On Thursday, Google's Threat Analysis Group (TAG) announced that it has blocked as many as 36 malicious websites operated by hack-for-hire groups based in the UAE, Russia, and India.
Hack-for-hire companies give their clients the means to launch targeted attacks against corporations, activists, journalists, and other high-risk users, in a way that resembles the commercial surveillance (spyware) vendor ecosystem.
The difference is that spyware customers buy a capability from a vendor and deploy it themselves, whereas hack-for-hire operators carry out the intrusions on their clients' behalf, which also obscures the client's role in the attack.
Shane Huntley, director of Google TAG, stated in the report that "the hack-for-hire landscape" is fluid, both in how attackers organise themselves and in the broad range of targets they pursue in one campaign at the behest of disparate clients.
Some hack-for-hire attackers openly advertise their services and products to anyone willing to pay, while others sell more discreetly to a smaller audience.
In one recent campaign, an Indian hack-for-hire operator targeted an IT company in Cyprus, a Nigerian educational institution, a fintech company in the Balkans, and an Israeli shopping company, which illustrates the breadth of the victims.
Google TAG said it has tracked the Indian outfit since 2012 and has linked it to a series of credential-phishing attacks in which login credentials for government agencies, Amazon Web Services (AWS), and Gmail accounts were harvested.
The campaign relies on spear-phishing emails carrying a rogue hyperlink: the link opens an attacker-controlled phishing page that captures the credentials of users who sign in there.
Targeted sectors included government, healthcare, and telecom organisations in Saudi Arabia and Bahrain.
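The "rogue hyperlink" in the campaign above is a link whose visible text names a trusted site while its href leads somewhere else. The following is an added example, not code from the TAG report, of how a mail gateway or analyst script can flag such links in an HTML message body by comparing the domain shown in the anchor text with the registered domain of the actual href. The sample email and the `.test` domains in it are constructed for this example; the function and regex names are the author's own.

```python
# Added example: flag "rogue hyperlinks" in an HTML email body, i.e. anchors whose
# visible text looks like a URL or domain but whose href points somewhere else.
# The sample message below is constructed for this example; its domains are
# placeholders (.test is a reserved TLD), not domains from the TAG report.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches link text that looks like a bare domain or URL, capturing the host.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:?#].*)?$", re.I)


def registered_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels); sufficient for the mismatch check here.
    A real deployment would use the Public Suffix List (e.g. co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def rogue_links(html_body: str):
    """Return (visible_text, href) pairs where the text names a domain whose
    registered domain differs from that of the href's host."""
    parser = AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        m = DOMAIN_RE.match(text)
        if not m:
            continue  # link text is prose ("click here"); nothing to compare
        shown = registered_domain(m.group(1))
        actual = registered_domain(urlparse(href).hostname or "")
        if shown != actual:
            findings.append((text, href))
    return findings


# Constructed sample: one lure mimicking the AWS sign-in URL, two benign links.
SAMPLE_EMAIL = """<html><body>
<p>Your AWS console session has expired. Please sign in again:</p>
<a href="https://aws-signin.example-attacker.test/login">https://signin.aws.amazon.com/</a>
<p>Or review the <a href="https://docs.aws.amazon.com/">documentation</a>.</p>
<a href="https://mail.google.com/">mail.google.com</a>
</body></html>"""

if __name__ == "__main__":
    for text, href in rogue_links(SAMPLE_EMAIL):
        print(f"ROGUE LINK: shows {text!r} but resolves to {href}")
```

Only anchors whose visible text is itself a domain or URL are compared; prose link text such as "click here" is not a mismatch by this definition and needs a different check (for example, reputation of the href host). The eTLD+1 helper is deliberately simple and should be replaced with a Public Suffix List lookup before use against real mail.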
Google TAG identified the Indian hack-for-hire actor as a company called Rebsec.
According to its Twitter account, Rebsec is short for "Rebellion Securities" and is located in Amritsar. The company's website, currently down for maintenance, claims to offer corporate espionage services.
A similar set of credential-theft attacks against journalists, European politicians, and non-profits was linked to a Russian actor tracked as Void Balaur, a cyber-mercenary group first documented by Trend Micro in November 2021.
Over the past five years the group is believed to have targeted accounts at major webmail providers such as Gmail, Hotmail, and Yahoo!, as well as regional webmail providers such as abv.bg, mail.ru, inbox.lv, and UKR.net.
TAG also described the activities of a UAE-based group that it connects to the original developers of the njRAT remote access trojan (also known as H-Worm or Houdini).
These revelations come one week after Google TAG disclosed details about RCS Lab, an Italian spyware company whose "Hermit" spyware targeted Android users in Italy and Kazakhstan.