Coming from inside the building: dark web recruitment of malicious insiders

Underground threat actors typically seek retail insiders to receive goods for free. One common scheme in which they can involve insiders is refund fraud, also known as refunding, in which an actor claims undeserved refunds for a product.

There are many techniques to carry out this type of attack, including reporting that an empty box or damaged item arrived or returning an empty box. However, most methods require convincing an employee to accept the story; it is easier to carry out a fake return if they are already a willing accomplice.

Some threat actors state quite plainly that they are seeking insiders for refund scams. In the examples below, one actor offers $5,000 for an insider responsible for returns at Walmart or any other retailer, while another offers an undisclosed sum to insiders who work with them.

Other actors are not as explicit about wanting an insider to assist with refund scams. For example, the actor in the post below sought an Amazon insider, preferably a customer support supervisor. Someone in this role would be able to authorize returns.

Threat actors also recruit insiders in e-commerce. For example, this actor seeks eBay insiders who can unblock suspended accounts.

Another actor persistently sought insiders at lego.com to provide information about orders, posting eight times in two months.

However, in many postings, there are few, if any, clues about why an insider is requested, though we may presume that they are related to theft. One actor seeks an Amazon warehouse worker; another seeks an Amazon India employee who can assist with bulk orders, and another seeks associates at a long and varied list of companies to help with “customer lookups,” to provide sensitive and confidential customer data.

Underground threat actors recruit insiders in shipping and logistics primarily to execute fraudulent tracking scans. Just like in the example below where an actor seeks an insider at UPS and other couriers to perform scans.

Insider scans are another technique in refund scams. In this scheme, an actor requests to return an item to an e-commerce store. An accomplice in the shipping company scans the shipping label, confirming to the retailer that the item is in transit. The retailer issues a refund but never receives the package. Fraudsters can also use insider scans and courier insiders to simply “ship” a package that disappears, allowing them to claim insurance for their losses.

The examples below show how malicious actors go about performing these scams. In one image an actor seeking insider scans at UPS, DHL, and other carriers to assist with refund scams and in the following an actor looking for employees at UPS, FedEx, USPS or other couriers.

Many posts recruiting courier insiders, such as the example below, offer “big money” to malicious employees.

Others offer insider scans as a service such as the post below, requesting $60 per scan at FedEx, UPS, Royal Mail, and other couriers.

Threat actors target insiders at social media companies to ban, un-ban and access customer data. The examples below show how one actor on Telegram claimed to be “paying good” for someone at Instagram or X (formerly Twitter), and another offered “$$$$$$” for someone at Snapchat.

If the post specifies the function of the desired insider, it generally has to do with banning, unbanning, or verifying accounts. In addition to this, actors also seek social media employees to provide a user’s personal information.

An insider at a bank or other financial services company might be the necessary link to execute a large, fraudulent scheme. Underground actors use insiders at banks to approve payments and money transfers, enabling fraudsters to move and launder money. In the next example, an actor claims to have an insider at Metro, Santander, and Barclays that can approve payments of up to GBP90,000-GBP200,000 (depending on the bank). The actor notes that these payments appear legitimate and do not burn the account.

In this next example, an actor claims to have a Bank of America insider onboard. The actor is seeking account and routing information, as well as mobile phone numbers, in order to carry out their scheme.

Insiders also allegedly assist with “loading,” an activity involving moving money to an account in the actor’s control.

Similarly, actors seek to use insiders for money conversions. The example below is from an actor expecting to receive $10,000-$30,000 each day from a “project” and seeks a PayPal employee to convert it into cryptocurrency.

Actors also seek bank insiders with access to the SWITCH application server.

In this next post, the actor even notes that they seek to deploy the FASTCASH malware. FASTCASH malware can be used to cause ATMs to eject their cash, and it was originally identified with Hidden Cobra, a North Korean advanced persistent threat (APT). Whether these posts’ authors have any connection to the group is uncertain, however, if they succeed in gaining access to the SWITCH application server, they stand to generate very significant cash payouts.

Transcending from cybercrime to espionage, we discovered several posts in which actors solicited governmental or government-affiliated insiders to provide information. This includes individuals, like in the image below, who can provide national citizen databases to assist in doxing. An actor seeking an insider in the French government to provide citizen data.

Other posts seek individuals who can provide classified information. For example, this next post appeared several times across several forums and Telegram from a self-described “intelligence analysis corporation” offering $1,000-$2,000 as a finders fee for someone that can connect them with an insider at a US military contractor.

Finally, we also discovered the below post in which an individual purported to sell sixteen sets of classified government data, including proprietary data belonging to defense manufacturers such as Raytheon and Elbit. The post also lists a secret document about a confidential Five Eyes military exercise for $300, noting that it was obtained by an insider.

We must emphasize that posts soliciting insiders to provide classified information are rare. The penalties for such activities are severe, and most of the dark web’s users are financially motivated. Even so, it is not unheard of for an insider to leak classified information on the deep and dark web; most recently, a Massachusetts National Guardsman has been charged with posting classified documents on a Discord server.

Defending Against Insider Threats

Employees can pose a unique type of threat to an organization. Most employees are not malicious, and they ought to be trusted with access to the data and systems needed for performing their tasks. However, those who are lured by a variety of methods to use their positions to assist in criminal enterprises can cause significant financial and reputational damage to their employers.

According to the 2023 Verizon Data Breach Investigations Report, malicious insiders perpetrate about 19% of known data breaches. While there is no way of knowing for sure how many of these attacks originated from a partnership forged on the deep and dark web, there are several practices that companies can take to protect themselves.

1. Principal of least privilege: Employee privileges should be limited only to what their tasks require.
2. Job rotation: Regular cycling of employees between tasks to reveal fraudulent activity.
3. Multiple signoff: Execution of sensitive actions should require multiple employees to approve.
4. VIP account protection: Customers with sensitive accounts or who are more likely to be targeted should be able to opt-in to more stringent account protection.
5. Employee awareness: Employees should understand that threat actors seek to recruit their peers and perpetrate fraud. If they see something suspicious, they should report it.
6. Automated detection: Use of software to flag suspicious activities.
7. Underground monitoring: Organizations must understand adversarial efforts to recruit insiders. Real-time cyber threat intelligence from the clear, deep, and dark web is essential to gather the information needed to expose organizational risk from insider threats.

A rogue employee can severely impact a business’s operations, finances, network security, and brand. They are far more than just an “IT problem” or even a “security team problem.” A proper organizational defense requires coordination between technical and non-technical players, from the SOC to HR, in order to keep the company secure.

Organizations must identify which of their employees are in roles that might be targeted for recruitment by cybercriminals, and enforce stringent monitoring and controls to neutralize any threats from inside the building.