Sick of trawling through endless job boards and firing off résumés into the black? Thinking about turning to a life of crime, just to avoid having to put on a nice shirt and a forced smile for another interview?
A career as a criminal hacker may not be the best place to escape the job-search tedium, according to new research from the cybersecurity firm Digital Shadows. Looking at about 100 million websites on both the surface web and dark web, the researchers found that the process hackers use to recruit new hires mirrors the one most job-seekers are used to. (The interview, for example isn’t gone—it just might involve some anonymizing technology.)
Just like in any other industry, hackers looking for fresh talent start by exploring their network, says Rick Holland, the vice president of strategy at Digital Shadows. “Reputation is really, really key,” Holland says, so a candidate who comes highly recommended from a trusted peer is off to a great start.
When hiring criminals, reputation isn’t just about who gets the job done best: There’s an omnipresent danger that the particularly eager candidate on the other end of the line is actually an undercover FBI agent. A few well-placed references can help allay those fears.
If recruiters need to advertise an opening, they have a few options. Hacker forums offer the most exposure, many of them are password-protected, and users generally choose pseudonyms. But they still carry risks—anyone who logs in without somehow anonymizing their web traffic can be traced relatively easily.
Holland says his company asks domain hosts to take down forums if they come across a specific threat to one of their clients—like a post that offers a reward for extracting data from a company’s private server—but some domains don’t respond.
A less vulnerable but less visible alternative is to post a help-wanted ad on the dark web, a part of the Internet accessible only by Tor, a web browser that bounces web requests through a random string of servers to anonymize their origin. Researchers even found hacker-specific job boards on both the surface web and the dark web that promised to broadcast help-wanted ads for a fee—a sort of Monster.com for cybercrime.
Hackers look for a broad range of characteristics in potential candidates. Some postings ask for applicants with specific skills (SQL injection, denial-of-service attacks) and a facility with certain programming languages (Perl, Python, C). Hackers hiring with a specific target in mind may look for candidates who already have insider knowledge of an organization’s networks and systems.
There are also more basic requirements. One posting read, “You must speak English fluently; bad grammar can be tolerated to a certain extent.” And enthusiasm helps—the same posting specified that candidates should be “motivated and thrilled to learn new programming languages, attack vectors, and everything else.”
Once an ad draws interest, the next move may be to set up an interview. Holland says many of these interviews occur over Skype, but the participants typically take a few unusual security measures. To protect both participants’ identities, Skype calls tend to be conducted without video, and the speakers may use digital voice changers to disguise themselves. They can also use services like Tor to anonymize their traffic as they make the call.
If the interview goes well, a job offer may be extended. Researchers found that hacker jobs fall into two main categories: contract gigs, where the hacker gets a certain amount of money per month, and jobs where a hacker is awarded a percentage of whatever is stolen. Holland says it’s hard to know how much hackers are generally compensated for their work, because most financial negotiations happen in private.
But the offers sometimes come with a few strings attached. Researchers found that some groups imposed a probationary period on new hires: One group known as DeleteSec stipulated that new recruits “must hack a website within three months” to prove themselves.
Holland says the biggest thing he learned from examining hacker recruitment is that there’s a continued interest in exploiting basic vulnerabilities. “It’s easy to get wrapped up in silver bullets,” he said, referring to fancy cybersecurity products like the ones that will be hawked at this week’s RSA cybersecurity conference in San Francisco. But basic attacks like denial-of-service and SQL injection, which have been in use for more than a decade, remain popular and effective among hackers—so keep up those timeless skills and you can work your wan on to a criminal’s payroll in no time.