With Just $15 and an Internet Connection, Anyone Can Attack Your Company — Anyone

Hackers can buy sophisticated tech for as little as $2 on the dark net.
By: Courtney DuChene | July 29, 2019

With new threats emerging every day, areas of focus for cyber security are top of mind for most businesses. Cyber criminals now make an estimated $1.5 trillion annually by stealing data and selling it on the dark net, and many businesses don’t know just how vulnerable they are.

A recent webinar, “Behind the Dark Net Black Mirror: Unpacking The Hacker Economy,” took a look at these growing cyber threats and tried to offer businesses advice for combating the risks that can originate on the dark net.

The webinar featured criminology expert Dr. Michael McGuire, whose research focuses on the dark net and the hacker economy. His most recent research efforts are focused on how the dark net affects businesses.

McGuire’s study looked at three primary threats: network compromises, financial attacks and data theft.

In the course of this research, he and his team posed as people interested in buying services from hackers, examined nearly 70,000 different dark net listings across 15 different platforms, and conducted interviews with nearly 30 different dark net vendors.

“We wanted to kind of get under the skin of the dark net a little bit more,” he said.

Sophisticated Technology at Cut-Rate Prices

One of the biggest takeaways from the webinar was just how easy and affordable it is for hackers to access malware and other tools for cyber attacks.

McGuire found that malware services cost anywhere between $3 and $40; remote access trojans (RATs) cost between $2 and $30; and targeting services, which focus on attacking specific businesses, were available for as little as $15, though they could also cost upwards of $50.

Many of the packages even came with instructions on how to use the different types of malware. If tutorials were not included with the original malware purchase, they were easy to obtain and cost as little as $6.

Tools for financial attacks were particularly cheap for hackers to purchase, with phishing tools priced at only $5, fake receipts at $6 and employee credentials at only $2.

Corporate Espionage for All?

According to McGuire, these tools are being increasingly used for targeted attacks and corporate espionage. He said that FBI data shows a 53% growth in investigations related to economic espionage in the last couple of years.

“What we found, and what really surprised me looking at the enterprise specific material we looked at on this probably for the first time, was just how targeted it was. It was, again and again, we were offered malware, which we were told could attack the networks or could get under the skin of a particular corporation,” he said.

“What that told us was that this was going beyond purely criminal activity. The volume of targeting services suggests there was a real demand for spying, for espionage on other company activities presumably from other companies as well as cyber criminals.”

The dark net primarily offered targeted data from finance and e-commerce companies, according to McGuire, but he noted that health care and media companies were also at high risk for these kinds of data and information theft.

McGuire reported 65% of the dark net vendors they were in contact with for the study offered information about specific companies.

Take Insider Threats Seriously

One of the most shocking aspects of McGuire’s research was the number of organizations that were threatened by employees giving cyber criminals access to information.

“I think it’s surprising how many people we found who were using encrypted messaging systems in the workplace and providing backdoor access to cyber criminals,” he said.

Additionally, many businesses are not as prepared for insider threats as they should be. According to Forbes, 68% of 437 IT professionals surveyed said their business was either moderately or extremely vulnerable to insider threats.

Seventy-three percent of those same professionals said insider attacks were becoming more common.

Emails a Cinch to Access

Not all insider threats are caused by people with sinister motivations, however. According to McGuire, internal emails put a lot of private company information at risk. He said corporate emails made up 15% of the data traded on the dark net and that the FBI has seen a 136% increase in business email compromises.

“One of the things I thought was very striking in terms of operational data was the access you could get to business emails, to some of the really sensitive information communications between executives, CEOs, staff members,” he said.

“The content of some of these emails included things like company policy, strategy — high level strategy — there were keywords around payments, hiring, firing, resignation of employees, project costs and so on.”

His team was offered over 200 business emails, and he described the level of information contained in them as “staggering.”

“Quite a few of them had very personal details about office romances that were going on. We had details about team meetings, and some quite unpleasant comments about different members of staff and often how they were performing or not performing,” he said.

“Looking at your emails, being careful about what’s in there is obviously a high priority.”

Put Yourself in an Attacker’s Shoes

McGuire recommended a variety of ways that businesses can go further to enhance their cyber security.

His first recommendation was that companies monitor their employees’ use of the internet, and especially Tor browsers, during work hours. He noted that cell phones should also be monitored as they are commonly used to control attacks from inside the company.

Other recommendations include monitoring emails for sensitive information, making sure your business is up to speed on all the different types of malware and RATs that are out there today, and making sure all the applications used by the company are secure.

But McGuire’s most important piece of advice for risk managers is to find out for themselves how vulnerable their organizations are to operators on the dark net and what kinds of data the dark net has on their company.

“Just go onto the dark net, have a look at what’s out there, have a look at what’s being said about you. You can actually enhance your security by doing that,” he said.

Courtney DuChene is a freelance journalist based in Philadelphia.