Targets of dark web cybercriminals

The GCC countries constitute a high-tech community with high rates of digitalization, high living standards, and active economic and technological development. According to Global Finance, the UAE ranks 18th in the world and 2nd in the Middle East in the list of the most technologically advanced countries. The region is also crucial to the petroleum industry: both Saudi Arabia and the UAE sit in the world's Top 10 oil producers by barrels per day. The combination of these factors makes the region highly attractive to threat actors. Public sector organizations in the UAE face down 50,000 cyberattacks on a daily basis.

Analysis of ads and posts on specialized dark web forums revealed that the UAE (40%) and Saudi Arabia (26%) are of most interest to threat actors. Such a large share of messages related to the two countries can be attributed to a number of reasons. First, the UAE and Saudi Arabia stand out in terms of attractiveness to foreign investors and companies, activity of regional foundations, and ease of doing business. By 2031, the UAE plans to incubate 20 startup projects, each worth more than $1 billion. In addition, geopolitical tensions in the Middle East are generating a wave of hacktivism aimed primarily at raising public awareness of certain issues through different kinds of cyberattacks depending on the perpetrators' level of expertise (these include DDoS, website defacement, attacks on corporate infrastructure). In July 2024, a UAE-based bank was hit by a six-day DDoS attack orchestrated by a hacktivist group.

The most popular categories on dark web platforms in the GCC region are Data (33% of posts) and Access (21% of posts). We discuss these categories in more detail below.

Posts about DDoS attacks (10%) and hacks (2%) contain calls to action or statements from hacker groups about a successful attack on a given organization in the region with confirmation of the outcome.

Offers in the Carding category (10%) may contain the following data: card number, year/month of expiry, CVV code, cardholder's address, phone number, and email. This data is used to withdraw funds through various fraudulent schemes. The cost and the funds withdrawal method depend on the collected dataset, the cardholder's bank, and the country. The cost of one payment card dataset starts at $30. Some offers allow datasets to be paid for as a percentage of the funds withdrawn using them (starting from 30%).

There are ads selling fake ID cards, driver's licenses, degree certificates, invitation letters for visa application, bank statements, and utility bills. Some offers are for making changes to documents (for example, filling blank passports) using a graphic editor. Prices for these services start at $10 per document. The cost and delivery time depend on the complexity. Altered documents can be used for ID verification in various services, such as bookmakers (Bet365), e-payment platforms (Skrill, Stripe), and online casinos.

Databases of phone numbers and email addresses are sold for spamming purposes. They can be broken down by interests and hobbies to send targeted texts and emails to users. The average price per 1,000 lines is $2.

Traffic redirection services (5% of posts) redirect users to a malicious website, say, with phishing or malware content. Traffic redirection can be targeted at users with particular interests. Six out of ten posts on this topic are requests to purchase traffic in the GCC region. This indicates how buyers are keen to involve users from this region in their scams, including ones linked to cryptocurrency.

Cash-out services (4% of posts) are used by attackers to withdraw funds obtained as a result of hacks, scams, carding, and so on. Cash-out can be done through services that facilitate money transfers to payment cards. If further withdrawal of funds requires ID verification, cybercriminals may employ a front person to withdraw cash from an ATM or register a legal entity in their name for a fee.

There are ads for ready-made scams and related techniques (1%), the average cost of which is $200. A phishing page costs $150 on average; the price of an off-the-shelf toolkit starts from $200. Such services allow threat actors to acquire users' personal data and credentials, as well as access to their devices.

Attackers are attracted to data

For the posts we analyzed, the statistics show that one in three ads is for the sale, purchase, or giveaway of data. More than half of the posts (59%) offer data for free. Free data may be made available by ransomware groups if a victim refuses to pay up, or by local hacktivists whose main goal is not financial gain but raising public awareness of political issues.

Data-selling ads (33%) mainly offer databases breached from large commercial firms. The average cost of such a database is $2,300. Buyer ads (8%) contain requests for databases in specific industries. Requests of this nature may reflect the attackers' interest in companies operating in a particular field. For example, a great many database purchase requests for the region are related to finance (40%), commerce (20%), government (16%), and manufacturing (12%) sectors.

Also under this category, we considered databases of corporate information breached by ransomware groups. The UAE (65%) and Saudi Arabia (25%) accounted for the lion's share of such data breaches. Of most interest to ransomware groups were companies in the service (26%) and manufacturing (22%) sectors. In case of non-payment of a ransom, the attackers openly published the victim company's information.

