In our first blog in this series, we covered how ransomware groups go about their recruitment, with their large teams comprising many threat actors with niche skill sets. We all know how high-profile, widespread, and lucrative the ransomware industry is. It feels like new groups appear every week. But it’s important to remember that other areas of cybercrime, such as non-encryption-based malware, phishing in its various forms, and credit card fraud are still going strong. Cryptojacking malware attacks grew 300 percent in 2021 alone. Just like the ransomware industry, the threat actors behind these attacks don’t work as one-man armies. The operator of a credential-harvesting botnet may not be the person who developed and prepared it for delivery to the target systems. In the second part of this three-part series, we’ll take a look at how recruitment works for some of the components of the cybercriminal ecosystem that existed long before ransomware: malware development and delivery, phishing, and carding. We’ll identify common trends between them, analyze what’s on offer, and examine how users contract and offer their services.
Malware development and delivery
A ransomware group would be nothing without its ransomware executable, but there’s so much more to malware than just encryption software. From cryptojackers to credential harvesters, banking trojans to botnets, there really is something for every flavor of cybercriminal. The ransomware executable is often the final tool after a whole host of first- and second-stage malware has made its way onto and around a victim’s network, allowing threat actors to gain a foothold and collect sensitive data. Just like ransomware, however, this malware doesn’t simply magic itself up out of the ether. It needs to be developed, obfuscated, and delivered before it can start working, and one threat actor would struggle to complete all these steps on their own.
The first and most involved stage in this chain is malware development. Cybercriminal forums are awash with users advertising and requesting the services of developers to design new malware. Developers may be recruited to work in-house, with a monthly salary and other benefits, or they may be contracted ad hoc, with a one-time payment upon completion of commissioned work.
In most cases, the larger, more sensitive, and technically difficult the project, the more likely the commissioning buyer will want the developer to work within a team. That way, they can more closely oversee the project and ensure it’s coming along on time and to spec. Projects like these likely involve large botnets, banking trojans, and sophisticated ransomware. Users sometimes list detailed requirements and the salary for the role they’re looking to fill, complete with a long description of the nature of the work. Other times, they provide minimal detail, stating only the coding language the applicant needs to know and promising a “high” salary.
For smaller projects, like a script for automating log checking or a credential stealer, commissioning buyers typically provide more detail about what they need the developer to do and list their “budget” for the project. The more high-profile the work, the fewer details employers may want to give away due to operational security concerns.
There’s more work to be done after the malware has been developed. The threat actor will need many more components, like binders or installers, to get their malware past defenses and onto the target networks. A threat actor might have the skills or motivation to complete all these parts of the process themselves, but it may be cheaper, quicker, and easier to hire a specialist to do it for them. Requests for these services are mostly linked to ad hoc, one-off work, although encryption specialists will likely see the most repeat work; their forum profiles often have the highest reputation scores out of these providers. After all, the best malware in the world is useless if it gets detected by antivirus software as soon as it reaches the victim’s system. Scamming in this area is pretty common; many threads in forum arbitration sections see users complaining that commissioned work was not carried out, or not completed to the required standard.
Phishing and vishing
Ah, phishing… This social engineering technique has been a mainstay of the cybercriminal world for decades, and it doesn’t look to be going away anytime soon. From the most sophisticated ransomware campaign to the crudest Nigerian prince scam, phishing is often an essential part of any cybercriminal attack. No matter how good automated detection, firewalls, and antivirus software get, cybercriminals will always seek out phishing specialists to exploit human fallibility. One click of a button and a malicious email can slip past our nets. So how does recruitment work for phishers?
For email and landing page (fake website) phishing, it’s almost always ad hoc. Forum users list what they need crafting, potentially stating their budget, and if a phisher thinks they can fulfill the requirements, they’ll usually initiate contact via private message. For more sophisticated types of phishing, such as reverse proxy phishing, attackers can turn to the many phishing-as-a-service (PHaaS) providers already advertising their services on forums. Providers give very detailed specifications about what they can do, and even list daily rates for the uptime of commonly cloned landing pages such as social media platforms, cryptocurrency exchanges, and online banking platforms. The ecosystem is very developed, and it’s a seller’s market. As a result, scamming is common. Buyers often complain that phishing pages only last minutes before being taken down, that phishing emails don’t make it to victims’ inboxes, or that the promised service simply didn’t work.
Voice phishing or “vishing”–the social engineering technique that uses telephony to gain the trust of a victim–is a bit more niche. While it might be less technically challenging than creating a perfectly cloned phishing page, it may require an attacker to be dynamic and think on the fly. Vishers, or “callers” as they’re referred to on forums, are often highly sought after due to their unique social engineering skill set. The threat actor who is the brains behind an attack may not be able to conduct a simple voice call, just like an esteemed author might make for a terrible actor.
