Benjamin Franklin said that only two things are certain in life: death, and taxes. With the advent of the internet, a third certainty arises: data breaches.
This week, Tumblr. Last week, Reddit. The week before, LinkedIn. In fact, over 600M user accounts have been compromised, that we know about. Troy Hunt’s excellent haveibeenpwned site keeps tabs on these accounts. Check it out to get a sense of who, when, and how big.
What do hackers want with these accounts? They’re being used for account takeovers, which in turn are useful for fraud, identity theft, further penetration of organizations’ infrastructures, or simply for resale. Let me explain two scenarios in which these accounts are used:
- Mass attacks:
Hackers decide to use a botnet that tries every single one of those 600M stolen credentials against an ecommerce site. Some users of that site use the same username (frequently the email address) and password that they use for Tumblr, Reddit, or LinkedIn. For those users, the hackers will “pop” those accounts. Depending on the nature of the site, this hit rate has been reported to be as high as 8%, but more commonly around the 1% range. Even at that lower estimate, for a site that has 10 million users, that’s around 100 thousand accounts that can be compromised. Every one of those accounts has a value (Uber accounts had a price around $4 each at one point). One can start to see the financial incentives behind this scheme. This attack is easy to pull off: credentials are readily available, botnets that can run these types of attacks can be rented by the hour, and you are almost guaranteed to pop some accounts.
- Targeted attacks:
Hackers decide to attack a financial firm X. Instead of scanning the network, looking for outdated software or vulnerable endpoints, they decide it is easier to see if any of those 600M accounts contain @X.com email addresses. They find 800 that match. They’ll then start trying to use each of these 800 accounts against all known web sites in the X.com domain (www.X.com, customer.X.com, support.X.com, etc…). If one of them matches, then they’ve got one foot into an account in that organization. They’ll then work from there. Double whammy if the account belongs to an admin, or if it is a VPN server account, or a web-based email account.
As I stated in a previous blog post, this is now the biggest hacking method (Stolen Credentials) of the biggest hacking vector (Web Applications) according to the Verizon Data Breach Investigations Report.
We at IMMUNIO have been defending against these attacks for quite some time now, and we believe that our multi-pronged approach is the most effective in stopping these attacks as they happen, as well as identifying and protecting your users that have had their accounts compromised already.
While data breaches, and specifically these types of stolen credential attacks, are certain, there is something you can do to mitigate them, with practically immediate results.