Black market websites have offered a wide array of services aimed at the aspiring cyber-criminal for some time. However, recent attention has been given to a new breed of websites that offer hacking services to a much broader market. Hacking, it would seem, is moving from the realms of the aspiring criminal on the dark web and becoming a mainstream service.
Sites such as hackerslist.com, hackerforhire.org and neighbourhoodhacker.com have developed as anonymous meeting grounds for those seeking hacking services and those willing to provide them for a fee. Even the review site hackerforhirereview.com has sprung up, ostensibly rating such sites for veracity and effectiveness. As is to be expected in a technologically advanced market such as this, the free market has adapted to fill a perceived gap in the market before legislation can catch up. As such, the legality of these sites and practices remains in question, yet this has not prevented them from being populated with hundreds of listings.
The services offered on these sites tend to be only a portion of those offered on the much larger and unambiguously illegal ‘underground' market of the dark web. You won't find advertising for malicious botnets of infected computers with which to conduct a DDoS attack, nor can you purchase stolen passwords or credit card information.
Mainstream hackers for hire focus more on breaking into social media accounts, ostensibly to recover lost passwords, removing defamatory content or investigating and tracking down cyberbullying. Many of these sites advertise these activities as examples of ethical hacking, but in reality these practices are a far cry from the white-hat hacking that the information security industry would conventionally dub ethical.
The purpose of ethical hacking is to highlight failings in a cyber-security system using penetration testing techniques without causing any damage and then bringing any vulnerabilities to the party in question so that the relevant patches can be applied to fix them.
To qualify as a Certified Ethical Hacker (CEH) applicants must have worked in the information security industry for at least two years and passed a four-hour exam. As such, the term ‘ethical', when applied to the information security industry, is less about morality and more about qualifications.
White hat hackers are often employed by the companies they target to stress test their defences and ultimately improve an organisation's security. For example, hackers were recently able to take control of a Chrysler Jeep using the car's uconnect infotainment system, remotely controlling the vehicle through the cellular network. The hacker's aims were simply to make Fiat Chrysler, and other car makers, aware of this vulnerability and promote the issue of security for connected devices/cars. This resulted in the eventual recall of 1.4 million cars.
The supposedly ethical hacking on offer from these sites offers no accountability whatsoever. Who is to say that once a password is cracked or recovered the hacker will stop there? You have no way of knowing whether the hacker captured your information while they were in your account. The entire service very probably exists purely as a scam to capture personal and financial details.
Pricing on these websites is deliberately set at prices that are well within reach of most consumers whilst being expensive enough to retain an air of official complexity. The cost of services ranges depending on a number of factors but generally cost between $100 and £3000 depending on the complexity of the hacking job. For example, a recent request on HackersList, asking for help in accessing a Facebook account, successfully closed with a $350 bid.
Year on year, the barrier to entry into participating in cybercrime becomes easier but consumers should be aware that such activities are unregulated. Anything likely to be a scam is usually not the best way to resolve any legitimate issues you might have with your social media account. Ultimately these sites are a symptom of a growing demand for hacking services.
Their emergence brings a prevalent trend in services on the black market into the wider consumer domain. It is clear that there are substantial risks to using these services and we would advise everyone to steer well clear of them.
Contributed by Grayson Milbourne, director of security intelligence at Webroot.