Security Experts:

The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax

Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts. 

That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?

The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.

First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too. 

Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities. 

And the automated extraction of meaningful content will dramatically increase the yield of the attacks that the criminals will be able to mount. Think of it like this: if your account was compromised, and a good friend or colleague gets an email from you … or rather, your email account … with a malicious attachment, will they open it? If the email is obvious spam, they probably won’t, but if the message makes sense, they will; and if the attacker knows what you and your contact normally talk about, that isn’t difficult to do.

There is also a multiplier effect as the number of major breaches of consumer data rises.

In the recent Equifax breach, criminals made off with information for more than 145 million Americans, including names, mother’s maiden names, social security numbers, addresses, birthdays, and more. But not email addresses, and not banking affiliations and account numbers. A crafty attacker can easily match the names and birthdays of the Equifax breach to the names and birthdays of the Yahoo! breach, automatically generating very powerful combinations. With this combined intelligence, the attacker can contact banks, posing as banking customers, and gain access to accounts. 

If you still think “so what?”, I have news for you. This could be your ruin, even if you have no money in your bank account. 

Here is what could happen: The criminal adds himself to your bank account. Now he can withdraw money from the account. Then he deposits a large - albeit forged - check, say $100,000. According to banking regulations, 50% of the deposited amount must be available to account owners within three days, which is when the criminal withdraws $50,000 from your/his account. When the check bounces, that is your problem. It is your account, and you may be liable for the entire amount, depending on the policies and discretion of the individual bank. But this is just an example, and the criminals have many more opportunities to monetize their bounty, and have years to do so.

While there are no signs today of criminals consolidating and reselling data from different breaches, it is an obvious concern as the value-add of the packaging would be substantial.

When such consolidated breach data eventually hits the black market–and this is only a matter of criminal initiative, as all the data is out there– then new and more targeted attacks will be enabled on a large scale. By then, we as a society must be ready to withstand this threat, which comes down to having defenses that do not rely to any extent on the caution of the end user, but which identify and address deception in an automated way. While such systems exist today, the extent to which they are deployed is still very limited.

view counter
Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security. Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups – ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master’s degrees from both the University of California, San Diego and Lund University in Sweden.