Google blacklists hacking groups for hire

Google's Threat Analysis Group (TAG), which blacklists hack-for-hire groups around the world, has added dozens of new domains to its list. Here are the details:

The Google Threat Analysis Group (TAG), which has been fighting hacking groups since 2011, has added 37 new domain names and websites to its blacklist of hack-for-hire groups. In a newly published blog post on the TAG page, these domains, which include myproject-login[.]shop, mail-goolge[.]com and rnanage-icloud[.]com, are listed under three categories: the United Arab Emirates, Russia, and India.


How Hack-for-Hire Operations Work

The hack-for-hire landscape varies depending on both how the attackers organize themselves and what different customers want. Some hackers publicly promote their products and services to anyone willing to pay, while others sell more discreetly to a limited audience.

Hack-for-hire operations in India

TAG has been tracking a number of Indian hacking groups since 2012, many of which have previously worked for Indian offensive security providers Appin and Belltrox. These activities range from targeting specific government entities to AWS (Amazon Web Services) accounts and Gmail accounts.

The image below shows an example AWS phishing email.

The image below shows an example AWS phishing page.

TAG has linked former employees of both Appin and Belltrox with a new firm, Rebsec, which has publicly advertised corporate espionage as an offering on its company website. The picture below shows Rebsec’s offers, according to the company’s website.

Hack-for-hire operations in Russia

While investigating a phishing operation that took place in Russia in 2017 targeting a journalist fighting corruption, TAG discovered that the Russian attacker had targeted other journalists, politicians in Europe and various NGOs. It was noteworthy that the hacker for hire, known as Void Balaur, targeted people who had no connection with the selected organizations and who appeared to be ordinary citizens in Russia and the surrounding countries.

These operations usually involve sending the target account e-mails from a legitimate e-mail application, with misleading messages made to look as if they came from Russian government agencies. Afterwards, the account is seized: the option to create an application password is used to access the account via IMAP, and application passwords are revoked when the user changes their password.

The image below shows a sample email that hackers sent to take over the account.

The picture below shows the pricing of hackers hired from hacknet-service.com in 2018.

Hack-for-hire operations in the United Arab Emirates

TAG also tracks a rental hacking group currently based in the United Arab Emirates that is mostly active in the Middle East and North Africa. Targeting the government, Middle East-focused NGOs in Europe, and political organizations including the Palestinian political party Fatah, the hacking group sends a fake security alert to steal credentials from targets, often using MailJet or the SendGrid API to send phishing emails. In the image below, there is a fake Google Security Alert.

Google has increased its security measures against the attacks mentioned above. You can also find the full list of group domains that Google considers malicious in TAG’s blog post.
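
A defender-side check for the kind of lookalike names quoted above (mail-goolge[.]com, rnanage-icloud[.]com), as an added example that is not from Google TAG or the original article: it folds look-alike character sequences such as "rn" for "m" and measures edit distance against a watchlist. The watchlist, the allowlist and all function names are assumptions made for this example.

```python
import re

# Assumed watchlist of brand and lure keywords (not taken from TAG's post).
WATCHED = ("google", "icloud", "manage")
# Assumed allowlist of domains that legitimately carry those keywords.
ALLOWLIST = frozenset({"google.com", "icloud.com"})
# Character sequences that render like another letter.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def osa_distance(a: str, b: str) -> int:
    """Edit distance that also counts an adjacent transposition as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_findings(domain: str, allowlist=ALLOWLIST):
    """Return (token, keyword, reason) for each label part imitating a keyword."""
    host = domain.lower().replace("[.]", ".")  # accept defanged input
    if any(host == a or host.endswith("." + a) for a in allowlist):
        return []
    findings = []
    labels = host.split(".")[:-1]  # ignore the TLD
    for token in (t for lab in labels for t in re.split(r"[-_]", lab) if t):
        folded = token
        for seq, repl in CONFUSABLES:
            folded = folded.replace(seq, repl)
        for word in WATCHED:
            if token == word:
                findings.append((token, word, "keyword outside allowlist"))
            elif folded == word:
                findings.append((token, word, "confusable"))
            elif osa_distance(folded, word) == 1:
                findings.append((token, word, "one edit away"))
    return findings


if __name__ == "__main__":
    for name in ("mail-goolge[.]com", "rnanage-icloud[.]com", "myproject-login[.]shop"):
        print(name, lookalike_findings(name))
```

The third domain returns no findings because it imitates no watched keyword, so a check like this complements a blocklist rather than replacing it.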
