There is an established and sophisticated market for stolen data that is just as complex, with as many inter-relational dependencies, as any legitimate business supply chain.
We asked Chris Pogue, CISO at cyber security forensics experts Nuix, what happens to all the stolen data doing the rounds on the dark web.
CBR: What happens to stolen data – can it be tracked?
CP: When hackers steal payment card data or CHD (short for Cardholder Data), they then sell it to a second group known as carders. These people maintain large databases full of stolen CHD from breaches all over the world. The data can then be sorted and sold according to age, card type, issuing bank, geographic region, or available balance. The price of the card will depend largely on how old the data is, which bank it was issued from, and what the available balance on the card is. Carders normally sell cards in bunches based on these factors as well as guaranteeing a certain success rate. For example, you would pay a higher price for a group of cards that had a 95% success rate than you would for a block of cards with only a 65% success rate.
The stolen data can potentially be tracked by law enforcement agencies that have established a presence in underground carding forums, or by the issuing banks or card brands after fraudulent transactions have occurred. However, this has become more complex with the increase in data commingling, where different customer data sits on the same server. For example, if I live in London, and my card is suddenly used in Dallas, Texas, a place that sits outside my normal spending pattern, the likelihood of that transaction being fraudulent is high. However, if I live in London, and my card is suddenly used in Camberley, this is inside what would be considered to be a normal spending pattern and is much less likely to be flagged.
Stolen CHD detection is based on where the data was taken from and the age of the data. Let’s say data was stolen from a grocery store in London two weeks ago, a video game store in Camberley last week, and a restaurant in St. Albans yesterday. All of that stolen data is subsequently lumped together in a carding database, and sold to criminals to start using it fraudulently. The fraudulent transactions are reported by the issuing banks or by the cardholders themselves, and the brands try to identify what is commonly referred to as a common point of purchase (CPP), or the place where the cards were last used legitimately. Knowing the location of the CPP helps investigators to determine who was breached, how long the cards have been used fraudulently, and where to focus remediation efforts.
But if the stolen card data comes from multiple locations, and different dates, identifying the CPP becomes exponentially more difficult. Even with these clever evasion strategies, card brands are still very good at identifying CPPs. However, the delay caused by the complexity of the data buys the carders enough time to sell their goods and the fraudsters to make purchases with a relatively high rate of success.
CBR: What technologies/methods are available to aid corporates to track data once it has been stolen?
CP: The issuing banks and the card brands have proprietary algorithms that they utilise to detect abnormal purchase patterns. Once these are detected, they attempt to ascertain the location(s) where the cards being used fraudulently were last used legitimately. Once identified, that location is called a Common Point of Purchase, or a CPP.
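The CPP analysis Pogue describes in the two answers above, as an added illustration rather than anything from Nuix or the card brands (whose algorithms are proprietary): a constructed transaction log in which cards from a London grocer, a Camberley games shop and a St Albans restaurant are later all used in Dallas. The distance-from-home check is a crude stand-in for the issuers' spending-pattern analysis, and the merchant names, coordinates, dates and the 200 km radius are all assumptions made for the example.

```python
"""Common-point-of-purchase (CPP) analysis over a constructed transaction log.

Added example, not code from Nuix or from the interview. The data, merchant
names and the distance threshold below are made up for illustration.
"""
import math
from collections import Counter, defaultdict
from datetime import date

# Approximate (lat, lon) of the places named in the interview.
LONDON = (51.507, -0.128)
CAMBERLEY = (51.337, -0.744)
ST_ALBANS = (51.755, -0.336)
DALLAS = (32.777, -96.797)

# Constructed transaction log: (card, merchant, location, day, fraud_reported).
# Cards c1-c3 shopped at a London grocer, c4-c5 at a Camberley games shop and
# c6 at a St Albans restaurant; all six were later used fraudulently in Dallas.
# Card c7 also shopped at the grocer but was never reported as defrauded.
TRANSACTIONS = [
    ("c1", "grocery-london", LONDON, date(2016, 10, 1), False),
    ("c2", "grocery-london", LONDON, date(2016, 10, 2), False),
    ("c3", "grocery-london", LONDON, date(2016, 10, 2), False),
    ("c7", "grocery-london", LONDON, date(2016, 10, 3), False),
    ("c4", "games-camberley", CAMBERLEY, date(2016, 10, 8), False),
    ("c5", "games-camberley", CAMBERLEY, date(2016, 10, 9), False),
    ("c6", "restaurant-stalbans", ST_ALBANS, date(2016, 10, 14), False),
    ("c1", "electronics-dallas", DALLAS, date(2016, 10, 15), True),
    ("c2", "electronics-dallas", DALLAS, date(2016, 10, 15), True),
    ("c3", "giftcards-dallas", DALLAS, date(2016, 10, 16), True),
    ("c4", "electronics-dallas", DALLAS, date(2016, 10, 16), True),
    ("c5", "giftcards-dallas", DALLAS, date(2016, 10, 17), True),
    ("c6", "electronics-dallas", DALLAS, date(2016, 10, 17), True),
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = (math.radians(x) for x in (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def out_of_pattern(home, txn_location, radius_km=200.0):
    """Crude stand-in for an issuer's spending-pattern check: flag a
    transaction further than radius_km from the cardholder's home."""
    return haversine_km(home, txn_location) > radius_km


def common_points_of_purchase(transactions):
    """Rank merchants by how many fraud-reported cards used them legitimately
    before that card's first fraudulent transaction.

    Returns [(merchant, fraud_cards_seen_there, share_of_all_fraud_cards), ...]
    sorted by share, highest first. The top entry is the CPP candidate.
    """
    first_fraud = {}
    for card, _, _, day, fraud in transactions:
        if fraud:
            first_fraud[card] = min(day, first_fraud.get(card, day))

    legit_merchants = defaultdict(set)
    for card, merchant, _, day, fraud in transactions:
        if not fraud and card in first_fraud and day < first_fraud[card]:
            legit_merchants[card].add(merchant)

    counts = Counter(m for ms in legit_merchants.values() for m in ms)
    total = len(first_fraud)
    return [(m, c, c / total) for m, c in counts.most_common()]


if __name__ == "__main__":
    print("London card used in Dallas flagged:", out_of_pattern(LONDON, DALLAS))
    print("London card used in Camberley flagged:", out_of_pattern(LONDON, CAMBERLEY))
    for merchant, n, share in common_points_of_purchase(TRANSACTIONS):
        print(f"{merchant:22s} {n} fraud cards  share={share:.2f}")
    # Restricted to the London cards alone the grocer covers 100% of the fraud
    # cards instead of 50%: commingling dilutes the CPP signal.
    london_only = [t for t in TRANSACTIONS if t[0] in {"c1", "c2", "c3", "c7"}]
    print(common_points_of_purchase(london_only))
```

Run against the full log, the grocer is still the top candidate but covers only half of the defrauded cards; run against the London cards alone, it covers all of them. That drop in coverage is the delay Pogue refers to: with cards from three breaches mixed into one dump, an analyst has to chase three weaker signals instead of one strong one.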
CBR: Has anyone ever successfully recovered stolen data – without paying a ransom?
CP: These are two different issues. Firstly, data is stolen so that it can be monetised on the black market. There is no ransom here. It’s a simple matter of theft and re-sale. Organisations that are victims of ransomware have their data encrypted by malware. The ransom they pay to attackers is to obtain a decryption key to unlock their data.
If an organisation is hit by ransomware, the chances of getting that data back without paying the ransom are slim to none. The only caveat is if that organisation has good backups and can restore the encrypted data using them. Otherwise, their only option is to pay the ransom.
CBR: Forgetting 14-year-old boys in their bedrooms – will authorities ever be able to ‘solve the crime’ of sophisticated data hacks?
CP: Authorities will eventually be able to ‘solve the crime’ of sophisticated data hacks. Cybercrime is an evolving, multi-faceted, international criminal phenomenon. Breach investigations need to be conducted by experienced industry experts who work with attacks of this nature on a daily basis. This is the reason why public/private partnerships between law enforcement agencies and private sector investigators are so critical. I have conducted or overseen more than 2,500 data breach investigations over my 18-year career. That means I, and people with similar experience, have a tremendous amount of field experience that can be leveraged by law enforcement to help catch cybercriminals. In the US, this paradigm has been popularised by the Federal Bureau of Investigation with their InfraGard program, and by the United States Secret Service with the Electronic Crimes Task Force program. In both instances, industry experts work side-by-side with private sector experts to help fight the common enemy.
CBR: 800,000 accounts from Brazzers have been hacked – what will happen to this data now?
CP: In this attack what was stolen was, “…email addresses, user names and passwords spelled out in plain text”. This sort of data is used for a different type of fraudulent activity. What will likely happen here is that the entire dump will be sold to somebody on the black market. Once that data has been purchased, it will be sorted to determine if there are any opportunities for blackmail. For example, are there any politicians, police officers, high-ranking businessmen, or members of the clergy that don’t want the fact that they had an account on a porn site to become public knowledge? If so, they would likely be willing to pay something in order to keep that information secret.
Additionally, since people are creatures of habit, and frequently use the same username / password combinations at other sites such as personal banking, online credit accounts, or work email, hackers are sure to try them out en masse (with the help of hacker-created automation) to see if they work elsewhere.
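The defensive counterpart to the mass credential reuse Pogue describes, as an added example that is not from the interview or from any breached site: once a plaintext dump like the one quoted above is public, a site can run it against its own password store and force resets on every account whose leaked password still verifies. The dump, the user table, the passwords and the fixed salts below are constructed for illustration; PBKDF2 via the standard library stands in for whatever password hash the site actually uses.

```python
"""Check a site's own password store against a plaintext breach dump.

Added example, not code from the interview or from any breached site. The
dump, the users, the passwords and the fixed salts below are constructed for
illustration; a real deployment would read the dump from disk and work from
its actual user table and hashing scheme.
"""
import hashlib
import hmac

ITERATIONS = 100_000  # PBKDF2 work factor used throughout this example

# Constructed breach dump in the form the interview quotes: e-mail address,
# username and plaintext password. Note the mixed-case e-mail on the first row.
LEAKED_DUMP = [
    ("Alice@example.com", "alice_k", "hunter2"),
    ("bob@example.com", "bobby", "correct horse battery staple"),
    ("dave@example.com", "dave99", "Passw0rd!"),
]


def hash_password(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 of the password under the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def build_user_table():
    """Our own (constructed) user table: e-mail -> (salt, digest, iterations).

    Fixed salts are used only so the example is deterministic; real salts
    come from os.urandom(16) and are never shared between accounts.
    """
    users = {
        "alice@example.com": ("hunter2", b"salt-alice-00000"),             # reused
        "bob@example.com": ("a-different-password", b"salt-bob-0000000"),  # not reused
        "carol@example.com": ("hunter2", b"salt-carol-00000"),             # not in dump
    }
    return {email: (salt, hash_password(pw, salt), ITERATIONS)
            for email, (pw, salt) in users.items()}


def find_reused_credentials(dump, user_table):
    """Return the e-mails whose leaked plaintext password verifies against our
    stored hash, i.e. the accounts a credential-stuffing run would take over."""
    reused = []
    for email, _username, leaked_pw in dump:
        key = email.strip().lower()          # normalise before lookup
        record = user_table.get(key)
        if record is None:
            continue                          # not one of our users
        salt, digest, iterations = record
        candidate = hash_password(leaked_pw, salt, iterations)
        if hmac.compare_digest(candidate, digest):
            reused.append(key)
    return reused


if __name__ == "__main__":
    for email in find_reused_credentials(LEAKED_DUMP, build_user_table()):
        print(f"force password reset and revoke sessions: {email}")
```

Only alice is flagged: bob uses a different password on this site, carol reuses a weak password but is absent from this particular dump, and dave is not a user here at all. The check is a pre-emptive version of the attacker's own run, so it is worth scheduling whenever a new dump appears rather than waiting for the login anomalies to show up.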
CBR: The Dropbox hack – considering the hack was in 2012, why did the data only come to light years later?
CP: It’s anybody’s guess. Perhaps the effectiveness of the data has run its course, so the hackers decided to announce the theft. This is not a multibillion-dollar industry by accident. While stolen data has monetary value, it will be used efficiently and effectively to make money. Often, once it’s no longer useful for that purpose, attackers jettison the data; they couldn’t care less what happens to it.
CBR: Once data is stolen – is that it, once it’s gone it’s gone?
CP: Once data is gone, it’s pretty much gone. You can make efforts to track it, but those will always be ex post facto, or part of undercover law enforcement operations. Organisations should recognise their data is going to be stolen at some point, and make every effort to ensure that stolen data is useless through encryption. If done properly, encryption can render the data useless to the attackers.