IcyEagle: A Look at the Arrest of an Alleged Dark Web Vendor

Last month Aaron James Glende, 35, was arraigned in U.S. District Court in Atlanta on charges related to selling stolen bank account information on the Dark Web market AlphaBay. According to the indictment, Glende operated under the alias “IcyEagle” and began advertising his criminal services in late 2015.

Although the exact picture of how law enforcement managed track down and identify Glende remains unclear, the details released so far provide an interesting behind the scenes view of the cybercrime-related postings we often highlight on this blog.

IcyEagle_SunTrust
IcyEagle listed these high-balance SunTrust Bank accounts for sale on AlphaBay in May 2016. He sold similar items to an undercover FBI agent in March and April 2016.

SurfWatch Labs has observed IcyEagle selling information related to a variety of companies over the past 10 months, but the June 28 indictment mentions only one company by name, SunTrust Bank.

On multiple dates in March and April 2016, a Federal Bureau of Investigations (“FBI”) agent in the Northern District of Georgia, acting in an undercover capacity, accessed the AlphaBay website. While on the website, the agent purchased SunTrust account information from Icy Eagle using Bitcoin. A review of the information purchased from IcyEagle confirmed that it contained usernames, passwords, physical addresses, email addresses, telephone numbers, and bank account numbers that belonged to five different SunTrust Bank customers.

IcyEagle has listed SunTrust Bank accounts with a variety of balances this year, ranging from $250,000-$500,000 (selling for $229.99), to $100-$500 (selling for $9.99).

He also sold a 6-page guide on how to best cash out SunTrust Bank accounts, which includes sections on routing numbers, background checks, Bitcoin, and other tips.

IcyEagle_SunTrustGuide
IcyEagle sold guides on how to cash out compromised accounts, including SunTrust Bank accounts. As with many listings on Dark Web markets, guides on using those items or services are readily available.

“I bring you freshly hacked Sun Trust Bank Account Logins,” read one posting for SunTrust Bank accounts with balances between $30,000 and $150,000. “The accounts are notorious for having weak security.”

According to postings viewed by the FBI, IcyEagle sold at least 11 of these high-balance SunTrust Bank accounts and 32 of the lower-balance accounts.

Dozens of other listings not-related to SunTrust Bank were also posted by IcyEagle and likely sold this year, although those were not listed in the recent indictment. 

IcyEagle_Amazon
Amazon is one of the most popular companies tied to IcyEagle in SurfWatch Labs’ data, based on the number of listings we have observed on AlphaBay.

IcyEagle sold hacked Amazon gift balances for around one-tenth of the total balance. Other accounts for sale generally ranged from $2.99 to $14.99, depending on the type of account. These included email logins, dating website logins, customer reward program logins, logins for various financial services and more.

How was IcyEagle Caught?

An undercover officer purchased stolen bank account information from IcyEagle in March and April 2016, according to the indictment. Interestingly, Glende was also arrested by local police for selling drugs around the same time. A tip from U.S. Postal Inspectors led to police officers finding a “trove” of drugs at his Minnesota home in March.

“According to police, Postal inspectors reported finding packages connected to Glende that contained prescription pills,” wrote the Winona Post. “Officers executed a search warrant of Glende’s home on Friday, March 11, and reportedly found two U.S. Postal Service packages ready to be sent that contained the prescription narcotics Valium, Xanax, and oxycodone. Officers reportedly found a trove of other drugs at Glende’s home: nearly 600 Xanax pills, more than a dozen dextroampethamine capsules, 138 oxycodone pills, nearly 50 Valium pills, marijuana, and marijuana wax.”

The indictment states that IcyEagle began advertising his criminal services by early November 2015. SurfWatch Labs’ data matches these allegations, with our threat intelligence analysts first observing several listings by IcyEagle in October 2015. New listings continued to be posted until the end of May, shortly before his arrest. 

2016-08-10_IcyEagleActivity.png
SurfWatch Labs has been observing IcyEagle listing cybercrime-related items on AlphaBay Market since October 2015.

It’s unclear how — or even if — those two events are linked, but shortly after that drug-related arrest the FBI appears to have begun targeting IcyEagle’s postings on AlphaBay. We can speculate that after U.S. Postal Inspectors tied Glende to selling prescription drugs, the search warrant and subsequent investigation may have revealed evidence leading law enforcement to AlphaBay and IcyEagle — or vice versa. Either way, Glende is charged with performing cybercrime-related activities including five counts of bank fraud, four counts of aggravated identity theft, and one count of access device fraud.

Law enforcement officials continue to tout the arrests of alleged cybercriminals such as Glende as a sign that they will hold bad actors accountable for their actions despite the difficulties associated with such a task.

