It’s scary to think about how cybercriminals glean massive amounts of sensitive data from breaches. Even worse, bad actors are increasingly turning to publicly available information for malicious purposes as well. Sometimes, these are seasoned hackers innovating new malware or threat vectors. But more often, cybercriminals don’t require exotic new approaches. Some quite rudimentary tools and techniques, applied with criminal persistence, have been weaponised at volume and are being leveraged at scale to harm individuals and businesses financially and reputationally. Even further, these attacks put our nation’s democracy at risk, and our vulnerability is heightened with U.S. elections around the corner.
How do they create these easy-to-use toolkits? Chances are, bad actors have hacked, dumped or leaked your credentials in the past, and subsequently, may very well have sold or traded these details in underground communities. While it’s not difficult to gain access to these underground marketplaces, there are other easy ways to access an individual’s personally identifiable information (PII) just by looking on the surface or social web. Nefarious actors use this information to piece together an individual’s digital footprint, which can lead to identity theft and account takeovers. Sometimes users make it even easier by unknowingly handing over their information on a silver platter through their social media platforms.
The advent of social media has only made cybercriminals’ jobs that much easier. As users, it’s important for us to take caution when it comes to entering and displaying private information. Of course, there are varying degrees of PII – you won’t exactly hide your first and last name from the world, but your social security number, obviously, is something you want to keep private.
The content, the when and the where
What about your birth date? Email address? Location? People willingly enter certain details into their social media profiles that they don’t think twice about sharing but could actually pose a risk to their cybersecurity. Facebook, for instance, might list your full name, email, and date of birth. With just this information, along with persistence and tools at their disposal, bad actors can steal your identity and do anything from accessing your financial accounts to scamming your friends and family. The logical step is to change your settings to make your account private. Even without these public profiles, however, cybercriminals still have many other methods for obtaining this information.
It’s not just the content of the information, but also when you say it and where. Through simple social engineering techniques, hackers can gain access to an account and lock you out of it. Phishing attacks, for instance, in which an individual poses as a trustworthy entity to obtain sensitive information, are quite common. Most of the time, you can spot suspicious activity pretty easily, whether you notice glaring typos or an unusual email address, but it’s a numbers game for these bad actors. They are banking on only a small number of people falling for their tactics.
If a malicious actor has your full name and email address, they can look up where you work and reach out to all of your colleagues. If they have your phone number, they can spoof it and reach out to your bank or cable provider to try to pry loose all sorts of data. In January 2020, mobile provider Sprint’s internal customer support forum, Social Care, was exposed to the Internet, and although payment card data wasn’t accessible, scammers could have potentially seen customer account information such as names and device identifiers. Bad actors could leverage this information for social engineering attacks against Sprint employees, and according to Brian Krebs, “perpetrate other types of fraud, including unauthorised SIM swaps or in gleaning more account information from targeted customers.”
You're not helpless
Voter registration records are made public, and list information that is far more accurate than social media. Depending on the state, bad actors have access to voters’ full names, email addresses, dates of birth, genders, party affiliations, home addresses, phone numbers, and more. The amount of data and level of accessibility ranges from state to state, but, unfortunately, not all states make you jump through hoops to search voter records. For everyday Americans, exercising their right to vote should not come at the cost of privacy – yet that seems to be the case.
Hackers also weaponize breaches to create new sources of intelligence. Our 2019 Identity Breach Report found a 291 per cent increase in information from government sector breaches circulating in underground communities in 2018. Leading up to the 2016 election, in underground communities, we saw an uptick in trading and selling of voter registration records, and we are noticing a similar trend heading into this year’s U.S. presidential election. Nation-state actors are aggregating troves of data to fuel fake news and election fraud, among other objectives, which we are exploring further and will discuss at length in an upcoming 2020 report.
While you may feel helpless, just know that there are some steps everyone can take to mitigate their risk of a breach. For consumers, this begins with using unique, strong passwords for all accounts. Implement multi-factor authentication as well, whenever possible. Limit the amount of PII you post online, do your research before creating an account with a new site/company (e.g., does this company have a history of breaches?), and remain vigilant for suspicious activity. You can also work with a credible identity theft solution provider that can notify you when your PII is compromised and circulating in the deep and dark web.
For businesses, implement company-wide cybersecurity training. According to Egress, “83 per cent of security professionals believe that employees have accidentally exposed customer or business sensitive data at their organisation.” Make sure you – and your supply chain – meet all regulatory compliance requirements. Should a breach occur, move swiftly to remediate the situation, make the data obsolete, and perform a security audit to better prepare for future attacks.
Ultimately, we need to raise the level of conversation regarding cybersecurity in the United States – this is something Presidential candidates should be emphasising. The system is broken. It is the government’s responsibility to strive to keep our sensitive data secure. It’s one thing to opt in to putting your personal information on social media; it’s another to not have a say in what sensitive information is publicly available. We need more stringent security measures; otherwise, we’ll be asking the same questions of ourselves as we did after the 2016 election.
Claire Umeda, Vice President, 4iQ