Fraud Landscape Shifts as EMV Adoption Becomes More Widespread

It’s been just over two years since the liability shift around EMV pushed retailers and financial institutions towards adopting chip-enabled cards and terminals, and the fraud landscape for cybercriminals has shifted along with that adoption.

In June, Visa reported that it had issued nearly 450 million chip cards and that 50% of U.S. storefronts now accept the more secure payment cards. Visa also said that merchants who have upgraded their systems saw their counterfeit fraud dollars drop substantially from the previous year.

However, fraud is not disappearing, it’s just shifting, said Monica Eaton-Cardone, the co-founder and COO of Chargebacks911, on SurfWatch Labs recent Cyber Chat podcast.

“We have enough adoption — enough people, enough merchants are making that transition — that it’s already scared a lot of the criminals who were preying on these card-present ways of stealing cards, and they’ve already started leaving that market,” Eaton-Cardone said. “Unfortunately, what has happened is that all of that criminal activity has just migrated to the online environment.”

Squeeze one area of fraud, and malicious actors will simply rush to exploit other areas — a “fraud balloon,” as SurfWatch Labs Adam Meyer describes it. For example, in recent months SurfWatch Labs has observed an increase in both cryptocurrency attacks and attacks against consumer accounts tied to payment card information, and gift card fraud is expected to surge in the coming months as well.

Although the fraud landscape is shifting, ample opportunity still remains for fraudsters to exploit the old payment cards. The EMV liability shift for gas station pumps, which holds merchants using outdated technology responsible for fraudulent transactions on EMV cards, was originally set to go into affect last month — but that has since been pushed back until October 2020. Visa said the delay was due, in part, to gas stations needing more time to upgrade because of issues with a sufficient supply of regulatory-compliant EMV hardware and software.

Merchants have traditionally been focused on removing friction from purchases and making the process as fast as possible, Eaton-Cardone said. As a case in point, Chipotle announced a point-of-sale breach earlier this year after reportedly stating prior to the 2015 EMV deadline that it did not plan on upgrading its point-of-sale systems due to concerns such as increased transaction times.

“When you’re focused on speed, you’re probably not as focused on security, so maintaining that balance really can be a lifesaving item when it comes to protecting your business from liability,” Eaton-Cardone said.

That security should start with the basics, she said, such as:

  • continually keeping software up to date in order to avoid known exploits,
  • having a layered approach to fraud that includes both technology and human review so there is more than one line of defense,
  • and putting a key focus on protecting data by following the Payment Card Industry Data Security Standard (PCI-DSS) and other well-established best practices.

Fraud is a dynamic issue, not a static one, and organizations need to adapt as the landscape changes — and that shift is increasingly towards the theft of data, Eaton-Cardone said.

“The world is transforming into a digital environment. It’s no longer cash is king. It’s really data is king.”

Listen to the podcast for more from Monica Eaton-Cardone on EMV technology, how organizations can defend against fraud, and what the fraud landscape will look like in the future.

‘Tis the Season: Gift Card Fraud Rampant on the Dark Web

The holiday shopping season is right around the corner, and gift cards are expected to remain as the most requested holiday gift for the tenth year in a row. It should come as no surprise then that gift card fraud has become a booming business for cybercriminals as they attempt to grab a slice of that $140 billion pie.

In fact, gift cards are one of the most frequently listed items on dark web marketplaces, and SurfWatch Labs expects the number of compromised gift cards for sale to rise in the coming months. As we noted last week in “How Cybercriminals Perpetuate Gift Card Fraud,” fraudsters employ a variety of simple tricks to find active gift card numbers and codes to steal — and millions of gift cards will soon be loaded with active balances across the country.

2017-10-25_GiftCardGroups.png
The top 10 groups associated with gift-card-related cybercrime so far in 2017 include specialty retailers, which includes Amazon; business support services, which includes Visa; IT services and consulting, which includes Google and eBay; and computer hardware, which includes Apple.

SurfWatch Labs’ threat intelligence data has already shown a significant increase in fraud in the third quarter, and those fraud concerns will remain elevated throughout the holiday season.

Stolen Gift Cards on Marketplaces

Compromised gift cards are often sold on cybercriminal markets; however, legitimate gift card marketplaces have grown rapidly over the past few years and criminals have begun leveraging them to sell stolen gift cards or to aid in laundering money.

