For some cyber-criminals, faking a data breach is all it takes to inflict real economic and reputation damage on a company without having to spend time and effort to actually break in and steal data.
Malicious actors are increasingly relying on false claims about massive data breaches to make it seem as if established firms have lost control of their critical data, Deloitte & Touche warned in a recently released research note. They may brag about breaching the company on Twitter or other social media platforms and post links to what they assert are samples of the stolen data. A data dump doesn’t automatically mean a company has been breached. That data dump might not even contain real data, Deloitte analyst Allison Nixon wrote in the note.
Consider a recent event: An unknown individual posted account credentials purported to be stolen from Dropbox on text-sharing site Pastebin in early October. The list claimed to be part of a larger trove of 7 million accounts, except that Dropbox said the list didn’t come from its servers. The usernames and passwords appeared to have been stolen from other online services and older breaches, the cloud storage company said at the time.
The Dropbox case is a good example of how attackers recycle previously stolen data to craft a fake breach. There are plenty of such sources. The Adobe breach in 2013 alone exposed millions of credentials online.
Affected firms, journalists, and other interested parties should verify the authenticity of an online data dump before the breach claim gains traction, Nixon wrote. The report lists quantitative methods such as checking that the user accounts in the dump actually exist, analyzing the passwords and supposed credit card numbers to verify they are valid, and looking at the names themselves. A claim that long, complex passwords came out of a cracked hash list would also be suspect, according to the report: those are precisely the passwords that offline cracking is least likely to recover, so a dump full of them is not what cracking a hash list produces.
“A breach in America yielding credit cards mostly issued by banks in the Netherlands would raise some questions,” Nixon said.
Search public repositories of past data breach dumps to see if the data in the current dump has been exposed before. If it shows up, that’s a good hint the data is recycled. “Seek out unique-looking artifacts such as passwords, different names, text snippets from the rant in the preamble, etc., and simply perform a search for them,” Nixon wrote.
Most sites don’t allow the same email address to be used for more than one account. One way to check for “email uniqueness” is to try to change the email address associated with an existing account to one of the addresses listed in the purported dump. In the case of Dropbox, an investigator who logs into his or her own account and tries to change the email address to one from the dump will be told if that email is already in use. The same logic applies to usernames: if the site lets you register a username listed in the data dump, that is another clue that the account never existed there. “If unique identifiers are shown in the leaked dump, attempt to duplicate them on the live site,” Nixon said. The affected company itself can simply look the identifiers up in its own user database; the live-site check is for outside parties, and it works only to the extent that the site discloses whether an identifier is already taken.
If the site doesn’t allow passwords shorter than six characters, a dump containing four-character strings is automatically suspicious. “Conversely, if no password policy exists, and no users have absurdly simple passwords like ‘123456,’ the leak should be treated with suspicion,” Nixon said.
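The checks described above lend themselves to a short triage script. The following is an added example written for this article, not code from the Deloitte report or from any of the companies named; the sample dump, the "prior breach" set, the weak-password list and the 50 percent thresholds are constructed for illustration. It uses the Luhn checksum as the offline test of whether a card number is even well formed (the report says only "verify they are valid"), treats duplicate email addresses inside a dump as a contradiction of the uniqueness rule most sites enforce, and flags a dump that claims to be cracked hashes when most of its passwords are long and complex. The issuer-country comparison Nixon mentions needs a BIN database and is not included.

```python
"""Plausibility checks for a purported credential dump (constructed data).

Every record, threshold and list below is an assumption made for this
example; none of it comes from a real breach or from the Deloitte report.
"""
from collections import Counter

# A handful of entries of the kind found at the top of every password
# frequency list; a real user population always contains some of these.
WEAK_PASSWORDS = {"123456", "password", "12345678", "qwerty",
                  "abc123", "111111", "letmein"}


def luhn_valid(number: str) -> bool:
    """True if the string is a 13+ digit number passing the Luhn mod-10 check."""
    number = number.replace(" ", "").replace("-", "")
    if not number.isdigit() or len(number) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_complex(pw: str) -> bool:
    """Long password drawn from at least three character classes."""
    classes = sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])
    return len(pw) >= 12 and classes >= 3


def triage_dump(records, min_password_length=None, claims_cracked_hashes=False,
                prior_breach=frozenset()):
    """Apply the report's plausibility checks to a list of dump records.

    records: dicts with 'email', 'password' and optionally 'card'.
    prior_breach: set of (email, password) pairs from earlier public dumps.
    Returns a dict of counts/fractions plus boolean flags; a True flag means
    'treat this dump with suspicion'.
    """
    n = len(records)
    pws = [r["password"] for r in records]
    emails = [r["email"].lower() for r in records]
    cards = [r["card"] for r in records if r.get("card")]
    f = {}

    # Password policy: strings shorter than the site allows cannot be its data.
    if min_password_length is not None:
        too_short = sum(len(p) < min_password_length for p in pws)
        f["too_short_for_policy"] = too_short
        f["violates_policy"] = too_short > 0
    else:
        # No policy: the complete absence of trivial passwords is itself odd.
        f["weak_password_count"] = sum(p in WEAK_PASSWORDS for p in pws)
        f["suspiciously_no_weak_passwords"] = f["weak_password_count"] == 0

    # A "cracked hash list" that is mostly long, complex passwords is implausible.
    complex_frac = sum(is_complex(p) for p in pws) / n
    f["complex_fraction"] = round(complex_frac, 2)
    f["implausible_cracking_claim"] = claims_cracked_hashes and complex_frac > 0.5

    # Overlap with earlier dumps points to recycled data.
    recycled = sum((e, p) in prior_breach for e, p in zip(emails, pws))
    f["recycled_fraction"] = round(recycled / n, 2)
    f["likely_recycled"] = recycled / n >= 0.5

    # Sites enforce one account per email, so in-dump duplicates are a contradiction.
    f["duplicate_emails"] = [e for e, c in Counter(emails).items() if c > 1]

    # Card numbers that do not even pass Luhn were not read from a real database.
    if cards:
        valid = sum(luhn_valid(c) for c in cards)
        f["luhn_valid_fraction"] = round(valid / len(cards), 2)
        f["cards_fail_luhn"] = valid < len(cards)
    return f


# Constructed sample data: a tiny "earlier public dump" and a new claimed dump.
PRIOR_BREACH = frozenset({("alice@example.com", "Summer2013!"),
                          ("bob@example.com", "letmein")})
SAMPLE_DUMP = [
    {"email": "alice@example.com", "password": "Summer2013!", "card": "4111111111111111"},
    {"email": "bob@example.com", "password": "letmein", "card": "4111111111111112"},
    {"email": "carol@example.com", "password": "Tr0ub4dor&3xtraL0ng"},
    {"email": "Alice@example.com", "password": "abc"},
]

if __name__ == "__main__":
    findings = triage_dump(SAMPLE_DUMP, min_password_length=6,
                           claims_cracked_hashes=True, prior_breach=PRIOR_BREACH)
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Run against the constructed dump with a six-character minimum, the script flags the three-character password, the 50 percent overlap with the earlier dump, the email that appears under two accounts, and the card number that fails Luhn. None of these is proof on its own; together they are the sort of quick, cheap evidence that lets a company respond to a claim before it spreads, rather than after.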
Companies can also apply a “smell test” and consider how plausible the dump itself is. Cyber-criminals sitting on a treasure trove of credit card numbers are unlikely to just post them publicly, especially since they stand to make millions by selling them off on underground forums. “Credit card dumps retain high dollar values on fraud markets and releasing a list for free would not be rational,” said Nixon.
Recycling data stolen from earlier incidents is very common and low-effort for the scammer, the report said. Investigating potential leaks and trying to determine what happened, on the other hand, is time-consuming, resource-intensive, and a distraction from other security activities. The organization’s defenders trying to get to the bottom of a phony data dump could miss signs of a real data breach, the report warned.
Using a distraction to mask a real attack is not a new tactic. Security teams are frequently understaffed, and a fake data breach can consume time and resources the organization can’t afford. Gartner analyst Avivah Litan has repeatedly warned that criminals launch their fraud campaigns while defenders are busy fighting off distributed denial-of-service attacks.
A fake data dump doesn’t impact the end-user all that much (other than the annoyance of changing passwords yet again), but it can have a significant effect on the company’s reputation, the report said.
The actors may not be that dangerous, since they are relying on smoke and mirrors rather than on skill at breaking into a network. But for the “victim” company, the idea that it was breached sticks in the public consciousness for a long time. The recent incident in which StubHub accounts were used for fraudulent ticket sales is a good example: the accounts were accessed with credentials the attackers had obtained elsewhere, yet the episode was widely described as a StubHub breach.