Finding out the name of your pet could help hackers crack your passwords
April 27, 2016:Â While underground forum users and other crooks are still very much interested in stolen credit card numbers, they’re also increasingly keen to trade in another type of information: personal data.
Rather than just trying to grab credit card information, criminals are now looking for broader sets of data: names, addresses, dates of birth, and other identifying material which can be used to carry out fraud, blackmail, and other crimes.
“If you have a credit card number, a name, and any kind of personal information such as the name of their wife or the name of their pets — anything which can be used to guess a password — you can get your hands on anything you want. It’s a very efficient product” said Apolline Aigueperse, lead cyberrisk analyst at cybersecurity firm CybelAngel, speaking at the recent Security & Counter Terror Expo in London.
It’s for this reason, she explained, that hackers have become more interested in stealing personal data, because it “gives any kind of fraudster very precise information on you which really helps them really target the people they want”.
This rising demand for personal data is reflected in underground criminal forums, especially in Russia. CybelAngel examined information from thousands of actors, who posted 44,000 messages on 4,000 forum threads and found that stolen personal details are now in extremely high demand.
So why has there been this spike in interest?
“Because when you combine any kind of financial information with all the personal information you can get on an account holder, basically you have ready-to-use fraud scenarios which you can use to target pretty much anyone: governments, companies, and individuals,” Aigueperse said.
Those engaged in stealing and reselling data are becoming ever more professional, with those analysing the forums finding that even in this cybercriminal world are ratings to identify trusted sellers, terms and conditions to be adhered to, and even money-back guarantees in the event that information is bad or unusable.
This form of support network means “everything is well ordered and easy to exploit, even for low-level fraudsters,” said Aigueperse. The large number of dark web forum users appears to suggest that this is the case, with an ever-growing number of cybercriminals all wanting a piece of the pie.
But as people are making more and more information about themselves available online — especially when they’re using devices connected to the Internet of Things — there’s going to be more data available for cybercriminals to attempt to steal and exploit.
“There’s an intrinsic value in data and we as society, when we’re enjoying the benefits of hyper-connectivity of the Internet of Things or putting more personal information out there, and you’ve got be conscious of that and be aware that it introduces an additional risk,” Dr Scott McVicar, general manager of commercial solutions for EMEA at BAE Systems Applied Intelligence, told ZDNet.
The ‘pattern of life’ data generated by these products — detailing locations, routines and even possessions — could bring cybercrime to a whole new level, he claimed, with data stolen from insecure connected devices potentially enabling criminals to carry out physical thefts of specifically targeted items.
“That could be of value to criminals who identify high net-worth individuals or individuals with high value assets they’d want to steal,” he said, describing a potential scenario where stolen data from a connected home could be used to steal an expensive sports car.
“Parts of the garage like an automated door and a security system might be connected to the Internet of Things, and that could potentially give visibility about how the vehicle is secured. That pattern of life could be used to identify a high value asset, when it’s used, when it’s vulnerable and when it can be compromised,” McVicar explained, adding that if cybercriminals could access data about the target’s habits, it’d make the theft even easier.
“When the alarm system is set or when some of the systems go into energy saving mode when the house is vacant, like heating and lighting — if that kind of information is available, then that could be exploitable too,” he said.
“In the same way that credit card information is intrinsically valuable on the dark web, then similarly this pattern of life information could be valuable to those trying to target specific individuals or those trying to target high value assets which they’d seek to steal,” McVicar added.
By Danny Palmer