TAG since 2017. It targets ordinary citizens of Russia and neighboring countries, as well as journalists, politicians, and various NGOs and non-profit organizations.
In those campaigns, the threat actor used credential phishing emails that looked the same regardless of the target. The phishing pages victims were directed to impersonated Gmail and other webmail providers, or Russian government agencies.
A public website dating back to 2018 provides more information and advertises the service, which covers compromising email boxes and social media accounts (Figure C).
As is common in the Russian cybercriminal underground, the threat actor also collects positive reviews of its services on well-known criminal marketplaces such as Probiv.cc or Dublikat.
Hack-for-hire in the UAE
A hack-for-hire group tracked by TAG is mostly active in the Middle East and North Africa region and targets government, education and political organizations, including Europe-based NGOs focused on the Middle East and the Palestinian political party Fatah.
This actor uses a custom phishing toolkit, mainly to steal valid credentials from its targets with Google or Outlook Web Access (OWA) password reset lures, built on Selenium, a tool for automating tasks in a web browser.
Once an account is compromised, persistence is maintained by granting OAuth tokens to legitimate email clients such as Thunderbird, or by linking the victim's Gmail account to another email account owned by the threat actor.
Interestingly, this threat actor may be associated with the original developer of the infamous njRAT malware, also known as Bladabindi, H-Worm or Houdini Worm.
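Both persistence mechanisms leave traces in account audit logs. As an added example (not from the TAG report or this article), the following Python routine flags OAuth grants to mail clients and newly added external forwarding addresses when they follow a login; the simplified JSON log schema, the trusted domain and the addresses are all constructed assumptions, not Google's real log format.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified audit-log format
# (not Google's real Workspace log schema): one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2022-06-30T09:12:03Z", "user": "activist@example.org", "event": "login", "ip": "203.0.113.7"}
{"ts": "2022-06-30T09:13:40Z", "user": "activist@example.org", "event": "oauth_grant", "app": "Thunderbird", "scopes": ["mail.read", "mail.send"], "ip": "203.0.113.7"}
{"ts": "2022-06-30T09:15:02Z", "user": "activist@example.org", "event": "forwarding_added", "to": "collector@attacker-mail.example", "ip": "203.0.113.7"}
{"ts": "2022-06-30T11:02:11Z", "user": "editor@example.org", "event": "login", "ip": "198.51.100.9"}
{"ts": "2022-07-01T08:00:00Z", "user": "editor@example.org", "event": "forwarding_added", "to": "editor@example.org", "ip": "198.51.100.9"}
"""

TRUSTED_MAIL_DOMAINS = {"example.org"}  # assumption: the organisation's own domain(s)
WINDOW = timedelta(hours=1)  # a persistence change soon after a login is the pattern to catch

def parse_events(text):
    """Parse one JSON event per line and return them ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def find_persistence(events):
    """Alert on the two persistence techniques: OAuth grants with mail scopes
    to a client app, and forwarding to an address outside trusted domains.
    Each alert notes whether a login preceded it within WINDOW."""
    alerts = []
    last_login = {}  # user -> timestamp of most recent login
    for ev in events:
        user = ev["user"]
        if ev["event"] == "login":
            last_login[user] = ev["ts"]
            continue
        if ev["event"] == "oauth_grant" and "mail.read" in ev.get("scopes", []):
            reason = f"OAuth grant with mail scopes to {ev['app']}"
        elif ev["event"] == "forwarding_added":
            domain = ev["to"].rsplit("@", 1)[-1].lower()
            if domain in TRUSTED_MAIL_DOMAINS:
                continue  # internal forwarding is routine; external is the exfiltration path
            reason = f"mail forwarding to external address {ev['to']}"
        else:
            continue
        login_ts = last_login.get(user)
        recent = login_ts is not None and ev["ts"] - login_ts <= WINDOW
        alerts.append({"user": user, "ts": ev["ts"].isoformat(),
                       "reason": reason, "after_recent_login": recent})
    return alerts

if __name__ == "__main__":
    for alert in find_persistence(parse_events(SAMPLE_LOG)):
        print(alert)
```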
Who are the hacker-for-hire targets?
The most common targets of such operations are political activists, journalists, human rights defenders and other high-risk users around the world.
Companies, lawyers and attorneys are also at risk, because hack-for-hire actors are sometimes hired to target them before or during an expected lawsuit. They can also be targeted for corporate espionage and theft of trade secrets.
Finally, any citizen can be targeted, since some hack-for-hire structures compromise accounts cheaply and sell access to anyone, often a spouse looking for information on an ongoing dispute.
How to protect against hack-for-hire?
Most of these threat actors use email phishing as their starting point and usually go no further than mailbox takeover and data exfiltration, which means they don't necessarily need any malware; social engineering techniques are enough.
Raise awareness of email phishing and related fraud attempts. Multi-factor authentication should also be deployed wherever possible to add a layer of protection against these attackers.
Google recommends that high-risk users enroll in the Advanced Protection Program, turn on account-level Enhanced Safe Browsing, and make sure all devices are up to date.
Finally, never authenticate on a web page reached by clicking a link in an email. Always navigate to the service's legitimate page yourself and authenticate there, without using any links.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.