The criminal value of data

05 June 2023

By NCC Group

In recent months, cybercriminals have managed to steal large amounts of (personal) data. They then sell it through online marketplaces on the dark web. Occasionally the police manage to roll up such a marketplace, the most recent example being Genesis Market, which was taken offline after investigations by the FBI, Europol and the Dutch police (Operation Cookiemonster).

Cybercriminals amass large amounts of personal data through hacking or phishing. We also see malicious software (malware, in this case so-called information stealers) hidden in misleading files, applications or browser plug-ins, which siphons off data from the device it runs on. The victim may have installed it on their computer or phone without realising it.

What exactly is stolen in a data breach is by no means always clear. The obvious items are usernames, passwords, phone numbers, bank account numbers and citizen service numbers. But there is more, because the more personal and recent the information connected to a victim, the more valuable it is to a criminal. Think of a bank balance, crypto-wallet data, bills from energy companies or webshop purchases. On Genesis Market, millions of user profiles were traded, and these also contained browser cookies and so-called session tokens. A session token is what a website hands to a browser after a successful login so that the user does not have to log in again on every page; whoever holds a valid one can use the account without knowing the password. Together with details of which websites someone visits, with which browser and with which login data, this makes up a profile with unique information about the user.

Marketplaces such as Genesis Market are not the only places where criminals find such services: social media and chat applications serve the same purpose. There, criminals buy and sell stolen information, as well as scripts and comprehensive manuals for malicious purposes.

How is stolen data misused?

The kind of information an attacker has at their disposal determines the nature of the attack. The more an attacker knows about a person, the more sophisticated the tricks used to extract money from the victim can be. Increasingly, this is done through social engineering: the victim is persuaded, often under time pressure, to perform certain actions.

For example, an attacker in possession of someone's (e-mail) address and phone bill may impersonate the phone provider and persuade the victim to transfer money to avoid disconnection. An attacker can also contact an organisation and pretend to be a legitimate customer in order to extract further information. The chances of success rise considerably if the attacker already holds the details that providers use to verify a customer (such as date of birth, postcode and house number). In WhatsApp fraud, the attacker poses as convincingly as possible as a friend or family member of the victim, presents a precarious situation and asks for money. Again, the more the criminal knows about the victim, the higher the chances of success.

Genesis Market also offered profiles containing the victim's browser fingerprint: browser version, installed plug-ins, screen size, time zone and similar details. With these, an attacker can configure their own browser to look identical, so that a login to an online shop appears to come from the victim's known and trusted computer. This helps the attacker bypass the device-based checks that websites use to detect non-legitimate logins.

How can organisations protect themselves?

Organisations with websites or applications can take several measures against illegal logins to ensure their customers' security.  

First: adopt a strict login and password policy. This means, for example, requiring passwords of more than 10 or 12 characters and advising customers to use a passphrase instead of a password. Limit the number of login attempts per account within a given period to counter brute-force and credential-stuffing attacks. A strict login policy also includes requiring multi-factor authentication, for example a one-time password (OTP) sent by SMS or generated by an app such as Google Authenticator; an app-based or hardware second factor is preferable to SMS, which can be intercepted through SIM swapping. A second authentication step is much harder for an attacker to pass with a stolen password alone. Note, however, that a stolen session cookie sidesteps the login step entirely, second factor included, because the session it represents has already been authenticated. It is therefore strongly recommended to limit the lifetime of browser cookies and 'permanent' (remember-me) logins as much as possible, and to invalidate all existing sessions when a password is changed. This makes it harder for an attacker to take over a web session using stolen browser data.
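The two mechanical parts of that policy, limiting login attempts per account and bounding the lifetime of a session, are shown below as an added example (this is not code from the NCC Group article, and the thresholds, class names and cookie attributes are illustrative choices of this example). The credential check itself is assumed to happen elsewhere and is passed in as a boolean; a blocked account is refused before that result is even consulted.

```python
"""Added example, not code from the NCC Group article: a failed-login rate
limiter and a session store with bounded lifetimes, standard library only.
All thresholds and names are illustrative choices, not NCC Group figures."""
import secrets
import time
from collections import defaultdict, deque

MAX_FAILURES = 5               # failed attempts tolerated per account per window (assumed)
WINDOW_SECONDS = 15 * 60       # sliding window over which failures are counted
ABSOLUTE_LIFETIME = 12 * 3600  # a session dies after this long, active or not
IDLE_TIMEOUT = 30 * 60         # ...or after this much inactivity


class LoginRateLimiter:
    """Sliding-window count of failed logins per account name.

    Keying on the account rather than only on the source IP matters here:
    attacks using bought credentials arrive from many addresses.
    """

    def __init__(self, clock=time.time):
        self._clock = clock                    # injectable for testing
        self._failures = defaultdict(deque)    # account -> timestamps of failures

    def _recent(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                        # drop failures outside the window
        return q

    def is_blocked(self, account):
        return len(self._recent(account, self._clock())) >= MAX_FAILURES

    def record_failure(self, account):
        now = self._clock()
        self._recent(account, now).append(now)

    def record_success(self, account):
        self._failures.pop(account, None)


class SessionStore:
    """In-memory sessions with both an absolute and an idle expiry.

    No long-lived 'remember me' variant is offered: a stolen long-lived
    cookie is a stolen account, and MFA never gets a second look at it.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}   # token -> {"user", "created", "last_seen"}

    def create(self, user):
        token = secrets.token_urlsafe(32)      # 256 random bits, unguessable
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token

    def resolve(self, token):
        """Return the user behind a live session, or None; expired ones are purged."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        now = self._clock()
        if (now - entry["created"] > ABSOLUTE_LIFETIME
                or now - entry["last_seen"] > IDLE_TIMEOUT):
            del self._sessions[token]
            return None
        entry["last_seen"] = now
        return entry["user"]

    def revoke_all_for(self, user):
        """Kill every session of one user, e.g. after a password change."""
        for tok in [t for t, e in self._sessions.items() if e["user"] == user]:
            del self._sessions[tok]


def session_cookie_header(token):
    """Value for a Set-Cookie header: Max-Age caps the cookie on the client at the
    absolute lifetime, HttpOnly hides it from page scripts, Secure keeps it off
    plaintext HTTP and SameSite=Lax stops most cross-site sending."""
    return (f"session={token}; Max-Age={ABSOLUTE_LIFETIME}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def login(limiter, store, account, password_ok):
    """password_ok is the outcome of the credential check, assumed to happen
    elsewhere (e.g. against a salted hash). Returns a session token, or None
    when the attempt is refused; a blocked account is refused regardless of
    whether the password was right, so it cannot be probed further."""
    if limiter.is_blocked(account):
        return None
    if not password_ok:
        limiter.record_failure(account)
        return None
    limiter.record_success(account)
    return store.create(account)
```

The clock is injectable so the expiry logic can be exercised without waiting; in production the defaults (`time.time`) apply. A real deployment would keep the failure counters and sessions in a shared store rather than in process memory, and would rate-limit per source address as well as per account.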

Secondly, mask sensitive information in account statements, invoices and order-confirmation e-mails as much as possible: do not display the full phone number, address or payment account. If an attacker does gain access, they have less material with which to mount a convincing social engineering attack.

Third, for organisations with a website: collect as many signals as possible (device, network, location, time and behaviour) so that normal user behaviour can be distinguished from fraudulent behaviour, and do not rely on a single signal such as the browser fingerprint, which, as the Genesis Market case shows, can be copied. It also helps to inform customers of current threats and fraudulent activity; a good example is how banks notify customers in detail about fraud attempts by attackers posing as the help desk. Finally, keep in mind that attackers not only approach victims directly, but can just as easily obtain sensitive personal information through the organisations that hold it.
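As an added example of what "not relying on a single signal" looks like in practice (this is not code from the NCC Group article; the event format, weights and thresholds are invented for the illustration), the scorer below learns each account's known fingerprints and networks from its successful logins and then rates a new attempt. A matching fingerprint lowers nothing on its own: a known fingerprint arriving from a network the account has never used is treated as the replay pattern described above and pushed towards a block, while a merely unfamiliar device gets a step-up, i.e. a renewed prompt for the second factor.

```python
"""Added example, not code from the NCC Group article: a login-risk scorer that
treats a familiar browser fingerprint as only one weak signal, because a
Genesis Market profile lets an attacker replay exactly that fingerprint. The
event format, weights and thresholds are invented for the illustration."""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed login history (not real data). Each event is one login attempt
# with a browser fingerprint hash, source country and ASN, and Unix time.
HISTORY = [
    {"user": "alice", "fp": "fp-A1", "cc": "NL", "asn": 1136, "ts": 1_700_000_000, "ok": True},
    {"user": "alice", "fp": "fp-A1", "cc": "NL", "asn": 1136, "ts": 1_700_086_400, "ok": True},
    {"user": "alice", "fp": "fp-A2", "cc": "NL", "asn": 9143, "ts": 1_700_172_800, "ok": True},
    {"user": "alice", "fp": "fp-A1", "cc": "US", "asn": 7922, "ts": 1_700_173_000, "ok": False},
]

TRAVEL_WINDOW = 3600   # country change within this many seconds of the last login


@dataclass
class Profile:
    fingerprints: set = field(default_factory=set)
    networks: set = field(default_factory=set)   # (country, ASN) pairs seen
    last_ts: int = 0
    last_cc: str = ""


def build_profiles(events):
    """Learn per-account profiles from successful logins only, so that an
    attacker's failed attempts never teach the profile a new device."""
    profiles = defaultdict(Profile)
    for e in sorted(events, key=lambda e: e["ts"]):
        if not e["ok"]:
            continue
        p = profiles[e["user"]]
        p.fingerprints.add(e["fp"])
        p.networks.add((e["cc"], e["asn"]))
        p.last_ts, p.last_cc = e["ts"], e["cc"]
    return profiles


def score_login(profile, event):
    """Return (risk score, reasons); higher is riskier."""
    score, reasons = 0, []
    fp_known = event["fp"] in profile.fingerprints
    net_known = (event["cc"], event["asn"]) in profile.networks
    if not fp_known:
        score += 40
        reasons.append("new browser fingerprint")
    if not net_known:
        score += 30
        reasons.append("new network (country/ASN)")
        if fp_known:
            # The Genesis Market pattern: a trusted-looking browser that
            # suddenly appears from a network the account has never used.
            score += 20
            reasons.append("known fingerprint from unknown network")
    if (profile.last_ts and event["cc"] != profile.last_cc
            and event["ts"] - profile.last_ts < TRAVEL_WINDOW):
        score += 30
        reasons.append("country change within an hour of the last login")
    return score, reasons


def decide(score):
    """Map a score to an action; 'step-up' means re-prompting for the second factor."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step-up"
    return "allow"


def evaluate(profiles, event):
    """Decision for one attempt. Accounts without history get a step-up rather
    than a verdict either way: there is nothing yet to compare against."""
    profile = profiles.get(event["user"])
    if profile is None:
        return "step-up", ["no login history for account"]
    score, reasons = score_login(profile, event)
    return decide(score), reasons
```

The reasons list is what an analyst (or the customer notification mentioned above) would see; the numeric weights are the part to tune against real traffic, and the split between "block" and "step-up" is where the second factor earns its keep against a replayed browser profile.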
