Over a 30-month period, cybercriminal groups and threat groups advertised for workers with expertise in software development, IT infrastructure maintenance, and designing fraudulent websites and email campaigns.
In accordance with a new report from cybersecurity firm Kaspersky, demand for technically skilled individuals continues, but it spiked during the coronavirus pandemic, with double the average job advertisements coming during March 2020, the first month of the pandemic.
The analysis gathered messages from 155 Dark Web forums between January 2020 and June 2022, focusing on those that mentioned employment — either by cybercriminal groups or individuals looking for work. The majority of job postings (83%) were from threat groups looking for highly skilled workers, such as developers (61%), attack specialists (16%), and fraudulent website designers (10%).
As per Polina Bochkareva, a security services analyst at Kaspersky, enhancing defenses has compelled attackers to optimize their tools and techniques, driving the need for more technical experts.
"Business related to illegal activities is growing on underground markets, and technologies are developing along with it," she says. "All this leads to the fact that attacks are also developing, which requires more skilled workers."
The data on underground jobs reveals a spike in activity in cybercriminal services as well as the professionalization of the cybercrime ecosystem. According to a December report, ransomware groups have become much more eļ¬cient as they have turned specific aspects of operations into services, such as offering ransomware-as-a-service (RaaS), running bug bounties, and forming sales teams.
Furthermore, initial access brokers have productized the opportunistic compromise of enterprise networks and systems, frequently selling that access to third parties. According to the Kaspersky report, such a segment of labor necessitates the use of technically skilled individuals to develop and support complex features.
"The ads we analyzed also suggest that a substantial number of people are willing to engage in illicit or semilegal activities despite the accompanying risks," the report stated. "In particular, many turn to the shadow market for extra income in a crisis."
Pandemic caused spike
A similar crisis sparked a surge in activity on Dark Web forums in early 2020. The pandemic, with its sudden layoffs and work-from-home mandates, fueled significant activity in the cybercrime underground, with 2020 seeing the highest number of employment-related posts. Overall, 41% of advertisements and job-seeking inquiries were posted on the Dark Web during the year, which is about average. However, March 2020 was the first month of worldwide lockdowns and saw approximately 6% of all postings, roughly double the average rate.
"Some ... living in the region suffered from the reduction of income, took a mandatory furlough, or lost their jobs altogether, which subsequently resulted in rising unemployment levels," Kaspersky stated in the report. "Some job seekers lost all hope to find steady, legitimate employment and began to search on Dark Web forums, spawning a surge of resumes there. As a result, we observed the highest ad numbers, both from prospective employers and job seekers."
Personal crises emerged to drive some technically inclined workers to seek employment with cybercriminal organizations. A common refrain in job advertisements is that applicants should not be addicted to drugs or alcohol.
"Teamwork skills, stable connection, no alcohol or drug addictions," read one job posting's translated requirements in the Kaspersky report.
"Dirty Work"
In many cases, the terms of the Dark Web jobs were similar to those of legitimate jobs, such as full-time employment, paid time off, and regular pay increases, with salaries ranging from $1,300 to $4,000 per month. However, the majority did not have an employment contract, and only 10% included a promise to pay salaries on time. The underground employment opportunities were dubbed "dirty jobs" in the report.
"Many are drawn by expectations of easy money and large financial gain," the report stated. "Most times, this is only an illusion. Salaries offered on the Dark Web are seldom significantly higher than those you can earn legally."
Reverse engineers had the highest potential median salary of $4,000 per month, with attack specialists and developers coming in second and third with promises of $2,500 and $2,000, respectively. However, the majority of offers (61%) were geared toward developers. According to Kaspersky's Bochkareva, these workers are the key to the cybercriminal underground.
"The most sought-after professionals were developers and attack specialists, particularly for coding malicious programs, phishing websites, and planning and implementing attacks," she says.