Criminals sell hacker toolkits for BofA on dark web, study finds
Organized crime groups are selling access to the computer networks of financial firms like Bank of America Corp. and hacking tools targeting these companies, according to a British researcher who posed as a buyer on several dark web marketplaces.
While engaging criminal groups on the dark web in conversations over several months, Michael McGuire, a criminology professor at the University of Surrey, and his team discovered tools for sale to steal login credentials of many businesses, including those of Bank of America customers. They also found what sellers claimed to be the passwords and PINs of Qatar National Bank customers for sale.
Their findings, released in a research report today, offer rare insight into the workings of the dark web, the portion of the internet which requires specialized software or authorizations to access and which isn’t indexed by conventional search engines. There are numerous sites on the dark web that serve as marketplaces for hackers selling their services and the data they’ve previously stolen.
"We couldn’t legally purchase this stuff," McGuire said in an interview before presenting the findings at an information security conference in London Thursday. His research was sponsored by Bromium, a Silicon Valley-based cybersecurity firm.
The scale of data breaches has grown in recent years as criminal hacking groups become increasingly adept at penetrating corporate networks and harvesting vast amounts of information. Often these data are then used for identity theft and credit card fraud. In other cases, access to a network is used to implant ransomware, which encrypts the contents using a key only the hackers control. The hackers then demand a ransom to hand over the key. Nation-states have also become much more active in targeting corporate networks.
Between November 2018 and March 2019, McGuire’s team reached out to sellers, often over encrypted messaging services or in password-protected forums. Given the anonymous nature of the dark net, the researchers typically had no clear sense of who the sellers they were negotiating with were, or where they were based, he said. It’s possible in some cases that these groups could be affiliated with nation-states, or even that some were undercover law enforcement officers posing as hackers as part of investigations or intelligence-gathering, McGuire said.
In the case of Bank of America, the material McGuire found available was fake web pages that could be used to harvest customer data in phishing attacks. In these attacks, a customer is sent an email that appears to come from the bank, asking them to click a link to access their account. The link then takes them to the fake web page, which records the username and password they enter.
A complete phishing toolkit — including a tutorial manual — that would enable almost anyone to launch such a phishing attack against Bank of America customers was selling for $11, the report said.
In other cases, the researchers discovered individuals seeking employees at companies such as AT&T Inc. and Verizon Communications Inc. who would be willing to sell access to those companies’ networks in order to steal contract and payroll information.
The researchers found that the banking and financial sector was most frequently targeted by tailored malware or hacking tools for sale on the dark web, constituting about 35% of those on offer.
While those tools still require some knowledge to use, banks also ranked highly among the organizations whose networks hackers claimed they could provide ready access to, the report said. E-commerce firms and health care providers were also popular targets.
The price for commissioning an attack on a specific corporation averaged about $4,500, the researchers found. Bespoke corporate espionage services, targeting either individuals or specific information from a particular company, were available for fees ranging from $1,000 to $15,000, they said.
McGuire said the research indicated corporate espionage, either for competitive business advantage or possibly insider trading, was likely far more prevalent than most people realized. "We posed as an enterprise and wanted to see if someone would get us information about a competitor’s product trials and product lists, accounting information, and we got positive responses," he said.
McGuire also said that some information available for sale was clearly marketed at those who might want to blackmail senior executives — such as stolen emails that seemed to indicate an executive was romantically involved with a junior employee.
McGuire said his research suggested that, if they were not already doing so, corporate cybersecurity teams ought to spend time monitoring the dark web to pick up signs of potential threats, such as data from their organizations already for sale or rogue employees willing to sell network access to others.