Hackers-for-hire have been in the mainstream media again recently, after a data leak from a cybersecurity firm in China revealed that hiring hackers is an increasingly common practice. It’s happening worldwide, and it poses a major security risk to governments and private organisations – with hired hackers earning tens of thousands of dollars to harvest data from targets, feeding it back to their clients.
Malicious hackers-for-hire are a real (and growing) problem. But the vast majority of malicious hacking services advertised on the dark web are not legitimate – and that is a problem, too.
Research shows that many of the for-hire services offered by hackers are actually scams – with only a small number of them delivering what they promise.
The service providers often lack the skills required to complete the tasks they’re offering, or they simply never have any intention of doing the job, knowing that there’s little chance of clients being able to file complaints or seek compensation.
A 2019 study by researchers at Google and UC San Diego, for example, found that only five out of 27 hacker-for-hire services actually launched attacks against targets.
Of course, things have changed since then. The proliferation of more affordable and accessible cyber tools and automation means that the barriers to entry for malicious hackers are lower than before; it’s easier to launch attacks without being a skilled hacker, and easier to scale those attacks too. Threat actors can deploy services and intelligence that just weren’t available to them before – so while we haven’t been able to find reliable data on this, it’s reasonable to assume that genuine hacker-for-hire services are becoming more prevalent.
A 2023 report by the UK’s National Cyber Security Centre (NCSC) predicted that the number of hackers for hire will grow over the coming five years, driving a growth in the number and frequency of cyber attacks.
Jonathon Ellison (Director of Resilience and Future Tech at NCSC) told Sky News,
“Our new assessment highlights that the threat will not only become greater but also less predictable as more hackers for hire are tasked with going after a wider range of targets and off-the-shelf products and exploits lower the barrier to entry for all.”
The services offered by hackers-for-hire are wide ranging: from personal attacks against individuals, to attacks against specific websites, DDoS attacks, and attacks that target large-scale organisations in both the private and public sectors.
So when it comes to getting scammed by the false promises of a hacker-for-hire ad, the scope of potential victims is wide-ranging too – from individuals with a vendetta against someone, to groups wishing to compromise a corporation or government organisation; and everyone in between.
Should we care? If someone goes and hires a hacker for malicious purposes, isn’t it fair if they get scammed?
Well, yes, maybe. But the rise of hacker-for-hire scams represents a bigger problem. It shows that malicious hacking is an increasingly lucrative enterprise, and that the anonymity of online spaces creates the conditions for new scams all the time. And crucially, it puts those who are legitimately seeking a hacker-for-hire (or pentester) at risk – those who want to test the security of their own network assets could come up against a scammer instead of a genuine hacker, incurring financial losses and potentially reputational damage too.
When engaging a pentester, clients should always:
Join us at Black Hat MEA 2024 to learn directly from the world’s best ethical hackers. Meet them face-to-face, gain insights into how they work, and build relationships to ensure you have the best pentesters in your contact book when you need them.