Are We Phish in a Barrel?

With the rise of data breaches due to spear-phishing campaigns, how can companies keep sensitive data safe?

Unsecured servers are (unfortunately) nothing new, but at the end of 2019 we saw several data exposures that were notable—not just for their massive size, but also for the types of information included.

The record-breaking one uncovered by dark web researcher Vinny Troia, for example, contained 1.2 billion records that went beyond the usual credit cards and SSNs. This data exposure included home and cell phone numbers, email addresses, social media profiles and work histories.

An unprotected database belonging to the SMS provider TrueDialog, discovered by the vpnMentor research team a couple of weeks later, exposed tens of millions of SMS messages spanning an unusually diverse data set. The leak included full names, message content and metadata, and was primarily tied to business-related communications.

One week after that, Fidus Information Security found a massive cache of exposed applications for U.S. birth certificate copies. Not only did this include personal information and historical data, but also the reason the applicant was asking for their copies—revealing details such as whether the individual was applying for a passport or researching family history.

In each of these cases, it’s disconcerting to see all of that information in one place, but it’s also dangerous. With so much personal information in these caches, they’re veritable gold mines for sophisticated spear-phishing attacks. Bad actors are able to use this type of information to create extremely convincing spoofed emails—ones that truly look legitimate. Having this much information about a person’s professional and personal lives readily available makes it easy for attackers to deceive their targets. These types of targeted attacks often bait individuals into clicking on malicious links or sharing credentials directly—both of which can be used against them down the line.

With this information, for example, I could text your mobile number with a fake password reset link for Facebook, then email you to tell you that someone tried to reset your password. If you didn’t fall for the text, you might fall for the follow-up email if it said something such as, “Didn’t request this change? Click here.”

Real-world examples of these social engineering attacks are on the rise as well, and not just among wealthy and high-profile businesspeople but among people of average means and roles. That attackers are becoming less discriminating about whom they target raises the question of whether previously breached information was so easily available that it offered an exceptionally high return on the effort.

What makes these threats particularly dangerous is that the victim often doesn't realize they've been compromised. The attacks are convincing enough that nothing raises a red flag until things start going wrong down the road. By then the victim's information is already being used for malicious purposes, and the organization is in response and recovery mode.

The information exposed in these leaks also raises the risk that multi-factor authentication will be defeated. Most consumer 2FA delivers its second factor to the user's email address or phone number, so an attacker who gains control of one of those channels (rather than merely knowing it) can satisfy that check as well, and the leaked addresses and numbers tell the attacker exactly which channel to go after. This puts both personal and business accounts at risk.

From a business perspective, the good news is that even though spear-phishing campaigns vary greatly with the attacker and the target, they share certain tactics, techniques and procedures (TTPs). Even the most targeted campaigns are rarely aimed at a single user, so they can often be uncovered from network traffic: when even a small number of devices in an organization begin contacting a destination domain that has never been seen before and looks suspicious, a mature security operations team should be able to spot that anomaly, investigate it and take further steps to secure its systems.
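As an added illustration (not code from the original article or from Awake Security), the following Python sketch implements the detection heuristic described above over a constructed proxy-style log: it learns the set of destination domains seen during a baseline period, then flags any domain absent from that baseline that a small cluster of distinct hosts contacted within a short window. The log format, host names, domain names, the lookalike domain and the thresholds (2 to 5 hosts, a one-hour window) are all constructed for the example.

```python
"""Flag destination domains that are new to the organization and were contacted
by a small cluster of hosts within a short window. Added example; the log
format, values and thresholds are constructed, not taken from any product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline traffic: only the distinct domains matter here.
BASELINE_LOG = """\
2019-12-02T08:01:11Z host=ws-001 domain=login.microsoftonline.com
2019-12-02T08:02:45Z host=ws-002 domain=www.facebook.com
2019-12-03T10:14:09Z host=ws-003 domain=outlook.office365.com
2019-12-04T12:30:52Z host=ws-004 domain=update.example-vendor.com
2019-12-05T16:45:00Z host=ws-001 domain=www.facebook.com
"""

# Constructed current-day traffic: three hosts reach a lookalike domain within
# 20 minutes, one host reaches a one-off new domain, the rest is known-good.
CURRENT_LOG = """\
2019-12-10T09:15:02Z host=ws-017 domain=login.microsoftonline.com
2019-12-10T09:16:40Z host=ws-042 domain=facebook-security-reset.com
2019-12-10T09:21:13Z host=ws-019 domain=facebook-security-reset.com
2019-12-10T09:33:58Z host=ws-007 domain=facebook-security-reset.com
2019-12-10T09:40:21Z host=ws-011 domain=cdn.some-new-but-benign.net
2019-12-10T10:02:09Z host=ws-042 domain=www.facebook.com
2019-12-10T14:50:33Z host=ws-023 domain=facebook-security-reset.com
"""


def parse_log(text):
    """Yield (timestamp, host, domain) from the key=value log lines above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv["host"], kv["domain"]


def learn_baseline(text):
    """Set of domains the organization already talks to."""
    return {domain for _, _, domain in parse_log(text)}


def new_domain_clusters(baseline, text, min_hosts=2, max_hosts=5,
                        window=timedelta(hours=1)):
    """Return domains absent from the baseline that between min_hosts and
    max_hosts distinct hosts contacted inside one `window`-long span.

    One host on a new domain is ordinary browsing; dozens of hosts usually
    means a legitimate rollout; a small cluster in a short window is the
    shape of a targeted campaign hitting a handful of recipients."""
    visits = defaultdict(list)  # domain -> [(timestamp, host), ...]
    for ts, host, domain in parse_log(text):
        if domain not in baseline:
            visits[domain].append((ts, host))

    clusters = []
    for domain, events in visits.items():
        events.sort()
        best_hosts, best_span = set(), None
        # Slide a window starting at each event; keep the largest host set.
        for i, (start, _) in enumerate(events):
            hosts, last = set(), start
            for ts, host in events[i:]:
                if ts - start > window:
                    break
                hosts.add(host)
                last = ts
            if len(hosts) > len(best_hosts):
                best_hosts, best_span = hosts, (start, last)
        if min_hosts <= len(best_hosts) <= max_hosts:
            clusters.append({
                "domain": domain,
                "hosts": sorted(best_hosts),
                "first_seen": best_span[0].isoformat(),
                "last_seen": best_span[1].isoformat(),
            })
    return clusters


if __name__ == "__main__":
    known = learn_baseline(BASELINE_LOG)
    for hit in new_domain_clusters(known, CURRENT_LOG):
        print(f"{hit['domain']}: {len(hit['hosts'])} hosts "
              f"{hit['first_seen']} .. {hit['last_seen']} {hit['hosts']}")
```

On the constructed input this reports only facebook-security-reset.com, contacted by ws-007, ws-019 and ws-042 between 09:16:40 and 09:33:58; the single host that reached the benign new CDN is below the cluster threshold, and the fourth visit to the lookalike domain five hours later falls outside the window. In practice the baseline would be built from weeks of DNS or proxy telemetry, and a hit like this would be enriched with domain age, registrar and the originating email before anyone is paged.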

The size, scale and character of these recent data exposures should put us all on high alert for suspicious activity and for spear-phishing campaigns that rely on the platforms and data encompassed in the leaks. In the meantime, businesses should take a close look at their authentication practices, as well as at how their security operations uncover new TTPs and anomalies that need to be escalated. This kind of network forensics is the best line of defense against such targeted attacks.

David Pearson

Having used Wireshark ever since it was Ethereal, David has been analyzing network traffic for well over a decade. He has spent the majority of his professional career understanding how networks and applications work, currently as Head of Threat Research for Awake Security, the only advanced network traffic analysis company that delivers answers, not alerts. David holds computer security degrees from the Rochester Institute of Technology (BS) and Carnegie Mellon University (MS).