Marketplaces like Raise often provide customers links to help check gift card balances before listing. However, researchers have shown that balance-checking websites can be exploited by cybercriminals to determine active cards if the websites do not implement proper security measures.

2017-10-31_Raise.PNG
Legitimate marketplaces like Raise provide a place for users to buy and sell unused gift cards.

As Raise has grown in popularity, customers have reported multiple instances of gift cards having their balances completely or partially gone by the time buyers used them, as well as instances of tens of thousands of gift cards being used to launder stolen credit card money through the site.  Those issues may have helped push the company to expand its money-back guarantee on gift cards last year from 100 days to 365 days in order to help assuage some of the concerns users had about buying potentially compromised cards.

Stolen Gift Cards on the Dark Web

The dark web is in a more fluid state heading into this holiday season than it was in 2016, and that’s largely due to the law enforcement takedown of two of the top three most popular markets, AlphaBay and Hansa Market, this past summer. However, finding gift cards for sale on various smaller marketplaces is still relatively easy.

2017-10-25_Hooters
Gift cards for a variety of restaurants, retailers, and other organizations are frequently posted for sale on Dark Web markets.

Over the past few months, SurfWatch Labs has observed a variety of gift cards for sale for popular organizations on cybercriminal markets. SurfWatch Labs has not purchased the cards or verified the legitimacy of the postings, but they include:

  • gift cards for popular chains such as Whole Foods ($100 for $35), Hooters ($50 for $10), and Starbucks ($10-$20 for $3);
  • various gift cards that may be partially used, such as a $17 Applebee’s gift card for $6.80, and a $32 Five Guys gift card for $12.80;
  • and sellers claiming to have gift cards for dozens of other restaurants, specialty retailers, hospitality organizations, entertainment venues, and more at similarly discounted prices.

It’s unclear how the numerous gift cards for sale were stolen — or what percentage are actually legitimate — but a quick search of a dozen random companies listed found that nearly all had websites where users could check their balances. And of those, only a few required CAPTCHAs, which researchers have suggested be implemented to help slow down automated attacks.

Other common gift card fraud prevention tactics include making sure that unactivated gift cards are not easily accessible and that their numbers are hidden behind scratch-off coverings, that organizations don’t use sequential numbering or other easily recognizable patterns with their gift cards, and that consumers who have gift cards use them in a reasonable time so the window for potential attacks is shortened. In addition, some stores have implemented limits on the amount of gift cards that can be purchased at once, have begun requiring photo ID for high-dollar purchases, and are attempting to warn buyers of potential scams related to gift cards.

However, until those increased protections become more widespread, we will likely once again see a rise in gift cards being leveraged for fraud and other illicit purposes this holiday season.

‘Tis the Season: How Cybercriminals Perpetuate Gift Card Fraud

Two months ago, Fan Xia, a 29-year-old research assistant from UW-Milwaukee’s engineering department, was arrested for laundering more than $300,000 via an international scheme involving gift cards. According to the criminal complaint, Xia would receive gift card information from scammers in India, use that information to buy iTunes and Google Play gift cards, and then scratch off the codes and forward the information to another set of individuals in China.

The case is hardly unusual — fraud leveraging gift cards has become more the norm than the exception — but it does highlight several ways in which criminals typically exploit gift cards:

  • Police were tipped off to the fraud ring after a Wisconsin man reported that a caller impersonating the IRS requested he pay via gift cards $4,987 in back taxes, which is the exact type of gift card scam the IRS has been warning about the past couple years.
  • The man fell for the scam and bought three Target gift cards, two worth the maximum $2,000 and one worth $987. Those cards were then used to launder the scammed money via numerous iTunes and Google Play gift cards allegedly purchased by Xia. Police said Xia had taken pictures of the scratched-off codes of approximately 6,100 such cards over an 11-month period, totalling $305,000.
  • The victim who was duped by the IRS impersonator grew suspicious and tried to cancel the cards after providing the scammers the information, but the active gift cards were quickly used by Xia, who was allegedly buying up to $3,000 worth gift cards a day with the data from India.
2017-10-25_CashOut
Malicious actors use gift cards for a variety of purposes, including cashing out stolen credit cards. This guide on a Dark Web market claims to walk fraudsters through 10 steps of that process.

