Cyber criminals are willing to pay more than a million dollars a year to skilled information security professionals who are willing to don a black hat.
Network management, penetration testing and programming skills are particularly in demand, reveals digital security company Digital Shadows in a recent report. Research on the Dark Web revealed one attacker is promising to pay $768 000 per year to skilled professionals willing to help carry out acts of malfeasance. The salary is set to rise to $1 080 000 per year in the second year.
The report also revealed criminal underground groups are on the lookout for partners in crime who can help them extort money from high-net-worth individuals, such as executives, lawyers and doctors. For these roles, monthly salaries of $30 000 are on offer.
For extortion to work, attackers need something of value to barter, such as the details of someone’s private life, confidential company information, or total control over a company’s network, adds the firm.
Acquiring this information or privileged access has never been easier, the report says. “As businesses rush into digital transformation, and new individuals and services join the digital economy daily, it’s becoming harder and harder to manage our data and digital assets. Cyber criminals recognise this and have developed ways to profit from our unwanted online exposure through extortion-based attacks.”
Digital Shadows says there are several ways attackers are monetising online exposure. Firstly, through compromised credentials, where criminals use cheap and readily available breached credentials bought on the dark market to perform mass extortion campaigns and convince victims they have been breached.
Not only will they extort victims directly, attackers now have dedicated sections on online forums to sell sensitive data, including corporate documents and intellectual property.
“In fact, the barriers to entry for extortion-based activity continue to fall. Extortionists come in all shapes and sizes, with varying levels of sophistication. With account, database and network accesses available on criminal forums, and extortion guides for sale at under $10, aspiring extortionists have a wealth of resources to get started,” adds Digital Shadows.
Attackers are also exploiting technical vulnerabilities. Cyber crooks can carry out active and passive scanning to identify exploitable vulnerabilities in Internet-facing applications, and can deploy ransomware variants that disrupt business operations, damage business reputation, and demand huge ransoms in Bitcoin or other crypto-currencies.
Ilia Kolochenko, CEO of Web security company High-Tech Bridge, says: “The shadow economy is not subject to governmental control or regulation. While in the past, cyber criminals were restrained by money-laundering difficulties in cyber space, the rise of crypto-currencies means virtually any illicit income of any size can be legalised without legal ramifications.”
Unlike lazy and inefficient cyber security start-ups that look for the next investment round as a universal resort for any past failures, cyber criminals are organised, disciplined and well-managed, says Kolochenko. “Their sole objective is maximising their short-term profit, not becoming a unicorn or running a successful IPO in 10 years.”
These numbers also undermine the long-term sustainability of commercially-motivated bug bounties, he notes. “We will likely see a decline in the number of skilled people involved in crowd security testing as they can either find a highly competitive salary in the industry, or alternatively shift to the dark side. At least their primary motivator will not be money.”