The Dark Art of Turning Mountains of Stolen Data Into Cash

We’re only two months into a new year and already hundreds of millions of personal records have been compromised, including 123 million employee and customer records from sporting retailer Decathlon and another 10.6 million records of former guests of MGM Resorts hotels.

These announcements followed fuel and convenience chain Wawa’s revelation that it was the victim of a nine-month-long breach of its payment card systems at 850 locations nationwide.

In addition, Microsoft earlier this month said a data breach spanning 14 years exposed 250 million of its customer records.

Data breaches have become so common that experts agree it isn’t a matter of if, but rather when a company will become a victim. A recovery plan therefore should focus on how to deal with a breach of employee/customer/client data, how to handle a ransomware attack, and what to do to make sure exploits are plugged so that additional hackers don’t use the same ones again.

In the case of the Wawa breach, hackers claimed on dark websites such as fraud bazaar Joker’s Stash that they had 30 million records for sale. Whether or not that claim was true, it highlights the likelihood that there is far more exposed data than even hackers can handle.

Big Data Haul

The data that typically is stolen can vary, but in the case of the MGM breach it included full names, home addresses, phone numbers, emails and even dates of birth. For the Decathlon breach the information included unencrypted passwords, employment contract information, Social Security Numbers and working hours.

The MGM breach did not include credit card data, however.

“It’s important to realize that no payments data was involved in this particular incident,” said Gary Roboff, senior advisor at The Santa Fe Group.

However, “the effects of this hotel data leak may be even more insidious than some expect,” warned Mike Jordan, vice president of research at risk management firm Shared Assessments.

The last big breach of a hotel occurred in 2018 when Marriott was compromised, but that wasn’t really a profit-driven breach.

“It was attributed to alleged China-sponsored attackers for the purposes of intelligence and perhaps ultimately coercion,” Jordan told TechNewsWorld.

State Actors

One other factor contributing to the sheer number of breaches is that they aren’t always conducted by cybercriminals, as in the Marriott example.

“Statecraft by intelligence organizations often relies on basic information such as how and where to find people,” explained Jordan.

“Getting this information in bulk or using it to verify existing data is a key component to building an effective intelligence program,” he added.

“This information leak would be quite useful for those purposes, considering there are some particularly wealthy patrons on that list,” noted Jordan.

Because the MGM information was posted to a public forum, it is very unlikely that the perpetrators were the same as those responsible for the Marriott breach.

“However, this information could be just as useful to malicious parties, and more of them now have access to it,” suggested Jordan.

Supply and Demand

As a result of these breaches, it seems that a vast amount of data is being offered for sale on the dark Web — almost to the point that the big data is getting too big for cybercrooks to handle.

“Based solely on the law of supply and demand, the cost of a record has dropped significantly,” said Matt Keil, director of product marketing at Cequence Security.

“There are huge breaches still being revealed regularly,” warned Jim Purtilo, associate professor of computer science at the University of Maryland.

“Remember that just because your data are exposed once doesn’t mean every miscreant has it. More breaches place your data in more hands, meaning there are just that many more opportunities for some criminal mind to do something with it,” he told TechNewsWorld.

The issue is what the data contains, said James McQuiggan, security awareness advocate at KnowBe4.

“People need to consider that their information is out there, like Social Security Numbers, names, emails and passwords and addresses,” he told TechNewsWorld.

“It’s important for folks to monitor their credit and accounts, along with being vigilant towards emails they receive,” McQuiggan added. “While they can’t ignore all of their emails, they need to verify if something is too good to be true or suspicious.”

Cybercriminals tend to be highly inventive when it comes to finding profitable ways to use stolen data.

“In the hands of a motivated bad actor, this data can be used in an account takeover attack against MGM itself and — based on the propensity to reuse passwords — against other resorts,” Keil told TechNewsWorld.

“If successful, the value then becomes significantly greater because the bad actor will then be able to steal or use reward points,” he added. “The resultant fraud is an added expense to MGM, and longer term, impacts their users negatively. Statistics show that customers are far more likely to use a different vendor when their personal information is stolen.”

The Evil Lottery

Following the breaches at Equifax, the government’s Office of Personnel Management and Target, as well as countless other cyberattacks, it is very likely that most Americans have had some personal data exposed in recent years. The good news is that in many cases there is so much data that much of it won’t be used by the bad guys.

