If recruiters need to advertise an opening, they have a few options. Hacker forums offer the most exposure, many of them are password-protected, and users generally choose pseudonyms. But they still carry risks—anyone who logs in without somehow anonymizing their web traffic can be traced relatively easily.
Holland says his company asks domain hosts to take down forums if they come across a specific threat to one of their clients—like a post that offers a reward for extracting data from a company’s private server—but some domains don’t respond.
A less vulnerable but less visible alternative is to post a help-wanted ad on the dark web, a part of the Internet accessible only by Tor, a web browser that bounces web requests through a random string of servers to anonymize their origin. Researchers even found hacker-specific job boards on both the surface web and the dark web that promised to broadcast help-wanted ads for a fee—a sort of Monster.com for cybercrime.
Hackers look for a broad range of characteristics in potential candidates. Some postings ask for applicants with specific skills (SQL injection, denial-of-service attacks) and a facility with certain programming languages (Perl, Python, C). Hackers hiring with a specific target in mind may look for candidates who already have insider knowledge of an organization’s networks and systems.
There are also more basic requirements. One posting read, “You must speak English fluently; bad grammar can be tolerated to a certain extent.” And enthusiasm helps—the same posting specified that candidates should be “motivated and thrilled to learn new programming languages, attack vectors, and everything else.”
Once an ad draws interest, the next move may be to set up an interview. Holland says many of these interviews occur over Skype, but the participants typically take a few unusual security measures. To protect both participants’ identities, Skype calls tend to be conducted without video, and the speakers may use digital voice changers to disguise themselves. They can also use services like Tor to anonymize their traffic as they make the call.
If the interview goes well, a job offer may be extended. Researchers found that hacker jobs fall into two main categories: contract gigs, where the hacker gets a certain amount of money per month, and jobs where a hacker is awarded a percentage of whatever is stolen. Holland says it’s hard to know how much hackers are generally compensated for their work, because most financial negotiations happen in private.
But the offers sometimes come with a few strings attached. Researchers found that some groups imposed a probationary period on new hires: One group known as DeleteSec stipulated that new recruits “must hack a website within three months” to prove themselves.
Holland says the biggest thing he learned from examining hacker recruitment is that there’s a continued interest in exploiting basic vulnerabilities. “It’s easy to get wrapped up in silver bullets,” he said, referring to fancy cybersecurity products like the ones that will be hawked at this week’s RSA cybersecurity conference in San Francisco. But basic attacks like denial-of-service and SQL injection, which have been in use for more than a decade, remain popular and effective among hackers—so keep up those timeless skills and you can work your way on to a criminal’s payroll in no time.