Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Trustwave SpiderLabs Exposes Unique Cybersecurity Threats in the Public Sector. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Underground Job Market – Part 2 of 3

"Leave your ego at the door every morning, and just do some truly great work. Few things will make you feel better than a job brilliantly done."

Robin S. Sharma


The last time we visited the cybercriminal underground, we introduced you to a community with its own laws and code of trust. In Part Two of the series, we take a closer look at the job market of the dark web – an investigation that sheds light on the day-to-day lives of its members and illustrates cooperation among them.

The underground community offers custom applications, malware and a range of exploit kits. Its members are often responsible for complex operations that lead to financial damage in banks around the globe. So how are they able to operate in an international market where they have to be in the right place at the right time?

We have already witnessed the deep hierarchy of the underground community. This is also true from a business perspective: In the underground you will find organizational structures that resemble small, medium and large businesses that take part in activities of varying complexities based on the available talent pool.

The principles of an ordinary functional community take place there, too, and one of these is economy. One of the core laws in an economy states that demand breeds supply. In underground terms this means that a person creates an extraordinary piece of malware, another person buys it and exploits victims, and both turn a profit for their efforts. A real economy stands on hardworking people creating real products.

But as with any economy, there are those running the show who do less of the actual work, but manage the operation and contribute their experience in doing so, the skilled laborers or "professionals" who do the expert work and get paid accordingly, and those who do the menial work for lower pay (but while doing so acquire knowledge and life skills that may one day earn them a spot higher up in the hierarchy).

In this blog post we will explore a variety of employers and employees from groups in this hierarchy and explain how they compare to the economy that lives above ground.

A (Dis)honest Day's Work

There are quite a few able-bodied members in these forums looking for (almost) any kind of work. 

This person explicitly states that he is OK with, and even prefers, illegal work. This is because the underground market as a whole understands risk and reward, and jobs with more risk naturally result in higher pay. We will see this trend in more detail throughout the blog.

Another thing to note from this advertisement that differs from the "legal" job market is the concept of deposits. Risk in this line of work lies not only in the employee who puts themselves out there, but also on the employer who must, as part of the process, give valuable (illegal) goods, money or access to a criminal who claims to be honest. To reduce this risk, some underground jobs require that the employee put down a deposit when they collect the goods, which they will then get back, with the addition of their salary, on completion of the job. This helps incentivize employees to do the work and get their pay, rather than take the goods and run.

An abundance of advertisements exists in the underground for jobs meant for people like this. Most of these ads sound like regular job offers, with slight differences that are often hidden between the lines. The details of the job are usually left for private conversation. This ad seems like a common everyday job offer for a car driver:

But without further contact for more details, let's compare this offer to a car driver offer published in a non-underground market in the same region:

The salary in this category can go as high as 85,000 RUB (about USD $1,350) for a month's work. The underground position offers the same amount of money for just over a week's worth of illegal work, not including the living expense compensation that the underground employee will receive during their time of employment. Further conversation in the thread with more job details hinted that this position is related to drug delivery.

Another example of a simple job is in local advertising. It is an unskilled job with the minimal risk of being punished for vandalism. This kind of job is very attractive for students and other younger crowds:

The screenshot was taken on May 2018.

The advertiser promises over 400 UAH (about USD $15) per day. Compare this offer to the local minimum wage of 3,723 UAH (about USD $140) per month, or the highest available student scholarship of 1,660 UAH (about USD $63) per month. Within one work week, a student could earn more than a scholarship, and within two weeks more than a full month's salary at minimum wage – a very appealing offer for a part-time job.

As a result, many city blocks are covered with Telegram channel names and internet drug store titles, mostly understood only by the younger generation. This contributes to the growth of both real and cybercrime societies. (Telegram is a secure cloud-based instant messaging and voice-over IP service that allows secure chatting between clients.)

Other positions are advertised specifically to students, promising "easy money" from the very beginning:

The advertisement sounds like a dream part-time job: You should have Facebook and Telegram accounts, and one to two free hours per day to participate in a credit card extraction project. And don't worry, you will be paid for simply sending spam messages.

Much like the real job market, recruiters use diverse ways to attract the attention of young people with offers of nice conditions and good compensation, but some also try to appeal to the young mind by playing on being cool and attractive ("flash the cash").

It seems that the underground community understands the value and need in bringing young members into its fold and teaching them the ways of the underground, so that they may one day become its future.

Other types of menial underground jobs can be performed online. These require little to no skill but rather the willingness to be something of a human automaton. Positions for captcha solvers and data entry clerks, as they're known, are widely represented here.