That doesn’t mean we shouldn’t be worried.

“We have become immune to the regularity of data breaches,” suggested Keil. “No longer do we see the outrage and backlash that occurred with the breaches of yesteryear — aka Target.”

Right now it isn’t a question of if or really even a question of when, but more likely how frequently our data could be exposed. We all could be participants in an “evil lottery.” Instead of winning a jackpot, we’re singled out for the unpleasantness that comes with our data actually being used by the bad guys.

That’s unfortunately true, said Shared Assessments’ Jordan.

“Our data is of value for targeting individuals using currently legal and illegal means — data is a raw material commodity like copper or soybeans that needs refining,” he explained.

Because our information changes over time, data has a shelf life, Jordan noted, “so new breaches are needed to keep their data valuable.”

Breach and Repeat

Many security breaches occur because they are easy to pull off. All too often companies see data theft as an added cost of doing business. Even seemingly “public” information can have value.

“It isn’t my intention to draw a road map for how to do this, but exposing just an address and DOB can be problematic enough,” explained University of Maryland’s Purtilo.

“Someone who acquires those in a smash and grab on some site can flip them for some trivial amount per record and move on — it’s not quite free money, but close to it,” he said.

A harsher impact occurs when the data is aggregated in the hands of someone with patience.

“One’s address and DOB are sufficient to open all sorts of innocuous accounts in someone’s name, which creates a thin backdrop of credibility for when the hacker goes ‘pretexting’ or pretending to be that person for purposes of persuading a utility company, financial firm or medical provider to reset an account for the identity thief,” Purtilo explained.

The result is that in very short order a legitimate data owner will find himself locked out of services while the hacker picks him clean.

“The more data spilled in a breach, the less of a story must be manufactured in order to persuade firms to give away your goods, but even a little data can be exploited when blended with patience,” said Purtilo.

It is no small task for cybercriminals to pull this off either. Unlike what movies and TV shows suggest, it isn’t a matter of instantly turning the data into bitcoin — it takes real effort to make the data worth something without alerting the authorities.

“Figuring out how to test the accuracy of pilfered identity credentials but without triggering an alert at a credit reporting firm becomes a real art,” said Purtilo. “An identity thief can work all around the periphery of someone’s digital profile creating a backdrop before going in for a more upscale breach at some financial firm.”

Beyond Breaches

There are other significant cyberthreats that are unlikely to stop, so recovery unfortunately has become the next best course of action.

“There is so much money being made in ransomware attacks that the attackers can afford to creatively develop and test new ways to attack organizations,” said Erich Kron, security awareness advocate at KnowBe4.

“The costs of phishing attacks — about (US)$65 to send 50,000 phishing emails from Dark Web operators — is so low, has such a low risk of being caught, and has such a high payout, that it is nearly impossible for cybercriminals to resist,” he told TechNewsWorld.

These attacks have proven themselves over decades and have mastered the ability to manipulate human behavior, added Kron.

“The key to avoiding these attacks is training people how to spot them and report them within the organization,” he suggested. “They also need to monitor traffic in and out of the network, looking for sensitive data or unusual traffic patterns. In addition, data at rest should be encrypted wherever possible to minimize the risk of sensitive data that is being leaked, even if it is exfiltrated.”

Technology Fighting Back

Fortunately there are now simple, yet effective, methods to help make some of the data worth less to hackers, if not exactly worthless. Two-factor authentication can render many of the exposed passwords useless, while security features are being added to payment solutions.

“Since chip cards were finally introduced in this country, we’ve seen a sharp decrease in the amount of useable credit and debit card information captured at the physical point of sale,” The Santa Fe Group’s Roboff told TechNewsWorld.

“The use of dynamic payments data generated by EMV-compliant cards and the increased use of payments tokens online — and biometrics to authenticate users initiating token-based payments on Apple and Android devices — has helped reduce payments fraud,” he added.

However, the best solution may be better practices on the part of individuals.

“Users need to take more control, paying closer attention to their password hygiene. Move to using a password manager for all uses, not just the important ones,” added Cequence Security’s Keil, “and wherever possible, two-factor authentication should be enabled.”

Peter Suciu

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and Peter.
