Along with everything else malicious that’s available “as-a-Service”, the latest addition takes the burden of trying to initially hack an organization off of the plate of would-be criminals.
It used to be that a hacker worked an attack from end to end, hacking their way into an organization, navigating around as necessary, and performing whatever dastardly deed they intended. But today’s cybercriminal can focus on just one aspect of the crime, and leverage services to do the rest.
It started with malware-as-a-service, with coders writing the malware to be used in, say, a phishing attack. Then the landscape exploded, with everything from millions of email addresses, to RDP credentials, to phishing services, and more.
This latest “service offering” feels a bit like lead generation companies who do tons of cold calling to generate a warm lead that’s willing to speak with your company’s sales team. For a sizable fee, all the work has been done to sit you right in front of the desired individual.
The same now rings true for the cybercriminal. According to Google, “hack for hire” groups offer to break into a specific user’s account for $750.
Using a mixture of spear phishing and social engineering techniques, these groups run a month-long phishing campaign, sending emails impersonating family, friends, colleagues, government officials, or even Google. Once an account is breached, the list of possibilities is sizable: fraud, spreading malware via email, collecting intel for a larger scam, ransomware, and more are all conceivable choices. Keep in mind that the invested $750 needs to pay off, so the take will likely be some multiple of that.
Targeting an individual in this way isn’t new; CEO gift card scams have long targeted individuals with titles scammers feel will want to make the CEO happy and, therefore, take the bait and fall for the scam.
Organizations wanting to prevent such attacks need to teach users that these kinds of attacks exist and how to spot them before becoming a victim. Security Awareness Training provides organizations with the tools needed to continually keep users abreast of the latest scams, attack methods, and social engineering tactics used, reducing the likelihood that users fall for it, even in “hack for hire” instances, and keeping the organization safe.