How cybercriminals turn ‘harmless’ stolen or leaked data into dollars

Now nearly halfway into 2021, more than two-dozen high-profile data breaches have already occurred, some involving brands such as Facebook, LinkedIn, Instagram, US Cellular, T-Mobile, Geico and Experian. Data stolen during those intrusions will affect millions of users, even though some of that data may be as innocent as an email address. That’s because stolen data doesn’t live in a silo.

“These things don’t exist in a vacuum,” explains Jeff Pollard, VP and principal analyst at Forrester Research. “There might be an email address in one breach and more information in another breach that corresponds to that email address.”

Pollard cautions against viewing each breach separately as data can be aggregated and compiled to collect more details about a person. “One bread crumb leads to another,” he says, “and because of the ubiquity of breaches, things can be put together that can lead back to someone.”

Urge to merge data

Threat actors have become sophisticated in how they treat stolen data. They’re taking any new data they get and merging it with data they already have to grow their databases. In one dataset, they might have a first name and last name. In another, a first name, last name and email address. In a third, data on likes and interests.

“All these things by themselves don’t seem that important, but if I’m able to merge those things together in a single database, then I have something I can use for a phishing attack or to obtain a credit report,” says John Kinsella, chief cloud architect for Accurics, a provider of security and compliance tools.

Currently, these merged data sets are being used by the threat actors who create them, but that’s expected to change. “The next step will be renting these merged data sets for phishing campaigns,” Kinsella says.

While criminals are writing custom software to merge data sets, bigger players may be taking things to another level. “I’m willing to bet money that nation-states are doing it with some kind of big data platform to leverage the scale of the data they have,” Kinsella says. “We’re seeing leaks of 700 gigabytes, 7 terabytes in size. Those are large data sets that you’ll want to deal with [using] something like [analytics engine] Spark.”

Attackers target organizational charts

These merged data sets pose a threat to both businesses and consumers. Email addresses, for example, can be used to flesh out the hierarchy of an organization. An analysis of merged data from multiple data breaches might reveal a collection of email addresses for a company that could be a promising target for compromise.

“Now they’ve got a bunch of names, they can start looking around and figuring out what the titles are for those positions,” Kinsella says. “Then they can start building a picture of the business’s organization.” That knowledge allows them to craft more targeted communication with members of that organization for more effective social engineering attacks.

Better crafted communication allows a threat actor to establish credibility and trust with a target. “A lot of cybercrime comes down to a numbers game,” says Elena Elkina, a partner with Aleada Consulting, a privacy and data protection consultancy. “Hackers and scammers only need a small number of people to click on a bad link, download a malicious app, or provide their login information to the wrong person. Just like big data can help advertisers guide clicks to their sites, hackers can guide clicks to theirs.”

“This is a concern for businesses as well as consumers, because consumers are employees, too,” Elkina adds. “It does not matter whether the email is tricking an individual into giving up their tax information or surrendering their employee authentication. Cybercrime often starts with an individual’s mistake.”

Using non-sensitive data to build trust

Roger Grimes, a defense evangelist at security awareness training provider KnowBe4, says that non-personally identifiable information (PII) is used to compromise people more than PII data by a huge margin. “This is because non-PII data, by its very nature, is less protected and more widespread than PII data,” he explains.

Anything an attacker can learn about someone’s interests and efforts gives that attacker a chance to build a close trust relationship. “If you think about it,” Grimes says, “it’s entirely the way we build relationships and friendships in the real world. Humans love to share and sharing builds familiarity and friendships. It’s the same thing with phishing and social engineering.”

Attempts to use non-PII data to gain more trust is called pretexting. The idea is that if you interact and develop a trust relationship in areas where high trust is not needed, it will be easier to transfer that trust to situations that should require higher levels of trust.

For example, a hacker learning that a targeted victim company uses a particular payroll processing vendor could call the targeted victim organization’s HR or payroll department and pretend to be calling from the payroll company. They could introduce themselves, be friendly, talk about how there’s some upcoming system change in the future that’s driving them crazy, and how the victim company can expect some new instructions in a few weeks, apologize for the inconvenience, and then hang up.

“Because the victim was not asked to do something risky on the first call, they immediately trust that caller more than they otherwise should,” says Grimes. “Maybe they are empathizing with the caller because they, too, have been through past system upgrades and remember how frustrating that was.”

“The hacker might call back once or twice more, not asking for action to be done, just doing things that further the relationship and its trust,” Grimes continues. “Then at some future point in time, the hacker comes back with the ‘new instructions’ and the targeted victim company follows them blindly without validating with other people before they begin to perform the requested actions. Next thing you know, the victim organization is out hundreds of thousands to millions of dollars. It happens nearly every day.”

All stolen personal data presents risk

Even adversaries who don’t have the resources to go the merged data route can turn low sensitivity data into trouble for their targets. “The common assumption is that if a hacker doesn’t intercept highly sensitive information—such as your Social Security number or a credit card number—and instead gets hold of other personally identifiable information, you’ll probably be fine. This assumption is simply false,” says Trevor Morgan, a product manager at comforte AG, a data de-identification company. “Starting with a single piece of PII, whether sensitive or not, a threat actor can begin to piece together the puzzle. The journey to identity theft begins with that single step.”

The threat actor can use less sensitive types of data such as usernames, physical addresses, and email as seed information to tease out more data and build a more complete identity profile. “The overall risk is that your full identity, including highly sensitive personal and transactional information, can be stolen in time and used to create new accounts in your name,” Morgan says. “If nothing else pans out, a hacker can sell your less-sensitive information to questionable marketing organizations, which can then increase the amount of frustrating exposure you have to unsolicited products and services.”

The same risk applies to the enterprise, according to Morgan. “With that single piece of information and perhaps knowledge that you are an employee at a particular company, you can become a target for sophisticated phishing scams that might result in the theft of intellectual property or other damaging information.”