“The threat posed by cyber criminals is a persistently increasing problem for everyday citizens here in the U.S. and abroad,” said J. Britt Johnson, Special Agent in Charge, FBI Atlanta Field Office, in a press release. “This investigation and resulting arrest clearly illustrates that the FBI, however, will not cease in its effort to identify, locate, arrest and seek prosecution of these criminals regardless of how deep in the digital underground they reside.” 

IcyEagle was just a drop in the bucket when compared to the thousands of pieces of Dark Web threat intelligence SurfWatch Labs analysts have recently observed. Nevertheless, cases like this serve as an important reminder of the insight that can be gained by watching these markets — not just for law enforcement, but for the companies that bear the brunt of this malicious cybercrime activity.

Payment Transactions Face New Data Breaches and Exploits

The last few weeks have not been kind to businesses and customers concerning payment transactions and digital currency. Several point-of-sale systems and digital wallet services have come under fire for data breaches and potential financial theft — not to mention the recent theft of $68 million worth of bitcoin.

The most wide-reaching event may be the breach at software company Oracle Corp, which was reported by Brian Krebs on Monday. A Russian cybercrime group appears to be behind an attack that saw the compromise of hundreds of computers system, including a customer support portal for Oracle’s MICROS point-of-sale credit card payment systems.

This could be a potentially huge breach, as more than 330,000 cash registers around the world utilize Oracle’s MICROS point-of-sale system. In 2014, the company said that about 200,000 food and beverage outlets, 100,000 retail sites, and 30,000 hotels used the software.

It is currently unknown how many organizations were affected by the breach or how long the breach took place. The investigation is ongoing, but potential ties to the Carbanak Gang have raised the level of concern. Oracle did tell Brian Krebs that the company “detected and addressed malicious code in certain legacy MICROS systems,” and that Oracle asked customers to reset their MICROS passwords.

Digital Wallets Face Scrutiny

At last week’s Black Hat conference, a security researcher presented on a flaw in the mobile payment system Samsung Pay. Samsung Pay allows customers to save payment cards on a digital wallet, providing users the option to select the payment card of their choice with the added security of a PIN or fingerprint scan to complete a purchase.

Security expert Salvador Mendoza discovered several problems with Samsung pay, including static passwords used to protect databases, weak obfuscation, and comments in the code. Mendoza also discovered issues with the tokens that are used to complete transactions. Cybercriminals could potentially predict future tokens from studying previous tokens used to make fraudulent transactions.

“Samsung Pay has to work harder on the token’s expiration date to suspend it as quickly as possible after the app generates a new one, or the app may dispose of the tokens which were not implemented to make a purchase,” Mendoza explained. “Also, Samsung Pay needs to avoid using static passwords to ‘encrypt’ its files and databases with the same function because eventually someone will be able to reverse it.”

Samsung responded to Mendoza’s claims by saying “reports implying that Samsung Pay is flawed are simply not true.”

However, in a separate document Samsung did admit that “skimming” a token is possible, although extremely difficult.

“Samsung Pay’s multiple layers of security make it extremely difficult to make a purchase by skimming a token,” the company wrote. “This skimming attack model has been a known issue reviewed by the card networks and Samsung pay and our partners deemed this potential risk acceptable given the extremely low likelihood of a successful token relay attack.”

Samsung Pay isn’t the only digital wallet in the news for potential cybersecurity issues.  Venmo — a digital wallet service that allows users to interact with friends by sending money, making purchases, and sharing payments — made headlines recently for flaws that could potentially lead to malicious purchases.

A flaw in an optional SMS-based feature could allow a criminal to easily steal money from people’s accounts, according to researchers. Because Venmo allows users to charge friends through shared bill pay, that friend has to authorize the charge before payment is made. A hacker with physical access to a Venmo user’s phone could steal money from another user’s account by replying to a notification text message with a provided 6-digit code. A feature in Siri that allows users to reply to text messages from locked devices along with the iOS text message preview feature make this attack possible.

“A hacker could have sent a payment request to a targeted user, and if they had access to the victim’s locked device, they could have used Siri to send the approval code displayed on the screen, ” said Eduard Kovacs of SecurityWeek. “The maximum amount of money an attacker could have stolen from one user was $2,999.99 per week, which is the weekly limit set by the developer.”

Keeping Payments Safe

As we’ve highlighted on this blog and in recent threat intelligence reports, high-profile payment-related breaches aren’t at the forefront of cybercrime in the way they were several years ago. However, recent events prove that these payment systems — traditional point-of-sale systems, digital wallets and digital currencies — can lead to significant direct losses as well as brand damage and other consequences from the negative press generated by discovered vulnerabilities.

As SurfWatch Labs’ Chief Security Strategist Adam Meyer recently wrote, cybersecurity is largely about identifying and removing opportunity for malicious actors to do bad things — either directly or indirectly.  There are clear best practices that can be utilized by both businesses and customers to help protect sensitive payment data. Unfortunately, data is only as safe as the methods used to protect it.