Recruiters often advertise for vishing roles based on language competency and regional accent (good luck making a convincing English-language vishing call if you don’t speak English), gender (many attackers believe that victims are more likely to believe a woman’s voice), and technical knowledge (someone pretending to be calling from your bank shouldn’t be stumped by what “overdraft fees” are or what a CVV is). However, experience is the most sought-after factor, with many recruiters stipulating that a history of conducting this sort of work is a requirement. This work can be pretty lucrative as well. We’ve seen offerings of USD 1,000 per call. Not bad work if you can get it.
Carding
Despite widespread complaints on cybercriminal forums that “carding is dead,” the number of dedicated carding forums and threads advertising stolen card information indicates that carding is still an important part of the underground ecosystem in 2022. Unlike malware development/delivery and phishing, which are components of a larger attack chain, carding is both the means and the end.
Perhaps the most common and basic form of carding is referred to as stuff carding: buying goods, or stuff, with stolen card information, and then using or selling the stolen goods. Although the attack method may be easy in comparison to setting up a botnet, it’s much riskier for the attacker. To receive the fraudulently purchased goods, carders must ship them to a physical address, which means compromising their anonymity. A way around this is hiring carding “mules”, who provide their own address for shipping, receive the delivery, and then physically deliver the fraudulently purchased goods to the carder for a small fee. It’s very easy work, with no technical skills required, but it entails a very high risk of getting caught. “I don’t know why these goods have been delivered to my house, I didn’t buy them!” probably isn’t going to cut it with law enforcement.
It’s likely that once a beginner carder gains experience, they outsource the risky part to a mule. Mules are often the most junior of cybercriminals looking to get their foot on the cybercriminal ladder. Threat actors requesting and offering mule work are ubiquitous on forums, with users listing their location and fees. It’s a mixture of ad hoc and in-house work: Although working as a mule is probably not a long-term career, stuff carders will seek to work with someone they know will reliably deliver the goods.
CC/CVV and fullz providers
Not all threat actors who fraudulently purchase goods will have stolen the credit card details themselves. It’s much more likely that they will have purchased them from another cybercriminal who perhaps uses a card skimmer or banking trojan to harvest payment credentials. However, the trade of card numbers, CVVs, and “fullz” (full card information, including name and address), is absolutely rife with scams. Vendors may pass off made-up card numbers as valid, and entire credit card shops may be scam websites designed to steal a carder’s funds and account credentials. Reliable, in-house carders are therefore highly sought after. The credential stealers have a guaranteed buyer, and the buyers can trust that the credentials they’re purchasing will have a high validity rate. Larger-scale carders take the scattergun approach and make card “scoop” threads, where they offer to buy any and all card details on offer. The theory is that if you buy in sufficient volume, even a low validity rate will result in profit.
Partnerships, language barriers, and scams
A common theme links all these disparate types of cybercriminal recruitment: the prevalence of scams. Reviews about working with cybercriminal employers can be bought and faked. Cybercriminals can hardly take each other to court for the non-delivery of goods or hold each other liable for the non-completion of a project. They may find that the black-hat developer they were paying USD 3,000 a month for malware development simply disappears before the project is finished. Likewise, a developer can’t sue for non-payment of wages if the ransomware group they work for decides not to pay upon completion of a project.
Forum users do have some methods of loss prevention and recourse to justice. Forum reputation and account age are big giveaways about the credibility of a threat actor: the higher they are, the more likely a new cybercriminal employee will follow through on what they promise to deliver for their employer. One forum user recently explicitly stated they don’t even look at posts from users with low reputations and short forum tenures. Salaries and fees commanded by experienced users are comparatively higher. Additionally, if something does go wrong, users can initiate claims in a forum’s Arbitration section (if it has one), and the wronged party may be awarded funds taken from the wrongdoer’s forum deposit (if they have one). For this reason, users seeking to contract for difficult projects, such as zero-day exploit development, often have very large forum deposits, which may stretch to the hundreds of thousands or even millions of US dollars.
We’ve often noticed that there are significant issues with the language barrier between cybercriminal forum users. Forums are diverse places, and although much of the communication occurs in Russian and English, it’s evident from chat logs uploaded as evidence in claims in the Arbitration section that these are not the first languages for many users. Recruitment can be difficult in this context, and many disputes appear to have originated from one of the parties not fully understanding what the other wants. A job description may not be entirely clear; a software developer may design malware that’s not up to the commissioner’s specs. Heavy usage of criminal slang and jargon doesn’t help either.
As with ransomware, by tracking which services and roles cybercriminal groups are trying to recruit, Digital Shadows (now ReliaQuest) keeps track of cybercriminal market trends. If hiring voice callers is suddenly all the rage, companies should brace for a potential increase in vishing attacks. Digital Shadows (now ReliaQuest) monitors cybercriminal forums on a daily basis, tracking cybercriminal recruitment, announcements, behavior, and related chatter. If you’d like to take advantage of this intelligence, as well as countless other insights into the dark web and cybercriminal underworld, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.