Data breaches have put the data of billions of people into the hands of cyber criminals. Major breaches such as those that occurred at Equifax, JP Morgan, Target and Home Depot, and the thousands of smaller (and not so small) breaches that don’t make headlines, have put billions of people at risk of an attack. It is frightening to imagine the downstream impact of data breaches and how they enable a whole new generation of phishing attacks.
So You’ve Been Impacted By A Data Breach
The downstream impact of the biggest data breach in absolute number of records, Yahoo!’s massive breach of 3 billion records, could in theory have been mitigated with a change of password, assuming that 1) your account wasn’t accessed and 2) content wasn’t downloaded. With other breaches such as Equifax or JPM, you could take some kind of defensive action like credit monitoring, cancelling credit cards and adding security tools that limit the compromise of more financial information. Yet there should be a legitimate fear stemming from the social engineering attacks that can follow.
The “Dark Web” black market for data places more value on a data set the richer it is, or for specific information types. “Fullz”, credit scores and health records (which are more durable) can all command higher prices. With a record including a Social Security Number, criminals can profit significantly by making false filings to the IRS on one’s behalf. Similarly with credit cards, there are multiple simple ways for criminals to cash out. Verified credit cards with good credit scores can demand a premium. There is even a market for dead credit cards.
Fortunately for consumers, in many cases, most data can become stale and less useful to criminals. The most dangerous downstream consequences of a breach are mitigated for the most part by a rapid deterioration in the value of the data – which makes the time taken by major companies and brands in disclosing breaches all the more concerning.
Two Dangerous Trends Collide
The caveat here is that two major trends could intersect with disastrous consequences. The more data available to bad actors, the more likely socially engineered attacks can be successfully carried out. Social engineering opens more avenues for criminals to monetize compromised data, primarily because they can incorporate a victim’s data into an attack, making the attack sound more legitimate and getting the victim to ignore suspicions.
Social engineering doesn’t necessarily have to be a complex multi-factor CEO fraud. There’s the possibility that more and more bulk mail social engineering begins to make the rounds – only made possible through data breaches, which put massive amounts of rich data onto the dark web.
Generally, phishing has been executed with either a highly targeted focus or a very wide reach. There’s a real threat that a phishing attack executed as a follow-up to a data breach could put your average user, and particularly the elderly, busy, or less digitally aware, at a much greater risk. Attacks that used to be shotgun bulk mail can become enriched with other information that results in a more “personalized” feel.
The fear is that given specific pieces of information, a shotgun “spray and pray” approach can be scaled to a more targeted method with a greater chance of snagging a victim. What happens when targeted threats are launched at increasing scale?
The Economics of the Email Threat
To simplify why these concerns are significant, let’s do the math. From the perspective of an attacker, imagine that:
Potential Earnings of Attack Campaign:
(Estimated Revenue Per Successful Attack * Attempted Attacks) * Attack Vector Effectiveness Rates – Cost per Campaign = The “Return on Investment” of an Attack
Cost per campaign = Costs of Acquiring Data + Variable (and some fixed) Costs + Cost of Time and Energy required to “Convert” Target
The time and energy costs of a highly targeted phishing attack, such as a Business Email Compromise or CEO Fraud, are quite high by comparison to a bulk mail attack. They require a lot of research before they’re launched, along with intensive nurturing and follow up. For such an attack to be effective, it needs to be flawlessly executed, or just about, and dozens of attempts might need to be made before an attack is successful in yielding the 5-to-6-figure payoff many attackers are looking for. The alternative spray and pray approach will have a tiny effectiveness rate, but cost per campaign is quite low, with a very low marginal cost. (If this is beginning to sound like a sophisticated business case, well, spam and cybercrime are a billion or even trillion dollar business.)
What is very frightening is that the more tailored the attack is, the more likely it is to be successful. The level of targeting exists on a scale. For each element that makes the campaign more personal, or that seems to show possession of information that creates a sense of familiarity with the subject, the likelihood of a “hit” (or, dare I say, a conversion) increases. Using the correct “first name” is a start, but easily ignored.
In a CEO Fraud, a scammer might pick up the phone to follow up an email – which creates huge amounts of trust, or at least enough to sow a degree of confidence. But in the middle-range targeted attack, what if an email has 3 important elements or cues, for example first name, the last 4 digits of my account number, and knowledge that the recipient has been hacked? That’s sure to have a frighteningly high success rate.
If a scammer goes on the Dark Web and purchases JPM’s database with usernames and whatever other information is available, they can dramatically boost the effectiveness of a “reset your password” campaign with the same launch cost and an only slightly higher data acquisition cost compared to what was previously available. Compare that to trying to get a user to reset their password without knowing any of their banking information, and it’s clear that the more you know about a target and put to use, the more effective the attack will be. What happens if the number of victims of a bulk mail spam campaign goes from 1 in 1,000,000 to 1 in 100,000 with only a slight increase in the cost of data on the black market?
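To make the ROI and cost-per-campaign formulas above concrete, here is an added model (not from the original post) that plugs constructed figures into those equations and derives the break-even effectiveness rate each campaign needs; every dollar amount and rate is an assumed placeholder chosen only to illustrate how breach-enriched bulk mail shifts the numbers.

```python
from dataclasses import dataclass


@dataclass
class Campaign:
    """One email campaign expressed in the terms of the post's ROI formula.
    All figures are constructed placeholders, not measured values."""
    name: str
    revenue_per_success: float  # estimated revenue per successful attack
    attempts: int               # attempted attacks (emails sent)
    effectiveness: float        # attack vector effectiveness rate (fraction)
    data_cost: float            # cost of acquiring data
    cost_per_attempt: float     # variable cost per email sent
    fixed_cost: float           # fixed cost of the campaign
    conversion_cost: float      # time and energy to "convert" targets

    def cost_per_campaign(self) -> float:
        return (self.data_cost + self.cost_per_attempt * self.attempts
                + self.fixed_cost + self.conversion_cost)

    def expected_earnings(self) -> float:
        return self.revenue_per_success * self.attempts * self.effectiveness

    def roi(self) -> float:
        # (revenue per success * attempts) * effectiveness - cost per campaign
        return self.expected_earnings() - self.cost_per_campaign()

    def breakeven_effectiveness(self) -> float:
        # The effectiveness rate at which the campaign's ROI is exactly zero.
        return self.cost_per_campaign() / (self.revenue_per_success * self.attempts)


# Constructed scenarios: plain bulk mail, the same bulk mail enriched with breached
# data (1 in 1,000,000 -> 1 in 100,000, as in the post), and a CEO-fraud campaign.
SPRAY = Campaign("spray and pray", 500.0, 1_000_000, 1 / 1_000_000, 50.0, 0.0001, 100.0, 0.0)
ENRICHED = Campaign("breach-enriched spray", 500.0, 1_000_000, 1 / 100_000, 200.0, 0.0001, 100.0, 0.0)
BEC = Campaign("targeted CEO fraud", 100_000.0, 20, 0.05, 500.0, 0.0, 100.0, 40_000.0)


def compare(campaigns):
    """Map each campaign name to its (ROI, break-even effectiveness rate)."""
    return {c.name: (c.roi(), c.breakeven_effectiveness()) for c in campaigns}


if __name__ == "__main__":
    for name, (roi, rate) in compare([SPRAY, ENRICHED, BEC]).items():
        print(f"{name:22s} ROI={roi:>10.2f}  break-even: 1 success in {1 / rate:,.0f}")
```

With these placeholder inputs, a tenfold rise in effectiveness against a modest rise in data cost multiplies the bulk campaign's ROI many times over, which is the scenario the post is warning about.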
Credential Phishing After Breaches
An unfortunate characteristic of a password-reset attack is that it is seemingly even more effective in the wake of an attack making headlines. Think about it: If you heard Equifax got hacked, and then received an email from Equifax asking you to reset your password to an account on one of their platforms, without knowing whether the sender was genuine, how much more likely would you be to follow through in that process? What about your Yahoo! password? Or if you got a message about joining a lawsuit against Target because they lost your credit card?
The Scammers Probably Have Your Data, Now What?
Given the number of large scale data breaches that we’ve seen in the past decade, it’s a fair guesstimate to say that there’s pretty rich data on nearly every household in North America out there on the dark web. Shotgun phishing could become much more targeted – and that is very frightening.