How's your 'Probiv'? How about customer service? Here's how Dark Web forums connect cybercriminals looking for talent with those looking for work -- and which skills are hot right now.
The Dark Web is a cesspool of illegal activity, from underground drug trades to the buying and selling of stolen credit card information. It's also a place to find financial opportunity and gainful employment.
Yes, there are "criminal job boards" in the traditional sense on the Dark Web. The Edge spoke with several security researchers, including the Photon Research Team at Digital Shadows, about the growing number of English- and Russian-language Dark Web forums that feature job boards with specific sections dedicated to the topic of recruitment and the skills required.
How does it work? Much like a regular job board.
The Application Process
Job seekers and criminal "employers" find each other through posts. Wannabe hackers will create threads in specific sections of a forum for topics, such as malware and phishing, and explain their skillsets in order to find work. And criminal groups, or even individual threat actors looking for help, will also announce when they are seeking assistance and then outline the requirements.
Sometimes these listings get more creative – and competitive, the Photon researchers say.
For example, over on the Russian-language forum XSS, the Sodinokibi/REvil ransomware collective sponsored a competition for criminal job seekers in December 2019. The contest asked forum members to submit a technical paper on a selected topic. The winner was offered the chance to work for the collective.
At the English-language hacking forum KickAss, the Photon team spotted The Dark Overlord (DTO) hacking group actively recruiting new members. DTO listed specific key attributes the successful candidate should possess.
The Skills in Demand
What skills are the most in demand on the black market? The Photon Research Team says "probiv" – a Russian-language slang term best translated as "look-up" – is a popular skill, and criminal groups are continually looking for people to join who might work in a specific sector or company who can bring probiv abilities to the table.
Criminals who provide probiv services typically find lucrative work by abusing privileged job positions, such as roles in banks and passport agencies, and then provide insider information in exchange for a fee. Threat actors recruit workers with access to specific databases, according to Photon.
Ransomware groups, on the other hand, are looking for a variety of skills to complement whatever talents they already possess on their teams. Chester Wisniewski, principal research scientist at Sophos, recently observed that certain "criminal specialties" are called for in forums in order to form a team that can help with various steps in the ransomware exploit chain.
For example, one team member might be an "initial access broker" specializing in gaining access to secure systems. The next might bring coding skills and author the malware.
"There appears to be a delineation of responsibilities," Wisniewski says. "It is clear in some cases that those coding the malware are not the same as the people providing technical support chat in English. There also seems to be different groups acquiring an initial foothold than the groups conducting the ransom and extortion. We see similar things in the stolen credit world, where many card thieves then sell their cards to 'cashiers' or go into business with them on a commission basis."
Training for Criminal Employment
How do criminals get their training? Is there any kind of formalized training module a young, industrious hacker can hit up to learn?
The Photon team has not observed any formal courses on the Dark Web but says knowledge and expertise is shared among junior members of Dark Web forums all the time, including prepared guides and tutorials on how to conduct certain activities. Photon has also seen Dark Web platforms like XSS offer their own dedicated e-learning sections on the forum where users can enhance their skills a number of areas.
Similar efforts have been uncovered on the forum CryptBB, where beginners who are not at an advanced skill level are given access to a dedicated "Beginners" subsection to learn and increase knowledge. More experienced criminals answer questions and serve as mentors.
"Underground forums for black hat hackers are a free, relatively easy way to learn from other experienced cybercriminals,” says Kristina Balaam, senior security engineer for mobile security firm Lookout. "The added benefit is that if a user develops the trust of others in this community, they may be recruited to criminal activities or projects."