[BreachExchange] The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Dec 8 16:10:07 EST 2017
http://www.securityweek.com/cumulative-effect-major-breaches-collective-risk-yahoo-equifax
Until quite recently, people believed that a dizzying one billion accounts
were compromised in the 2013 Yahoo! breach… and then it was revealed that
the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a
four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised
accounts, or who possess confidential information about a billion or more
individuals, the Yahoo! breach is the gift that will keep on giving.
First of all, the consequences of the breach are not yet fully realized.
Criminals have only recently started using compromised email accounts to
spread ransomware and spam. As email service providers increasingly use the
age of the sending account as an indicator of risk, the value to criminals
of long-established but compromised accounts has started to increase. These
accounts become a circumvention strategy for criminals wishing to reliably
deliver malicious emails. As the value of an established account goes up,
the damage that can be done by using the compromised accounts does, too.
Second, criminals have only recently started to mine the contents of
compromised accounts to identify promising opportunities, but that is
increasingly happening now, and is becoming another source of value to the
Yahoo! attackers (and to anybody who has already purchased compromised
accounts from them). To a large extent, we are still in the "manual effort"
phase of this type of attack, in which attackers have not yet worked out
exactly what they are looking for and therefore have not yet written
scripts to automate the task. Once their understanding matures and they
automate the process, the vast volumes of compromised accounts will turn
into new criminal opportunities.
And the automated extraction of meaningful content will dramatically
increase the yield of the attacks that the criminals will be able to mount.
Think of it like this: if your account was compromised, and a good friend
or colleague gets an email from you … or rather, your email account … with
a malicious attachment, will they open it? If the email is obvious spam,
they probably won’t, but if the message makes sense, they will; and if the
attacker knows what you and your contact normally talk about, that isn’t
difficult to do.
There is also a multiplier effect as the number of major breaches of
consumer data rises.
In the recent Equifax breach, criminals made off with information for more
than 145 million Americans, including names, mothers' maiden names, Social
Security numbers, addresses, birthdays, and more. But not email addresses,
and not banking affiliations and account numbers. A crafty attacker can
easily match the names and birthdays in the Equifax breach to the names and
birthdays in the Yahoo! breach, automatically generating very powerful
combinations. With this combined intelligence, the attacker can contact
banks, posing as banking customers, and gain access to accounts.
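The cross-breach matching described above, as an added worked example that is not part of the SecurityWeek article or the BreachExchange post: two constructed toy record sets stand in for a credit-bureau-style dump (names, birthdays, SSNs, no email) and a webmail-style dump (names as typed at signup, birthdays in a different format, email addresses). The code normalises the name/birthday key on both sides and joins on it. It also goes one step beyond the article by handling the obvious failure mode of such a join: name plus birthday is not unique at scale, so keys that occur more than once on either side are reported as ambiguous rather than silently paired. All names, SSNs, ZIP codes and email addresses below are fake, constructed for this example.

```python
"""Record linkage across two breach dumps on (normalised name, date of birth).

Added example; not code from the article. The two dumps are constructed
toy data with fake identifiers.
"""
import unicodedata
from collections import defaultdict
from datetime import date, datetime

# Constructed "bureau-style" records: name, DOB (ISO), fake SSN, ZIP.
BUREAU = [
    {"name": "Maria Lopez",   "dob": "1985-04-12", "ssn": "000-00-0001", "zip": "30301"},
    {"name": "John A. Smith", "dob": "1970-01-01", "ssn": "000-00-0002", "zip": "10001"},
    {"name": "John Smith",    "dob": "1970-01-01", "ssn": "000-00-0003", "zip": "94105"},
    {"name": "José García",   "dob": "1990-12-31", "ssn": "000-00-0004", "zip": "60601"},
]

# Constructed "webmail-style" records: name as entered at signup, DOB in
# US format, email address. No SSN, no postal address.
WEBMAIL = [
    {"name": "maria  LOPEZ", "dob": "04/12/1985", "email": "mlopez@example.invalid"},
    {"name": "John Smith",   "dob": "01/01/1970", "email": "jsmith@example.invalid"},
    {"name": "Jose Garcia",  "dob": "12/31/1990", "email": "jg@example.invalid"},
    {"name": "Alice Wong",   "dob": "07/07/1999", "email": "awong@example.invalid"},
]


def normalize_name(raw: str) -> str:
    """Lowercase, strip diacritics, collapse whitespace, keep first + last token.

    Dropping middle names/initials is a deliberate choice: it raises recall
    at the cost of more collisions, which link() reports as ambiguous.
    """
    decomposed = unicodedata.normalize("NFKD", raw)
    ascii_ish = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    tokens = [t.strip(".") for t in ascii_ish.lower().split()]
    tokens = [t for t in tokens if t]
    if len(tokens) >= 2:
        tokens = [tokens[0], tokens[-1]]
    return " ".join(tokens)


def parse_dob(raw: str) -> date:
    """Accept ISO (YYYY-MM-DD) or US (MM/DD/YYYY) dates; dumps use both."""
    for fmt in ("%Y-%m-%d", "%m/%d/%Y"):
        try:
            return datetime.strptime(raw, fmt).date()
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {raw!r}")


def link_key(rec: dict) -> tuple:
    """The join key: (normalised name, parsed date of birth)."""
    return (normalize_name(rec["name"]), parse_dob(rec["dob"]))


def link(bureau: list, webmail: list) -> tuple:
    """Join the two dumps on link_key.

    Returns (linked, ambiguous). linked holds merged records for keys that
    occur exactly once on each side. ambiguous maps every key that occurs
    more than once on either side to the number of candidate pairings, so
    the caller can see where name + DOB failed to identify one person.
    """
    bureau_by_key = defaultdict(list)
    for rec in bureau:
        bureau_by_key[link_key(rec)].append(rec)
    webmail_by_key = defaultdict(list)
    for rec in webmail:
        webmail_by_key[link_key(rec)].append(rec)

    linked, ambiguous = [], {}
    for key, webs in webmail_by_key.items():
        bus = bureau_by_key.get(key)
        if not bus:
            continue                      # no bureau record for this person
        if len(bus) == 1 and len(webs) == 1:
            merged = dict(bus[0])         # keep SSN, ZIP, bureau spelling
            merged["email"] = webs[0]["email"]
            merged["webmail_name"] = webs[0]["name"]
            linked.append(merged)
        else:
            ambiguous[key] = len(bus) * len(webs)
    return linked, ambiguous


if __name__ == "__main__":
    found, unsure = link(BUREAU, WEBMAIL)
    for rec in found:
        print(f"{rec['name']:<14} {rec['ssn']}  {rec['email']}")
    for key, n in unsure.items():
        print(f"ambiguous: {key[0]} born {key[1]} ({n} candidate pairings)")
```

Running it links Maria Lopez and José García unambiguously (two of the four webmail records now carry an SSN and postal address), leaves Alice Wong unmatched, and flags "john smith / 1970-01-01" as ambiguous because the constructed bureau set contains two people with that key. In real dumps of hundreds of millions of rows the ambiguous bucket is large, which is why an attacker who wants reliable pairings would add further fields (address, maiden name) to the key; the same fact is what makes name plus birthday a weak authenticator for a bank to rely on.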
If you still think “so what?”, I have news for you. This could be your
ruin, even if you have no money in your bank account.
Here is what could happen: The criminal adds himself to your bank account.
Now he can withdraw money from the account. Then he deposits a large,
albeit forged, check, say $100,000. According to banking regulations, 50%
of the deposited amount must be available to account owners within three
days, which is when the criminal withdraws $50,000 from your/his account.
When the check bounces, that is your problem. It is your account, and you
may be liable for the entire amount, depending on the policies and
discretion of the individual bank. But this is just one example; the
criminals have many more opportunities to monetize their bounty, and have
years to do so.
While there are no signs today of criminals consolidating and reselling
data from different breaches, it is an obvious concern as the value-add of
the packaging would be substantial.
When such consolidated breach data eventually hits the black market (and
this is only a matter of criminal initiative, as all the data is out there),
new and more targeted attacks will be enabled on a large scale. By
then, we as a society must be ready to withstand this threat, which comes
down to having defenses that do not rely to any extent on the caution of
the end user, but which identify and address deception in an automated way.
While such systems exist today, the extent to which they are deployed is
still very limited.