Much of the infrastructure work that needs to be done as part of a future operation must be done en masse. Many parts can be automated, but some cannot. Employees in these positions fill those gaps to streamline the operation as a whole.

And do not forget about the verity of jobs related to art, from webservice or application design to drawing fake documents and the like.

Kicking It Up a Notch

The market offers other types of jobs that do not require special technical skills but do mostly ask applicants to have a "good head on their shoulders." This kind of job includes more physical activity and is considered much more dangerous compared to jobs in the previous category. Some even claim that these employees are the most frequently arrested than other members of the underground. The "cashouts," money mules and ATM filler jobs that fit into this category, however, appear to be well-paying jobs that possibly compensate for the considerable risk accepted by employees, who may very well wind up in prison if caught. (A cashout is a person who turns your cashless money into real cash by, for example, using a fraudulent cash card to withdraw money from an ATM.)

This typical job offer for a cashout position illustrates the ease of the task, simply asking the employee to give a percentage of the cashout money to employer. No specific mention of the risks is included in this advertisement, implying that the applicant is already familiar with them when applying.

Another advertisement looks for "agents" or "representatives," essentially salespeople who can bring wealthy clients into the business. They will receive a good commission from every deal (15%, starting from USD $7,200). They will be paid for getting customers to use the service:

The above advertisement not only illustrates the continued popularity of counterfeit money schemes worldwide, but also shows us the potential income of such an employee. The advertiser proposes from 250,000 to 450,000 RUB per month (approximately USD $4,000 to $7,200). This is a very high salary even in Moscow, not mentioning more remote regions, and is usually only paid to top/senior management or senior developers, making this salary extremely attractive for a non-qualified job.

The most popular job, both in offers and for those looking for employment, involves "drops." A dropper is a person who receives money transactions, goods or anything else, and then redirects it to a target point or another dropper. The droppers are used to separate and distance the source of the goods from their destination, naturally implying that the goods themselves are of an illegal nature. This is a highly efficient way of complicating any attempt to trace the flow of the operation when it comes to physical goods. 

These droppers are not a regional or country-specific phenomenon. They are often spread worldwide, wherever the dropper can be useful. Advertising may start in one country in an attempt to reach clients or employees from other countries:

The wide distribution of such job offers creates a market for manager positions who group several droppers and propose drop-as-a-service, getting to specific forums to find interested parties.

Moonlighting, Anyone?

As the saying goes, it's easier to find a job when you already have one. These next offers really take that statement to heart. The qualification is not in skill or knowledge, but rather in already being employed by a company of interest:

Offers like the above simply require the employee to help provide some inside information. This often ties back to a larger operation that requires monitoring to make sure that it is progressing as expected, or where tracking of specific people is needed.

The next offer looks for employees of banks who can assist obtaining loans for droppers or other needs that contribute to a larger operation:

The remuneration starts from 200,000 RUB (USD $3,150), with the best employee having earned 370,000 RUB (USD $5,800) the month before. For comparison, the average monthly wage for common bank workers stands at around 35,000 RUB (USD $550), a bank manager's average salary is about 110,000-120,000 RUB (USD $1,700 to 1,900), with senior managers salaries reaching up to 200,000-250,000 RUB (USD $3,150 to 3,950). This means that an entry-level bank employee doing this work could earn as much, if not more, than a senior manager in their bank. Needless to say, this significant increase in salary is pivotal for the underground business to find employees, as the risk here is very high. If caught, the employee will, at best, only lose their job and their ability to ever work in the finance sector again, and at worst, face prison time.

But not to worry, some of these offers assure you that you will not get caught, as maintaining a low profile is of utmost importance to them:

Some actors in the underground also try to recruit post office workers to use as safe droppers, because as employees at the post office they can intercept certain packages for their employers and re-route them as necessary without raising much suspicion:

Others aim even higher, attempting to recruit security professionals and government employees for what they describe as "long-term collaboration," hopefully unsuccessfully:

The advertisement promises from 400,000 RUB (USD $6,300) for two weeks providing "white" (legal) information and from 50,000 RUB (USD $800) per day for providing "black" (illegal) information.

This sort of recruitment continues on as the underground realized the possibilities and potential being having access to such private data, professional-looking ads such as these can be found in the underground:

The ad campaign tries to reach a wide number of employees in different sectors and organizations. The poster above is looking not only for the commonly requested cellular provider or bank employees, but also targets employee of government agencies. The advertiser is not shy about seeking contacts within law enforcement agencies as well. The ad invites employees of the Federal Customs Service, Federal Migration Service, State Civil Register Office, Ministry of Internal Affairs, General Administration for Traffic Safety, Pension Fund of the Russian Federation and land-administration agency "ROSREESTR" to work with them.

