Imagine if a locksmith created a key for your home or business, then sold a copy of that key to a burglar. The locksmith didn’t steal your belongings, but they provided the access that made the theft possible. Initial Access Brokers (IABs) work in a similar fashion. The name says it all: they provide the initial access to your account by brokering or selling your credentials to cybercriminals, who then take it a step further and steal data or deploy ransomware to extort funds.
Make no mistake, they are all criminals, but they operate on different levels, working together to threaten the security of individuals and businesses alike.
How It Started and Evolved
As cybercrime has evolved and increased in occurrence, roles were naturally defined by the technical know-how that each part of the crime required.
At first, there wasn’t much differentiation between cybercriminal roles; credentials were compromised, and networks were breached. But as ransomware has proven to be extremely easy and lucrative to deploy, those hackers realized it might be worth paying the individuals who focus on gathering and selling credentials to get that data, and then spending their own time on sending phishing emails and other tactical approaches that might pay off.
What Do IABs Sell?
These tech-savvy criminals are brokering RDP access, web shell access, panel access, Active Directory credentials, VPN access, RMM access – and more. It isn’t just username and login lists that are being sold. And there is consistent money to be made from what they are selling.
Why It Matters
The evolution of this type of hierarchy and these roles within the cybercriminal world shows us how sophisticated the business of cybercrime has become. We are fascinated by the folklore of crime in the cinema, the stories of thugs who roamed the streets and rose to power within organizations like the mafia or drug empires. We acknowledge that the business of crime is not unlike the Wall Street businesses that contribute to our daily lives, only it centers around illegal activity. The people have names, nicknames and legends that surround them. Cybercrime is the same, only we don’t see the faces or know (yet) of the characters that are rising to power; we just know that it will affect us one day, in one way or another. Cybercrime is a business, and its business is destroying anyone it can gain access to.
Your clients should be aware that even if their business profile does not seem (to them) appealing or likely to be the target of an attack, they can still be affected. For example, IABs aren’t specifically looking in Your Town, USA for a business to target; they are taking the mass data compromises that occur, going through the compromised credentials one by one, and seeing if those will work on any other platform. Platforms like CRM systems, bank accounts, professional sites like LinkedIn, your WordPress site that you built for a fun side hobby – any of those doors will be checked to see if they can be opened. Once they find the key that they need, they will then sell it to the next group of cybercriminals, so at this point an individual has no idea that their login credentials have been compromised. The credentials have been “verified” by the IAB and passed along.
Remind your clients to use strong, secure password practices in order to increase the likelihood that they are passed over by IABs – it isn’t a failproof way to avoid being breached, but it will lessen the risk of an attack via their credentials. In addition, 2-factor authentication should be encouraged as an added layer of protection should a user’s password end up in the wrong hands.
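
The credential checking described above leaves a recognizable trace in login logs: one source trying many different usernames in a short time. The following is an added example, not part of the original article, that flags such sources and lists the accounts they logged in to successfully, so those passwords can be reset. The log format, thresholds, and all names and addresses are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp, source IP, username, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:09 203.0.113.7 bob FAIL
2024-05-01T10:00:15 198.51.100.20 gina FAIL
2024-05-01T10:00:21 203.0.113.7 carol OK
2024-05-01T10:00:30 198.51.100.20 gina OK
2024-05-01T10:00:34 203.0.113.7 dave FAIL
2024-05-01T10:00:47 203.0.113.7 erin FAIL
2024-05-01T10:01:02 192.0.2.50 heidi OK
2024-05-01T10:01:10 203.0.113.7 frank FAIL
"""

def parse(log):
    """Turn log text into time-sorted (time, ip, user, succeeded) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return sorted(events)

def find_stuffing(events, window=timedelta(minutes=10), min_users=5):
    """Map each source IP that tried >= min_users distinct usernames inside
    any `window` to the accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window
                start += 1
            if len({user for _, _, user, _ in evs[start:end + 1]}) >= min_users:
                # Any success from this source is a credential that "worked".
                flagged[ip] = sorted({u for _, _, u, ok in evs if ok})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: reset passwords and revoke sessions for {accounts}")
```

A user who mistypes a password and then logs in (gina in the sample) is not flagged, because only one username is involved; the thresholds need tuning for sources such as shared office networks where many users legitimately sit behind one address.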