To work as to phishing – Newspaper Kommersant No. 142 (7343) dated 08/08/2022

The number of offers to employees of Russian organizations to open access to intruders to internal data or run malicious code is growing on the network, cybersecurity experts have recorded. Since spring, ads with similar work have been placed not only on the dark web, but also on Telegram. The fee for the service can be about four salaries of an employee, and the responsibility can not exceed a fine of 20 thousand rubles, experts explain.

In the first half of the year, the number of offers from abroad to employees of Russian companies to become insiders, that is, to provide paid services to attackers, increased four times compared to the same period in 2021, Phishman calculated. The list of such services may include, for example, the launch of malicious code on the organization’s system, which will allow remote access to it. If earlier such offers were placed exclusively on the darknet, then since the spring of this year, offers began to appear in specialized Telegram channels, Phishman said. Their number, according to the company, at the moment could exceed 200 pieces.

“The cost of searching for a person’s passport data by phone number in the database can vary from 2,000 to 7,000 rubles, and tracking a mobile phone can start from 80,000 rubles,” says Phishman CEO Alexei Gorelkin.

The growth in demand for insiders in Russian organizations is confirmed by Pavel Kovalenko, director of the Informzashita anti-fraud center: “The surge in insider offers came in the spring of this year both on the darknet and in the public field. At the same time, the goal of a hacker attack is no longer so important, mass character comes to the fore. In addition, the qualifications or savvy of IT insiders have become less important.”

Experts find it difficult to estimate the number of responses to such proposals, explaining that the coordination of actions is already taking place in closed resources and chats.

But, according to Mr. Kovalenko, the surge in proposals is comparable in number to the increase in information leaks and attacks that were observed in the spring.

Since the end of February, the Russian IT infrastructure has been subjected to serious hacker attacks, which led to the shutdown of services and massive leaks of citizens’ data. So, for example, in the spring in public space turned out to be data from SDEK, Yandex.Food, Avito, Wildberries, Delivery Club and Rostelecom services. After the incident, Rostelecom announced that one of the former employees was involved in the leak.

This year, indeed, the price of the “conscience of an employee” has decreased, all the high-profile leaks of the year are somehow related to the human factor, Evgeny Antipov, the creator of the Eye of God bot, confirms. “The standard situation for companies is to give access to the order control panel, get 100% of user data leaked through one person, and then report to the security service that phishing was the culprit of the leak. And no one will be held accountable,” he says. According to Yevgeny Antipov, payment for such “work” can be four salaries of an employee.

The law is still quite lenient with regard to persons committing illegal actions with databases, despite the fact that in recent years the damage from such actions has grown exponentially, Dmitry Gorbunov, partner at Rustam Kurmaev and Partners, agrees.

For the theft of databases that do not constitute a trade secret, but contain personal data, administrative liability may follow with fines of up to 20 thousand rubles. for individuals for repeated violations in the processing of personal data.

Regulators are also paying attention to the problem: for example, the head of the State Duma Committee on Information Policy, IT and Communications, Alexander Khinshtein, suggested that the government partially lift the moratorium introduced in March on business inspections in terms of data leaks and allow Roskomnadzor to conduct inspections of affected companies. Such a letter was sent to Prime Minister Mikhail Mishustin on August 3 (see “Kommersant” dated August 4).

Despite the fact that cybersecurity experts note a decline in malicious activity by the beginning of the second half of the year, both due to seasonality and the absence of high-profile geopolitical precedents, they warn that the dynamics will resume by September. According to Pavel Kovalenko, hacker activity could double in autumn.

Tatiana Isakova, Nikita Korolev