Google's Threat Analysis Group (TAG), which works to protect Google and its users from serious threats, regularly publishes analyses of evolving threats such as commercial surveillance vendors, serious criminal operators, and government-backed attackers. Continuing that work, it recently shared intelligence on another segment of attackers: hack-for-hire firms, which compromise victims' accounts and exfiltrate their data as a service. Read on to learn more about this group.
Hack-for-hire firms differ fundamentally from commercial surveillance vendors, who typically sell a capability for the end user to operate. Hack-for-hire firms usually conduct the attacks themselves, target a broad range of users, and opportunistically exploit known security flaws in their campaigns. What the two have in common is that both put attacks in the hands of clients who would otherwise lack the capability to carry them out.
TAG reports seeing hack-for-hire attackers target journalists, political and human rights activists, and other high-risk users worldwide, putting their security, privacy, and safety at risk. Hack-for-hire groups also carry out corporate espionage.
TAG shared examples of the hack-for-hire ecosystem in India, Russia, and the UAE to help users understand these actors' capabilities and persistence mechanisms.
How Hack-For-Hire Ecosystem Works
Hack-for-hire operations are fluid, both in the breadth of targets within a single campaign and in how the operators organize themselves. Some attackers openly advertise their products and services to anyone willing to pay, while other groups sell to a limited audience and operate more discreetly.
TAG observed Indian hack-for-hire firms working with third-party private investigative services (intermediaries that request services on a client's behalf) and providing data exfiltrated in an earlier successful operation. In its account of the Indian ecosystem, TAG also observed these firms working with freelance actors they did not directly employ.
The breadth of targets in these campaigns stands out. It contrasts with government-backed operations, which usually have clearly delineated targets and missions. In recent hack-for-hire campaigns, attackers were seen targeting a Nigerian education institution, a Balkan fintech firm, an Israeli shopping company, and an IT firm in Cyprus.
Recent Hack-for-Hire Campaigns
TAG has tracked Indian hack-for-hire actors since 2012: an interwoven set of operators, many of whom previously worked with the Indian offensive security providers Appin and Belltrox. Analyzing their patterns, TAG found that they frequently targeted the government, telecom, and healthcare sectors in the United Arab Emirates, Bahrain, and Saudi Arabia with credential phishing. The campaigns ranged from targeting specific government organizations to targeting Gmail and AWS accounts.
After further investigation, TAG linked these attacks to former employees of Belltrox and Appin, and traced links to a new firm, Rebsec, which openly advertises corporate espionage as an offering on its website.
Indian hack-for-hire attack Domains:
A 2017 credential phishing attack targeting a Russian anti-corruption journalist caught TAG's attention and started its investigation into this campaign. Investigators found that the Russian actor went on to target politicians, journalists, NGOs, and other non-profit organizations across Europe. The notable feature of the campaign was the breadth of its targeting, which included individuals with no affiliation to the targeted organizations: ordinary citizens living everyday lives in Russia and other countries. This hack-for-hire actor is known today as 'Void Balaur.'
Regardless of the target, the modus operandi was similar: phishing emails carrying a link to an attacker-controlled phishing page. The lures were fake notifications from Gmail and other mail providers, or messages spoofing Russian government organizations. After compromising an account, the attacker maintained persistence by granting an OAuth token to a legitimate email application such as Thunderbird, or by generating an App Password and accessing the account over IMAP. Both App Passwords and OAuth tokens are revoked when the user changes their password, so a password change on a compromised account cuts off both of these persistence paths.
Early in the investigation, TAG discovered that the attacker advertised account-hacking capabilities for social media and email services on a public website (since taken down). The site also claimed positive reviews on the Russian underground forums Probiv.cc and Dublikat. TAG has observed the group targeting accounts at major webmail providers such as Gmail, Hotmail, and Yahoo!, and at regional providers such as UKR.net, mail.ru, inbox.lv, and abv.bg.
Russian hack-for-hire Attack Domains:
United Arab Emirates
TAG is tracking an active hack-for-hire group based in the United Arab Emirates that operates mostly in the Middle East and North Africa. Its primary targets are government, education, and political organizations, including Middle East-focused NGOs based in Europe and the Palestinian political party Fatah. Amnesty International has also reported on the group's campaigns.
The attackers use the SendGrid or MailJet API to send phishing emails that lure victims with a prompt to reset their OWA or Google password. They steal the credentials entered on the phishing page and use them against the victims, including for blackmail. While most hack-for-hire campaigns use open-source phishing frameworks such as GoPhish and Evilginx, this group uses a custom phishing kit built on Selenium, a tool for automating web browsers. First identified by Amnesty, the kit has been under active development for the past five years.
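A password-reset lure of the kind described above usually betrays itself in the headers rather than the body: the From line claims the brand, while the bounce path and the link targets belong to someone else. The following triage script is an example added here, not TAG's or Amnesty's tooling. Both messages are constructed, the lure/benign distinction is illustrative, and every domain other than google.com and gmail.com is hypothetical.

```python
"""Triage a suspected password-reset lure: parse the message and compare the
claimed sender brand against the bounce path and the link targets.
Example added here, not TAG's tooling; both messages are constructed and every
domain other than google.com / gmail.com is hypothetical."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: legitimate domains for the brands whose reset notices we expect.
BRAND_DOMAINS = {"google": {"google.com", "gmail.com"}}
LURE_PHRASES = ("reset your password", "password expired", "verify your account")

# Constructed lure: From claims Google, but the bounce path goes to a bulk-mail
# provider and the reset link points at a look-alike host.
LURE = b"""Return-Path: <bounces+4412@esp-bulkmail.example>
From: "Google Accounts" <no-reply@accounts.google.com>
To: target@example.org
Subject: Security alert - reset your password
Content-Type: text/html; charset=utf-8

<html><body>A sign-in attempt was blocked.
<a href="https://accounts-google-verify.example/reset?u=target%40example.org">Reset your password</a>
</body></html>
"""

# Constructed benign notice: bounce path and link both stay on the brand's domains.
LEGIT = b"""Return-Path: <bounce@google.com>
From: "Google" <no-reply@accounts.google.com>
To: target@example.org
Subject: New sign-in from Windows
Content-Type: text/html; charset=utf-8

<html><body>If this was you, no action is needed.
<a href="https://myaccount.google.com/notifications">Check activity</a>
</body></html>
"""


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _under(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw, brand):
    """Return a list of flags; an empty list means nothing looked off."""
    msg = message_from_bytes(raw, policy=policy.default)
    allowed = BRAND_DOMAINS[brand]
    flags = []

    from_domain = _domain(parseaddr(str(msg["From"]))[1])
    rp = re.search(r"@([\w.-]+)", str(msg.get("Return-Path", "")))
    rp_domain = rp.group(1).lower() if rp else ""
    # Sent "as the brand" but bouncing to third-party sending infrastructure
    if _under(from_domain, allowed) and rp_domain and not _under(rp_domain, allowed):
        flags.append("bounce_path_off_brand:" + rp_domain)

    subject = str(msg["Subject"] or "").lower()
    if any(p in subject for p in LURE_PHRASES):
        flags.append("reset_lure_subject")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href in re.findall(r'href="([^"]+)"', html):
        host = (urlparse(href).hostname or "").lower()
        if host and not _under(host, allowed):
            flags.append("link_off_brand:" + host)
    return flags


if __name__ == "__main__":
    print(triage(LURE, "google"))   # three flags
    print(triage(LEGIT, "google"))  # []
```

The bounce-path check is the one that catches mail sent "as Google" through a bulk-mail API: legitimate brand notifications bounce to the brand's own domains, while a lure sent through a third-party sender does not. In production the same logic would read the authenticated DKIM and SPF domains from Authentication-Results rather than trusting Return-Path alone.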
Once an account is compromised, the attacker maintains persistence by granting themselves an OAuth token to a legitimate email application such as Thunderbird, or by linking the victim's Gmail account to an attacker-owned account at a third-party mail provider. The attacker then uses a custom tool to download the mailbox contents over IMAP.
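Both the Void Balaur and UAE sections describe the same post-compromise pattern: a mail-scope OAuth grant or App Password, then a bulk IMAP pull, sometimes with the mailbox linked or forwarded to an attacker-owned account. The hunt below is an example added here, not TAG's tooling. It runs over a constructed, simplified audit log whose event shape is hypothetical (not any vendor's real schema), and it also returns the response steps, separating what a password change revokes from what it does not.

```python
"""Hunt for the mailbox-persistence patterns described above (OAuth grants to
mail clients, App Passwords, IMAP pulls, and account linking/forwarding).
Example added here; the audit-log shape is a hypothetical simplification,
not any vendor's real schema, and every event below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_SCOPES = {"https://mail.google.com/", "mail.readonly", "mail.modify"}
INTERNAL_DOMAINS = {"example.org"}   # assumption: the organisation's own domain(s)
BURST_WINDOW = timedelta(hours=24)   # persistence set up soon after a login is the tell
PERSISTENCE_EVENTS = {"oauth_grant", "app_password_created", "forwarding_added"}

# Constructed events: a journalist's account gets a mail-scope OAuth grant, an App
# Password and external forwarding minutes after a login, then an IMAP pull from a
# second IP. A colleague's calendar-only grant is the benign control case.
SAMPLE_EVENTS = [
    {"ts": "2022-06-01T09:12:00Z", "user": "reporter@example.org", "event": "login_success", "ip": "203.0.113.5"},
    {"ts": "2022-06-01T09:13:10Z", "user": "reporter@example.org", "event": "oauth_grant",
     "app": "Thunderbird", "scopes": ["https://mail.google.com/"], "ip": "203.0.113.5"},
    {"ts": "2022-06-01T09:14:30Z", "user": "reporter@example.org", "event": "app_password_created",
     "label": "Mail on laptop", "ip": "203.0.113.5"},
    {"ts": "2022-06-01T09:20:00Z", "user": "reporter@example.org", "event": "forwarding_added",
     "to": "collector@thirdparty-mail.example", "ip": "203.0.113.5"},
    {"ts": "2022-06-02T11:00:00Z", "user": "reporter@example.org", "event": "imap_login", "ip": "198.51.100.77"},
    {"ts": "2022-06-05T08:00:00Z", "user": "analyst@example.org", "event": "oauth_grant",
     "app": "Calendar Sync", "scopes": ["calendar.readonly"], "ip": "192.0.2.10"},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")


def hunt(events, internal_domains=INTERNAL_DOMAINS):
    """Return (user, finding, detail) triples for suspicious persistence activity."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        interactive_ips = {e["ip"] for e in evs if e["event"] == "login_success"}
        for e in evs:
            kind = e["event"]
            if kind == "oauth_grant" and MAIL_SCOPES & set(e.get("scopes", [])):
                findings.append((user, "mail_scope_oauth_grant", e["app"]))
            elif kind == "app_password_created":
                findings.append((user, "app_password_created", e.get("label", "")))
            elif kind == "forwarding_added":
                dest_domain = e["to"].rsplit("@", 1)[-1].lower()
                if dest_domain not in internal_domains:
                    findings.append((user, "external_forwarding", e["to"]))
            elif kind == "imap_login" and e["ip"] not in interactive_ips:
                # Mailbox pulled over IMAP from an IP never used for a browser login
                findings.append((user, "imap_login_new_ip", e["ip"]))
        # Several persistence changes inside one window after a login: more likely an
        # attacker cementing access than a user setting up a new phone.
        for login in (e for e in evs if e["event"] == "login_success"):
            start, end = _ts(login), _ts(login) + BURST_WINDOW
            burst = [e for e in evs if e["event"] in PERSISTENCE_EVENTS and start <= _ts(e) <= end]
            if len(burst) >= 2:
                findings.append((user, "persistence_burst",
                                 f"{len(burst)} changes after login from {login['ip']}"))
    return findings


def remediation(findings):
    """Response steps implied by the findings. A password change revokes OAuth
    tokens and App Passwords, but forwarding rules have to be removed separately."""
    kinds = {f[1] for f in findings}
    steps = []
    if kinds & {"mail_scope_oauth_grant", "app_password_created", "imap_login_new_ip", "persistence_burst"}:
        steps.append("force password change: revokes OAuth tokens and App Passwords")
        steps.append("review and revoke remaining third-party app access")
    if "external_forwarding" in kinds:
        steps.append("delete external forwarding / linked accounts (not cleared by a password change)")
    return steps


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
    print(remediation(hunt(SAMPLE_EVENTS)))
```

The single-event rules are noisy on their own (users do add Thunderbird and App Passwords), which is why the burst rule keys on several persistence changes landing within one window of a login. The remediation split matters in practice: the password change the text mentions kills tokens and App Passwords, but a forwarding rule or linked account keeps exfiltrating mail until someone deletes it.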
TAG linked this group to the original developer of H-Worm, also known as njRAT. In 2014, Microsoft filed a civil lawsuit against the developer, Mohammed Benabdellah, for developing and distributing H-Worm. Benabdellah, who also goes by the moniker Houdini, has been actively involved in developing and operationalizing the credential phishing capabilities the group has used since its inception.
UAE hack-for-hire Attack Domains:
Final Words – Protecting the Users
In its ongoing effort to combat advanced threat actors and protect users, TAG feeds its research findings back into product security. After discovering these hack-for-hire campaigns, TAG added the identified domains and websites to Safe Browsing to shield users from further harm. It also urged high-risk users to keep all their devices updated, to enable Enhanced Safe Browsing at the Google Account level, and to enroll in Advanced Protection. In light of the credential phishing campaigns described above, TAG and Google's cybercrime investigation group are also in contact with law enforcement agencies.
TAG is committed to sharing its findings on the latest threats to raise awareness within the security community and among the individuals and organizations that may be at higher risk. It does so on the premise that a better understanding of attacker tactics and techniques improves threat hunting and leads to stronger user protections across the industry.