Most of us assume our co-workers are trustworthy, law-abiding, and dedicated to the organization's well-being. So it’s shocking to realize that some of them may be teaming up with cybercriminals and sharing data and access in return for cash – or sometimes just revenge.
A recent exploration of the nefarious digital underground conducted by our threat researchers gives a glimpse of the illicit exchanges potentially occurring between threat actors and the employees of some of the world’s largest companies, including Amazon, Meta, Walmart, Chase, PayPal, AT&T, and Verizon. We’ve gathered our findings in a 30-page report, Coming From Inside the Building: Dark Web Recruitment of Malicious Insiders.
A Market for Employee Disloyalty
Scanning the dark recesses of the web over the past year, our team found hundreds of posts in which cybercriminals sought help from ill-intentioned insiders in exchange for cash.
For example, threat actors solicited employees of mobile phone companies to arrange a “SIM swap” – porting a victim’s phone number to the threat actor’s SIM cards. Threat actors could then intercept one-time passwords sent via SMS or take over crypto wallets associated with the victim’s number. A cooperative insider – called an “inny” by those seeking a literal partner in crime – would receive up to $1,200 for an AT&T SIM swap.
While the total impact of such actions is unknown, a series of high-profile cases highlights how damaging they can be. One involved the employee of a large British healthcare company who stole data belonging to more than 500,000 customers from the company’s CRM system and tried to sell it on the dark web. In another case, two former Tesla employees gave a German newspaper negative information about the company’s self-driving car research. In the process, they grabbed and shared the private information of 75,000 Tesla employees with the newspaper (which declined to publish it).
Industries Most Likely to Be Targeted
In the report, we categorize the industries most commonly targeted by cybercriminals and describe in detail what actions they seek from the “innys.” Ranked from the most to least common, the industries are:
Telecommunications – SIM swapping, providing credentials, customer data
Retail – Refund fraud, providing customer data, theft of goods
Shipping and logistics – Tracking scans, theft of packages
Social media – Banning, unbanning, and verifying accounts, providing customer data
Financial services – Approving transfers and withdrawals, account loading, currency exchange, server access
Government and military – Providing classified intelligence, citizen data
These rankings reflect in part the cybercriminals’ likelihood of success: The greater the possibility of finding and exploiting an unethical insider, the more attractive the sector. While financial services might promise greater payoffs, that industry is highly aware of data and privacy access issues and takes extensive measures against breaches. On the other hand, retail is less guarded, albeit unlikely to yield substantial financial rewards for hackers.
Revenge of the Unhappy Worker
Sometimes, it’s the insiders who are eager to share access because they are furious with their employers, as this “Disgruntled Telecom Employee” said in one of the posts Cybersixgill uncovered:
“I’ve worked like a slave for decades and have nothing to show for it whatsoever. After years of being taken advantage of by this corporation and its management, I'm ready to burn them like they burned me time and time again before hanging up my badge for good.”
Many threat actors are looking for easy-to-execute scams, such as getting a few hundred dollars through fake shipments of retail items. But others are seeking exchanges of potentially far more significant consequences. For example, an “intelligence analysis corporation” sought highly confidential information on missile technology from employees or contractors working for major American defense firms.
Responding to the Insider Threat
While the report will be of primary interest to anyone in a security position, it’s eye-opening for managers and employees of virtually every organization that might be affected. Those responsible for safeguarding organizational information will want to note the many preventive measures the report outlines, including:
Principle of least privilege -- Limiting employee privilege to only what their tasks require
Job rotation -- Cycling employees between tasks to reveal fraudulent activity
Multiple signoff -- Requiring multiple employees to approve sensitive actions
VIP account protection -- Allowing customers with sensitive data to opt in for more stringent account protection
Employee awareness -- Making employees aware of the issue and encouraging them to report questionable behavior
Automated detection -- Using software to flag suspicious activities
Underground monitoring -- Gaining real-time threat intelligence from the clear, deep, and dark web to be aware of the potential organizational risk from insider threats.
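As an added illustration of two of these controls (multiple signoff and automated detection), not code from the report or from Cybersixgill, the script below checks a constructed telecom customer-service audit log: every sensitive action (SIM swap, account unban, transfer approval, customer export) must carry a second, distinct approver, and an employee whose daily count of sensitive actions exceeds a baseline is flagged. The log lines, employee names, action names and the baseline of three are all assumptions made up for the example.

```python
"""Insider-threat audit checks over a constructed telecom CSR activity log.
Implements 'multiple signoff' and 'automated detection' from the list above.
All log lines, names and thresholds are constructed for this example."""
from collections import Counter

# Actions recruiters ask insiders for (per the report); treated as sensitive here.
SENSITIVE_ACTIONS = {"sim_swap", "account_unban", "transfer_approval", "customer_export"}
# Constructed baseline: more than this many sensitive actions per employee per day is abnormal.
DAILY_BASELINE = 3

# Constructed audit log: timestamp, employee, action, target account, approver ('-' = none).
SAMPLE_LOG = """\
2024-03-04T09:02 alice sim_swap acct-1001 bob
2024-03-04T09:40 alice sim_swap acct-1002 bob
2024-03-04T10:15 carol plan_change acct-2001 -
2024-03-04T11:03 dave sim_swap acct-3001 dave
2024-03-04T11:10 dave sim_swap acct-3002 -
2024-03-04T11:31 dave sim_swap acct-3003 -
2024-03-04T11:58 dave sim_swap acct-3004 -
2024-03-04T13:20 carol account_unban acct-2002 erin
"""

def parse_log(text):
    """Parse whitespace-separated lines into dicts; '-' means no second approver."""
    records = []
    for line in text.splitlines():
        ts, employee, action, account, approver = line.split()
        records.append({"ts": ts, "employee": employee, "action": action,
                        "account": account, "approver": None if approver == "-" else approver})
    return records

def check_signoff(records):
    """Multiple signoff: a sensitive action needs an approver who is not the actor."""
    return [(r["ts"], r["employee"], r["action"], r["account"]) for r in records
            if r["action"] in SENSITIVE_ACTIONS
            and (r["approver"] is None or r["approver"] == r["employee"])]

def check_volume(records, baseline=DAILY_BASELINE):
    """Automated detection: sensitive actions per (employee, day) above the baseline."""
    counts = Counter((r["employee"], r["ts"][:10])
                     for r in records if r["action"] in SENSITIVE_ACTIONS)
    return {key: n for key, n in counts.items() if n > baseline}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in check_signoff(recs):
        print("missing second approval:", finding)
    for (emp, day), n in check_volume(recs).items():
        print(f"volume anomaly: {emp} performed {n} sensitive actions on {day}")
```

In a real deployment the baseline would come from each role's historical activity rather than a fixed constant, and the self-approval case (dave approving his own SIM swap) is the one the least-privilege control should make impossible in the first place.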
To glimpse a world you likely never knew about, download your copy of the report, Coming From Inside the Building: Dark Web Recruitment of Malicious Insiders.
If you’re concerned about your organization’s vulnerability to malicious insiders, schedule a demo of Cybersixgill’s tools for gaining continuous visibility into these underground exchanges contextualized for your industry and organization.