Dark Web Cybercriminals Are Leveraging Insider Data

Insider threats are teaming with external bad actors to form brutally effective tag teams.


Malicious employees, also known as insider threats, can cause significant harm to businesses by leaking or selling sensitive data, altering systems, or collaborating with cybercriminals to launch large-scale cyberattacks. New findings from NordStellar reveal that bad actors are now advertising and selling insider data-backed services on the dark web — profiting from employees of industry giants who have decided to go rogue.

The team at NordStellar has found 35 dark web posts claiming to sell services based on insider data so far this year. Some of the services for sale on the dark web claim to have direct connections to insiders from such well-known companies as Facebook, Instagram, and Amazon.

The majority of the posts discovered by NordStellar's team offer various look-up services, exposing sensitive user information, such as IP addresses, full names, email addresses, phone numbers, and even physical addresses. Aside from violating the user's privacy, this information can be used to launch highly targeted phishing scams or to commit fraud — or even identity theft.

The posts reveal that look-up services can start at $500, offering the user’s phone number and linked email address. Advanced packages, which contain even more sensitive user information, such as IP addresses, physical addresses, date of birth, and other confidential details, can be purchased for $1,000 or more. 

Other popular services include account recovery and unbanning. The former can be especially damaging to the brand because users are often banned for violating the company's policies or engaging in fraudulent activity. As a result, individuals who have been using the company's services for scams can continue to do so, acquiring more victims and damaging the brand's reputation in the process.

Spotting and Stopping Insider Threats

Insider threats are complex, and to safeguard against malicious employees, companies must have a comprehensive cybersecurity strategy in place. High observability and behavioral analysis are the two main pillars for resilience.

The first key step is to ensure high observability into user actions — once security teams achieve visibility, they can look for anomalies in employee behavior, triggering the first alarms about potential malicious activity. Security teams should assess whether there are any potentially dangerous patterns in activity, for example, if a user is accessing sensitive information without justification or if there are any signs of them exfiltrating that information to external sources, like their own personal devices, accounts, or third parties.

This underscores the importance of proper network segmentation and the principle of least privilege in general to prevent users from accessing sensitive information that isn't necessary for their work. To prevent employees from sharing and downloading unauthorized files, data loss prevention tools are also required. 
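The check for access without justification described above can be sketched over an audit log, as an added example that is not from the article or from NordStellar. It assumes a hypothetical internal look-up tool that logs the employee, the customer record viewed, and a support ticket reference; the log format, the names and the volume threshold are all assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed audit log from a hypothetical internal customer look-up tool.
# "ticket" is "-" when the look-up was not tied to a support case.
SAMPLE_LOG = """\
ts,employee,customer_id,ticket
2025-03-03T09:12:00,alice,c1001,T-501
2025-03-03T09:40:00,alice,c1002,T-502
2025-03-03T10:05:00,bob,c1003,T-503
2025-03-03T10:30:00,bob,c1004,T-504
2025-03-03T11:00:00,carol,c1005,T-505
2025-03-03T11:20:00,carol,c1006,-
2025-03-03T21:50:00,dave,c2001,T-506
2025-03-03T22:14:00,dave,c2002,-
2025-03-03T22:15:00,dave,c2003,-
2025-03-03T22:17:00,dave,c2004,-
2025-03-03T22:18:00,dave,c2005,-
"""

def analyze(log_text, volume_factor=2.0):
    """Return {employee: [reasons]} for look-up activity worth reviewing."""
    customers = defaultdict(set)   # employee -> distinct customers viewed
    no_ticket = defaultdict(int)   # employee -> look-ups with no ticket
    for row in csv.DictReader(io.StringIO(log_text)):
        customers[row["employee"]].add(row["customer_id"])
        if row["ticket"] == "-":
            no_ticket[row["employee"]] += 1
    # Peer baseline: median number of distinct customers per employee.
    baseline = median(len(seen) for seen in customers.values())
    findings = {}
    for emp, seen in customers.items():
        reasons = []
        if no_ticket[emp]:
            reasons.append(f"{no_ticket[emp]} look-ups without a ticket")
        if len(seen) > volume_factor * baseline:
            reasons.append(f"{len(seen)} customers vs peer median {baseline}")
        if reasons:
            findings[emp] = reasons
    return findings

if __name__ == "__main__":
    for emp, reasons in analyze(SAMPLE_LOG).items():
        print(emp, "->", "; ".join(reasons))
```

A single ticketless look-up is a prompt for review rather than proof of misuse; the two signals together are what separate the last employee in the sample from the rest.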

Consistent monitoring is another key asset — if prior security measures failed to stop the user from retrieving and exfiltrating the data, it's crucial to mitigate the threat before it can escalate further. Monitoring the dark web for posts mentioning the company, especially those claiming to sell services fueled by insider data, should be prioritized. 

Once the potential threat is spotted, security teams can inspect its validity and, if the claims turn out to be legitimate, stop the employee from doing further damage and inform affected users to be on high alert before cybercriminals can deploy their attacks.

To effectively mitigate the damage inflicted by malicious insiders, companies should prepare an incident response plan in advance. The plan should outline the detection and investigation process, as well as the steps for containing the threat, eradicating the user's access to company data, and recovering systems if attackers compromise them in the process.
