A newly published report into the new economy of the dark web from cybersecurity-as-a-service specialist Armor’s Threat Resistance Unit (TRU), contains much of what you might expect. The relatively cheap trade-in loan applications, business ‘fullz’ comprising a complete business attack dossier, and even SMS text bombing rental services. One discovery, however, stood out from the others as far as this somewhat jaded cyber-writer is concerned: a hacker university selling cybercrime courses to dark web degree students.
The people behind HackTown, the hacker university in question, describe it as somewhere designed to teach people how to become professional cybercriminals. The welcome page states that every course is geared towards “hacking for profit and committing fraud,” aiming at those with little or no coding experience. “By taking the courses offered,” the HackTown operators say, “you will gain the knowledge and skills needed to hack an individual or company successfully.”
Using a handful of free courses to tempt the would-be cybercrime mastermind, HackTown has an enrollment fee of $125 (£97), opening the doors to all other courses. The free courses themselves cover everything from operational security to network attacks, Wi-Fi hacking and carding. The latter being the trade in stolen credit and debit cards, along with the theft of this data and money laundering aspects for good measure. Once enrolled, HackTown offers courses in accessing router admin panels, discovering targets inside a compromised network, brute force attacks, man-in-the-middle attacks and so on.
Delving a little deeper, the Armor TRU researchers found that this hacker university claims to provide all the tools required to “fast track your cybercriminal hacker career,” as well as “excellent staff” providing support and assistance for course progression. That course progression, HackTown claims, ensures the criminal student will be able to use their new-found skills to deploy ransomware and remote access trojans (RATs) for “personal profit.” To make things even easier, HackTown is also developing a resource shop where enrolled students will be able to purchase the malware, keyloggers, password stealers needed as tools of their trade.
“We have been seeing the professionalization of cybercriminal organizations for some time now with corporate-like structures and slick customer services becoming the norm,” Jamie Akhtar, CEO at CyberSmart, says. “The development of a university goes one step further,” he continues, “this demonstrates that just as in the field of cybersecurity, there is a skills gap within these organizations that their leaders are seeking to fill.” Akhtar worries that with the crime business booming, it could add to the factors that might make a career in cybercrime seem more lucrative and rewarding than a legitimate cybersecurity one. “As other parts of the economy flounder,” Akhtar concludes, “alternative educational opportunities like these, and the illegal but professional paths they offer, maybe increasingly enticing to people.”
Meanwhile, Chad Anderson, a senior security researcher at DomainTools, is not surprised that there’s an underground cybercrime education and recruitment drive. “To any effort from the cybersecurity community corresponds an equal and opposite initiative by threat actors,” he says, adding “criminals have mirrored the efforts on the part of the security community to make education more accessible.” To counteract this, Anderson says a career in cybersecurity must be appealing and accessible to everyone. “Ensuring that a career in cyber is an option to everyone is the only way to reduce the likelihood that anyone would have to turn to these hacker universities,” he concludes.
The Armor report highlights how well-organized malicious actors are; David Kennefick, a product architect at Edgescan, says, “we just don’t often get to see it with this much detail.” With remote learning currently in place in most universities globally, he says, it’s no surprise cybercriminals are following. “This is made simpler by easy payment systems and access to content such as exploits and proof of concept code,” he says, “along with Capture the Flag (CTF) style tasks that have often been used in technical universities for teaching purposes.”
Martin Jartelius, CTO at Outpost24, notes that “almost all information required to become a hacker is already available via open channels such as YouTube.” Many database breaches some years back were primarily the result of “user-friendly tooling and online guides on extremely simplistic means of identifying vulnerabilities, combined with just a heap of young eager and idle hands on keyboards around the world,” he concludes. Indeed, “while a majority of this information is beginner level and most easily found on the internet,” Chris Hinkley, head of Armor’s Threat Resistance Unit (TRU) research team, says, “this is largely a play for mailbox money and an exaggerated advertisement portal for selling malware and tools.”
Javvad Malik, a security awareness advocate at KnowBe4, says that anyone tempted by such courses should be wary as “criminals by their very nature are primarily looking for ways to increase their likelihood of success while minimizing their own personal exposure.” It’s likely, Malik says, “they will use these universities as recruiting grounds for pawns who will take the fall.”
Something that Niamh Muldoon, senior director of trust and security at OneLogin, also told me. “There is a rise in young adults and teenagers, particularly young males, being targeted by folks operating on the dark web to attend hacker universities,” Muldoon says, “and become part of cybercrime activities in the roles of money mules and social engineering calls.”
Throw the news that the REvil ransomware gang has deposited $1 million (£775,000) onto a Russian-language hacker forum to recruit affiliates, and the reality becomes even more stark. “The modern cybercrime industry is exceptionally well-organized compared to the cybersecurity industry,” Ilia Kolochenko, CEO of web security company ImmuniWeb, said. The holder of a master’s degree in criminal justice and cybercrime investigation himself, Kolochenko pointed out that while most cyber start-ups “have access to venture funding while losing money, cybercriminals need to be profitable from day one so have no time for mistakes.” Resources such as HackTown will surely help in this endeavor.