As the holiday season grows closer, there will likely be renewed warnings for both consumers and organizations about similar scams. The gift card market has grown to become a $140 billion dollar industry, and the average consumer will purchase at least two gift cards during the holidays. However, those gift cards remain relatively insecure compared to traditional payment cards, and cybercriminals will likely continue to exploit those weaknesses as consumer activity ramps up in the coming months.

How Cybercriminals Exploit Gift Cards

To use money on a gift card, fraudsters need the card code or number and, in some instances, the associated PIN. In the case involving Xia, he is alleged to have bought and scratched off the iTunes and Google Play codes himself to help launder money originally stolen from phone scam victims. However, there are several methods in which fraudsters can gain access to gift card codes without paying for them.

2017-10-25_GiftCards
Walmart gift cards have a 16-digit card number and PIN, whereas iTunes gift cards have a 16-digit alphanumeric code.

The most straightforward method for fraudsters to get codes off of physical gift cards is by simply grabbing a stack of inactive cards, which tend to be easily accessible at most stores. If the cards use magnetic strips, the card data may be stolen and cloned with a magnetic stripe reader/writer. If the cards use redeemable codes, fraudsters can scratch off the codes, copy them, and then replace the scratch-off label. Some companies don’t even bother hiding gift card numbers behind a scratch-off since they’re not usable until purchased, which makes it even easier for fraudsters to steal the data.

The fraudsters then return the cards for legitimate consumers to purchase — without knowing that the card numbers or codes they are buying are already in the possession of malicious actors.

2017-10-25_ScratchOffLabels
Replacement scratch-off stickers, magnetic stripe readers, and other legitimate tools that can be repurposed for fraud are easily purchased on sites such as Amazon and eBay.

That method, though simple, is pretty difficult to scale. Larger fraud operations tend to leverage technology, along with weaknesses in gift card security, in order to automate the compromise of gift cards.

Professional pen-tester Will Caput recently gave a presentation on how he was able to exploit the patterns of various organizations’ gift cards in order to brute force his way to discovering active card numbers. For example, Caput noticed that the gift card numbers one Mexican restaurant used were identical except for one incrementing number and the randomized last four digits. He told Wired that he could target the website used to check gift card balances with the bruteforcing software Burp Intruder to cycle through all 10,000 possible values for the last four random digits in about 10 minutes. Rinse and repeat that process via the incrementing number and a fraudster can easily generate a large number of active cards to use or to sell via cybercriminal markets.

In fact, cybercriminals used a similar approach earlier this year with GiftGhostBot, which was detected performing automated attacks against nearly 1,000 customer websites in order to check millions of gift card numbers for active cards.

Attacks like GiftGhostBot have led some companies to disable their gift card balance-check websites — or to implement CAPTCHAs and other measures to combat automated attacks. Unfortunately, many gift cards remain vulnerable to simple attacks, and cybercriminals continue to shift their attention towards gift cards as traditional payment cards become more secure due to the adoption of EMV and other fraud-prevention tactics.

Many of those compromised gift cards are then bought, sold, and traded on dark web markets and other websites, a practice we’ll examine in the second part of this blog series.

Payment Card Fraud and Cryptocurrency Attacks Saw Significant Increase Last Quarter

The financials sector saw an increase in incident volume in the third quarter of 2017, and much of that increase revolved around cyber-attacks targeting various cryptocurrency platforms, as well as payment card breaches in the consumer goods sector that led to increased fraud activity on cybercriminal markets.

2017-10-12_FinancialRisk
The financial sector (blue) saw above average risk scores for incident volume, effect impact, and targeted asset in Q3 when compared to all sectors (black).

Key takeaways from SurfWatch Labs’ threat intelligence findings for the period include:

  • Banks remained as the top trending group associated with cybercrime in the financials sector, accounting for nearly one quarter (24.4%) of the negative cyber events collected by SurfWatch Labs; however, that percentage was down from 38.1% in the first half 2017 and 35.8% across all of 2016.
  • That drop was largely attributed to increased activity in the specialty financials group, which saw its percentage of threat intelligence jump from 7.4% in the first half of 2017 to 19.4% in Q3 as malicious actors increasingly targeted cryptocurrency platforms.
  • Payment cards were the dark web target category to see the most significant increase, accounting for 14.6% of the financials sector’s dark web threat intelligence – a rise from 7.1% in the first half of 2017.
2017-10-12_FinancialIncidentVolume
The financials sector saw an increase in the amount of threat intelligence collected by SurfWatch Labs beginning in July, and that increased volume continued throughout Q3 2017.