Cybercriminals are constantly coming up with new methods and tricks to crack software and trick people into divulging their sensitive information. Cyber threat intelligence can help organizations remain mindful of the many new and evolving threats, identify their weaknesses, and deploy safeguards to protect data — whether that is payment-related data or other sensitive information.

 

Top Dark Web Markets: TheRealDeal, Paranoia and Zero-Day Exploits

In trying to demystify the Dark Web, we’ve talked about the customer-friendly features of markets, the hand-holding nature of cybercrime-as-a-service, and the secure payment options that can protect anonymous buyers.

As we turn our attention to the exploit-centric TheRealDeal Market, it gives us a chance to examine an aspect of the Dark Web that isn’t so rose-colored: the paranoia that runs deep for many buyers, sellers and market operators.

A Quick Look at TheRealDeal Market

Of the many Dark Web markets, TheRealDeal Market has perhaps the most interesting backstory. While other markets focus on things such as drugs and stolen payment card information, TheRealDeal Market launched in 2015 with a focus on code — from zero-day exploits to known vulnerabilities to source code. This led to stories in high-profile outlets such as Wired, which described TheRealDeal as “a new marketplace [that] hopes to formalize that digital arms trade.”

Shortly after making those headlines, several members were arrested, the site went offline, came back online for a short period, and then disappeared again. Finally, half a year later, it relaunched in December 2015.

TheRealDeal9
Exploits such as this alleged zero-day for ecommerce software are frequently listed on TheRealDeal Market.

The main reason for the long downtime was “paranoia,” as the site admin put it in an interview. That paranoia was grounded in real world events.

On July 13, 2015, the popular cybercrime forum Hell was shut down after its administrator, Ping, was arrested. A few days later — on July 15, 2015 — the FBI announced the dismantling of a dark web forum known as Darkode, which U.S. Attorney David J. Hickton described as “a cyber hornets’ nest of criminal hackers ” and “one of the gravest threats to the integrity of data on computers in the United States and around the world.” The coordinated law enforcement effort, known as Operation Shrouded Horizon, led to 70 Darkode members and associates across 20 countries being charged, arrested or searched.

As DeepDotWeb reported, those arrests tied up several members of TheRealDeal Market team.

“What I can say is that most of the original team is not with us at the moment,” TheRealDeal admin said in December. “Currently, at least for the time being, the market will be under the management of me (identified in support as admin S.P.), an old vendor that has stuck with us from the beginning, and a couple of trustworthy people from other darknet communities. I can also add that the main reason of the last down time was paranoia, if it turned out to be justifiable or not, I cannot say.”

That paranoia tends to run throughout all dark web markets — paranoia of law enforcement, paranoia of exit scams, paranoia of other users. As one drug vendor from the now-defunct Evolution Market said in a 2014 interview, “In this business it’s always better to be too paranoid than not paranoid enough.”

Feeding into that paranoia is the fact that the main administrator appears to have vanished recently and support has stopped replying to messages, at least according to one popular vendor.

“This [is] very strange by just leaving the market like this without any management or any notice for leaving,” the vendor told Motherboard in an online chat.

Yesterday, TheRealDeal Reddit account said the reason for the absence was an accident.

“Admin not dead, just almost,” the account wrote. “The only guy with the actual keys to the kingdom had a small accident. … More coming soon.”

What’s For Sale on TheRealDeal Market?

Since its December 2015 relaunch, TheRealDeal Market has once again been making national news. Most recently was a vendor selling a 200 million-strong database of alleged Yahoo user credentials, most likely stolen in 2012, for 3 bitcoin (around $1800). A Yahoo spokesperson said the company is aware of the listing and is investigating whether the data is legitimate.

The same vendor has recently sold massive databases of credentials from LinkedIn and MySpace.

TheRealDeal2
A posting from TheRealDeal Market claiming to contain 200 million user passwords for Yahoo.

TheRealDeal Market sparked another national story this summer when a different vendor began offering a series of healthcare databases for sale. That actor was able to use the media — along with initial price tags in the hundreds of thousands of dollars — to generate a significant amount of attention around the postings, his or her alias, and TheRealDeal Market. A half dozen databases have since been posted ranging from 23,000 records to 9.3 million records.

One of the more recent postings is from a healthcare organization in Fairview, Illinois.

TheRealDeal7.jpg
The seller claimed he or she was able to access various healthcare databases due to a zero-day vulnerability “within the RDP protocol that gave direct access to this sensitive information.”

“[The data] was retrieved from an accessible internal network using account credentials that were garnered through the token impersonation of an employee,” the listing reads. “First stage access was accomplished using RDP 0day.”

Although various stolen databases have generated most of the media attention around TheRealDeal Market, code-related items are a staple of the market — and one of the reasons it was founded.