Access in demand

The second most popular item on dark web sites for the GCC region is access to corporate information resources (21% of posts). Access is used by threat actors as an initial entry point into a company's internal infrastructure to further develop an attack.

Posts selling access make up 85% of the total. Most offers related to the commerce (25%), service (21%), and manufacturing (14%) sectors.

The demand for access to companies in the commerce and service sectors is due to several reasons. First, databases have a tendency to become outdated. Access to such companies gives attackers a constant supply of fresh data to achieve their goals. Second, when paying for goods in online stores, users enter payment card details, which an attacker can intercept and exploit. A previous report of ours highlighted the popularity of Magecart attacks (theft of payment card data) in the e-commerce sector in 2023. Sites were compromised by exploiting vulnerabilities in CMS systems such as WordPress, Magento, and OpenCart. Q4 2023 saw a rise in the share of payment card data in the overall amount of information stolen (up to 5% in attacks on organizations and up to 16% in attacks on individuals). Data was stolen by introducing malicious scripts.

The share of access buyer ads (6%) is much smaller than that of access seller ads. This would suggest that the access market has plenty of offers, allowing cybercriminals to pick out the most suitable for their needs. Buyer ads request access to companies in commerce and manufacturing industry, as well as to government agencies.

The remaining messages (9%) are hacktivist posts giving away access to the infrastructure of GCC-based companies. Access giveaways represent a new trend for the region that first appeared in H2 2023. Most access giveaways (70%) contained the credentials of government agency employees.

With some giveaways, the infrastructure could have already been accessed and attacked (confidential data downloaded, disruptive actions performed, business processes stopped), with a backup access point put in place. In these cases, the purpose of the access giveaway was to confirm the hack and undermine trust in government agencies.

Maintaining access or creating a backup point of access to the target infrastructure makes it possible to develop or repeat the attack at a later date. For example, Figure 17 shows a hacktivist post about a successful dump of data and documents from a government agency. What's more, maintaining access allowed them not only to continue viewing data from user devices, but to develop the attack, gaining access to other departmental systems.

Dark web resources sell access of various types. Nearly half (45%) of all ads offered access via a VPN or RDP connection. Another significant share (15%) is made up of ads selling access via remote access programs, such as AnyDesk, ScreenConnect, Citrix, or RDWeb.

Mail-type access grants entry to a mail server or the mailbox of a specific company employee. Once inside, an attacker can view confidential information and messages. Upon gaining access to the email of a specific employee, the attacker then must gain direct access to the company's infrastructure to develop the attack. One way to do this would be through a phishing attack using this compromised email account. This account can also be used for phishing attacks on customers and contractors of the company.

Attackers employ all sorts of methods to connect to the internal resources of the target company. For instance, the Other category includes options for connecting to e-commerce website builders (Magento, WordPress), databases and database management systems (MySQL, phpMyAdmin), POS systems, web consoles (cPanel), and program interfaces (API).

Each access comes with certain privileges in the system. The most common are local administrator (54%) and domain administrator (26%) rights. Access with domain administrator rights grants an intruder entry to all computers and servers within the domain, paving the way for an attack on the target company's critical systems. Access with local administrator rights grants full access to just one computer or server.

Ads selling access with user rights make up 20%; the assumption here is that privilege escalation in the system will be done independently. Privilege escalation expands the attack options on the target host and determines how the attack develops and its outcome. This type of access could be of interest to advanced attackers with suitable professional skills.

70% of access offers are under $1,000. The lowest price ($15) is for access to a university network. But there are high-cost offers that target big firms with a large turnover. For example, one ad selling access with domain administrator rights to the infrastructure of a UAE-based bank has a starting price of $25,000.

Industry specifics

Most posts concerning the GCC region are related to the following areas: government (21%), commerce (16%), services (15%), and finance (13%).

Figure 22. Share of posts on dark web platforms, by industry

Regional government agencies have become a prime target of attack. The main consequences of attacks on government agencies are breaches of confidential data and disruption of public services.

Most of the data (63%) related to government agencies in the region was made freely available by hacktivists. First and foremost, cybercriminals are looking to steal valuable information: insights of national importance, official and diplomatic correspondence, development concepts, contracts, agreements, and the like. Following an attack on a U.S. target in the GCC region, the haktivist group Altoufan Team gained access to the organization's correspondence and email. The hacktivists said their actions were in support of one of the sides in a political conflict in the Middle East. Disclosure of sensitive data can have a serious impact on the target country, in terms of both its political decision-making and its international image.

