By now, I am sure everyone has heard about the multitude of large data breaches publicly disclosed over the past few months. To name a few: Sonic Drive-In, Equifax, Aetna, River City Media, IHG, ESEA, and the list goes on. Aside from what the media is telling people about the breaches and how the companies are mitigating their risks, very few people I know personally have taken any kind of action.
With the Equifax breach, I made sure to talk to my close friends and family about it, and in every single conversation I was asked, “What can someone really do with my information?” The reply I got is that Equifax has already done what is needed to protect the customers from the attackers. This means that at most, the customers received 6 months to a year of credit monitoring (which only protects from fraud).
This is when the younger blackhat in me starts to give them potential scenarios–ones that changing passwords, security questions, or even closing accounts cannot prevent once their data is stolen.
The data in breaches has a small shelf life for the low-hanging fraud or scam attacks once the breach is public. This does not make the breach any less dangerous to organizations or individuals. The long-lasting effects are what the professional bad guys are after.
Here is a short example of how tricky these attacks can get:
- Attacker cross-references several breaches to gather as much information as possible about a group of targets. The sum of the data can contain: parts of a Social Security Number, birth date, full name, phone number, address, favorite things, gender, political party, type of property owned, healthcare provider, etc. Now, this is information that most people believe is not connected to their online identity, like an email address or username. That is no longer the case.
- Attacker takes that information and starts crafting very believable social engineering attacks. (I was attacked by this method in 2016 and luckily spotted enough red flags). A really crafty attacker can have information on associates and relatives to further validate their attack.
- In the example I used recently, I described an attacker’s email stating they are part of the law firm working with Equifax to protect customers. They need you to validate some information so they can determine if your information was part of the breach and verify if your information has already been used for fraud. In that same crafted email, they could put your personal information that they got from other breaches to make it more believable.
- The target clicks the links because, hey, who else would know that this email is associated with Jane Doe at 123 street, born in 1975, with the last 4 of the social 5555, and so on. The attack has two purposes once the target clicks the links:
  a. Capture more information and further add a feeling of safety for the target
  b. Attack the device the target is using.
So even without the information from the actual breach, an attacker can weaponize the opportunity. The attack is more believable because they use the real law firm’s name, maybe a real employee from the law firm, and include as much personal information about you as they can while keeping it relevant.
My questions for the Hackbusters community are: What have you done recently or in the past after a major breach, and how do your different social circles react after a breach?