Malicious Actors Increasingly Targeting Cryptocurrency

Cybercrime incidents related to the banking group remained the most widespread in SurfWatch Labs’ Q3 threat intelligence data. However, when excluding our dark web data, many of the most noteable cyber-attacks – including all five of the top trending incidents for the period – occurred at cryptocurrency organizations in the specialty financials group.

2017-10-12_FinancialGroupsAll
Specialty financials accounted for 19.4% of the cybercrime threat intelligence collected by SurfWatch Labs during Q3, a significant increase from the 7.4% during the first half of 2017.

Several of the top trending cyber-attacks in Q3 revolved around the hijacking of Ethereum Initial Coin Offerings (ICO) in order to steal cryptocurrency. Notable attacks include:

    • In July, Coindash said that an actor gained access to its website during the company’s ICO and changed the text on the site to a fraudulent Ether wallet address – resulting in $10 million worth of Ether being stolen from investors.
    • Veritaseum also reported in July that it had $8.4 million worth of tokens stolen during its ICO as a result of a “very sophisticated” attack, which may have involved at least one corporate partner dropping the ball, according to the company’s founder.
    • In August, Enigma Catalyst said that investors were scammed out of approximately $500,000 of Ether when malicious actors hijacked the company’s website, mailing lists, and Slack accounts and subsequently offered a fake pre-sale to investors ahead of the company’s upcoming ICO.

In addition, there were a variety of other cryptocurrency-related attacks during the period. For example, a bug was found in the multi-signature wallet code used as part of Parity Wallet software, which led to wallets being exploited and reports of approximately $34 million worth of Ether being stolen before white hat hackers intervened to prevent an additional $85 million in theft. In addition, a malicious actor was also able to trick the hosting provider of the open source Classic Ether Wallet into hijacking the Classic Ether Wallet domain, resulting in potential theft as transactions were made on the site.

As cryptocurrencies continue to gain legitimacy and value, it is likely that malicious actors will continue to shift towards targeting them in both the near and long term. For example, one group is tracking over 150 active Ethereum scams heading into the fourth quarter of the year.  Exploiting the popularity of cryptocurrencies has proven to be highly profitable for both cybercriminals and state actors, such as North Korea.

Fraud Activity Increases on the Dark Web

SurfWatch Labs also observed an increase in the amount of fraud-related activity in Q3, with fraud accounting for 43.6% of financials dark web threat intelligence – a significant jump from previous periods. In the first half of 2017, fraud accounted for 24.4% of collected dark web intelligence, and during 2016 it accounted for 24%.

2017-10-12_FinancialEffectMacrosDarkWeb
SurfWatch Labs collected a much larger percentage of fraud-related threat intelligence in Q3 2017 than during any other recent period.

Digging deeper into the data, it is clear that point-of-sale (POS) and other payment card breaches helped to drive a significant portion of fraud activity in Q3. In the first half of 2017, the target tag of “payment cards” appeared in only 8.3% of the dark web threat intelligence collected by SurfWatch Labs. In Q3 that number rose to 14.5%.

Some of the notable payment card breaches announced during Q3 include:

2017-10-12_ITTPaymentCards

  • The fast food chain Sonic has been tied to at least a portion of five million fresh payment cards being sold on a cybercriminal market.
  • Whole Foods announced a POS breach involving its taprooms and restaurants.
  • Avanti announced a POS breach affecting an undisclosed number of the company’s self-serve snack kiosks.
  • Equifax’s massive breach included more than 200,000 payment cards.
  • B&B Theaters announced it was investigating a payment card breach that may date all the way back to 2015.
  • Sabre announced a breach affecting its SynXis Central Reservations system back in May, and affected hotels continued to issue breach notification letters throughout Q3.
  • Third-party vendor Aptos continues to be tied to payment card breaches at online retailers.