Another forum advertisement steps further and invites into their fold a broad assortment of employees from different countries including post offices, notaries, SIM sellers, railways, hotel or hostel employees- anyone who has access to customer databases.

The spectrum of organizations suggests that this search for insiders ties into bigger schemes than the mere collection of customer data, which is interesting given some of the services we will talk about a bit later in this blog.

Specialists

The job offers and propositions related to specific underground specialists are listed separately. Malware developers and hackers-on-demand are rarely represented but can be found if one knows where to look. The advertisements mostly list the person's general technical skills and their specializations.

While most of these advertisements remain fairly professional, others go for a more radical marketing approach:

And much like the business world that we all know, once in a while you run into an entrepreneur who doesn't quite have it all figured out, but really wants to create something new and profitable:

"One important key to success is self-confidence. An important key to self-confidence is preparation."

Arthur Ashe

Traditional Crime

This overview would not be complete if it failed to cover job offers and specialists in areas of physical crime. These advertisements are surprisingly direct and open given that these jobs are widely considered as crimes all over the world. The most common job offers are for drug delivery or cache placement positions:

Like in every successful organization, a career development path and incentive bonus plans exist here, too.

For people who want to develop their computer skills, the market offers a variety of jobs like skimmers and "cutlet" installers (ATM malware), mentioning that these are illegal actions but with no description for possible punishment from law enforcement.

Another advertisement describes this process as a simple and quick operation, playing on greed and sloth of protentional employees:

Further escalating on the illegal scale, the following ad offers a "well-paid" job for adults willing to burn someone's car on demand:

There are various kinds of job offers requiring the employee to perform varying levels of criminal offenses. For someone averse to setting things on fire, the following job simply requires them to show up and assume responsibility for an accident at an accident site. These are typically schemes aiming to scam car insurance agencies, but not to worry, they will introduce you to a professional who can eliminate these records from the databases, so that your future personal insurance costs are not harmed. Not only that – you will not get caught!

Deadly Crime…

Torching cars and scamming insurance agencies are not the only traditional crime jobs offered in the underground. Heavy criminals, sometimes related to gangs and mobs, look to hire people willing to commit extreme crimes involving varying degrees of physical violence toward their targets.

Advertisements on many boards offer services ranging from "teaching someone a lesson" to making someone disappear. We can never be sure whether all of these advertisements are real, but given how many of them reside in the underground it is likely that at least some of them are indeed legitimate.

The crime organization here sometimes shows their relationship to real-world organizations. Like many others in its line of work, this service claims to be an international group with the ability to get a person anywhere in the world – but also subtly hints at their relations to Italian organized crime (Italian mafia).

The service seems pretty popular and has been operating since 2013. In the context of this topic, it's worth mentioning that some underground advertisements seek out connections to real criminal organizations looking for collaboration and services:

The variety of services, skills and hired individuals lead to establishing services that can solve any kind of issue. The service provides a full set of solutions, such as people search and tracking, phone tracking, retrieving phone calls and SMSs, and covert surveillance. The list of services is truly impressive. The organization can retrieve data in many ways, as well as perform more technical tasks involving hacking or DDoS attacks. The organization also offers services for "taking care of" your competitors, ranging from disrupting their business by causing trouble to "teaching them a lesson in good behavior."

The service has received positive feedback from its users and seems to be continuing to develop.

Summary

Sadly, if you unsure of your strengths and competency to succeed in the legitimate job world – and your ethics and morals are nowhere to be found – these advertisements may very well speak to you. That's the intention of their creators. To target the susceptible.

The dark web is a global marketplace that connects people from all over the world and helps answer demand for illegal services and provide laborers with supply. Many concepts from the everyday job market that we're familiar with still apply here, but risk factors almost always exist and are taken into account.

And at the end of the day, money talks loudest of all. The market's ability to well compensate its employees seems to go a long way to keeping the supply alive.

Continue Reading

Underground Code of Honor - Part 1 of 3

Money Laundering: Washing Your Greens in the Underground - Part 3 of 3

Latest SpiderLabs Blogs

2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies

Trustwave SpiderLabs’ 2024 Public Sector Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies report details the security issues facing public sector security teams as...

Read More

How to Create the Asset Inventory You Probably Don't Have

This is Part 12 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More

Guardians of the Gateway: Identity and Access Management Best Practices

This is Part 10 in my ongoing project to cover 30 cybersecurity topics in 30 weekly blog posts. The full series can be found here.

Read More