A hack-for-hire group targeted thousands of people and hundreds of organizations across six continents for several years, according to a report by Citizen Lab. The internet watchdog, based at the University at Toronto, tied the ring, dubbed “Dark Basin”, with high confidence to an Indian company called BellTroX InfoTech Services.

Over the course of an investigation that began in 2017, Citizen Lab found that Dark Basin was hired to conduct espionage campaigns against the opponents of their clients involved in high-profile criminal cases, advocacy campaigns and public events. These included prosecutors, senior politicians, journalists, CEOs, and non-profits. “This is one of the largest spy-for-hire operations ever exposed,” said Citizen Lab researcher John Scott-Railton in a statement for Reuters.

A large cluster of victims were linked to the #ExxonKnew campaign, which dealt with the oil giant’s alleged knowledge of climate change for decades. Some of the prominent targets that consented to being named are the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace and the Conservation Law Foundation. Per a New York Times report (paywalled), the exposé has prompted a federal criminal investigation in the US.

Dark Basin utilized a range of techniques in its attacks, notably phishing emails. These were sent out from various accounts, including self-hosted and Gmail accounts. The group also employed 28 unique URL shorteners to obfuscate phishing website addresses, with Citizen Lab being able to uncover almost 28,000 different long URLs that directed victims to phishing websites. The websites masqueraded as popular services, such as Facebook, LinkedIn and various email providers.

RELATED READING: How to catch a cybercriminal: Tales from the digital forensics lab

Interestingly, in some cases, the group left the source code of its phishing kit accessible. The code included references to logs and scripts, which held the records of all the interactions with credential phishing websites, as well as the usernames, passwords, and IP addresses used by the victims. This allowed the researchers to observe Dark Basin test their phishing links and credential theft kits.

Citizen Lab concluded that the campaigns were successful to some extent, especially due to their persistence. “For example, we found that some ‘high value’ targets were sent more than one hundred phishing attempts with very diverse content,” said the team.

Besides non-profits and individuals engaged in high-profile public events, Dark Basin was prolific in attacking targets across various industries, such as hedge funds and short sellers, global banking and financial services, legal services, the energy sector, governments, and the list goes on. The variety and number of targets shows that cybercrime-as-a-service is a serious problem that should not be underestimated.

“We also encourage online platforms to be proactive in notifying users that have been targeted by such groups, such as providing detailed warnings beyond generic notifications to help enable targets to recognize the seriousness of the threat and take appropriate action,” said Citizen Lab.

What individuals and organizations can do to protect themselves is to follow cybersecurity best practices and keep educating themselves on the cyber-threats that are lurking in the shadows. Could you honestly say that you would be able to spot a phish? Indeed, why not take ESET’s cybersecurity awareness training?