Other payment card breach notifications and investigations have continued to be announced in the days since Q3 ended, including a POS breach at Hyatt Hotels and Irish retailer Musgrave warning SuperValu, Centra, and Mace customers to be on the lookout for fraud. In addition, Flexshopper announced it exposed payment card information, and Tommie Cooper and Cricut announced they discovered malware on their website checkout pages.

Numerous organizations also warned of payment cards phishing scams during the period – including Netflix, Uber, E-ZPass, Newcastle University, and more. A number of other data breaches and leaks involved partial payment card information.

Conclusion

The financials sector continues to be the target of a wide range of attacks due to the nature of the data organizations hold and the services they provide. As we noted in our Fraud and the Dark Web whitepaper, the number of avenues through which malicious actors can carry out fraud has increased along with the number of digital accounts tied to financial information. However, Q3 saw an increase in more traditional payment card fraud activity on the dark web – likely resulting from several large one-off POS breaches, as well as issues at vendors that have spread through the supply chain to affect both in-person and online purchases.

On the flip side, the number of cryptocurrency related breaches, particularly those tied to Ethereum, have highlighted a shift that may have legs – particularly since there is less regulation and, in some cases, less security to circumvent in order to pull off multi-million dollar heists. For example, it was reported that at least one Slack account with administrative privileges at Enigma used a previously leaked password and didn’t require two-factor authentication. Likewise, the incident involving Classic Ether Wallet began by simply socially engineering a third party over the phone by impersonating the site’s owner. Malicious actors are quick to copy the successful techniques of their peers, and we will likely see similar attempts against cryptocurrency organizations in the future.

Sonic Investigates Breach, 5 Million Cards For Sale on Cybercriminal Market

The fast-food chain Sonic said yesterday that it is investigating a possible payment card breach at its stores, and security blogger Brian Krebs reported that the incident may be tied to a batch of five million fresh payment cards being offered for sale on the stolen credit card shop known as Joker’s Stash.

Sonic said its payment card processor informed the company last week of unusual activity regarding cards used at its stores. Krebs reported that two sources purchased a handful of payment cards from the batch of five million credit and debit cards listed on Joker’s Stash, and those sources said the stolen cards had all been recently used at Sonic locations.

A Sonic spokesperson said that the breach investigation is still in its early stages and it is unclear how many of the company’s nearly 3,600 locations may have been impacted.

2017-09-27_SonicBreachJokersStash
Cybercriminal markets like Joker’s Stash often allow the filtering of stolen payment cards based on various options such as location, which allows malicious actors to target affluent areas or to buy cards located near them so that fraudulent transactions are harder to detect.

“It remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs wrote. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”

Fast food chains have been at the center of some of the most impactful and widely discussed payment card breaches over the past several years. In July 2016, Wendy’s announced that more than 1,000 stores were affected by point-of-sale malware, leading the fast-food chain to become the top trending company tied to a payment card breach last year. Likewise, Arby’s point-of-sale breach is the top trending consumer goods payment card breach of 2017, and other major restaurant chains such as Chipotle and Shoney’s have announced similar breaches this year.

2017-09-27_ConsumerGoodITT
Arby’s is the top trending consumer good target associated with payment card cybercrime so far this year, although it remains to be see how impactful the Sonic breach will be.

An interesting breach announcement trend in 2017 is the attempt to obfuscate the total number of breached locations behind clunky websites that divide the affected locations into searches not just by state, but by city. Case in point, the breach lookup webpage provided by Arby’s, which mimics the cumbersome and now-defunct webpage set up by InterContinental Hotels Group (IHG) for its recent breach. The IHG website divided the affected locations across hundreds of individual cities, and that tool, along with the news that IHG would update the list as more hotels confirmed breaches, meant frequent travelers had to comb through numerous searches repeatedly in order to find out if they were impacted by a single breach.

The Wendy’s breach, which affected franchise locations serviced by a third-party payment provider, was particularly painful for financial institutions as some locations were re-compromised after initially clearing the malware — leading to customer payment cards having to be re-issued multiple times. The Arby’s breach, by contrast, was caused by malware placed on systems inside corporate stores rather than franchise locations.

It’s unclear at this point which Sonic stores were affected, but the a 2016 report to stockholders said that 3,212 of the company’s 3,557 locations are franchised. The company also announced in 2014 that it was rolling out a new point-of-sale system and proprietary point-of-personalized service technology based on a Micros Oracle platform. In April 2017 it was reported that the update had made its way to 77 percent of Shoney’s locations.

