Your personal details are one of the Dark Web’s most valuable commodities. Jon Inns, Product Director at Crossword Cybersecurity explains how and why your credentials are being bought and sold online and the steps you can take to keep your them safe from criminals.
For most of us, the Dark Web is a mysterious world that we’ve all heard of but don’t understand. We know it’s a marketplace for illegal activities, and that it’s pretty scary. But as most of us don’t use it, and wouldn’t even know how to access it, we don’t truly consider the implications it could have on our lives.
The reality is, while the Dark Web is a place where you can order drugs, or guns, or other items more commonly associated with criminal activity, one of its most valuable commodities is one that impacts the vast majority: personal and professional data. Vast numbers of user login details frequently obtained through 3rd party data breaches are bought and sold on the Dark Web every day. There are over 24 billion username and password combinations on the Dark Web- a number that has increased by 65% since 2020, which means it’s almost inevitable that every person reading this has probably had data leaked and shared in some way.
Personal data is highly valuable, no matter who you are. When criminals have access to it, there is almost no end to what they can do with it. From making purchases with your payment details to using your National Insurance number to apply for benefits, these criminals will take every opportunity to exploit whatever angle they can with the informational that they have. And it doesn’t stop there, the data possessed by criminals can be used to orchestrate corporate cyber breaches, which in the simplest terms possible means: your login credentials could be used in an attack against your place of employment.
When breached credentials are used to access a corporate system, the cybercriminals are privy to all kind of sensitive information like client and personal data, and even financial data. They can access email communications, which makes it easy to attempt things like invoice fraud, or masquerade as a senior level employee or client in order to instruct or authorise payment transfers.
Data breaches have a rippling effect too as it's not just the organisation that's getting compromised that's suffering; the data that's being lost is constantly being weaponised against other future targets. So every time information is stolen, the problem gets bigger for all of us.
So how are your login credentials getting stolen?
Unfortunately, this isn’t as difficult as it should be.
One approach is using phishing techniques - which is a well-known and highly successful technique where a convincing email is sent to someone with a link asking them to carry out some kind of online activity such as updating their login details or newsletter preferences. The page presented is actually fake and controlled by an attacker who is rewarded with a valid username and password if someone falls victim to the scam.
Another method is from data leaks from 3rd party online applications. According to a Verizon DBIR report, 37% of all breaches stole or used credentials. Millions of usernames and passwords are leaked every month through attacks against applications we all use every day, such as personal shopping sites, online games, business forums and so on.
The impact of this can have a snowball effect due to the fact that over 90% of people reuse passwords. For example, if you use a password like Bristol#1995!, it might appear that this is a strong password, however, if you’re using the same password everywhere, the moment it has been stolen from a site, it then could potentially become clearly visible to attackers, who can then use it to try and login to every other service where you’ve used it, including things like work email and cloud accounts which have sensitive info on them. Or if your passwords follow a pattern, say different football players from the same team, or cities you’ve lived in, it’s easy for criminals to understand your thought process for choosing your passwords and then use that pattern to try and compromise your accounts. Though passwords are intended to be secrets, it’s safer just to assume that they may not remain so.
Criminals often share this leaked data among one other too, knowing that many of their targets (us) use the same password for multiple services. Imagine for a moment that you subscribe to an industry newsletter, and you sign up to that service with your work email and a favourite password. A few months later, that newsletter marketing site gets hacked, and the data is stolen. An attacker now has your work email address and password; more importantly, they know you might use that password frequently. This could be very useful for hacking into a corporate system. Now think about the impact this could have on your organisation.
What else do I need to know about cyber attacks?
In IT security, we talk a lot about Defence-in-Depth. What that means is that there are multiple ways you could be attacked, and therefore you need multiple layers to help protect yourself.
Here are a few things to bear in mind:
Cyber attackers are a bit like school bullies: they pick on the vulnerable because it’s easier. The same goes for the majority of cyber attacks, where criminals are looking for the weakest industries and organisations. If your IT is not well maintained or your staff aren’t trained in what to look out for, then you will become an effective target.
It’s not about being too big, or too small to be worth the trouble - if your security controls are weak, you will probably suffer an attack at some point. If an attacker can find a way to extract your cash, then it’s worth their time trying.
Despite what you hear in the news, most cyber attacks are not actually highly sophisticated, they often use simple but effective tricks, so you need to focus on taking the appropriate security steps to avoid falling into the “weakest” bracket.
How can businesses protect themselves from being vulnerable to attack?
There are many preventative steps that you can take to protect your systems from cyber attacks:
To avoid invoice fraud, have a process that prevents payments to new or updated payee account details without rigorous checks and balances, even if the request is from someone well known, such as a senior manager or trusted supplier. Never rely on an email being genuine; it could be someone manipulating the system from outside of the organisation.
Keep all your IT patched and up to date. Malware takes advantage of software flaws that are fixed by vendors, but if you don’t patch your software, flaws remain exposed. If you work in retail – don’t forget your Point of Sales systems which are frequently neglected.
Implement two-factor authentication on systems like email whenever possible.
If you have public-facing web applications, have them independently checked frequently (at least annually) for security vulnerabilities by ethical penetration testers.
Have a recovery plan. Know that you can restore your files and systems if you get hit by ransomware. It’s here for the long haul so be prepared.
Avoid saving your passwords in your browser and use a password vault instead. Attackers are finding ways to extract passwords stored in browsers.
If the worst does happen - don’t forget to communicate. Nobody wants to be attacked, but that’s what it is – an attack. Organisations who quickly and transparently communicate an attack are often applauded by industry. Organisations who bury the news rarely enjoy the same admiration when the news eventually comes out. There are lots of specialists available who can help you handle your incident if you need them.
Invest in a monitoring service that will keep you on aware and on top of breached credentials. Data breaches happen on a nearly daily basis so having constant visibility of stolen credentials available on the dark web is critical to reducing your security risks.
Our Trillion™ solution is a breached account mining platform that continuously tracks, correlates and analyses billions of stolen usernames and passwords, hunting for digital identities that could belong to your employees and alerts you if it discovers email accounts that might affect your organisation.
Find out more about Trillion here.