
In the world of illegal cyber activities, different kinds of threat actors exist. It has become increasingly common to read about companies selling offensive services like spyware as a service or commercial cyber surveillance. Some other actors are also government-backed. Yet another category of threat actors exists, dubbed hackers-for-hire.

Google’s Threat Analysis Group (TAG) published a new report about this kind of threat and how it works, providing examples of this ecosystem from India, Russia and the United Arab Emirates.


Who are hackers-for-hire?

Hackers-for-hire are experts in conducting account compromises (generally mailboxes) and exfiltrating data as a service. They sell their services to people who do not have the skills or capabilities to do so themselves.

While some companies openly advertise their services to anyone who pays, others stay under the radar and only sell their services to a limited audience.

Some hackers-for-hire structures also work with third parties, generally private investigation services, which act as a proxy between the customer and the threat actor. Such a hack-for-hire company might also decide to work with experienced freelancers rather than employing them directly.

Indian hackers-for-hire

Google’s TAG chose to share details about Indian hack-for-hire companies and indicates that it is tracking an interwoven set of Indian hack-for-hire actors, many of whom previously worked for the Indian offensive security companies Appin Security and Belltrox (Figure A).

Image: Archive.org. Figure A: An email hacking service is listed in the services provided by Appin Security in 2011.

TAG could link former employees of these two companies to Rebsec, a new company openly advertising corporate espionage on its commercial website (Figure B).

Figure B: Corporate espionage service as exposed on Rebsec’s commercial website.

Russian hackers-for-hire

A Russian hack-for-hire group has been tracked by the TAG team since 2017 and has targeted journalists, politicians, and various NGOs and non-profit organizations in addition to everyday citizens in Russia and surrounding countries.

In those attack campaigns, the threat actor used credential phishing emails that looked similar no matter the target. The phishing pages to which the victims were led could impersonate Gmail and other webmail providers or Russian government organizations.

A public website, gone since 2018, provided more information and advertised the service, which consisted of compromising email boxes or social media accounts (Figure C).

Image: Archive.org. Figure C: Sample prices for the services of a Russian hack-for-hire actor.

As is often the case in the Russian cyber criminal underground, the threat actor also highlighted positive reviews of its services from different well-known cyber criminal marketplaces such as Probiv.cc or Dublikat.

The United Arab Emirates hackers-for-hire

One hacker-for-hire group tracked by TAG is mostly active in the Middle East and North African area, targeting government, education and political organizations, including Middle East-focused NGOs in Europe and the Palestinian political party Fatah.

That actor mainly used Google or Outlook Web Access (OWA) password reset lures to steal valid credentials from their targets, using a custom phishing toolkit utilizing Selenium, a tool useful for automating tasks in web browsers.

Once compromised, persistence would be maintained by granting an OAuth token to a legitimate email client such as Thunderbird or by linking the victim Gmail account to another email account owned by the threat actor.
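From the defender's side, both persistence methods leave account-change events that can be reviewed after a suspected phish. The following is an added example, not code from TAG or from this article: the event schema, the event type names (including modeling a linked account as `forwarding_added`), the `example.org` domains and the 24-hour window are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, hypothetical schema (not a vendor log format).
EVENTS = [
    {"ts": "2022-07-01T09:02:11", "user": "alice@example.org", "type": "new_device_login"},
    {"ts": "2022-07-01T09:05:40", "user": "alice@example.org", "type": "oauth_grant",
     "app": "Thunderbird", "scopes": ["https://mail.google.com/"]},
    {"ts": "2022-07-01T09:07:02", "user": "alice@example.org", "type": "forwarding_added",
     "address": "archive@mailbox.example.net"},
    {"ts": "2022-07-03T14:00:00", "user": "bob@example.org", "type": "oauth_grant",
     "app": "Calendar Sync", "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    {"ts": "2022-07-04T08:30:00", "user": "bob@example.org", "type": "forwarding_added",
     "address": "bob.assistant@example.org"},
    {"ts": "2022-07-05T11:15:00", "user": "carol@example.org", "type": "oauth_grant",
     "app": "Thunderbird", "scopes": ["https://mail.google.com/"]},
]

MAIL_SCOPES = {"https://mail.google.com/"}  # Gmail scope granting full mailbox access
ORG_DOMAINS = {"example.org"}               # assumed internal mail domains
WINDOW = timedelta(hours=24)                # assumed correlation window


def find_persistence(events, org_domains=ORG_DOMAINS, window=WINDOW):
    """Flag mail-scope OAuth grants and external forwarding; raise severity
    when the change follows a login from a new device within the window."""
    findings, last_new_login = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "new_device_login":
            last_new_login[user] = ts
            continue
        reason = None
        if ev["type"] == "oauth_grant" and MAIL_SCOPES & set(ev["scopes"]):
            reason = f"mail-scope OAuth grant to {ev['app']}"
        elif ev["type"] == "forwarding_added":
            domain = ev["address"].rsplit("@", 1)[-1].lower()
            if domain not in org_domains:
                reason = f"forwarding to external address {ev['address']}"
        if reason:
            login = last_new_login.get(user)
            recent = login is not None and ts - login <= window
            findings.append({"user": user, "ts": ev["ts"], "reason": reason,
                             "severity": "high" if recent else "review"})
    return findings


if __name__ == "__main__":
    for finding in find_persistence(EVENTS):
        print(finding)
```

A mail client grant is legitimate on its own, which is why an uncorrelated one is only marked for review; revoking the token and removing the forwarding address are still required after a password change, since neither depends on the password.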

Interestingly enough, this threat actor could be linked to the original developer of the infamous njRAT malware, also known as Bladabindi, H-Worm or Houdini-Worm.

Who are hackers-for-hire targets?

The most common targets for these kinds of operations are political activists, journalists, human rights activists and other high-risk users around the world.

Companies, lawyers and attorneys are also at risk since some hackers-for-hire are hired to target them ahead of anticipated lawsuits or during litigation. They might also be targeted for corporate espionage and theft of industrial secrets.

Finally, any citizen can be targeted, since some hackers-for-hire structures offer low prices to compromise and provide access to any individual, typically on behalf of a husband or a spouse who wants to find information about ongoing affairs and such.

How to protect against hackers-for-hire?

Most of these threat actors actually use email phishing as a starting point and generally do not go further than email box compromise and data exfiltration, which means they do not necessarily need any malware but rather use social engineering tricks.


Awareness needs to be raised about email phishing and related fraud attempts. Multi-factor authentication should also be deployed when possible to add a layer of security against those attackers.

Google recommends that high-risk users enable Advanced Protection and Google Account Level Enhanced Safe Browsing and ensure all devices are updated.

Finally, no one should ever authenticate to a web page popping up from a click on an email link. The user should always navigate to the legitimate page of the service and authenticate there without using any link.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