“We actually tried selling such information and codes ourselves at some point [on established marketplaces] but it seems that all people want on those markets is credit cards and tutorials on how to make money with credit cards,” an admin said in an interview in April 2015. “The problem is that 90% of these dealers are scammers. People with a lot of experience can always do their best to determine if what they are buying is real based on technical information and demos but some of these ‘vendors’ are very clever and very sneaky. We decided it would be much better if there was a place where people can trade such pieces of information and code combined with a system that will prevent fraud and also provide high anonymity.”

The past month SurfWatch Labs has observed various alleged zero-day exploits for sale on TheRealDeal Market.

These include a listing claiming “a remote code execution that allows installation of any APK file on any Android phone that has [a certain gambling application] running.”

TheRealDeal4
The alleged zero-day exploit is selling for 12 bitcoin (around $7000).

There is also a posting claiming a local privilege escalation zero-day that will “go from user to SYSTEM in a few lines of code.”

TheRealDeal6
This alleged local privilege escalation zero-day is also selling for 12 bitcoin (around $7000).

Then there is an alleged zero-day in a popular messaging app, which can lead to denial of service.

TheRealDeal5
This denial-of-service exploit for a popular app is listed for 7.5 bitcoin (around $4,500).

In addition to zero-days and known exploits, there is also a variety of source code and other listings that can be found on the TheRealDeal Market.

For example, a recent listing claims to be selling information stolen from a large HL7 developer located in the United States.

“In addition to the source code for the HL7 Interface Engine software, the private keys for signing the code will also be included as well as the licensing database that entails a full record of all clients and their status information,” the listing reads. “There are many legitimate and nefarious uses for this exclusive package offer. You are only limited by your imagination.”

TheRealDeal1
This source code, signing keys and licensing database from a U.S. HL7 software developer comes with a hefty price tag of 40 bitcoin (around $23,000).

Another listing offers an enterprise code signing certificate.

“No timewasters please, if you don’t know why this is so expensive or what to do with it  — don’t bother,” the seller wrote.

TheRealDeal3.jpg
This enterprise code signing certificate is listed for 15 bitcoin (around $9,000).

These are just a sampling of the many recent listings on TheRealDeal Market.

Although TheRealDeal Market may not be as popular as AlphaBay or other markets that we’ve profiled over recent months — which tend to be dominated by things such as illegal drugs, hacking tutorials, payment card information and stolen credentials — TheRealDeal Market has managed to frequently make headlines for the types of information sold there, connections to other high-profile arrests, and now, the recent disappearance of the current admin.

Hacking the Presidency: Will Data Breaches Help Decide the 2016 Presidential Election?

The 2016 presidential election hasn’t been without controversy. Both candidates have blemishes on their records that have left many Americans with a bitter pill to swallow when voting comes in November, and cybersecurity has been put front and center in a way never before seen in a U.S. election. Email hacks, data breaches, cybersecurity ineptitude — they’re not just conversation topics among infosec wonks; but major campaign talking points.

Cybercrime has already infiltrated many facets of our everyday lives. Account information, payment card information, trade secrets, and more are regularly obtained and sold like merchandise on underground markets. Cyber-espionage also remains a huge threat as organizations and governments attempt to secure their precious secrets. With such a divided nation over who will become our next president, could the recent data breach of Democratic National Committee (DNC) data be a sign of what’s to come in this election?

More importantly, could this be the first presidential campaign ultimately swung by leaked information obtained in a data breach?

The information released by WikiLeaks from the DNC email breach caused an uproar from American citizens as the emails released showed a clear bias for Hillary Clinton over Bernie Sanders — a claim made by the Sanders campaign months before the DNC data breach. While none of the DNC information shows correspondence from Hillary Clinton directly, the DNC breach– along with other related cybersecurity issues — has had a big impact in Clinton’s polling numbers. However, the latest polls show Clinton above Trump by a favorable margin.

Clinton isn’t out of hot water yet. WikiLeaks founder Julian Assange told PBS’s Judy WoodRuff in a recent interview there would be more information released that will negatively affect Clinton’s campaign:

It’s a wide range of material. It covers a number of important issues. There’s a variety of natural batches and some thematic constellations that we’re working on.

It’s interesting material. We have done enough work now that we are comfortable with the material’s authenticity. And so now it’s a matter of completing the format, layout to make it easy and accessible and so that journalists can easily extract material from it, extract stories from it, and also the general public.

DNC Fallout from Breach

DNC chairwoman Debbie Wasserman Schultz announced her resignation as national party chair following the leak of the stolen DNC emails. Since the Democratic National Convention has wrapped up, more high-profile DNC officials have announced their resignation as well.

Chief Executive Amy Dacey, Chief Financial Officer Brad Marshall, and Communications Director Luis Miranda have all resigned just days after a new chair took over for Schultz. Luis Miranda was one of the key figures whose email account was breached and leaked by WikiLeaks.

