How are data breaches of non-sensitive data used by cybercriminals?
When it comes to cyberattacks having detailed situational awareness and the ability to quickly sift through open-source data and information on the surface, deep, and dark web allows businesses and financial institutions to quickly determine potential risks and take necessary precautionary actions fast. This can help mitigate threats posed by cybercriminals, reducing the security spending and costs surrounding the fallout after criminals successfully commit fraud through the use of leaked data.
In this article, we explore a growing concern for a number of businesses which poses increased year on year risk, with increasingly costly repercussions - credential stuffing. We answer the following questions and more: what is credential stuffing? Why does it pose a severe security risk? And how can dark web monitoring and social media monitoring be used to mitigate the threat of data breaches?
What is credential stuffing?
Many businesses assume that non-sensitive customer data has little value to a cyber-criminal.
In fact, in a recent study, it was found that a number of businesses didn’t even password protect cloud-stored customer data. Meaning anyone could have come along and downloaded the entirety of those databases.
What is even more worrying, is that many data breaches go entirely undetected.
Credential stuffing is a tactic growing in popularity that weaponises non-sensitive stolen credentials (eg. usernames and passwords) against websites and mobile applications. Large volumes of stolen account logins are tested against other website login pages to gain unauthorised access to accounts, in order to commit fraud.
The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing. The vulnerability is simply having a login form and having users.
Whilst the strike rate is low - think a few successes for every thousand attempts - there are billions of stolen credential pairs in the hands of cybercriminals.
In 2018 there were 2.8 billion credentials stuffing attempts reported in the US alone. And this number is only rising. Which goes to show just how much of a threat credential stuffing has become.
On top of this, a skilled hacker, using a throttled bot with multiple Autonomous Systems Numbers (ASNs) and IP addresses can remain undetected for long periods of time, allowing them to try potentially millions of login combinations without anyone knowing anything untoward is happening.
Source: idtheftcenter.org
What are the cybercriminal’s goals?
“It is a misconception that only financial information like payment card numbers or bank accounts has monetary value to data thieves.” - Source
Obviously, the most valuable data for cybercriminals is going to lead them to bank account and credit card details. These they can use directly to access a persons money. In 2019 though, there was a significant decrease in the amount of sensitive data exposed. Going from a reported 471 million records in 2018, down to 164 million in 2019. It’s worth noting though that the Marriot breach in 2018 did skew the records there with over 300 million sensitive records exposed in that single data breach.
However, there are numerous ways a cybercriminal can benefit from accessing another persons account data through credential stuffing of purportedly non-sensitive data. These strategies will be tailored to the sites they gain access to and can lead to various forms of identity fraud and phishing scams.
Part of the reason this indirect strategy is growing in popularity with cybercriminals is that sensitive data is becoming better and better protected by corporations and financial institutes. However, this somewhat simplistic approach creates a serious vulnerability to any company.
Credential stuffing is costing businesses millions each year. Not just in the follow-up costs of a cyber attack and the ramifications of fraud, but from increases inIT security spending, potential lost revenue from lost customers, and application downtime. This, according to one study by Akamai is costing companies an estimated $4 million a year.
Who is most at threat?
When it comes to what this looks like in real life you only have to take a cursory glance at the numbers to have cause for concern. In 2019 it was reported that a total of 869,857,509 records were stolen by cybercriminals in the US - and it’s likely that many more stolen records went either undetected or unreported.
The majority of that data, around 750 million records, was non-sensitive data, that will largely find its way to the hands of cybercriminals who will use it for credential stuffing.
The credential stuffing technique can be used against any company with a login page.
“Up to 83% of people - according to 2018 research - use the same password for more than one account.”
Consumers face growing complexity in password requirements, with various length requirements, plus symbols and numbers - this has actually encouraged many users to find a single password that fits the bill and they’ve then reused that password or variations of it across numerous account logins. This is then paired with a growing number of individuals who have access varying levels of technology and might not know how to best protect their data.
Source: idtheftcenter.org
What can be done to mitigate the threat of credential stuffing?
People are always talking about having better online security but no one ever talks about what happens after a data breach or after being hacked.
As the old saying goes, “hope for the best, but plan for the worst.” A growing number of companies are on the receiving end of cyberattacks and it is leading to an increasing number of data breaches.
Shoring up online and cybersecurity is absolutely vital. However, it may well not be you who is hacked, instead a victim of the credential stuffing technique. One thing to do is to require two-factor authentication. But even this isn’t flawless as the hacker may well have access to that user’s email account as well.
So, what can businesses do to mitigate the growing threat of credential stuffing? Often hackers responsible for the data breach won’t use all the data themselves. Instead, they’ll turn to the dark web where they can anonymously sell the data instead.
This is where threat intelligence software like Signal comes in. Signal allows for users to monitor the dark web without needing a Tor browser. With threat intelligence software like Signal one can do much more than just monitor the dark web though.
Users can set up alerts for keywords and monitor dozens of channels instantly generating alerts for users based on their search queries. What this means is that as soon as leaked data goes up for sale on the dark web - or as soon as anyone talks about purchasing records gained through illegal or forced access to your database you will know.
You can then take precautionary actions to mitigate the potential threat. For example, warning customers of potentially exposed data so that they can secure any logins with the same password, force resetting customer passwords, and reporting the incident to the authorities.
In one recent example, it was found that an employee of a bank, stole over 3 million sensitive records from their company database. They then went away and bragged about it on social media and on various dark web forums (like 8chan). These set off immediate alerts through the Signal system and action was able to be taken, the data was recovered before it changed hands and the employee faced the legal ramifications of their actions.
Because Signal uses open-source data all evidence and information gathered through its channels are able to be used as actionable intelligence.
Related: Black Hat Brags about Bank Hack Signal Could have Spotted
Detect and remedy data breaches fast with Signal
Get in contact to learn more, or request a demo using the options below: info@signalpublicsafety.com