Against the backdrop of geopolitical strife, hacker groups have been carrying out campaigns to disrupt the activities of government agencies, calling for DDoS attacks and hacks. They have published the results of successful attacks, with confirmation of downed information systems, defacements, or publishing stolen data of stolen data. Each successful attack was trumpeted not only by the hacktivists responsible, but also by other groups that share their position.

Note that the rise in the number of such calls to action both began and peaked in Q4 2023. The fluctuation was due to the aggravation of the military-political situation in the countries of the Middle East at that time. DDoS remains a live topic in 2024, with the number of related posts climbing by 70% in H1 2024 against the same period in 2023.

Besides government agencies, hacktivists attacked the financial and transport industries. Successful attacks on these sectors can bring down banking and transport systems, disrupt business processes and logistics, and cause financial losses.

Commerce (16% of posts), the service sector (15%), and finance (13%) attract threat actors looking to obtain users' personal data. What's more, in more than 70% of ads, the attackers gave away the data of commercial firms for free, thereby increasing the risks to their customers. As we noted earlier, the proliferation of e-commerce exposes companies to attacks exploiting security gaps, weak password policies, and vulnerabilities in software. Commercial firms' databases may not always contain information that is of primary interest to cybercriminals, such as account credentials or payment card details. Such databases may get published into the public domain to prove a successful attack and boost ratings on dark web forums. Cybercriminals can use this data to attack individuals, for example, to make money from various scams. Such data can also be used for phishing and social engineering attacks on companies.

The more data breaches online, the more opportunities cybercriminals have to exploit it. For example, they can aggregate breached databases and collate information about places of residence and work, interests and hobbies, payment cards and accounts, property, as well as passport, medical, and driving records. All this can then be leveraged not just for mass attacks, but targeted ones, which have a much greater chance of success.

In a previous report, we examined the most common attack scenarios involving the use of personal data.

Conclusions and recommendations

As mentioned above, the GCC countries enjoy high rates of digitalization, high living standards, and active economic and technological development. The region's association with financial prosperity, as well as its geopolitical tensions, make it an attractive target for cyberattacks.

As a consequence, dark web forums are full of offers and services tailored to this region. The abundance of posts related to the sale of access, often low-cost, makes it easier for attackers to gain initial access to a company and carry out an attack without wasting time looking for new entry points into the infrastructure. Access giveaways are a new trend on the part of haсktivists allowing low-grade hackers to carry out attacks and raise public awareness about social and political issues.

The large number of freely available databases poses the dual threat of an increase in attacks on individuals and the appearance of updated or all-new scams. By aggregating this data, attackers can enrich their victims' profiles with a view to carrying out targeted attacks on employees of different companies through phishing and social engineering.

The number of successful attacks on organizations in the region will rise as a result. To safeguard information of national importance against theft and disclosure, prevent disruption and shutdown of business processes, and protect against financial and reputational losses, as well as propaganda aimed at influencing public opinion, it is vital to build a comprehensive security posture that fully factors in the latest trends in the dark web market and emergent cyberattack vectors. An approach underpinned by result-driven cybersecurity will rule out the possibility of non-tolerable events (ones triggered by a cyberattack and preventing an organization from achieving its operational or strategic goals or leading to significant disruption of its core business) and unacceptable damage. Non-tolerable events are defined at the level of top management, taking into account the specifics of the organization's operations and business processes.

Protection should be built around SIEM (security information and event management) and XDR (extended detection and response) solutions to ensure collection and analysis of security events from various sources and deliver a centralized response to detected threats. The MaxPatrol O2 metaproduct detects attackers, identifies compromised assets, and predicts attack scenarios based on company-specific non-tolerable events, thereby improving the quality of monitoring and incident response. For perimeter protection, NGFW (next-generation firewall) technology with broad functionality is a must. WAF (web application firewall) solutions minimize the risk of data breaches by blocking attacks on web applications, as well as zero-day and Layer 7 DDoS attacks, and defend against OWASP Top 10 threats. VM (vulnerability management) solutions identify emerging vulnerabilities on the perimeter and promptly eliminate them. NTA (network traffic analysis) and sandbox solutions enhance protection capability by detecting attacks at an early stage.