The rest of the DNC members whose accounts were hacked have not resigned, including National Finance Director Jordon Kaplan, Finance Chief of Staff Scott Comer, Finance Director of Data & Strategic Initiatives Daniel Parrish, Finance Director Allen Zachary, Senior Advisor Andrew Wright, and Northern California Finance Director Robert Stowe.

Donald Trump in the Mix

During the DNC breach investigation, evidence was discovered linking Russia to the cyber-attack. Based off of this information, Trump called for Russia to conduct cyber-espionage against Hillary Clinton:

“Russia, if you’re listening, I hope you’re able to find the 30,000 emails that are missing,” Trump said referencing Clinton’s email scandal. “I think you will probably be rewarded mightily by our press.”

Trump later said he was kidding about his comment.

Not every politician found his remarks funny. Democratic Senators Chris Coons of Delaware and Sheldon Whitehouse of Rhode Island recently petitioned Senator and former Presidential candidate Ted Cruz to conduct an investigation into Trump’s support of involvement from Russia in U.S. elections. The Senators wrote the letter to Cruz because he chairs the Senate Judiciary Subcommittee on Oversight, which potentially could have jurisdiction in the matter. Cruz has not responded to the letter and his involvement in the matter is not likely.

Still, the damage has been done to Trump as the Clinton campaign is alleging him of having ties with Russian President Vladimir Putin, which makes his “joke” no laughing matter.

The data breach of the DNC, the controversy surrounding Clinton’s emails, accusations that Russia is trying to directly influence the election — this is the first time a presidential election cycle has been so heavily dominated by cybersecurity events.

The effects, at least for the candidates, have been relatively mild so far, but with WikiLeaks promising more leaks painting Hillary Clinton in a bad light, there is the potential that a close election in November could ultimately be decided based on cybersecurity.

No matter the outcome, cybersecurity has gained a national stage and everyone should take notice. Understanding cyber threats and the potential consequences of those threats is vital, whether you’re an employee, an executive, or a presidential candidate.

OurMine Hacking Group Trending, What Are They After?

As we mentioned in a previous post, hacktivism activity has been down in 2016 — with the exception of Anonymous. However, there is a new hacktivist group that has been showing up in SurfWatch Labs’ data — OurMine.

Over the last two months, OurMine has been the top trending hacktivist group.

2016-08-02_hacktivist

OurMine made multiple headlines over the past month after successfully hacking the LinkedIn and Pinterest accounts of billionaire Facebook CEO Mark Zuckerberg. The hack provided some embarrassment for Zuckerberg, as it was discovered that the password he used for both accounts was “dadada.”

The group’s latest target was the CEO of Pokemon GO, John Hanke. OurMine hacked into Hanke’s Twitter account, saying that the hack was “for Brazil.”

Here are the top trending targets associated with the OurMine hacking team over the last two months.

2016-08-02_ourminetargets

What is OurMine After?

What separates OurMine from other hacktivists is their claim for hacking. In each of the group’s attacks, they claim they are a security firm that is testing their target’s security, and have even gone as far to say they were going to offer security services to their victims. The hacking group even has a website advertising their services.

OurMine has shown an aptitude for hacking. In several of their hacks — like Mark Zuckerberg’s social media — they were able to take advantage of a weak password to compromise the account. In other attacks — such as the attack against Google’s CEO Sundar Pichai’s Quora account — they have been able to exploit website platform vulnerabilities.

The group isn’t only after high profile businessman. OurMine has also targeted Minecraft player accounts, defaced websites like TechCrunch, and completely disabled the servers of HSBC bank.

It appears that all of these attacks are used as a method to promote their services. OurMine has yet to cause significant damage with any of their attacks other than a minor nuisance. Is this group’s supposed white hat hacking attempts really an effort to promote their security services and point out security weaknesses for companies? Only time will tell.

Cyber Skills Shortage Continues To Be An Issue

It has been long documented that cybersecurity organizations are struggling to hire qualified personnel. A recent study on the cybersecurity professional gap has reaffirmed this dilemma.

Intel Security and the Center for Strategic and International Studies (CSIS) released a global report that outlined the cybersecurity talent shortage crisis. The report, Hacking the Skills Shortage, outlined how the talent shortage crisis has impacted both companies and nations. Eighty-two percent of respondents said there is a clear shortage in cybersecurity, while 71 percent of respondents said this talent shortage has been a primary contributor to the amount of cyber-attacks — because organizations who lack qualified personnel are more desirable hacking targets.

“A shortage of people with cybersecurity skills results in direct damage to companies, including the loss of proprietary data and IP,” said James A. Lewis, senior vice president and director of the Strategic Technologies Program at CSIS. “This is a global problem. A majority of respondents in all countries surveyed could link their workforce shortage to damage to their organization.”

As we noted in June, more companies need talent, so companies are going to continue to be easier targets.

