The Long Tail of Data Breaches
Data breaches have become so common that virtually everyone has been impacted by a breach in some way. Breaches at big retailers make the news, and replacement credit cards ominously arrive in the mail from our banks. However, there is a lot more to most data breaches than meets the eye, and as is the case with more traditional robberies, the theft of data is often just the beginning of the crime. If criminals can’t use or sell stolen data without being caught, then the data quickly becomes worthless. As a result it’s critical to understand what happens to data after a breach.
Understanding the Criminal Infrastructure
While hacktivists groups will periodically expose data to further an ideological cause, the vast majority of breaches are perpetrated by criminal groups focused on financial profit. Since very few of these attacks result in the direct theft of currency, criminals need a way to turn their stolen data into money. Even in the simple case of stolen credit card information, criminals either need to sell the cards to other criminals or use the cards directly to commit fraud. In either case, the card data itself is a precursor to future fraud.
This may seem incidental at first, but there are important consequences. Specifically, the ability to monetize stolen data requires a very different set of skills than those needed to breach a network in the first place. A network breach can be a relatively targeted operation perpetrated by a few attackers. However, once a breach is successful, the scale of the operation changes entirely. Whether the stolen data is personally identifiable information (PII), payment card data, or login credentials, the attackers face a challenge of scale. Millions of individual records need to be monetized either by reselling them or using the data directly for profit. The sheer volume of data makes it impractical to do these tasks manually, and this is where cybercriminals need help. In most cases help arrives in the form of botnets that can automate the processing of individual records, and a larger ecosystem of organized crime that can consume the stolen data. Here are few examples.
Direct Financial Fraud
Payment card breaches such as the recent attack against Target have obvious financial impacts and motivations. Yet while it is relatively simple for a criminal to derive value from an individual stolen credit card, doing the same for millions of cards is another thing entirely. This is where the larger criminal ecosystem comes into play. The attackers behind the breach will sell the stolen card data to brokers, who in turn sell cards in batches to lower level criminals who use the data to either buy goods online or print cards to be used in physical stores.
This ecosystem shares a common problem in that stolen credit cards have a very limited shelf-life. As soon as it becomes apparent that a specific merchant has been compromised (Target for example), all of the compromised cards will be quickly deactivated. This means that freshly stolen and active cards are highly valuable ($100 or more), while older cards can be worth pennies. This is a serious spread, and criminals need to know which sorts of cards they are buying, and the state of the cards they are holding. To address this challenge, criminals will periodically test a subset of their cards by using them to make small online purchases. Attackers can drop a few hundred credit cards into a botnet programmed to make small purchases, and quickly determine the percentage of cards that are active and working. Oddly enough, charities such as the Red Cross are a common recipients of these charges because they commonly receive small donations, and the purchase is unlikely to raise red flags with the consumer. Disrupting these validation steps could provide an interesting way to devalue the black-market price of stolen cards, and make the attacks less profitable for an attacker.
End-user credentials (usernames and passwords) are another common target of attackers, and can provide considerable long-term value for additional attacks and fraud. Unlike payment cards, there are no centralized authorities to deactivate compromised usernames and passwords in the event of a breach. A website that is compromised may lock out affected users so that they have to change their passwords, but there is nothing keeping an attacker from using the stolen credentials at other sites. A 2011 study from PayPal unsurprisingly found that 60% of users reuse passwords at multiple sites, meaning that a breach at one site can easily spider out to other sites around the Internet.
In order to find sites where credentials are re-used, attackers again turn to botnets in what are called credential stuffing attacks. In these attacks, stolen credentials are fed into distributed botnets, which in turn slowly and deliberately test those credentials against high-value websites. These attacks can afford to be patient, and will slowly test logins from many different IP addresses to avoid rate and reputation-based triggers that could expose the attack.
This strategy can transform a seemingly innocuous breach into something far more serious. If an attacker is able to take-over a victim’s account on an e-commerce site, they could easily commit fraud in the victim’s name. Such fraud may take longer to identify because the attacker is using the victim’s real account and from a site that the victim is known to use. Credentials to social media sites are also highly valuable, enabling an attacker to easily impersonate the victim and infect his or her social networks.
Likewise, compromised personal webmail accounts can be a goldmine for an attacker. Such access not only provides the attacker insight into the victim’s identity, but can also be key to breaking into additional online accounts. Most sites and applications have an option to reset or resend a user’s password to the email address on file. If the attacker has access to the victim’s email account, he can again use a botnet to proactively find online accounts where that email is used, and then obtain or reset the victim’s password.
These are just a few examples, but it serves to illustrate why it’s important for security teams to consider the lifecycle of stolen data. In order to monetize a breach, attackers often need to go through additional steps, and this provides additional opportunities to mitigate the effects of a breach. Likewise, companies can insulate themselves from the impacts of breaches elsewhere on the Internet by knowing how criminals attempt to automatically use stolen data. This of course won’t prevent breaches from happening in the future, but it certainly is possible to mitigate the damage.
Related: All Data Is Not Valued Equally