
Coming from inside the building: dark web recruitment of malicious insiders

There is a considerable quantity of underground posts discussing insiders for performing SIM swaps. The image below shows an actor seeking an insider at a Verizon store to perform SIM swapping.


Telegram is the most popular venue for actors to seek telecom insiders, also referred to as innys. In the examples below, threat actors seek SIM swaps through insiders at organizations including T-Mobile, AT&T, Metro and Verizon.


Occasionally, the post’s author will even state how much they will pay for swaps, such as this author (below), who offers $1,200 apiece.


This actor, who charges $2,000 per swap, offers proof of working with an insider, including a screenshot of AT&T’s employee portal and DMs with the insider.


In addition to SIM swapping, underground actors also seek telecom insiders for credentials, customer data, and general information. In the images below, you will first see an actor on an underground forum seeking Vodafone insiders to provide customer data. Then an actor seeks telecom insiders in Russia, Ukraine, Kazakhstan, Belarus, and Uzbekistan, followed by an actor who seeks a Claro Colombia employee to answer some questions.


Sometimes we find insiders reaching out. For example, this self-described “disgruntled telecom employee” is offering to sell information regarding eSIMs, which will enable porting numbers with nothing more than running “a script in the cloud.”


Insider Threats: Retail Sector

Underground threat actors typically seek retail insiders to receive goods for free. One common scheme in which they can involve insiders is refund fraud, also known as refunding, in which an actor claims undeserved refunds for a product.

There are many techniques to carry out this type of attack, including reporting that an empty box or damaged item arrived or returning an empty box. However, most methods require convincing an employee to accept the story; it is easier to carry out a fake return if they are already a willing accomplice.

Some threat actors state quite plainly that they are seeking insiders for refund scams. In the examples below, one actor offers $5,000 for an insider responsible for returns at Walmart or any other retailer, while another offers an undisclosed sum to insiders who work with them.


Other actors are not as explicit about wanting an insider to assist with refund scams. For example, the actor in the post below sought an Amazon insider, preferably a customer support supervisor. Someone in this role would be able to authorize returns.


Threat actors also recruit insiders in e-commerce. For example, this actor seeks eBay insiders who can unblock suspended accounts.


Another actor persistently sought insiders at lego.com to provide information about orders, posting eight times in two months.

However, in many postings, there are few, if any, clues about why an insider is requested, though we may presume that they are related to theft. One actor seeks an Amazon warehouse worker; another seeks an Amazon India employee who can assist with bulk orders, and another seeks associates at a long and varied list of companies to help with “customer lookups,” to provide sensitive and confidential customer data.


Insider Threats: Shipping and logistics

Underground threat actors recruit insiders in shipping and logistics primarily to execute fraudulent tracking scans, as in the example below, where an actor seeks an insider at UPS and other couriers to perform scans.


Insider scans are another technique in refund scams. In this scheme, an actor requests to return an item to an e-commerce store. An accomplice in the shipping company scans the shipping label, confirming to the retailer that the item is in transit. The retailer issues a refund but never receives the package. Fraudsters can also use insider scans and courier insiders to simply “ship” a package that disappears, allowing them to claim insurance for their losses.

The examples below show how malicious actors go about performing these scams. In one image, an actor seeks insider scans at UPS, DHL, and other carriers to assist with refund scams; in the following one, an actor looks for employees at UPS, FedEx, USPS, or other couriers.


Many posts recruiting courier insiders, such as the example below, offer “big money” to malicious employees.


Others offer insider scans as a service, such as the post below, which asks $60 per scan at FedEx, UPS, Royal Mail, and other couriers.


Insider Threats: Social media

Threat actors target insiders at social media companies to ban, un-ban and access customer data. The examples below show how one actor on Telegram claimed to be “paying good” for someone at Instagram or X (formerly Twitter), and another offered “$$$$$$” for someone at Snapchat.


If the post specifies the function of the desired insider, it generally has to do with banning, unbanning, or verifying accounts. In addition to this, actors also seek social media employees to provide a user’s personal information.


Insider Threats: Financial services

An insider at a bank or other financial services company might be the necessary link to execute a large, fraudulent scheme. Underground actors use insiders at banks to approve payments and money transfers, enabling fraudsters to move and launder money. In the next example, an actor claims to have an insider at Metro, Santander, and Barclays that can approve payments of up to GBP90,000-GBP200,000 (depending on the bank). The actor notes that these payments appear legitimate and do not burn the account.


In this next example, an actor claims to have a Bank of America insider onboard. The actor is seeking account and routing information, as well as mobile phone numbers, in order to carry out their scheme.


Insiders also allegedly assist with “loading,” an activity involving moving money to an account in the actor’s control.


Similarly, actors seek to use insiders for money conversions. The example below is from an actor who expects to receive $10,000-$30,000 each day from a “project” and seeks a PayPal employee to convert it into cryptocurrency.


Actors also seek bank insiders with access to the SWITCH application server.


In this next post, the actor even notes that they seek to deploy the FASTCASH malware. FASTCASH can be used to cause ATMs to eject their cash, and it was originally identified with Hidden Cobra, a North Korean advanced persistent threat (APT). Whether these posts’ authors have any connection to the group is uncertain; however, if they succeed in gaining access to the SWITCH application server, they stand to generate very significant cash payouts.


Insider Threats: Government and military

Moving from cybercrime to espionage, we discovered several posts in which actors solicited governmental or government-affiliated insiders to provide information. This includes individuals, like the one in the image below, who can provide national citizen databases to assist in doxing: an actor seeking an insider in the French government to provide citizen data.


Other posts seek individuals who can provide classified information. For example, this next post appeared several times across several forums and Telegram, from a self-described “intelligence analysis corporation” offering $1,000-$2,000 as a finder’s fee for someone who can connect them with an insider at a US military contractor.


Finally, we also discovered the below post in which an individual purported to sell sixteen sets of classified government data, including proprietary data belonging to defense manufacturers such as Raytheon and Elbit. The post also lists a secret document about a confidential Five Eyes military exercise for $300, noting that it was obtained by an insider.


We must emphasize that posts soliciting insiders to provide classified information are rare. The penalties for such activities are severe, and most of the dark web’s users are financially motivated. Even so, it is not unheard of for an insider to leak classified information on the deep and dark web; most recently, a Massachusetts National Guardsman has been charged with posting classified documents on a Discord server.

Defending Against Insider Threats

Employees can pose a unique type of threat to an organization. Most employees are not malicious, and they ought to be trusted with access to the data and systems needed for performing their tasks. However, those who are lured by a variety of methods to use their positions to assist in criminal enterprises can cause significant financial and reputational damage to their employers.

According to the 2023 Verizon Data Breach Investigations Report, malicious insiders perpetrate about 19% of known data breaches. While there is no way of knowing for sure how many of these attacks originated from a partnership forged on the deep and dark web, there are several practices that companies can take to protect themselves.

  1. Principle of least privilege: Employee privileges should be limited to what their tasks require.
  2. Job rotation: Regularly cycle employees between tasks to reveal fraudulent activity.
  3. Multiple signoff: Execution of sensitive actions should require multiple employees to approve.
  4. VIP account protection: Customers with sensitive accounts or who are more likely to be targeted should be able to opt-in to more stringent account protection.
  5. Employee awareness: Employees should understand that threat actors seek to recruit their peers and perpetrate fraud. If they see something suspicious, they should report it.
  6. Automated detection: Use of software to flag suspicious activities.
  7. Underground monitoring: Organizations must understand adversarial efforts to recruit insiders. Real-time cyber threat intelligence from the clear, deep, and dark web is essential to gather the information needed to expose organizational risk from insider threats.
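As an added illustration of items 3, 4 and 6 above (this is example code written for this article, not a tool from the original post), the script below runs two checks over a constructed audit log of the sensitive actions this article describes (SIM swaps, refund approvals, account unbans, payment approvals): it flags employees whose volume of such actions is far above their peers, and it lists actions on opted-in protected accounts that lack a distinct second approver. Employee names, account IDs and the three-times-median threshold are all assumptions.

```python
"""Flag insider-style abuse in a constructed audit log of sensitive actions."""
from collections import Counter, namedtuple
from statistics import median

# One row per privileged action; approver is None when nobody co-signed.
Action = namedtuple("Action", "employee action account approver")

# Sensitive actions an insider is typically recruited to perform.
SENSITIVE = {"sim_swap", "refund_approve", "account_unban", "payment_approve"}

# Accounts whose owners opted in to stricter (dual-control) protection.
PROTECTED = {"acct-0007"}

# Constructed sample log (not real data). "carol" performs many more SIM swaps
# than peers; two rows touch a protected account without a second approver.
AUDIT_LOG = [
    Action("alice", "sim_swap", "acct-0001", "bob"),
    Action("alice", "refund_approve", "acct-0007", "bob"),     # properly co-signed
    Action("bob", "sim_swap", "acct-0002", "alice"),
    Action("bob", "sim_swap", "acct-0007", "bob"),             # self-approved
    Action("dave", "account_unban", "acct-0003", "alice"),
] + [Action("carol", "sim_swap", f"acct-01{i:02d}", "dave") for i in range(8)] + [
    Action("carol", "sim_swap", "acct-0007", None),            # no approver at all
]


def sensitive_counts(log):
    """Number of sensitive actions per employee."""
    return Counter(row.employee for row in log if row.action in SENSITIVE)


def flag_outliers(log, factor=3):
    """Employees whose sensitive-action count exceeds factor x the peer median.

    A simple peer baseline; a real deployment would normalise per role/shift.
    """
    counts = sensitive_counts(log)
    if len(counts) < 2:          # no peer group to compare against
        return []
    baseline = max(median(counts.values()), 1)
    return sorted(e for e, c in counts.items() if c > factor * baseline)


def missing_dual_control(log, protected=PROTECTED):
    """Sensitive actions on protected accounts without a distinct second approver."""
    return [row for row in log
            if row.action in SENSITIVE and row.account in protected
            and (row.approver is None or row.approver == row.employee)]


if __name__ == "__main__":
    print("volume outliers:", flag_outliers(AUDIT_LOG))
    for row in missing_dual_control(AUDIT_LOG):
        print("dual-control violation:", row)
```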

A rogue employee can severely impact a business’s operations, finances, network security, and brand. They are far more than just an “IT problem” or even a “security team problem.” A proper organizational defense requires coordination between technical and non-technical players, from the SOC to HR, in order to keep the company secure.

Organizations must identify which of their employees are in roles that might be targeted for recruitment by cybercriminals, and enforce stringent monitoring and controls to neutralize any threats from inside the building.