Dark Web Markets, Equifax Breach Raise Authentication Concerns

The recent Equifax breach once again has the whole nation talking about cybercrime — and the widespread fraud and identity theft likely to follow in the wake of 143 million compromised consumers. Identity theft is a major concern for individuals, but as SurfWatch Labs chief security strategist Adam Meyer noted, malicious actors spring boarding off of breached information to authenticate as legitimate users is perhaps a more significant concern when it comes to organizations.

Meyer’s thoughts echo the findings of SurfWatch Labs’ recent whitepaper, which found that malicious actors tend to be focused on authentication when it comes to fraud on dark web markets and cybercriminal forums.

Downloaded the full whitepaper, “Fraud and the Dark Web”

The most observed type of dark web fraud in 2017 is account fraud, which has accounted for more than a quarter (25.2%) of all the fraud-related activity observed on the dark web this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:

  • online accounts for banking and financial services;
  • online store accounts, as both buyers and sellers;
  • accounts tied to monthly subscriptions or other recurring services;
  • accounts related to the growing number of digital cryptocurrencies;
  • and more.

By comparison, credit card fraud, which is what many consumers may associate with the dark web, has only accounted for 16.7% of the activity so far this year.

The focus on this more indirect fraud — the buying, selling, and trading of access to accounts connected to payment information or services — is driven by both the huge growth in the number of online accounts and the weak authentication that so often accompanies those accounts.

The Equifax breach has simply exacerbated those authentication concerns to the point where outlets like Wired and The Verge are writing that we may need a “fundamental reassessment in how, and why, we identify ourselves” and that it may be “time to burn it all down and start over.” SurfWatch Labs analysts, along with many other researchers, have been warning for years that the pool of forever-compromised information is continuing to grow deeper and cause more issues for business unprepared to deal with that reality.

What can organizations do to protect themselves? Unfortunately, that is not a one-size-fits-all answer.

“Collectively, organizations lose billions of dollars to fraud-related cybercrime every year,” the whitepaper noted. “Individually, how each organization should address the problem of fraud can vary greatly depending their unique risk footprints.”

However, there are some general best practices that all businesses should keep in mind when it comes to combating fraud, such as:

  • Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.
  • Discourage the the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors. NIST recommends advising users against passwords that have been previously breached, and in August 2017 security researcher Troy Hunt provided a list of 320 million compromised passwords that organizations can implement to encourage the use of more secure passwords as they see fit.
  • Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.
  • Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.

In addition to our whitepaper on Fraud and the Dark Web, SurfWatch Labs will also be hosting a webinar on Wednesday, September 20 from 1-2 PM ET.

Cyber Fraud: How it Happens and What You Can Do
Capture.PNG

The webinar will feature a discussion around cyber fraud, including an in-depth examination of the “Anatomy of Fraud,” what intel can be gathered from Dark Web markets and forums, and recommended courses of action to proactively mitigate the risk of fraud as well as how to effectively respond if fraud occurs.

Impact of Massive Equifax Breach Will Likely Ripple Into the Future

On Thursday, the consumer credit reporting agency Equifax announced a massive data breach affecting 143 million U.S. consumers, and today several actors on the dark web and Twitter are claiming to have the data for sale.

Equifax said the breach was caused by a website application vulnerability that provided malicious actors access to sensitive data from mid-May through when the intrusion was detected on July 29. That data includes the theft of consumers’ Social Security numbers, dates of birth and addresses, as well as the credit card numbers of 209,000 consumers, dispute documents with personal identifying information for another 182,000 consumers, and an unreported number of driver’s license numbers. In addition, the company said that “limited personal information for certain UK and Canadian residents” was also compromised.

Breach Causes Authentication Concerns

In addition to being one of the largest breaches of recent memory, the type of information that was stolen is a treasure trove for cybercriminals looking to carry out fraudulent activities in the future. As SurfWatch Labs chief security strategist Adam Meyer noted, the type of information that Equifax holds is often used for authentication purposes as well.

