Tech Talk: What could attackers REALLY do with breach information?

(James Bond) #1

By now, I am sure everyone has heard about the multitude of large data breaches publicly disclosed over the past few months. To name a few: Sonic Drive-In, Equifax, Aetna, River City Media, IHG, ESEA, and the list goes on. Aside from what the media is telling people about the breaches and how the companies are mitigating their risks, very few people I know personally have taken any kind of action.

With the Equifax breach, I made sure to talk to my close friends and family about it, and in every single conversation I was asked, “What can someone really do with my information?” The reply I got is that Equifax has already done what is needed to protect the customers from the attackers. This means that at the most, the customers received 6 months to a year of credit monitoring (which only protects from fraud).

This is when the younger blackhat in me starts to give them potential scenarios, ones that changing passwords, security questions, or even closing accounts cannot prevent once their data is stolen.

The data in breaches has a small shelf life for the low-hanging fraud or scam attacks once the breach is public. This does not make the breach any less dangerous to organizations or individuals. The long-lasting effects are what the professional bad guys are after.

Here is a short example of how tricky these attacks can get:

  1. Attacker cross-references several breaches to gather as much information as possible about a group of targets. The sum of the data can contain: parts of a Social Security Number, birth date, full name, phone number, address, favorite things, gender, political party, type of property owned, healthcare provider, etc. Now, this is information that most people believe is not connected to their online identity, like an email address or username. That is no longer the case.
  2. Attacker takes that information and starts crafting very believable social engineering attacks. (I was attacked by this method in 2016 and luckily spotted enough red flags). A really crafty attacker can have information on associates and relatives to further validate their attack.
  3. In the example I used recently, I described an attacker’s email stating they are part of the law firm working with Equifax to protect customers. They need you to validate some information so they can determine if your information was part of the breach and verify if your information has already been used for fraud. In that same crafted email, they could put your personal information that they got from other breaches to make it more believable.
  4. The target clicks the links because, hey, who else would know that this email is associated with Jane Doe at 123 street, born in 1975, with the last 4 of the social 5555, and so on. The attack has two purposes once the target clicks the links:
    a. Capture more information and further add a feeling of safety for the target
    b. Attack the device the target is using.

So even without the information from the actual breach, an attacker can weaponize the opportunity. The attack is more believable because they use the real law firm’s name, maybe a real employee from the law firm, and include as much personal information about you as they can while keeping it relevant.

My questions for the Hackbusters community are: What have you done recently or in the past after a major breach, and how do your different social circles react after a breach?

(Matt Parkes) #2

Typically, whenever I find out about a breach to an organisation that I have an account with, it is usually my passwords and/or security questions that change, and maybe even my email address, as this might be the common denominator across my accounts. No, I do NOT re-use passwords; I have a password manager which I can sync across my devices and have on my computers and mobile devices.

Most of the accounts we are talking about are low-risk social media or other online accounts: either the information within the account is limited to my name, email and password, or, if it is something like Facebook, then I really do watch what information I post or associate to me. Even better, I don’t go on such sites very often, only when I have to.

When it comes to something like Equifax, it’s a different kettle of fish for me. The majority of the info breached was account info from US customers; I live in the UK, so even if my details were amongst the UK data affected, I have no way of confirming or searching the breached data. So what can I do? Yes, I could put a freeze on my credit file, but I fail to see how this could help, as there is enough information potentially in the breach that a crook could impersonate me and lift the freeze and then change my details and lock me out of my own credit file, so potentially I could be looking at proving who I say I am many times over should someone use my data for ID theft or fraud. So all I can really do is keep a close watch and be vigilant for the usual email scams and maybe phone or text message scams.

And yes, I can have conversations with friends and family, and it depends on the person I talk to. My mother-in-law, for example, is not a techie; she can use a computer or a mobile, but only for the specific limited tasks she knows, so talking about the dangers of ID theft and fraud and how she could be targeted is hard. She has a number of physical ailments that come with someone her age, and so yes, she is more vulnerable than most, so it is up to me and my wife and others to make sure she is safe from such things. My friends generally understand what I tell them but may not always follow what I preach, as sometimes they see it as “it will never happen to me”; all these scenarios I describe are so far-fetched it’s like I’m describing an episode of CSI Cyber or Mr Robot. All you can hope for is that some of it rubs off and they remember if and when the time comes.

(James Bond) #3

Yeah, I hear you on the not taking your advice part. I think you are right in that there isn’t much else you can do other than being more aware and watching your digital assets. That is why I was curious about what other people have done after breaches. For me it is to raise the security awareness of my friends and family and try to keep things relatable. I DID put a freeze on my credit because I have been in enough breaches that I get targeted for all kinds of scams.

Any hope Equifax had of saving a little face is now gone with the hosting of drive-by malware downloads on their website. Regarding your personal exposure, those are all good points and give a different perspective considering you are from the UK. I try to stay connected to the unsavory crowds around the world, and I am starting to see a broader sharing of international (to me) breach data. For many years we really only saw a majority interest in US service companies. Where I used to only see major international breaches getting traded, I am now seeing smaller, less-known breaches being sought after (the breaches being local to Israel, Afghanistan, UAE, Brazil, Egypt, and so on). These never make the news and usually contain more than just usernames and passwords.

I used Equifax as an example because of how recently it was made public, but the overall effect is similar across any breach. Information about members that should not be made public is released into the wild lands of the internet. The severity of this information varies, but in the end some elevated risk is inherent because someone can find one more personal thing out about you and use it for malicious purposes. I am a firm believer in letting non-techies know that this has been going on for a long time and isn’t this epidemic that happened overnight. That way they don’t go into a panic or become apathetic towards technology.