The Dark Art of Turning Mountains of Stolen Data Into Cash
We’re only two months into a new year, and already hundreds of millions of personal records have been compromised, including 123 million employee and customer records from sporting retailer Decathlon and another 10.6 million records of former guests of MGM Resorts hotels.

These announcements followed fuel and convenience chain Wawa’s revelation that it was the victim of a nine-month-long breach of its payment card systems at 850 locations nationwide.

In addition, Microsoft earlier this month said a data breach spanning 14 years exposed 250 million of its customer records.

Data breaches have become so common that experts agree it isn’t a matter of if but rather when a company will become a victim. A recovery plan, therefore, should focus on how to deal with a breach of employee/customer/client data, how to handle a ransomware attack, and what to do to make sure exploits are plugged so that additional hackers don’t use the same ones again.

In the case of the Wawa breach, hackers claimed on dark websites such as the fraud bazaar Joker’s Stash that they had 30 million records for sale. True or not, the claim highlights the likelihood that there is far more exposed data than even the hackers can handle.

Big Data Haul

The data stolen varies from breach to breach. In the case of MGM, the breach included full names, home addresses, phone numbers, emails, and even dates of birth. For the Decathlon breach, the information included unencrypted passwords, employment contract information, Social Security Numbers, and working hours.

The MGM breach did not include credit card data, however.

“It’s important to realize that no payment data was involved in this particular incident,” said Gary Roboff, senior advisor at The Santa Fe Group.

However, “the effects of this hotel data leak may be even more insidious than some expect,” warned Mike Jordan, vice president of research at risk management firm Shared Assessments.

The last big breach of a hotel occurred in 2018 when Marriott was compromised, but that wasn’t really a profit-driven breach.

“It was attributed to alleged China-sponsored attackers for the purposes of intelligence and perhaps ultimately coercion,” Jordan told TechNewsWorld.

State Actors

One other factor contributing to the sheer number of breaches is that they aren’t always conducted by cybercriminals, as in the Marriott example.

“Statecraft by intelligence organizations often relies on basic information such as how and where to find people,” explained Jordan.

“Getting this information in bulk or using it to verify existing data is a key component to building an effective intelligence program,” he added.

“This information leak would be quite useful for those purposes, considering there are some particularly wealthy patrons on that list,” noted Jordan.

Because the MGM information was posted to a public forum, it is very unlikely that the perpetrators were the same as those responsible for the Marriott breach.

“However, this information could be just as useful to malicious parties, and more of them now have access to it,” suggested Jordan.

Supply and Demand

As a result of these breaches, it seems that a vast amount of data is being offered for sale on the dark Web — almost to the point that the big data is getting too big for cybercrooks to handle.

“Based solely on the law of supply and demand, the cost of a record has dropped significantly,” said Matt Keil, director of product marketing at Cequence Security.

“There are huge breaches still being revealed regularly,” warned Jim Purtilo, associate professor of computer science at the University of Maryland.

“Remember that just because your data are exposed once doesn’t mean every miscreant has it. More breaches place your data in more hands, meaning there are just that many more opportunities for some criminal mind to do something with it,” he told TechNewsWorld.

The issue is what the data contains, said James McQuiggan, security awareness advocate at KnowBe4.

“People need to consider that their information is out there, like Social Security Numbers, names, emails and passwords and addresses,” he told TechNewsWorld.

“It’s important for folks to monitor their credit and accounts, along with being vigilant towards emails they receive,” McQuiggan added. “While they can’t ignore all of their emails, they need to verify if something is too good to be true or suspicious.”

Cybercriminals tend to be highly inventive when it comes to finding profitable ways to use stolen data.

“In the hands of a motivated bad actor, this data can be used in an account takeover attack against MGM itself and — based on the propensity to reuse passwords — against other resorts,” Keil told TechNewsWorld.

“If successful, the value then becomes significantly greater because the bad actor will then be able to steal or use reward points,” he added. “The resultant fraud is an added expense to MGM, and longer-term impacts their users negatively. Statistics show that customers are far more likely to use a different vendor when their personal information is stolen.”
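The account takeover scenario Keil describes (leaked credentials replayed against other sites where passwords were reused) leaves a recognisable footprint in authentication logs: one source trying many different usernames with mostly failures. The detector below is an added example written for this article, not code from any of the firms quoted; the log format and the sample lines are constructed for illustration.

```python
# Added example (not from the article): flag credential-stuffing bursts in
# constructed authentication log lines. A source that tries many distinct
# accounts in a short window with a high failure rate is the usual signature
# of leaked credentials being replayed; a successful login inside such a burst
# is the likely account takeover and deserves a password reset and review.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "timestamp ip user result" format.
SAMPLE_LOG = """\
2020-02-20T10:00:01 203.0.113.7 alice FAIL
2020-02-20T10:00:02 203.0.113.7 bob FAIL
2020-02-20T10:00:02 203.0.113.7 carol FAIL
2020-02-20T10:00:03 203.0.113.7 dave OK
2020-02-20T10:00:04 203.0.113.7 erin FAIL
2020-02-20T10:00:05 203.0.113.7 frank FAIL
2020-02-20T10:05:00 198.51.100.9 alice FAIL
2020-02-20T10:05:30 198.51.100.9 alice OK
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, user, success_flag)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.5):
    """Return {ip: {"users": set, "compromised": set}} for every source that
    touched at least min_users distinct accounts inside a sliding window
    while succeeding on at most max_success_ratio of its attempts."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order, so a sliding window is valid
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            burst = evs[start:end + 1]
            users = {u for _, u, _ in burst}
            successes = {u for _, u, ok in burst if ok}
            if len(users) >= min_users and len(successes) / len(burst) <= max_success_ratio:
                flagged[ip] = {"users": users, "compromised": successes}
                break  # first qualifying window is enough to flag this source
    return flagged
```

A normal user retrying their own password (198.51.100.9 above) touches one account and is not flagged; the thresholds are starting points to tune against your own baseline.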

The Evil Lottery

Following the breaches at Equifax, the government’s Office of Personnel Management, and Target, as well as countless other cyberattacks, it is very likely that most Americans have had some personal data exposed in recent years. The good news is that, in many cases, there is so much data that much of it won’t be used by the bad guys.

That doesn’t mean we shouldn’t be worried.

“We have become immune to the regularity of data breaches,” suggested Keil. “No longer do we see the outrage and backlash that occurred with the breaches of yesteryear — aka Target.”

Right now, it isn’t a question of if or really even a question of when, but more likely how frequently our data could be exposed. We all could be participants in an “evil lottery.” Instead of winning a jackpot, we’re singled out for the unpleasantness that comes with our data actually being used by the bad guys.

That’s unfortunately true, said Shared Assessments’ Jordan.

“Our data is of value for targeting individuals using currently legal and illegal means — data is a raw material commodity like copper or soybeans that needs refining,” he explained.

Due to changes to our information over time, data has a shelf life, Jordan noted, “so new breaches are needed to keep their data valuable.”

Breach and Repeat

Many security breaches occur because they are easy to pull off. All too often, companies see data theft as an added cost of doing business. Even seemingly “public” information can have value.

“It isn’t my intention to draw a road map for how to do this, but exposing just an address and DOB can be problematic enough,” explained the University of Maryland’s Purtilo.

“Someone who acquires those in a smash and grab on some site can flip them for some trivial amount per record and move on — it’s not quite free money, but close to it,” he said.

A harsher impact occurs when the data is aggregated in the hands of someone with patience.

“One’s address and DOB are sufficient to open all sorts of innocuous accounts in someone’s name, which creates a thin backdrop of credibility for when the hacker goes ‘pretexting’ or pretending to be that person for purposes of persuading a utility company, financial firm or medical provider to reset an account for the identity thief,” Purtilo explained.

The result is that in very short order, a legitimate data owner will find himself locked out of services while the hacker picks him clean.

“The more data spilled in a breach, the less of a story must be manufactured in order to persuade firms to give away your goods, but even a little data can be exploited when blended with patience,” said Purtilo.

It is no small task for cybercriminals to pull this off, either. Unlike what movies and TV shows suggest, it isn’t a matter of instantly turning the data into bitcoin — it takes real effort to make the data worth something without alerting the authorities.

“Figuring out how to test the accuracy of pilfered identity credentials but without triggering an alert at a credit reporting firm becomes a real art,” said Purtilo. “An identity thief can work all around the periphery of someone’s digital profile creating a backdrop before going in for a more upscale breach at some financial firm.”

Beyond Breaches

There are other significant cyberthreats that are unlikely to stop, so recovery, unfortunately, has become the next best course of action.

“There is so much money being made in ransomware attacks that the attackers can afford to creatively develop and test new ways to attack organizations,” said Erich Kron, security awareness advocate at KnowBe4.

“The cost of phishing attacks — about (US)$65 to send 50,000 phishing emails from Dark Web operators — is so low, has such a low risk of being caught, and has such a high payout, that it is nearly impossible for cybercriminals to resist,” he told TechNewsWorld.

These attacks have proven themselves over decades and have mastered the ability to manipulate human behavior, added Kron.

“The key to avoiding these attacks is training people how to spot them and report them within the organization,” he suggested. “They also need to monitor traffic in and out of the network, looking for sensitive data or unusual traffic patterns. In addition, data at rest should be encrypted wherever possible to minimize the risk of sensitive data that is being leaked, even if it is exfiltrated.”

Technology Fighting Back

Fortunately, there are now simple yet effective methods to help make some of the data worth less to hackers, if not exactly worthless. Two-factor authentication can render many of the exposed passwords useless, while security features are being added to payment solutions.

“Since chip cards were finally introduced in this country, we’ve seen a sharp decrease in the amount of useable credit and debit card information captured at the physical point of sale,” The Santa Fe Group’s Roboff told TechNewsWorld.

“The use of dynamic payments data generated by EMV-compliant cards and the increased use of payments tokens online — and biometrics to authenticate users initiating token-based payments on Apple and Android devices — has helped reduce payments fraud,” he added.

However, the best solution may be better practices on the part of individuals.

“Users need to take more control, paying closer attention to their password hygiene. Move to using a password manager for all uses, not just the important ones,” added Cequence Security’s Keil, “and wherever possible, two-factor authentication should be enabled.”

Peter Suciu

Peter Suciu has been an ECT News Network reporter since 2012. His areas of focus include cybersecurity, mobile phones, displays, streaming media, pay TV and autonomous vehicles. He has written and edited for numerous publications and websites, including Newsweek, Wired and Peter.
