December 4, 2023, by Dov Lerner

Your Co-Workers May Be Literal ‘Partners in Crime’: A Look at How Cybercriminals Recruit Malicious Insiders

Most of us assume our co-workers are trustworthy, law-abiding, and dedicated to the organization's well-being. So it’s shocking to realize that some of them may be teaming up with cybercriminals and sharing data and access in return for cash – or sometimes just revenge.

A recent exploration of the nefarious digital underground conducted by our threat researchers gives a glimpse of the illicit exchanges potentially occurring between threat actors and the employees of some of the world’s largest companies, including Amazon, Meta, Walmart, Chase, PayPal, AT&T, and Verizon. We’ve gathered our findings in a 30-page report, Coming From Inside the Building: Dark Web Recruitment of Malicious Insiders.

A Market for Employee Disloyalty

Scanning the dark recesses of the web over the past year, our team found hundreds of posts in which cybercriminals sought help from ill-intentioned insiders in exchange for cash. 

For example, threat actors solicited employees of mobile phone companies to arrange a “SIM swap” – porting a victim’s phone number to the threat actor’s SIM cards. Threat actors could then intercept one-time passwords sent via SMS or take over crypto wallets associated with the victim’s number. A cooperative insider – called an “inny” by those seeking a literal partner in crime – would receive up to $1,200 for an AT&T SIM swap.

While the total impact of such actions is unknown, a series of high-profile cases highlight how damaging such actions can be. One involved the employee of a large British healthcare company who stole data belonging to more than 500,000 customers from the company’s CRM system and tried to sell it on the dark web. In another case, two former Tesla employees gave a German newspaper negative information about the company’s self-driving car research. In the process, they grabbed and shared the private information of 75,000 Tesla employees with the newspaper (which declined to publish it).

Industries Most Likely to Be Targeted

In the report, we categorize the industries most commonly targeted by cybercriminals and describe in detail what actions they seek from the “innys.” Ranked from the most to least common, the industries are:

  1. Telecommunications – SIM swapping, providing credentials, customer data

  2. Retail – Refund fraud, providing customer data, theft of goods

  3. Shipping and logistics – Tracking scans, theft of packages

  4. Social media – Banning, unbanning, and verifying accounts, providing customer data

  5. Financial services – Approving transfers and withdrawals, account loading, currency exchange, server access

  6. Government and military – Providing classified intelligence, citizen data

These rankings reflect in part the cybercriminals’ likelihood of success: The greater the possibility of finding and exploiting an unethical insider, the more attractive the sector. While financial services might promise greater payoffs, that industry is highly aware of data and privacy access issues and takes extensive measures against breaches. On the other hand, retail is less guarded, albeit unlikely to yield substantial financial rewards for hackers. 

Revenge of the Unhappy Worker

Sometimes, it’s the insiders who are eager to share access because they are furious with their employers, as this “Disgruntled Telecom Employee” said in one of the posts Cybersixgill uncovered:

“I’ve worked like a slave for decades and have nothing to show for it whatsoever. After years of being taken advantage of by this corporation and its management, I'm ready to burn them like they burned me time and time again before hanging up my badge for good.”

Many threat actors are looking for easy-to-execute scams, such as getting a few hundred dollars through fake shipments of retail items. But others are seeking exchanges of potentially far more significant consequences. For example, an “intelligence analysis corporation” sought highly confidential information on missile technology from employees or contractors working for major American defense firms.

Responding to the Insider Threat 

While the report will be of primary interest to anyone in a security position, it’s eye-opening for managers and employees of virtually every organization that might be affected. Those responsible for safeguarding organizational information will want to note the many preventive measures the report outlines, including:

  • Principle of least privilege -- Limiting employee privilege to only what their tasks require

  • Job rotation -- Cycling employees between tasks to reveal fraudulent activity

  • Multiple signoff -- Requiring multiple employees to approve sensitive actions

  • VIP account protection -- Allowing customers with sensitive data to opt in for more stringent account protection

  • Employee awareness -- Making employees aware of the issue and encouraging them to report questionable behavior

  • Automated detection -- Using software to flag suspicious activities

  • Underground monitoring -- Gaining real-time threat intelligence from the clear, deep, and dark web to be aware of the potential organizational risk from insider threats.
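As an added illustration, not taken from the report or from Cybersixgill's own tooling, the following Python sketch combines three of the measures listed above into one gate over an internal action log: least privilege (each role may only perform the actions its job needs), multiple signoff (number ports and transfer approvals need a second, distinct approver), and automated detection (an actor performing an unusual number of sensitive actions in one day is flagged for review). The role names, log format, sample events and daily threshold are all constructed assumptions.

```python
"""Constructed example: policy gate plus burst detection for insider-prone actions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Least privilege: each (assumed) role gets only the actions its tasks require.
ROLE_PERMISSIONS = {
    "support_agent": {"view_account", "reset_password"},
    "port_specialist": {"view_account", "port_number"},
    "finance_clerk": {"view_account", "approve_transfer"},
}

# Multiple signoff: these actions may not execute without a second approver.
DUAL_APPROVAL_ACTIONS = {"port_number", "approve_transfer"}

# Automated detection: more than this many sensitive actions per actor per day is reviewed.
DAILY_SENSITIVE_LIMIT = 3  # constructed threshold, tune to the real baseline


@dataclass(frozen=True)
class ActionEvent:
    day: str
    actor: str
    role: str
    action: str
    target: str
    approver: Optional[str]


def parse_event(line: str) -> ActionEvent:
    """Parse the constructed format: '<day> <actor> <role> <action> <target> [approver=<name>]'."""
    parts = line.split()
    approver = None
    if len(parts) == 6 and parts[5].startswith("approver="):
        approver = parts[5].split("=", 1)[1]
    elif len(parts) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return ActionEvent(parts[0], parts[1], parts[2], parts[3], parts[4], approver)


def authorize(ev: ActionEvent) -> Tuple[bool, str]:
    """Decide whether one action may execute; returns (allowed, reason)."""
    if ev.action not in ROLE_PERMISSIONS.get(ev.role, set()):
        return False, f"role {ev.role} is not permitted to {ev.action}"
    if ev.action in DUAL_APPROVAL_ACTIONS:
        if ev.approver is None:
            return False, f"{ev.action} requires a second approver"
        if ev.approver == ev.actor:
            return False, "an actor cannot approve their own action"
    return True, "ok"


def flag_bursts(events: List[ActionEvent], limit: int = DAILY_SENSITIVE_LIMIT) -> Dict[Tuple[str, str], int]:
    """Count sensitive actions per (actor, day); attempts count too, since denied attempts are a signal."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    for ev in events:
        if ev.action in DUAL_APPROVAL_ACTIONS:
            counts[(ev.actor, ev.day)] += 1
    return {key: n for key, n in counts.items() if n > limit}


# Constructed sample log: one port specialist attempts five number ports in a day,
# including a self-approval and a missing approval; one support agent tries a port
# outside their role; one finance clerk performs a properly approved transfer.
SAMPLE_LOG = """\
2023-12-01 agent42 port_specialist port_number +15550000001 approver=lead7
2023-12-01 agent42 port_specialist port_number +15550000002 approver=lead7
2023-12-01 agent42 port_specialist port_number +15550000003 approver=agent42
2023-12-01 agent42 port_specialist port_number +15550000004
2023-12-01 agent42 port_specialist port_number +15550000005 approver=lead9
2023-12-01 agent17 support_agent port_number +15550000006 approver=lead7
2023-12-02 clerk3 finance_clerk approve_transfer acct-8812 approver=clerk9
"""


def review_log(text: str):
    """Run every event through the gate and the burst detector."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    decisions = [(ev.actor, ev.action, ev.target, *authorize(ev)) for ev in events]
    return decisions, flag_bursts(events)


if __name__ == "__main__":
    decisions, flags = review_log(SAMPLE_LOG)
    for actor, action, target, allowed, reason in decisions:
        print(f"{actor:8} {action:16} {target:14} {'ALLOW' if allowed else 'DENY ':5} {reason}")
    for (actor, day), n in flags.items():
        print(f"REVIEW: {actor} performed {n} sensitive actions on {day}")
```

The gate and the detector are deliberately separate: the gate blocks what policy forbids, while the detector surfaces the pattern (five port attempts by one person in a day, two of them denied) that a policy check alone would never see, which is the kind of signal the "automated detection" and "employee awareness" measures are meant to produce.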

To glimpse a world you likely never knew about, download your copy of the report, Coming From Inside the Building: Dark Web Recruitment of Malicious Insiders.

If you’re concerned about your organization’s vulnerability to malicious insiders, schedule a demo of Cybersixgill’s tools for gaining continuous visibility into these underground exchanges contextualized for your industry and organization.