The lack of qualified candidates makes using the resources your organization does have that much more important. That’s one of the many reasons SurfWatch Labs stresses the importance of threat intelligence.

The Hacking and Skill Shortage report also mentioned diversity as being a huge challenge in the cybersecurity skills gap. The report referenced a 2014 Taulbee Survey and an ISC report to address the women and minority diversity challenge:

“In North America, a dearth of women and minorities in the cybersecurity industry mirrors trends in academia, according to a survey of academic institutions that provide degrees in computer science and engineering or information security. In this study, only 2.6% of doctoral graduates of these programs in 2014 were non-Asian minorities, a decrease from 3% in 2013. Women comprise only 17 to 18% of doctoral graduates in computer science, engineering, and information security. This mirrors industry trends, as an (ISC) study of 306,000 professionals in cybersecurity revealed only 11% were women. Anecdotal evidence from our interviews suggests that while relevant technical programs are slowly adding more women, black and Hispanic students remain in short supply.”

If women and minorities are so poorly represented in the cybersecurity workforce, organizations need to recognize this issue and put a plan in action. This is the same with threat intelligence; it’s not enough to do the bare minimum and meet security requirements, you have to recognize where your organization is vulnerable and address those threats head on with practical tools and intelligence.

Podcast: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 77: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money:

The fallout from the breach at the Democratic National Committee continued as WikiLeaks published more information and Julian Assange vowed that there was more to come. UK Telecom O2 became the latest company to be victimized by batches of previously exposed credentials. Shapeways, Kimpton Hotels, and Korean online store Interpark all made headlines for data breaches. Cybercrime advisories included researcher Tavis Ormandy warning of flaws in password manager LastPass, NIST advising organizations to move beyond SMS-based two-factor authentication, a flaw in Amazon’s Silk web browser, the KeySniffer flaw affecting wireless keyboards, and news of the Chthonic banking Trojan. On the legal front a Miami judge ruled that bitcoin is not real money, Target shareholders’ derivative lawsuit was dismissed, the University of Mississippi Medical Center was hit with a $2.7 million HIPAA settlement, a breach led to a Minnesota county paying a $1 million settlement, and a former Citibank employee was sentenced to prison. Finally, one internet star asked his followers to hand over their passwords, and they did.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Supply Chains and Third Parties Continue to Cause Data Breaches

When putting together our recent Mid-Year 2016 Cyber Risk Report, the SurfWatch Labs team began by trying to answer one crucial question: with numerous cybercrime events across thousands of organizations this year, is there a central theme that emerges from all of that data?

In 2014, the data was dominated by a seemingly endless string of point-of-sale breaches. In 2015, the data highlighted a shift towards stolen personal information and more effective ways for cybercriminals to monetize that information. In 2016, the data so far showcases how cybercrime effects often spread beyond the walls of the victim organization.

“The diversity of cyber threats can seem overwhelming when viewed in isolation,” the report noted. “Collectively, they paint a picture of an increasingly connected cybercrime world. Malicious actors excel on taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. The stories so far in 2016 clearly demonstrate this approach, with numerous cyber incidents tied to previous data breaches.”

In fact, the number of cybercrime targets tied to “third-party” tags spiked the month before we published our report. As we noted in our previous blog, many of these incidents were connected to previous data breaches and the tactic of “credential stuffing” — where automated tools are used to exploit large batches of known user credentials to discover new accounts to take over.

2016-07-27_thirdparty.png
SurfWatch Labs collected data on more industry targets tied to “third-party” data breaches in June than any other month so far in 2016.

On Tuesday another company was added to the growing list of third-party victims after its customer data was discovered being sold on the dark web. This time it was UK telecommunications company O2. Once again, the incident was attributed to credential stuffing.

“We have not suffered a data breach,” O2 said in a statement. “Credential stuffing is a challenge for businesses and can result in many [companies’] customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

As the BBC noted, “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago.”

o2
Although the company wasn’t directly breached, UK Telecom O2 had customer information for sale on the dark web due to data breaches at other organizations and “credential stuffing.”

That XSplit breach occurred in November 2013 and affected 2,983,472 accounts, according to Have I Been Pwned? The breach led to names, email addresses, usernames and hashed passwords being compromised.

That batch of three-year old credentials appears to be the cause of the current breach of O2 accounts — as malicious actors leveraged that old information in order to gain even more personal information on the victims. In addition to names, email addresses and passwords, the O2 accounts for sale on the dark web include users’ phone numbers and dates of birth.

This is a similar scenario to what happened at LinkedIn, the most discussed company related to cybercrime so far this year. A 2012 data breach exposed more than 100 million user credentials. Over the past few months we’ve seen a variety of companies force password resets or otherwise report data theft due to those four-year-old credentials still being reused by customers or employees.

