2014 has become the year of the mega breach. From the discovery of the Heartbleed and Shellshock bugs to large-scale data theft at big brands such as Target, Yahoo! and eBay, cyber criminals are becoming increasingly successful at gaining access to personal information held on corporate networks. It’s a scary thought considering that hackers were able to penetrate the networks of nearly a quarter of large organisations in the UK last year, with nearly a fifth seeing confidential information stolen as a result. Aside from the obvious question of how hackers are able to access this information, there is a second one worth asking: what are they doing with it?
In general, people tend to worry about identity theft and the unauthorised use of financial information when an attack is announced. Cue passwords being changed, credit reports checked and bank statements scrutinised. While this cannot be disregarded, in a lot of breaches – particularly larger ones – cyber criminals will have gained terabytes of data, most of which they won’t use right away. One part of their loot is targeted data, such as card data that can be sold on the black market easily. In the weeks after the Target breach, the stolen credit and debit card accounts flooded the underground markets, with card details sold in batches of one million and going for anywhere from $20 to more than $100 per card.
The other side is made up of what is called ‘by-product’ data, which includes surnames, mother’s maiden names, dates of birth, addresses and so on. This information is essentially an added bonus for those attempting to steal what they consider to be the most important information – the card data that enables criminals to create counterfeit copies. While this by-product data may have little value to the thieves themselves, they can sell it on to other criminals who want to gain access to even more personal information, whether through underground networks or by targeting specific individuals or companies with spear phishing attacks. It’s like stealing a car and selling it for parts.
Evolving from mass-mail phishing campaigns, spear phishing attacks are much more targeted and involve duping particular individuals into unknowingly clicking on a malicious link or downloading malware onto their machines. These attacks succeed because they use customised, credible emails that appear to come from a trusted source. So a criminal could use the seemingly worthless information bought from another criminal to craft an email that appears to come from the targeted individual’s partner, wishing them a happy birthday. Personal information is manipulated to trick people into unwittingly providing criminals with access to even more valuable corporate and financial information. It becomes one big vicious circle.
Cyber criminals may appear to be getting smarter by the minute, but it’s still important for consumers to be vigilant with their data and to stay on the lookout for emails that may not be legitimate, unofficial pop-up ads and other online sources that could cause problems. We may only seem to hear about big-name data breaches, but we still need to be aware of our own online behaviour to keep data safe and out of the bad guys’ hands. Spear phishing is simply a 21st-century equivalent of traditional, non-technological tricks such as pick-pocketing, so the smarter and more street-wise the user is, the less likely they are to fall victim.