Corporate Insiders – A Growing Cybercrime Threat

Tommy Ben-Avi

In the past couple of years, awareness to the existence of the Dark Web (or darknet) has risen dramatically, especially due to extensive media coverage of major events such as Silk Road’s demise, the subsequent arrest of its admin and large corporate breaches such as the ALM Media data leak. Popularized and romanticized by mainstream TV shows, the Dark Web has enjoyed piqued public interest as of late, with more people using it and more law enforcement monitoring activity.

Google searches for “darknet”

Figure 1: Google searches for “darknet”.

For that reason many normative internet users, who might have otherwise remained innocent, fall to the promises of easy earnings and cheap thrills. The normative user, whose intended or unintended malicious intentions are welcomed by the savvy fraudster, is lured to cooperate with cybercriminals. These bad actors, able to offer underground services usually related to the exploitation of stolen information, hacking, and similar ventures, have grown their businesses in the dark web by joining forces with employees who want to profit from selling company information.

Insiders of any large organization are always in high demand among cybercriminals. Even without a concise modus operandi, cybercrime rings who encounter a potential insider understand the benefits of collaborating with one. This usually starts when a malicious insider posts generic messages in which he simply declares the nature of his work at a corporate environment and that he is open for suggestions.

From there, offers start rolling in. In order to obtain access to the inner enterprise mechanisms which are not available otherwise, criminals promise a portion of the revenues from the fraud scheme.

Search trend for insider-related keywords in the cybercrime underground as analyzed by Sixgill
Figure 2: Search trend for insider-related keywords in the cybercrime underground as analyzed by Sixgill

One of the common scenarios of insider fraud is the abuse of privileges by gaining access to company assets – clients and partners. Maybe an IT guy uses his privileged access to the corporate database to steal a list of customers, corporate assets, or financial plans resulting in direct damage to the company.

Other common forms of data may include credit card and bank information or other documents. The errant employee will often aid fraudsters by facilitating fraudulent transactions with the company’s seal of approval, thus bypassing ordinary security mechanisms by operating from the inside.

The worst and most damaging scenario, however, happens when a would-be insider custom-tailors the operation to cater the needs of his accomplices. In such cases the insider can be lured to install malware on the corporate computers, allowing cyber criminals to gain full control of the company’s computers and data.

An insider in a major UK bank offering his services to potential attackers

Figure 3: An insider in a major UK bank offering his services to potential attackers
A fraudster claims to be working for a major bank in the United States
Figure 4: A fraudster claims to be working for a major bank in the United States.

An insider in a major UK telecommunication company

Figure 5:  An insider in a major UK telecommunication company.  

An analysis of the posts from individuals claiming to be insiders shows that the vast majority of them are new users with little to no reputation in cyber-criminal circles, and while some may be looking to scam fraudsters, some may cause serious damage to the organization they work for. Thus, when dealing with insiders, quick responses and real-time alerts play a crucial role in mitigating such potential threats.

A gas station employee offers to steal credit card information from clients
Figure 6: A gas station employee offers to steal credit card information from clients.