Dun & Bradstreet Marketing Database Exposed

A Dun & Bradstreet database, 52 GB in size and containing more than 33.6 million records with very specific details, has been exposed.

Cybersecurity researcher Troy Hunt, who received the database for study, on Wednesday confirmed that the records already were organized and developed as if intended for distribution to a potential client.

The database belonged to NetProspex, a firm purchased by Dun & Bradstreet in 2015 for US$125 million, ZDNet confirmed. NetProspex had compiled the database — which included personal information including names, job titles, job responsibilities and work email addresses and phone numbers — for e-marketers, by all accounts.

It presumably was meant as a tool to target customers via email campaigns and other communication methods. It is the type of data that can be purchased by clients and broken down either via bulk email addresses, or by specific records such as by company or industry.

No highly sensitive personal information was included in the records, however, according to Dun & Bradstreet.

“Based on our analysis, it is our determination that there has been no exposure of sensitive personal information from, and no infiltration of, our system,” a Dun & Bradstreet spokesperson said in a statement provided to the E-Commerce Times by company rep Deborah McBridge.

“The information in question is data typically found on a business card,” the spokesperson added. “As general practice, Dun & Bradstreet uses an agile security process and evaluates and evolves security controls to protect the integrity of our data. Generally, our legal agreements do require our customers to safeguard and maintain the confidentiality of the data they receive.”

Devil in the Details

The database includes information only on Americans, Hunt found. California has the highest representation with more than 4 million records, followed by New York with 2.7 million, and Texas with 2.6 million records.

That is in line with the population breakdown of the United States in general.

The database is quite diverse, including information on organizations in the government and military sectors, as well as individuals in the commercial sector. The database includes details on more than 100,000 individuals working for the Department of Defense, and more than 88,000 employee records from the United States Postal Service. There are more than 76,000 records from the United States Army and United States Air Force combined.

On the corporate side, the database includes records from several large-scale businesses, including AT&T, Boeing, Dell, FedEx, IBM and Xerox, as well as Walmart, CVS Health Corporation, Wells Fargo Bank, Citigroup and Kaiser Foundation Hospitals.

Ohio State University is one of the centers of higher education listed by Hunt, with 38,705 of its employee records turning up in the database.

Digital Commodity

How the information was stolen isn’t yet clear, but it doesn’t appear that great sophistication was required, which is in itself worrisome.

“The D&B breach shines an uncomfortable light on a common fact of modern life — that companies of most every sort consider personal customer information to be a valuable commodity,” said Charles King, principal analyst at Pund-IT.

“Once consumers provide information to businesses and other organizations, they have virtually no control over how it is handled, and few options when it is mishandled,” he told the E-Commerce Times.

“This hack shows that these types of databases are the low-hanging fruit for hackers,” said Pierre Roberge, chairman of Arc4dia.

“This wasn’t a very technical hack, and there probably isn’t a lot of money that will be made from it, but for some hackers this is enough so that they can eat and live,” he told the E-Commerce Times.

Going Into Crisis Mode

Companies have been challenged to come up with effective responses to data breaches, cyberattacks and other hacks.

“Organizations that have been hacked or breached would do well to address the situation with full transparency,” noted King.

“In fact, Yahoo’s situation is an exemplar of the bad tidings that can occur for a company and its shareholders when lack of transparency is the rule,” he told the E-Commerce Times.

“Though Dun & Bradstreet insisted that no personally identifiable information was exposed, reports that the database includes people’s first and last names, their job titles, email addresses, and the organizations they work for suggest otherwise,” King said. “The company would do well to get out in front of this or risk suffering long-term damage.”

Threat Level

Compared to recent cyberattacks and security breaches, this leak could rank more as an annoyance than as a grave security concern.

“This isn’t voter data rolls, or very personal information such as what we saw in the Office of Personnel Management or healthcare breaches,” said Eric Hodge, director of consulting at security research firm CyberScout.

“However, it could be a great first step for identity theft,” he told the E-Commerce Times.

“The information can make it more convenient for criminals, but this information is already out there and could be picked off LinkedIn or Facebook,” added Hodge.

“The bigger worry from this is that it casts a light on the global state of cybersecurity,” observed Arc4dia’s Roberge.

“It might not be very sensitive, but it shouldn’t end up on the black market so easily,” he said.

Follow-Up Attacks

Identity theft is the biggest potential concern resulting from an attack like this one, but unlike the OPM breach, which included Social Security numbers, home addresses, and in many cases fingerprints, the information leaked here is less significant on a personal level.

“This is in the ‘oh great, I’m going to get more spam’ — but anyone who thinks their information was breached should be more aware,” cautioned Hodge.

“I’d suggest checking credit card bills more closely, checking credit scores, and generally being vigilant,” he said, even though “this isn’t the type of breach that should be cause for huge alarm.”

Still, enterprising hackers could use corporate email addresses in dangerous ways.

“The challenge with a breach of this nature is that it provides a lot of raw material for nefarious attackers to craft very convincing phishing or social engineering campaigns against decision-makers in corporations,” said Dwayne Melancon, vice president of products at security and compliance firm Tripwire.

“Organizations should warn executives,” he told the E-Commerce Times, “and educate them on the warning signs of business email compromise schemes.”

Mind of the Marketer

The thieves apparently meant to sell the database to unscrupulous marketers.

“This does cast the spotlight inside the seamy underbelly of what you agree with when you check on agreements to use your personal information,” noted CyberScout’s Hodge.

“This information is what is considered acceptable to share when you check the box on agreements without reading the fine print,” he added. “It will open the eyes to what you give in the way of information to reputable companies, and this is a good illustration of the reality of how this information is then shared.”

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and FoxNews.com.


Reports Warn of Worsening Warfare From Cyber Criminals in 2022

Brace yourself, 2022 promises to bring expanded cyber confrontations as ransomware attacks gain the high ground.

A dangerous increase in ransomware attacks last year caused devastating compromises to government organizations, critical infrastructure, and businesses. Much of the increase resulted from cybercriminals becoming increasingly innovative and bold in their approach.

A report from Positive Technologies late last month found cybercriminals can penetrate 93 percent of local company networks and trigger 71 percent of events deemed ‘unacceptable’ for their businesses.

It takes an average of two days for cybercriminals to penetrate a company’s internal network. Researchers found that all the analyzed companies were susceptible to an intruder gaining full control over the infrastructure once inside the network.

Positive studied results of testing involving financial organizations (29 percent), fuel and energy organizations (18 percent), government (16 percent), industrial (16 percent), IT companies (13 percent), and other sectors.

Bugcrowd on Jan. 18 released its annual Priority One Report, which revealed a 185 percent increase in high-risk vulnerabilities within the financial sector. It also revealed the increase in ransomware and the reimagining of supply chains that led to more complex attack surfaces during the pandemic.

Ransomware Out of Control

Ransomware overtook personal data breaches as the threat that dominated cybersecurity news across the world at 2021’s end. Global lockdowns and remote work caused a rush to put more assets online, which led to an increase in vulnerabilities.

These reports show that all companies and organizations are now more susceptible to hacking and must double down on long-term cyber defense. Targets also involve individual consumers.

Ransomware is a major concern for everyone. Attackers can disrupt our daily lives whether they go after hospitals, gas pipelines, schools, or other businesses, warned Theresa Payton, former White House chief information officer and current CEO of cybersecurity consultancy firm Fortalice Solutions.

“Ransomware syndicates have no boundaries and do attack our personal systems and devices as well,” she told TechNewsWorld.

Another Case in Point

Hackers are buying space from major cloud providers to distribute Nanocore, Netwire, and AsyncRAT malware, according to a Jan. 12 Cisco Talos blog.

The threat actor, in this case, used cloud services to deploy and deliver variants of commodity remote access threats (RATs). Those deployments contained information-stealing capability starting around Oct. 26, 2021.

These variants are packed with multiple features to take control over the victim’s environment to execute arbitrary commands remotely and steal the victim’s information, according to Cisco Talos. The initial infection vector is a phishing email with a malicious ZIP attachment.

These ZIP archive files contain an ISO image with a malicious loader in the form of JavaScript, a Windows batch file, or Visual Basic script. When the initial script is executed on the victim’s machine, it connects to a download server to download the next stage, which can be hosted on an Azure Cloud-based Windows server or an AWS EC2 instance.

To deliver the malware payload, the actor registered several malicious subdomains using DuckDNS, a free dynamic DNS service.
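The delivery chain above (ZIP attachment wrapping an ISO image that carries a JavaScript, batch or VBScript loader) is the kind of structure a mail gateway can refuse before any script runs. The following Python is an added example written for this article, not Cisco Talos code; the function names, the verdict labels and the sample archives are all constructed here. It identifies an ISO by its ISO 9660 signature at offset 0x8001 rather than by file name, so a renamed image is still caught.

```python
import io
import zipfile

# Loader types named in the Talos description, plus the ISO wrapper they sit in.
SCRIPT_LOADERS = (".js", ".bat", ".vbs")
ISO_MAGIC_OFFSET = 0x8001          # ISO 9660 primary volume descriptor, byte 1
ISO_MAGIC = b"CD001"               # standard identifier of an ISO 9660 image


def is_iso9660(data: bytes) -> bool:
    """Identify an ISO 9660 image by its standard identifier, not its file name."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_zip_attachment(zip_bytes: bytes) -> dict:
    """Return a verdict plus findings for a ZIP attachment.

    'block'  : the archive wraps an ISO image or a script loader
    'review' : a member is named .iso but lacks the ISO signature, or the ZIP is unreadable
    'allow'  : nothing of the kind was found
    """
    findings = {"iso_members": [], "script_members": [], "mismatched": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return {"verdict": "review", "reason": "not a readable ZIP", **findings}
    for info in zf.infolist():
        if info.is_dir():
            continue
        name = info.filename.lower()
        # Only the bytes up to and including the signature are needed.
        head = zf.open(info).read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
        if is_iso9660(head):
            findings["iso_members"].append(info.filename)
        elif name.endswith(".iso"):
            findings["mismatched"].append(info.filename)
        if name.endswith(SCRIPT_LOADERS):
            findings["script_members"].append(info.filename)
    if findings["iso_members"] or findings["script_members"]:
        verdict, reason = "block", "ISO image or script loader inside ZIP"
    elif findings["mismatched"]:
        verdict, reason = "review", ".iso name without ISO 9660 signature"
    else:
        verdict, reason = "allow", "no ISO or script loader found"
    return {"verdict": verdict, "reason": reason, **findings}


def build_sample(members: dict) -> bytes:
    """Constructed sample: pack name -> bytes members into an in-memory ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def fake_iso_stub() -> bytes:
    """Constructed stand-in for an ISO image: zeros with CD001 at offset 0x8001.

    It holds no file system and no payload, only the signature the check keys on.
    """
    stub = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
    stub[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    return bytes(stub)


if __name__ == "__main__":
    lure = build_sample({"invoice_1012.iso": fake_iso_stub()})
    print(triage_zip_attachment(lure))
    clean = build_sample({"report.pdf": b"%PDF-1.4 constructed sample"})
    print(triage_zip_attachment(clean))
```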

Researchers Became Hackers

During the assessment of protection against external attacks, Positive Technologies experts breached the network perimeter in 93 percent of cases. This figure has remained high for many years, confirming that criminals are able to breach almost any corporate infrastructure, according to the company’s researchers.

“In 20 percent of our pentesting (penetration testing) projects, clients asked us to check what unacceptable events might be feasible as a result of a cyberattack. These organizations identified an average of six unacceptable events each, and our pentesters set out to trigger those,” Ekaterina Kilyusheva, head of research and analytics at Positive Technologies, told TechNewsWorld.

According to Positive’s customers, events involving the disruption of technological processes and the provision of services, plus the theft of funds and important information, pose the greatest danger, she said. In total, Positive Technologies pentesters confirmed the feasibility of 71 percent of these unacceptable events.

“Our researchers also found that a criminal would need no more than a month to conduct an attack which would lead to the triggering of an unacceptable event. And attacks on some systems can be developed in a matter of days,” Kilyusheva added.

An attacker’s path from external networks to target systems begins with breaching the network perimeter. It takes two days to penetrate a company’s internal network.

Credential compromise is the main way criminals can penetrate a corporate network for most companies. That high number results mainly because simple passwords are used, including for accounts used for system administration, according to Positive’s report.

Financial organizations are considered to be among the most protected companies, yet Positive’s specialists verified unacceptable events in each of the banks it tested, noted Kilyusheva.

“Our specialists managed to perform actions that could let criminals disrupt the bank’s business processes and affect the quality of the services provided. For example, they obtained access to an ATM management system, which could allow attackers to steal funds,” she explained.

Key Cybersecurity Trends

Bugcrowd’s Priority One report spotlighted the key cybersecurity trends of the past year. These include the rise in the adoption of crowdsourced security due to the global shift to hybrid and remote work models and the rapid digital transformation associated with it.

The report reveals that the strategic focus for many organizations across industries has shifted, with the emphasis now on clearing residual security debt associated with that transformation.

Until now, highly advanced maneuvers and clandestine operations defined attack strategies. But this approach started to shift last year toward more commonplace tactics such as attacks on known vulnerabilities.

Diplomatic norms around hacking have weakened to the point where nation-state attackers are now less concerned with being stealthy than in the past, according to Bugcrowd.

Top highlights from the 2022 Priority One Report include:

  • Cross-site scripting was the most commonly identified vulnerability type
  • Sensitive data exposure moved up to the third position from the ninth on the list of the 10 most commonly identified vulnerability types
  • Ransomware went mainstream, and governments responded
  • Supply chains became a primary attack surface
  • Penetration testing entered a renaissance

An emerging ransomware economy and a continued blurring of lines between state actors and e-Crime organizations are changing the cyber threat landscape, according to Casey Ellis, founder and chief technology officer for Bugcrowd.

“All of which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same,” he predicted.

To Pay or Not To Pay?

Cyber experts and some governments used to preach not paying a ransom. This is still a valid strategy, although not all government officials and cyber experts agree.

Not paying the ransom should be a global goal to disincentivize cybercrime syndicates, noted Payton. While responding to incidents, her Fortalice Solutions team has seen that victims frequently do not want to pay the ransom. Still, their cyber liability insurance companies may deem it cheaper to pay the extortionists versus paying for a recovery effort. That is problematic.

“If someone has to pay, I do not judge the victim organization or victim shame because that does not solve the issue. But when considering payment, victims should know that payments, which averaged $170,000 (per Sophos research) do not assure full data recovery,” Payton said.

Sophos also found that 29 percent of affected companies failed to recover even half of their encrypted data, with only eight percent achieving full data recovery.

Historically, ransomware has targeted organizations with mission-critical data over individuals. But, if you have ever lost data to an old hard drive failure, you have felt the pain of a ransomware attack, according to Lisa Frankovitch, CEO of network management firm Uplogix.

It is much better to employ security best practices such as two-factor authentication, password managers, and encryption than having to determine if you should pay the ransom or not, she advised.

Impact on End Users

The biggest threat that cyberattacks pose to both businesses and consumers is downtime, noted Frankovitch. Whether your network has been breached or your personal identity has been stolen, the disruption and downtime can be catastrophic.

“Gartner estimates that the average cost of a network outage is over $300,000 an hour,” she told TechNewsWorld.

Regarding security for enterprise networks, the U.S. National Security Agency (NSA) published guidelines on using out-of-band management to create a framework that improves network security by segmenting management traffic from operational traffic.

By ensuring that management traffic comes only over the out-of-band communications path, compromised user devices or malicious network traffic are prevented from impacting network operations and compromising network infrastructure, explained Frankovitch.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open-source technologies. He is an esteemed reviewer of Linux distros and other open-source software. In addition, Jack extensively covers business technology and privacy issues, as well as developments in e-commerce and consumer electronics.


Covid Domain Registrations Soar, Many by Bad Actors

Nearly half a million Covid-related domains have been created over the last two years, many of them being used by online fraudsters and hucksters.

The pandemic has created an environment in which bad actors make use of a range of Covid-related “hooks” to commit cybercrime and fraud, impacting consumers and brands, explained CSC, a domain registrar that released a study Tuesday of more than 478,000 domain names tied to pandemic keywords.

Over the study period, the report noted, the range of entities taking advantage of the growth in awareness of Covid to create websites to attract traffic and generate revenue has spiked. At the same time, the surge in sites has resulted in a larger pool of suspicious and malicious domain registrations.

“It’s insane the amount of fraud and fake goods that we’ve seen associated with these 478,000 domain names,” declared CSC CTO Ihab Shraim.

“The pandemic is an endless money-printing machine for these malicious actors,” he told TechNewsWorld.

“They’re all using this pandemic to make some serious revenue off it,” he added. “They’re making millions of dollars per month.”

Exploiting Brands

The report acknowledged that some Covid-related domain registration activity could be related to domain speculators trying to cash in on a potential hot domain name, but there were also signs of malicious third-party operations.

For example, the domains exploiting brand names related to Covid, such as Pfizer, Moderna and Johnson & Johnson, used the same infrastructure as previously identified with harmful websites. In addition, some sites used tactics favored by bad actors to disguise, then launch attacks, such as domain parking and pay-per-click.

The report also noted that of the domains exploiting brand names, about half contained no content, while the other half were involved in pay-per-click or other kinds of advertising schemes.

Image: fraudulent website disguised as the World Health Organization.

This site is branded as the World Health Organization, but the logo is wrong, and none of the social media links at the bottom of the page nor the menu options at the top are functioning. This appears most likely to be a phishing page intended to gather personal information. (Credit: CSC)

It added that a third of the dormant sites contained active MX records which could be used as a future launchpad for malicious activity.

“Domain names are valuable to threat actors looking to capitalize on newsworthy events, especially those that involve fear or financial motivations,” observed Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.

“The reason is quite simple,” he told TechNewsWorld. “The more legitimate they can make their fraudulent sending emails or websites appear, the more likely they are to fool their victims into trusting them.”

“This trust gives them much higher odds of stealing sensitive information or money from their targets,” he added.

Confusing Domains

Moreover, domain names can be confusing to a lot of people, noted Erich Kron, a security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.

“The domain name KnowBe4.com is different than KnowBe4.net or even Know-Be4.com, a difference that cybercriminals take advantage of, knowing that many people do not understand that they are different,” he told TechNewsWorld. “This allows these scammers to fake websites easily and in ways that look genuine.”

“Covid-19 is a great topic for cybercriminals because of the constant newsworthy stories and developments,” he said.

“With each development,” he continued, “there is guidance released and often revised, making it very easy to use these stories as a lure to get people to go to malicious websites or open infected documents purporting to be updated guidance or new findings in the battle against the virus.”

“Shortages of tests and vaccines are also powerful topics to get people to take action,” he observed.
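The two patterns described above, a brand name on a different suffix or with a separator inserted (KnowBe4.net, Know-Be4.com) and a brand name combined with pandemic keywords (the Pfizer, Moderna and Johnson & Johnson registrations in the CSC report), can be screened mechanically in a brand-protection review queue. The following Python is an added example written for this article, not CSC’s or KnowBe4’s tooling; the brand list, keyword list, short suffix list (standing in for a public-suffix lookup) and the sample domains are all constructed here.

```python
import re

# Constructed lists for this example; the report's own keyword set is not on the page.
BRANDS = ("knowbe4", "pfizer", "moderna")
COVID_KEYWORDS = ("covid", "vaccine", "coronavirus", "test", "booster")
# Small fixed suffix list standing in for a Public Suffix List lookup.
KNOWN_SUFFIXES = ("co.uk", "com", "net", "org", "info", "xyz")


def registrable_label(domain: str) -> tuple:
    """Split 'www.know-be4.com' into ('know-be4', 'com') using the suffix list."""
    host = domain.lower().strip(".")
    for suffix in sorted(KNOWN_SUFFIXES, key=len, reverse=True):
        if host.endswith("." + suffix):
            labels = host[: -len(suffix) - 1].split(".")
            return labels[-1], suffix
    labels = host.split(".")
    return (labels[-2] if len(labels) > 1 else labels[0]), labels[-1]


def normalise(label: str) -> str:
    """Collapse the separators a lookalike relies on (know-be4 -> knowbe4)."""
    return re.sub(r"[-_.]", "", label)


def classify(domain: str, legit: dict) -> list:
    """Return the reasons a domain merits review; an empty list means nothing flagged.

    legit maps brand -> set of registrable domains the brand actually owns,
    e.g. {"knowbe4": {"knowbe4.com"}}.
    """
    label, suffix = registrable_label(domain)
    registrable = f"{label}.{suffix}"
    flat = normalise(label)
    reasons = []
    for brand in BRANDS:
        if brand not in flat:
            continue
        if registrable in legit.get(brand, set()):
            return []                                   # the brand's own domain
        if label == brand:
            reasons.append(f"brand '{brand}' on unowned suffix .{suffix}")
        elif flat == brand:
            reasons.append(f"separator-inserted lookalike of '{brand}'")
        else:
            reasons.append(f"brand '{brand}' embedded in '{label}'")
        hits = [k for k in COVID_KEYWORDS if k in flat.replace(brand, "")]
        if hits:
            reasons.append(f"pandemic keyword(s) {hits} combined with '{brand}'")
    return reasons


def review_queue(domains, legit: dict) -> dict:
    """Map each flagged domain to its reasons; unflagged domains are omitted."""
    return {d: r for d in domains if (r := classify(d, legit))}


if __name__ == "__main__":
    # Constructed sample registrations, not domains from the report.
    LEGIT = {"knowbe4": {"knowbe4.com"}}
    sample = ["knowbe4.com", "KnowBe4.net", "Know-Be4.com",
              "pfizer-covid-vaccine.com", "example.org"]
    for domain, reasons in review_queue(sample, LEGIT).items():
        print(domain, "->", "; ".join(reasons))
```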

“Any time there is a high-visibility incident, attackers will use that to create lures to entice victims,” added John Bambenek, a principal threat hunter at Netenrich, an IT and digital security operations company in San Jose, Calif.

“I’m sure once the shooting starts in Ukraine, the lures will shift to that very quickly,” he told TechNewsWorld.

Domain Ecosystem Problems

Bambenek maintained that the fundamental problem with the current domain system is that many registrars and companies in the domain ecosystem are willing to look the other way while they accept money from criminals to use their services to commit crimes.

“Once the U.S. relinquished control of this system,” he said, “there was no longer any pretending that it would be operated as a public benefit.”

Kron explained that problems with the domain system are largely due to the simplicity and low cost to register domain names.

“There is little to no verification of domain names, even those using keywords related to Covid and the pandemic, or even corporations such as vaccine manufacturers, to ensure that ownership can be traced to an individual or organization,” he said.

“Essentially,” he continued, “anybody can register nearly any domain name in minutes, and with no accountability.”

“Cybercriminals have perfected the technique of registering domain names with very little effort and cost, often knowing that the domain would last 48 hours or less,” he added.

Cloud computing has added to the problem, asserted Brian Johnson, CSO at Armorblox, an enterprise communications protection provider in Sunnyvale, Calif. “Phishing and business email compromise attacks that use these ‘in the moment,’ fleeting domains cannot be detected by existing security tools,” he told TechNewsWorld.

What’s more, domains can be susceptible to a number of attacks, added Sanjay Raja, vice president of Gurucul, a threat intelligence company in El Segundo, Calif.

“Threat actors can take advantage of expired domains, problems with SSL certificates, poor security controls at domain registrars, domain extensions that are actually registered by threat actors but look legitimate, and domain hijacking through phishing attacks or other credential-stealing methods,” he told TechNewsWorld.

“These are just some of the tactics used that eventually lead to presenting users with domains that allow for compromising networks and installing and executing malware or ransomware,” he said.

High Marketplace Activity

Other areas covered by the report included ecommerce, mobile apps, phishing and social media.

The pandemic saw the appearance of very high volumes of Covid-related marketplace activity, it noted. Many of those listings were for counterfeit or otherwise low-quality or ineffective products, appearing in response to unprecedented consumer demand.

In the mobile domain, Covid-related apps found in the main app stores were legitimate, CSC reported, but a significant number of programs found outside the stores were malicious.

The report also noted that Covid-related phishing campaigns contained a number of content types, including emails driving users to websites intended to harvest personal details, distributing malicious software through attachments and directly soliciting financial donations.

In a similar vein, fake profiles on social media were used to direct users to phishing sites or solicit donations. In addition, pages on those sites were used to feature e-commerce content of dubious quality, offer app-based trackers with malicious payloads, and spread disinformation.

John P. Mello Jr. has been an ECT News Network reporter since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the Boston Phoenix, Megapixel.Net and Government Security News.