In short, old data breaches are leading to a surge of fresh attacks. However, credential reuse isn’t the only concrete example of the ripple effect of cybercrime, although it certainly is a major issue. This year has also seen more traditional incidents of supply chain cybercrime — where one partner or vendor is exploited to compromise another organization. In fact, SurfWatch Labs has collected data on “third-party” cybercrime impacting dozens of different industry groups so far in 2016.

2016-07-27_thirdpartygroups
While many industry groups have been impacted by “third-parties” this year, Software and IT Services and Consulting are the top trending groups in SurfWatch Labs’ data.

For example, in June we wrote about several healthcare organizations that were victimized by an actor going by the name “TheDarkOverlord,” who was attempting to sell data stolen from healthcare databases on the dark web. This week two of those healthcare organizations publicly confirmed they were victims. As databreaches.net noted, both cited third-parties as a source of the compromise in their repsective statements.

  • Midwest Orthopedics Group: “… To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients …”
  • Athens Orthopedic Clinic: “Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. …”

Various agencies and government groups are taking notice of the trend. The Federal Energy Regulatory Commission recently proposed revisions to the critical infrastructure protection (CIP) Reliability Standards, writing in a press release that “recent malware campaigns targeting supply chain vendors highlight a gap in protection under the [current] CIP.” In addition, the new guidelines from the automotive industry’s ISAC call for more transparent supply chains and increased involvement with third-party researchers. Lastly, Air Force chief information officer Lt. Gen. William Bender noted at a recent forum that the supply chain remains a concern that can span across many different companies.

“It’s not just primary vendors, it’s secondary, tertiary and even further down,” he said.

Having threat intelligence on those various partners, vendors and others who may indirectly affect an organization’s cybersecurity is more important than ever. As SurfWatch Labs’ Mid-Year Risk Report concluded, “The effects of cybercrime continue to ripple outwards – affecting those in the supply chain and beyond.” 

Cyber-Insurance, Threat Intelligence and the Wendy’s Breach: Interview with Larry Bowman

Data breaches and other cyber threats have plagued business over the past decade often resulting in a long and expensive recovery process. Luckily for businesses, cyber-insurance can help alleviate some of the financial burden of these cyber-attacks.

“If you were to Google top ten losses due to data breaches in 2015 you would start off with a low of about $46 million for the Home Depot, move into the hundreds of millions with Anthem and Target, and as you get closer to Epsilon you get into the hundred to a billion mark,” said  Larry Bowman, Director at Kane Russell Coleman and Logan PC. “The Veteran’s Administration hack was valued at about $500 million.  These totals are for notification costs, response, cleaning up the computer system, implementing changes to increase encryption and security protection in the system. But, this does not take into account the loss of business and revenue.”

We had a chance to speak with Bowman about cyber-insurance: what is it, what it covers, and how threat intelligence fits into the equation. Bowman also provides some insight on the current Wendy’s point-of-sale data breach. Our conversation follows.

To kick things off, can you explain what cyber-insurance is and what exactly it covers?

To explain cyber-insurance, it’s helpful to first start with a brief explanationLarry Bowman of traditional insurance and then explain the difference between it and cyber-insurance. Traditionally, insurance is for tangible property – such as if you own a home, business, or rent space. You insure property against the risk of loss, and that property is typically tangible property. So, you’ll see language in first-party property insurance – which is insurance industry lingo for like your homeowner’s policy – that is set up to protect you from that. The core insuring agreement – in exchange for premium money – insures the risk of loss which is usually defined in terms as direct physical loss to tangible property.

Secondly, there is a form of insurance called liability insurance. The industry acronym for it is CGL – commercial general liability insurance. And once again, if you act negligently – you being the insured – and you cause damage to some third party’s tangible property, your liability insurance will indemnify you for your legal obligation, which will then indemnify the people you hurt for the damage that you caused to their property.

Along comes hacking and cybercrime and data breaches. The people who are victimized by these third-party attacks make claims to their property insurance coverage. In most instances, whether it is a claim submitted under a traditional property or liability insurance policy , the courts look at these policies’ language  and say there is no coverage because there is no loss to direct tangible property. This doesn’t exist in the virtual world of data and data breaches. There have been some cases where damage has been done to a computer system that looks like it is physical damage. Stuxnet is a great example of how a computer program can damage tangible property. In those cases, traditional policies may cover an insured’s losses.  The bottom line is though, with the outlying cases aside, most cases say for there to be property or liability insurance coverage you have to have physical damage to tangible property, and that doesn’t exist when the insured has lost electronic data.

The losses from companies who suffer a data breach and the lack of insurance from the traditional market created  a market for cyber-insurance. What has happened over the last few years has been the development of specialty insurance products designed to insure against the losses companies face when their computer systems or data is breached or hacked. These policies operate like traditional property or liability policies. But, there is no longer a requirement to have direct physical loss to tangible property. Cyber-insurance policies cover things like the cost of notifications to people affected by a data breach, the cost of hiring security professionals and lawyers to deal with the situation, and the cost of government compliance. It may or may not cover lost revenues or profits. Of course, the scope of coverage is specific to the policy itself.

