The job search can be intimidating. Balancing mass resume submissions, networking, LinkedIn activities, connecting with recruiters, attending job fairs, and seeking internships (hopefully paid) and short-term contracts can be a painfully long process. So how can you convince your potential employer that you are suitable for the job? The evidence comes in many forms: job experience, references or recommendations, persuasive interviewing, successful passing of a technical assessment or exercise, and luck and timing. While this can be a daunting task in the real world, what does this look like on the deep and dark web? How do people convince others that they are suitable for the job?
On the underground, job seekers and employers need to prove themselves – and developing trust on the underground in a world of anonymity has unique challenges.
What is particularly interesting about the underground digital economy is that practices taking place in the legitimate world can share similarities with those on the deep and dark web – albeit with their own twist. By observing these postings, we can gain a more robust understanding of the maturity and capabilities of specific threat actors, learn which hacking groups may be expanding their operations, and gain a firmer grasp of their TTPs.
Dark Web Job Request: Experience = Reputation
Let’s look at the post below, which shows a threat actor looking for an experienced coder. “Experienced coder needed” is, at face value, something you could expect to see in a job posting. However, this job differs – the request is to build a scam page (phishing page).
It is also important to note that the actor will only consider reputable forum members for the job. Although the post does not provide many details, it covers a critical area that underscores a potential barrier to entry to less experienced threat actors or impersonators (such as security researchers or law enforcement). Developing a reputation takes time and effort, and someone’s public persona or activity levels on a forum can assist in making them reputable.
Guarantor and Project Alignment
One way to reduce the concerns over the exchange of services is to utilize a guarantor. A third party holds onto a payment until the goods or services have met both parties’ expectations. Oftentimes, this is a built-in mechanism on forums and marketplaces to ensure everything is above board. For example, the job seeker in the post not only provides the offer of a guarantor, but also references the Terms of Reference (TOR) to lay out the scope for the potential project.
This actor also positions themselves as not just an IT specialist but also as a project manager who can work in a team setting – all good qualities for a candidate. They also discuss working through a guarantor.
Alongside listing their competencies, this pentester references an RFP (Request for Proposal) – terminology one would not expect to see on the underground.
Job Hiring: Outsourcing Elements of the Attack Cycle
Very few actors initiate or develop all stages of an attack. Instead, many threat actors have a specific core competency or specialty. For example, the fraudster who crafted the phishing email or attempted to obtain PII over the phone is probably not the same person who created the malware. Just as companies are composed of individuals executing various organizational functions, so too are threat actor groups. In what looks like an advertisement for a startup, this actor is looking to fill roles within a hacking team.
Like many people who want to translate a one-time gig or contracting job into a full-time role, good work can lead to longer-term partnerships, which can significantly benefit both parties. For example, one of the more common areas involves partner or affiliate programs of ransomware groups – a relationship characterized by having a longer-term goal.
By looking at various recruitment and job-hunting methods, we can see that multiple aspects of the underground economy operate like legitimate businesses. Many organizations frequently subcontract or outsource specific roles they cannot fill themselves and instead find the specialist required to complete the job. Experts can contribute to the surveillance, initial access, or execution phase of an attack cycle. Finally, as in the real world, there are communities where threat actors can find best practices and suitable candidates for a job.
Despite regular job recruitment having much greater transparency between interested parties, threat actors can still develop mutually beneficial employment opportunities even with the discretion required for longevity on the deep and dark web. In this context, by monitoring different threat actors’ job advertisements and recruiting efforts, we can perhaps comprehend their capabilities and understand that the more they mirror the operations of a legitimate organization, the higher the potential threat they may pose.