By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA
Although the title of this blog may call to mind the first line of quite a number of old jokes, it appears that hacktivists, phishers and the everyday Internet user have enough in common to raise concerns of financial fraud, especially in light of the recent hacktivist-conceived operation dubbed #OpUSA.
While it is true that most cyber-attacks orchestrated by hacktivists focus on DDoS onslaughts targeting authority-type entities and banks, all too many times they add a sting to the operation and hack into immense databases containing private user information.
Hacktivism: Disruption or Corruption?
Critics say that, on their quest for notoriety, media attention and generally making their point, hacktivists tend to cross the line when they publicly release untold amounts of data, providing links to the trove and facilitating its free-for-all download.
Some hacktivists will call out every target on their list and post their threats publicly and well in advance, while those targeted will prepare to fend off the attack and advise users as needed. But at the end of the day, who plays the role of the defenseless meek? Not the targeted entities who are expecting the blow, but rather, very much like other wars—innocent bystanders and ‘average Joes.’
Out Go The Hacktivists, In Come the Phisherman
In one of the largest hacks perpetrated in the name of hacktivist ideals, the end result, beyond the damaged brand reputation of a multinational corporation, was a public leak of account information belonging to nearly 25 million Sony Entertainment users. That was about a third of a previous leak of over 70 million accounts, also inflicted by hackers operating in the name of an opinion they formed and acted upon.
Taking the Sony case as a mere example, because hacktivist cases such as these have been increasingly plaguing the Internet, it is clear that the one party that did not expect the hack – other than Sony, of course – was the millions of ordinary users whose data was offered up freely thereafter. Those same users were also the ones who did not have advisors, lawyers and information security experts to help them recover from the actual and potential damages of the hack and its possible effects on their identities and personal finances.
For fraudsters, the large-scale hacks are like candy. Hacktivists will set up publicly available download links so that anyone can see the exposed databases, their hunting trophy, and end their part there. But as soon as the links are public, phishers and fraudsters – the vultures, if you will – will access and download the data before it is taken down by the hosting authorities. By that time, the real damage to these average Joes is nearly done.
Large hacks containing a database replete with email addresses, not to mention payment cards or other financial data, are attractive loot for phishers to come for and discuss in underground communities. Instead of having to do their own hacking, collecting and stealing, they can enjoy the spoils and bank on the “freshly” dumped data, compliments of zealous hacktivists, paving a shortcut to the fraud scenarios that make up a phisher’s daily bread:
- Monetizing gaming account credentials by selling them to other gamers
- Enjoying a list of valid email addresses to target with phishing spam
- Leading potential victims to phishing and malware sites and getting paid per install
- Harvesting financial information that can be sold to fraudsters and CC shops
- Using leaked and stolen data for fraud and identity theft
- Checking what other accounts the user has, because, as recent research shows, 61% of accounts are set up with reused passwords.
It’s easy to see how an attack that stems from idealistic motivations, targeting very large entities and supposedly conceived in order to protect people’s rights to information, ends up serving the fraudsters and flooding the Internet with confidential data.
With the variety of actors that gain access to information publicly posted online, hacktivists end up inadvertently damaging the very people whose interests they claim to represent.
The number of phishing attacks recorded monthly is known to vary, fluctuating upwards and downwards, and there’s limited capability to forecast a trend that is so dependent on fraudster resources.
Although totals are often tricky to predict, some seasonal trends do repeat every year, and, perhaps without it being widely realized, a rise in phishing is to be expected after large database hacks that release millions of account addresses into the cybercrime wild.
Phishing attacks in April 2013 have so far only shown a moderate increase over the previous month, likely linked with tax season-themed attacks, but as OpUSA is executed, and news of hacked accounts washes through Pastebin and the Internet, we may just see a more significant rise before the quarter is out.
Limor Kessem is one of the top Cyber Intelligence experts at RSA, The Security Division of EMC. She is the driving force behind the cutting-edge RSA FraudAction Research Lab blog Speaking of Security. Outside of work you can find Limor dancing salsa, reading science fiction or tweeting security items on her Twitter feed @iCyberFighter.