Are You at Risk? What Cybercriminals Do With Your Personal Data

[Jake Kouns <jkouns () opensecurityfoundation org>]

http://www.networkworld.com/news/2012/012612-are-you-at-risk-what-255369.html?hpg1=bn

When Zappos notified its customers that their names, email addresses,
billing and shipping addresses, phone numbers and the last four digits
of their credit card numbers may have been exposed during a data
breach earlier this month, the online shoe retailer emphasized that
"critical credit card and other payment data was NOT affected or
accessed."

That's definitely a relief. It means that the 24 million customers
whose information may have been compromised in the breach don't
immediately have to worry about finding mysterious charges on their
credit card statements at the end of the month.

So what do they have to worry about? According to experts, the most
likely security risks for consumers range from the annoying (more spam
in their email inboxes) to potentially much more dangerous targeted
"phishing" emails, where the sender disguises himself as a trusted
individual or organization in order to trick the recipient into
clicking a link that will download malware onto his or her computer or
into giving the sender confidential information such as a password,
credit card or Social Security number.

The hackers who infiltrated Zappos' databases certainly accessed a
bundle of information. Other breaches, such as some of the web server
attacks perpetrated by hacktivists, expose only names and email
addresses. Whether large or small, these breaches raise a number of
questions:

Why is this information valuable to cybercriminals?
What's the actual, monetary value of this information?
What's the minimum amount of information cybercriminals need to
perpetrate their misdeeds?
When a company gets hacked, how long does it take before
cybercriminals start exploiting the information they obtain?
What's the risk to consumers when cybercriminals get this information?
What are the odds of those risks occurring?
Why is this information valuable to cybercriminals?

Personal information is the currency of the underground economy. It's
literally what cybercriminals trade in. Hackers who obtain this data
can sell it to a variety of buyers, including identity thieves,
organized crime rings, spammers and botnet operators, who use the data
to make even more money.

Spammers, for example, might get a fresh list of email addresses to
which they can send Viagra and Cialis offers. They make money (say $1
per click) off response rates or website/pop-up ad impressions.
Meanwhile, identity thieves could use the email addresses to create a
phishing scheme designed to trick people into giving up their bank
account or credit card numbers.

Rod Rasmussen, president and CTO of Internet Identity, a Tacoma,
Wash.-based Internet security company, says cybercriminals trade this
information among each other to create a more complete picture of an
individual. "The idea is, you put together more information on people
so you can do more damage. You get their name, credit card number, PIN
number, email address, phone number from different sources to get
their full information."

What's the actual monetary value of this information?

A name or email address is worth anywhere from fractions of a cent to
$1 per record, depending on the quality and freshness of the data,
information security experts say.

"There's so much data flowing around, you have to have lots of it in
order to get money for it in the underground," says Rasmussen. "Even
credit card numbers are going for under $1."

That may not sound like a windfall, but when you multiply it by
millions of records, it quickly adds up. Take the Zappos breach as an
example: If hackers in fact obtained data on 24 million customers,
even if they sell only 5 million email addresses at five cents a
pop--cha-ching--they've just made $250,000 off of one hack.

Botnet operators make even more money. Say you own a botnet that
consists of 100,000 computers. You may rent it out to spammers for
$1,000 per hour, says Stu Sjouwerman, founder and CEO of KnowB4, a
provider of Internet security awareness training based in Clearwater,
Fla. If you rent or buy the 24 million records from Zappos' so that
you can then send malware to those email addresses, even if only 20
percent of recipients get infected with your malware that takes
control of their computer, you've still grown your botnet by about 5
million computers with very little work, he adds.

"Now you can charge $5,000 an hour instead of $1,000 per hour for 5
million bots that start sending spam," says Sjouwerman. "These guys
make money hand over fist." Of course, their illegal activity also
means criminal charges, jail time and financial restitution.

What's the minimum amount of information cybercriminals need to
perpetrate their misdeeds?

Sjouwerman says all cybercriminals require to start doing damage is an
individual's email address. With that, they can inundate victims'
inboxes with spam.

To steal people's identities or commit credit card fraud,
cybercriminals need a password, credit card or Social Security number,
says Rasmussen. If they have people's email addresses, they can
sometimes obtain that more sensitive data by sending phishing emails
or distributing malware via email, says Sjouwerman. Some malware
installs key-logging software that records usernames and passwords
when they log on to their various online accounts, he says. If one of
those accounts is a bank account, cybercriminals can quickly empty it.

If cybercriminals get only the last four digits of your credit or
debit card, they may be able to use it to reset your password on an
ecommerce site, says Rasmussen. Some companies use the last four
digits of customers' credit cards as a PIN code, and they may ask for
it if you need to reset your password, he says. So cybercriminals may
use it to reset your password so that they can make purchases using
your account. But more likely, adds Rasmussen, "They'll sell that
information to someone else who will do some other attack."

When an organization gets hacked, how long does it take before
cybercriminals start exploiting the information they obtain?

It depends on the criminal and the information they obtained, says
Rasmussen. If credit card numbers are involved, fraudsters will start
using that information immediately, he notes. Cybercriminals who use
emails for phishing schemes may also act quickly. To trick more people
into downloading malware onto their computers or giving out sensitive
information, cybercriminals may send a fake breach disclosure
notification asking victims to reset their passwords on a website that
looks real but is, in fact, fake, before the company that was hacked
sends out a disclosure notice, says Sjouwerman.

[..]
_______________________________________________
Dataloss-discuss Mailing List (dataloss-discuss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://datalossdb.org/mailing_list

Small, inexpensive USB drives pose huge threats to organizations left unprotected. 
Download Chapter 1 of CREDANT Technologies eBook
Data Protection to the Rescue
http://www.credant.com/campaigns/external_media_ebook/chapter1/lp/