Thousands of commercial, government and political entities have cumulatively lost hundreds of millions of personal records to hackers. The targets have been (and continue to be) iconic public and private sector organizations in retail, finance, health care, sports, education, energy, agencies of the state and federal governments, our election system–your friends, family and neighbors. Tip of the iceberg, my friends.
Meanwhile, data breaches continue at a torrid pace. A recent study by San Francisco-based digital risk intelligence broker Digital Shadows found 97 percent of the world’s largest 1,000 organizations had credentials exposed last year.
This is unfolding because cyber criminals in the vanguard have turned their attention to putting stolen personal data to work expanding and accelerating a variety of attacks. Here are a few snapshots of how they continually innovate:
DocuSign, a provider of electronic signature technology, disclosed in early May that it sustained a data breach in which thieves took customer email addresses, and nothing else. But then someone began putting those email addresses to work. Spoofed DocuSign messages were sent to the company’s customers carrying enticements to click on a corrupted Microsoft Word attachment.
The end game, says Steve Malone, a product director at messaging security firm Mimecast, may have been to infiltrate the company networks of any DocuSign customer duped into clicking on the infected Word doc. In this type of multi-tiered infection scenario, the criminals really are striving to locate and access as many corporate email systems as they can.
Then the deeper attacks commence. The threat actor can begin to send spoofed messages, carrying tainted attachments, that originate from actual corporate email servers. This boosts the criminals’ success rate two ways: it enables the spoofed emails to evade email filters and intrusion detection systems, and it provides gravitas to the faked messages.
Stolen usernames and passwords have tangible value, as they are increasingly being used to take over online accounts via credential stuffing – the practice of replaying stolen username and password pairs against other sites until one grants access.
Stolen account credentials are widely available. They come in a range of prices on the Dark Web, depending on freshness and geography, says Michael Marriott, research analyst at Digital Shadows.
The new guys on the block typically go for the cheaper databases that have been on the market for a few years. It’s not difficult to find stolen credentials selling for a nominal cost, or even free for the taking. And cheap, effective tools are readily available that can turn any newbie criminal into a competent credential stuffer.
Elite crime rings don’t mind paying premium prices for freshly stolen data from a potentially lucrative geography, aiming to “maximize their activities while the stolen credentials are newly exposed,” Marriott says. Once a campaign has been completed, using the fresh data, the top criminals will sell them off for whatever the market will bear.
“It’s a classic case of supply and demand,” Marriott says. “With well over 3 billion credentials publicly-available, it’s no surprise that the price will be pushed down.”
Assigning a computer to try endless alphanumeric combinations to break a password is nothing new. That “brute force” tactic has now been adopted by botnet operators, criminals who control vast armies of computers dedicated to carrying out malicious commands.
Botnet-driven brute force account takeovers are spiking, according to browser security vendor Distil Networks. Vast botnets are being directed to methodically try millions of stolen username and password combinations to break into financial, retail and media websites at scale.
This has profound implications for each one of us. Let’s say your account logons were stolen several years ago and nothing happened. So you never bothered to change any of your usernames and passwords. This rising wave of botnet-executed credential stuffing now puts you at renewed risk of becoming a victim of identity theft, especially if you have been using the same old webmail account and password to access multiple accounts for a number of years.
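One way a defender can spot the credential-stuffing pattern described above in web-login logs, added here as an example that is not from the article or from any vendor it quotes. The log format, the thresholds and the sample events are constructed assumptions:

```python
import re
from collections import defaultdict

# Constructed sample of web-login events (not real data): one source cycles
# through many different accounts with mostly failures, the rest are normal.
SAMPLE_LOG = """\
2023-05-10T08:00:01Z src=203.0.113.7 user=alice result=fail
2023-05-10T08:00:02Z src=203.0.113.7 user=bob result=fail
2023-05-10T08:00:02Z src=203.0.113.7 user=carol result=fail
2023-05-10T08:00:03Z src=203.0.113.7 user=dave result=success
2023-05-10T08:00:03Z src=203.0.113.7 user=erin result=fail
2023-05-10T08:00:04Z src=203.0.113.7 user=frank result=fail
2023-05-10T08:05:10Z src=198.51.100.4 user=alice result=fail
2023-05-10T08:05:15Z src=198.51.100.4 user=alice result=success
2023-05-10T08:06:00Z src=192.0.2.9 user=bob result=success
"""

LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(success|fail)")

def parse_events(log_text):
    """Yield (src, user, success) tuples for lines in the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3) == "success"

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """Flag sources that try many distinct accounts and mostly fail (the mark of
    a replayed credential list); also list the accounts they did get into."""
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                   "users": set(), "hits": set()})
    for src, user, success in events:
        s = per_src[src]
        s["attempts"] += 1
        s["users"].add(user)
        if success:
            s["hits"].add(user)      # candidates for a forced password reset
        else:
            s["fails"] += 1
    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {"attempts": s["attempts"],
                            "distinct_users": len(s["users"]),
                            "fail_ratio": round(ratio, 2),
                            "compromised": sorted(s["hits"])}
    return flagged
```

Botnet-driven campaigns spread attempts across many source addresses, so a per-source check like this should be paired with per-account aggregation (many sources trying one account) and rate limits on the login endpoint.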
Until such time as cybercriminals cease to innovate faster than businesses improve network defenses, a little paranoia will serve you well. You really can’t trust any email, and you need to remain on high alert for anything that appears even the least bit suspicious. If you aren’t regularly changing your online account passwords, enabling two-factor authentication services, using a virtual private network whenever you can, and updating or upgrading your security software, you’re living on borrowed time. To paraphrase former President Ronald Reagan: Never trust. Always verify.