What are some of the problems with the cyber-insurance industry?

There are a couple problems the insurance industry currently faces. First, the industry only has about  a decade of experience in covering cyber losses – which isn’t a lot of time in the historical knowledge-base of the insurance industry – that makes pricing policies difficult. However, that is a problem in the process of being solved because the quantifiers are coming up with increasingly better models and formulas to allow an insurance company to set up a policy and price it accordingly. The insurance companies like certainty; they like probability. As time goes by and as data improves, this will be easier and easier to do – within reason.

The second problem is the lack of a consensus standard of care for data protection; although there are numerous proposed standards and guidelines for data protection – such as NIST’s cybersecurity framework.   What I am talking about here is that it is nice to know what the rules are. The SEC, FDIC, and FTC have all pronounced in the last couple of years that they think cybersecurity is a board of directors-level issue that requires hands-on knowledge and attention and an effective remedy at the board of high management level. When you fill in the blanks, there are conflicting messages about what a board should do to enable reasonable cyber protections.

At SurfWatch Labs, we believe that robust security features such as firewalls and antivirus software are paramount to a well-rounded cybersecurity strategy. Perhaps just as important, we believe cyber threat intelligence – knowing what threats are out there and knowing how to proceed with security – is just as important. Some of the problems you mentioned with cyber-insurance is a lack of understanding around reasonable cyber protections. Do you believe cyber threat intelligence is a logical step in solving that issue?

As part of the initial application for cyber-insurance a lot of insurance companies will require the company applying for insurance to fill out a detailed form describing what its current cybersecurity policies are. I don’t know if those forms require cyber threat intelligence, but that would be a source of beneficial information. And it may be something that insurance companies should require from insurance applicants.

Are companies utilizing cyber-insurance to protect their assets in case of a data breach?

If you were to Google the amounts spent on cyber-insurance it started out small, but it really started to get off the ground with these well-publicized data breaches. In a few years, this is going to be a multi-billion dollar market. As a matter of fact, I believe it is already up to the billion-dollar mark already, and it is expected to get to about $5 billion by 2020. As the consensus standard gets better defined, using due diligence to protect your company’s assets and customer’s assets is certainly going to be a part of liability cyber-insurance coverage.

I would love to get your take on the current events tied to the Wendy’s data breach. It seems like the number of restaurants affected by point-of-sale malware increases every week.

The loss to Wendy’s is similar to the Target loss. The bad guys have gotten control of point-of-sale information, which means they have people’s credit card information. So what is the exposure to Wendy’s? Wendy’s gets sued by multiple customers who are saying they failed to implement reasonable measures and allowed our payment card information to be obtained by these hackers.

Now, their insurance policy will define what out-of-pocket costs are covered. That’s part of the fun right now is defining what those costs are. Some of those costs are driven by state and federal laws – like notification. If you are a retail company in possession of thousands of credit cards and those cards are obtained by a third-party, you have to notify all of those people about the event.

It’s not just notification costs; it’s everything that is done to investigate the data breach. They might have to pay experts, lawyers, and pay for forensic measures to make sure a breach doesn’t happen again.  There may be costs with complying with regulatory action or government investigations.  Those are just some of the out-of-pocket costs from the breach. Who knows, maybe people won’t trust Wendy’s anymore with their credit card information and consumers may simply avoid the restaurant.

 

 

Podcast: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 76: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends:

The popular Pokemon Go was this week’s top trending cybercrime target following several incidents including DDoS attacks that disrupted service. DDoS attacks against the U.S. Congress, Philippines Government and WikiLeaks also made news. Data breach announcements include more than 130 stores being impacted by Cici’s Pizza’s point-of-sale breach, Asiana Airlines having 47,000 documents containing customer information stolen, and 2 million users being impacted by a hack at Ubuntu Forums. On the advisory front, SurfWatch Labs released its Mid-Year 2016 Cyber Trends report, Adobe Flash is back in the news, a Stagefright-like vulnerability is affecting Apple devices, and legitimate remote administration software is being used to spread banking malware. The GOP led the way on the legal side of cybercrime as the party unveiled its official platform, including cyber. Oregon Health & Science University was fined $2.7 million. The Department of Commerce will soon being accepting self-certifications for the EU-U.S. Privacy Shield. The St. Louis Cardinals hacking case wrapped up with a 46-month prison sentence. The alleged operator of Kickass Torrents was also arrested this week. Lastly, Pokemon Go is leading many people to get hurt in strange ways.

Download the Mid-Year 2016 Cyber Trends report from SurfWatch Labs: info.surfwatchlabs.com/cyber-threat-…eport-1h-2016

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.