Payment Card Data Isn't The Only Lucrative Loot In A Data Breach

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.forbes.com/sites/frontline/2014/07/07/payment-card-data-isnt-the-only-lucrative-loot-in-a-data-breach/

Hackers love payment card information. After all, it’s lucrative and easily
sold on the black market. However, as we continue to see during our
post-breach forensics investigations, payment card information is not the
only popular loot. Criminals are diversifying, targeting any kind of
information that they can turn into a profit.

According to our 2014 Trustwave Global Security Report, 45 percent of data
thefts in 2013 involved non-payment card data.  This includes data such as
users’ login credentials, confidential documents, address books, social
security numbers and other personally identifiable information that can be
monetized through resale, wire transfers, identity theft, and extortion.

For example, the primary function of the Zeus malware family is to steal
bank credentials. Criminals surreptitiously install the malware on users’
computers either by luring them to click on a malicious link or open a
malicious attachment, or by exploiting a weakness in their computer like an
unpatched web browser. Once the malware is planted, it waits for users to
log into their bank’s website and then steals their credentials. The
criminals can then either resell the credentials or use them to empty the
victims’ bank accounts.

Another malware family, Pony, focuses on stealing not just banking
credentials, but also all other credentials on users’ computers. Hackers
may use the information to hijack victims’ email, social network accounts,
or other online accounts. Pony malware can also steal cryptocurrency
wallets (think Bitcoin) that criminals can quickly convert into real cash.

Criminals may use non-payment card information to launch additional attacks
against victims. For example, they may steal email address lists, which are
the lifeblood of spammers, to push out more malware or links to malware
that they use when luring new victims.

Non-payment card information is also the target of corporate espionage
campaigns. Campaigns like “Night Dragon” outline a massive threat that
specifically targets large organizations such as utility companies for data
like contracts, bidding information, competitive operations and any
financial information.

Even hardware can be advantageous. Criminals can use individuals’ bandwidth
and Internet access to help launch a Distributed Denial of Service (DDoS)
attack. DDoS attacks flood a victim’s web server with so much traffic that
the site crashes. These attacks are typically followed by an extortion
demand.

And while we’re on the subject of extortion, criminals may use specialized
malware to extort money directly from their victims. Malware like
Blackshades hijacks webcams enabling hackers to collect embarrassing
pictures and videos and then present them to the victim in order to extort
money from them. Ransomware like Cryptowall encrypts valuable data on
computers and then extorts a ransom to decrypt the users’ files.

Similar to payment card data, non-payment card data is typically resold in
underground markets and forums. Full packages of personal information like
a victim’s name, social security number and address can be sold for
hundreds of dollars, while an email address book may fetch far less.
Criminals will often use crypto-currency or direct wire transfers to
exchange funds.

By no means are criminals leaving the world of payment card data hacking
behind, they are just extending the target base. The capabilities of modern
botnets, exploit kits and malware make it easier than ever for criminals to
reap specific data from an infected system, and anonymous online forums
provide criminals with a ready market place to sell their stolen goods.
Most data has some value attached and it’s just a matter of a few days to a
few weeks for criminals to parse it out and find a buyer.

This means that when creating their security strategies, businesses must
consider all of their data that may be valuable to criminals. Identify
where that data lives and build protections around it. To help combat
sophisticated malware attacks, use antimalware controls that can detect and
block malware in real-time. Employees also need to keep security at the
forefront of their minds when browsing the Web and checking emails. If your
colleague sends an email asking you to open a link, it’s best to confirm
with your colleague first that he sent it before you click on the link.
Create strong passwords and use two-factor authentication to add an extra
layer of security that could prevent a hacker from stealing your
credentials.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!