“You will see plenty of commentary regarding tax and various banking fraud scenarios, but there is one area that concerns me more, and that is the credit-based identity space,” Meyer said, referring to the types of questions that are pulled from consumers’ credit reports for knowledged-based authentication. “While full credit report information has not been disclosed as being compromised, it is possible that what has been compromised can still help with that authentication process. When you call a help desk for a transaction, what do they use to authenticate you? Name, address, Social Security numbers — all the same information that was just breached on a massive scale.”

Meyer also noted that if malicious actors could leverage this information to get even more data and answer more knowledge-based authentication questions, it could be a problem for organizations.

“Aside from the obvious impacts of PII being leveraged as it has in the past, I am worried that this particular breach has an impact to a utilized authentication stack that many organizations and federal agencies use to combat their own forms of fraud that are all integrated,” Meyer said. “These are services that support employment verification, social services verification, identity proofing as they call it. The strength in this authentication is the fact that only the user should know this information when challenged; however, with this breach approximately 60 percent of the working age U.S. population’s PII could be out there and available to use [by malicious actors] to potentially authenticate [as those users].”

Actors Claim to Have Equifax Data

SurfWatch Labs’ team of analysts has observed several actors claiming to be in possession of the breached Equifax data, although we do not have much confidence in their legitimacy at this point.

One website on the dark web is threatening to publish all of the stolen data except credit card information if they don’t receive 600 bitcoins (approximately $2.6 million) in ransom by September 15.

2017-09-08_Equifax.png
A likely scam website on the dark web alleging to have the Equifax database and demanding a ransom from Equifax.

“Equifax executives sold 3 million dollars in shares taking advantage of their insider information after the attack,” the actors behind the site wrote in justifying their exorbitant ransom demand.

However, Bloomberg reported that the shares sold by three senior executives several days following the breach totalled $1.8 million and that the executives said they were not aware of the breach at the time of the sale.

In addition, researchers have also discovered other users claiming to have data for sale, such as this Twitter user. However, we again caution that this sale is likely not legitimate.

2017-09-08_Equifax2
A Twitter user claiming to have the Equifax data for sale.

Scams on the Horizon

Those claiming to have the data so far may well be scams, but that should come as no surprise. As we noted last week about Hurricane Harvey scams, malicious actors will attempt to exploit any event or news story that grabs the attention of a large group of people. With 143 million people affected by the incident, scammers who gain access to the breached data will have an enormous group of engaged victims that they can exploit through emails, phone calls and other social engineering means in the coming days, weeks and months. In fact, those scammers may already have enough data to open fraudulent accounts, lines of credit, or carry out other forms of identity theft.

In addition, the data could be used to add legitimacy to a number of other scams.

For example, one could easily imagine a simple scam where malicious actors impersonate Equifax representatives enrolling victims in identity theft services and gain credibility by providing actual Social Security numbers and driver’s license numbers to “confirm” victims’ identities — before using that gained trust to pivot to other scam opportunities.

Leaked Data Could Lead to Additional Incidents

It’s also worth stressing, yet again, that there is no right to be forgotten in the cybercriminal world. As we noted in our 2016 Cyber Trends Report, once your data is exposed, it will likely forever remain in the cybercriminal domain. With this new Equifax breach, the pool of compromised information that can be leveraged by malicious actors grows deeper and the ripple effect of that breach will likely widen to impact more organizations in the future.

In addition, as Meyer noted, Equifax offers authentication services that include knowledge-based authentication, and the leaked Social Security numbers, driver’s license numbers and other sensitive information could be used a stepping stone in further breaches, he warned.

“My worry is that with this information a malicious actor could authenticate to a service like this using the already disclosed information [from the Equifax breach] and with just some public information sleuthing and maybe a good guess or two could answer the credit report follow up questions and likely pass go more often than not, especially when there is 145 million records available,” Meyer said.

Equifax has provided a website with more information about the breach, as well the ability to check to see if you are affected and to receive a future date to enroll in an identity protection service. It’s worth noting that Equifax is requiring consumers enter both their last name and the last six digits of their Social Security number to enroll, rather than the typical last four digits — reinforcing the idea that as more data gets leaked, proper authentication becomes more difficult.

As Meyer said, “With this I get the constant sense of déjà vu, maybe it is breach fatigue, or maybe it’s the fact that we all should never have to pay for credit monitoring again in our lifetime because our PII has been breached so many times.”