Cybercriminals recruit malicious insiders via the dark web

Cybercriminals can use malicious insiders as a direct means to access sensitive company resources, stealing confidential data or using the access to deploy a devastating cyberattack. New research shows that they’re actively searching for insiders from various organizations via the dark web.
Over the past 12 months, the team at threat exposure platform NordStellar has identified 25 unique dark web posts seeking out insiders. A significant portion of these posts focus explicitly on insiders who work for social media or cryptocurrency platforms.
"Employees can grant cybercriminals access to critical data, such as personal customer information and confidential business agreements," says Vakaris Noreika, cybersecurity expert at NordStellar. "This data can be utilized to deploy ransomware attacks, sell intel on business agreements to competitors, or to carry out sophisticated phishing scams on unsuspecting victims whose personal data they managed to get their hands on."
These insider threats can be challenging to spot and, therefore, may go undetected by security teams for a significant amount of time. Employees are trusted members of the organization and have legitimate access to company resources. Consequently, it can be challenging to pinpoint any anomalies in their behavior.
"Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers," adds Noreika. "Insiders are also familiar with the organization's internal security policies and weaknesses, allowing them to adjust their actions to avoid suspicion."
Although some cybercriminals are searching for insiders on the dark web, the recruitment process is usually carried out more privately. Bad actors target specific employees within the organization, especially those whose technical capabilities aid their operations or who have access to highly sensitive company data.
Mantas Sabeckis, a senior threat intelligence researcher at Nord Security, reveals that he has been contacted by cybercriminals for possible recruitment opportunities numerous times. He says that in the past, bad actors have reached out to him on LinkedIn, most likely intrigued by his experience in cybersecurity, and notes that the process of cybercriminals recruiting insiders likely follows the same playbook.
"In my experience, after the first few messages, bad actors try to direct the communication to a different channel, such as Telegram or WhatsApp," says Sabeckis. "One time, I was contacted by a recruitment specialist from Singapore searching for a candidate for a role in a large organization. She did not name the specific organization and asked to continue our conversation on WhatsApp, which is not an unusual request in itself, as different messaging platforms are popular in different countries."
To combat insider threats, any unexpected system behavior or access patterns must be flagged, reported, and thoroughly examined. An effective recovery plan should cover incident detection and outline the key steps the organization should take to contain the threat and mitigate the damage.
"Patterns of unusual behavior are the first indicator that the user might be an insider," says Noreika. "Security teams should keep an eye out for employees who are frequently accessing sensitive information and make sure that they have the proper authorization. Data exfiltration to external parties or devices is another major red flag to look out for."
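The three indicators Noreika names (sensitive access without proper authorization, unusually frequent access to sensitive data, and exfiltration to external parties or devices) can be turned into straightforward detection rules over an access log. The script below is an added illustration, not code from the article or from NordStellar; the log records, the resource list, the authorization table, the internal domain and the thresholds are all constructed here for the example, and a real deployment would take them from the organization's own IAM and DLP sources.

```python
"""Flag the insider-threat indicators listed above over a constructed access log.

Indicator 1: a sensitive resource is touched by a user not authorized for it.
Indicator 2: a user reads sensitive resources more often than a baseline threshold.
Indicator 3: data is transferred to an external host or a removable device.
"""
import json
from collections import Counter, defaultdict

# Constructed sample policy (assumption for this example, not the article's data).
SENSITIVE_RESOURCES = {"customer_pii_db", "contracts_share"}
AUTHORIZATIONS = {
    "alice": {"customer_pii_db"},
    "bob": {"contracts_share"},
    "carol": set(),
}
INTERNAL_DOMAINS = ("corp.example",)

# Constructed sample log, one JSON event per line; none of this is real traffic.
SAMPLE_LOG = """\
{"ts": "2024-05-01T09:00:00Z", "user": "alice", "action": "read", "resource": "customer_pii_db", "bytes": 2048}
{"ts": "2024-05-01T09:05:00Z", "user": "carol", "action": "read", "resource": "customer_pii_db", "bytes": 4096}
{"ts": "2024-05-01T09:10:00Z", "user": "bob", "action": "read", "resource": "contracts_share", "bytes": 1024}
{"ts": "2024-05-01T09:11:00Z", "user": "bob", "action": "read", "resource": "contracts_share", "bytes": 1024}
{"ts": "2024-05-01T09:12:00Z", "user": "bob", "action": "read", "resource": "contracts_share", "bytes": 1024}
{"ts": "2024-05-01T09:13:00Z", "user": "bob", "action": "read", "resource": "contracts_share", "bytes": 1024}
{"ts": "2024-05-01T09:14:00Z", "user": "bob", "action": "read", "resource": "contracts_share", "bytes": 1024}
{"ts": "2024-05-01T09:15:00Z", "user": "bob", "action": "read", "resource": "contracts_share", "bytes": 1024}
{"ts": "2024-05-01T10:00:00Z", "user": "bob", "action": "transfer", "resource": "contracts_share", "dest": "mail.corp.example", "bytes": 500000}
{"ts": "2024-05-01T10:05:00Z", "user": "bob", "action": "transfer", "resource": "contracts_share", "dest": "upload.filehost.test", "bytes": 75000000}
{"ts": "2024-05-01T10:30:00Z", "user": "carol", "action": "transfer", "resource": "wiki", "dest": "usb:SanDisk-1234", "bytes": 300000000}
{"ts": "2024-05-01T11:00:00Z", "user": "alice", "action": "read", "resource": "wiki", "bytes": 512}
"""


def parse_log(text):
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_external(dest):
    """Removable devices and hosts outside the internal domains count as external."""
    if dest.startswith("usb:"):
        return True
    return not dest.endswith(INTERNAL_DOMAINS)


def unauthorized_sensitive_access(events):
    """Indicator 1: sensitive resource accessed by a user not on its authorization list."""
    return [e for e in events
            if e["resource"] in SENSITIVE_RESOURCES
            and e["resource"] not in AUTHORIZATIONS.get(e["user"], set())]


def frequent_sensitive_access(events, threshold=5):
    """Indicator 2: users whose reads of sensitive resources exceed the baseline threshold."""
    counts = Counter(e["user"] for e in events
                     if e["action"] == "read" and e["resource"] in SENSITIVE_RESOURCES)
    return {user: n for user, n in counts.items() if n > threshold}


def external_exfiltration(events, byte_threshold=50_000_000):
    """Indicator 3: transfers to external destinations at or above byte_threshold."""
    return [e for e in events
            if e["action"] == "transfer"
            and is_external(e["dest"])
            and e["bytes"] >= byte_threshold]


def insider_alerts(text):
    """Group every triggered indicator by user so an analyst can review one person at a time."""
    events = parse_log(text)
    alerts = defaultdict(list)
    for e in unauthorized_sensitive_access(events):
        alerts[e["user"]].append(f"unauthorized access to {e['resource']}")
    for user, n in frequent_sensitive_access(events).items():
        alerts[user].append(f"{n} sensitive reads (threshold 5)")
    for e in external_exfiltration(events):
        alerts[e["user"]].append(f"{e['bytes']} bytes to external {e['dest']}")
    return dict(alerts)


if __name__ == "__main__":
    for user, reasons in insider_alerts(SAMPLE_LOG).items():
        print(user, "->", "; ".join(reasons))
```

On the constructed log, alice (authorized, low volume, internal only) raises nothing; bob trips the frequency rule and an external upload; carol trips the authorization rule and a large copy to a removable device. The frequency threshold and byte threshold are deliberately parameters: as the article notes, insiders operate within legitimate access, so the baselines must come from each organization's observed normal behavior rather than a fixed number.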
You can find out more on the NordStellar site.
Image credit: Jefferson Santos/Unsplash
