What data breaches teach us about the future of malware: Your own data could dupe you

When eBay suffered a massive data breach a few weeks ago, most of the attention revolved around the compromise of passwords and the vulnerabilities in the site's security. While those are legitimate concerns, they obscure the most glaringly weak link in the security chain: people.

Indeed, it was not a sophisticated exploit that facilitated the eBay breach, but an old-fashioned con. It's been determined that as many as 100 eBay employees were likely victims of a social engineering scheme: an attack where the perpetrators arm themselves with enough information to pass themselves off as a known and trusted individual or organization and convince the victim to reveal valuable personal information; in the case of the eBay employees, their logins.

That's actually not surprising. When I recently asked a number of security experts to weigh in on innovative new attacks we should look out for, I was told the most concerning trend couldn't be remedied by patching and updating applications or thwarted by your security software.

"The lowest hanging fruit is still humans," said Ken Westin, a security researcher for Tripwire. "As long as attacks against humans still work consistently, attackers will use them on their own, or as part of sophisticated, integrated campaigns."

Increasingly, those campaigns are tightly targeted to individuals and use carefully mined personal data to gain their trust. A person is likely to dismiss a typical phishing attack message that starts Dear Customer and contains only general information. But if a criminal can tailor a message that addresses the recipient by name; includes their personal details such as home address, phone number, or birth date; and looks like it comes from a company they do business with, the odds are much higher that even a cautious person will respond or take action.

The more pertinent personal information attackers can obtain, the easier it is for them to craft realistic-looking spearphishing scams. This is what makes companies like Target and eBay so appealing to hackers: their customer databases are a treasure trove of data about millions upon millions of consumers.

"Look, for example, at the eBay breach," says Dwayne Melancon, CTO of Tripwire. "Millions of users' personal information was disclosed, far more than just email addresses and user names. Those who possess the eBay data are now armed with dates of birth, locations, and even phone numbers, from which they can craft some of the most convincing phishing sites we've ever seen. By mentioning details from your local area, adding details that would appeal to you based on your age, and so forth, cybercriminals can greatly increase the odds you will respond to a phishing email."

The customer databases of popular companies like Target are a goldmine for hackers who want to craft social engineering schemes.

This doesn't mean you should abandon conventional security measures. You should absolutely have a firewall in place and antimalware tools that are kept up to date. Those things are table stakes that are required just to maintain the status quo for computer security. But they're not enough. You also have to exercise some degree of skepticism about emails, text messages, or other communications you receive.

Users have been conditioned for years not to open file attachments or click on links in email messages from unknown or suspicious sources. The way attacks are evolving, though, you now need to approach everything with similar caution. Attackers go wherever there are potential victims. As social networks and mobile devices have spiked in usage, cybercriminals have targeted users there as well, and many users who know better have been caught off-guard.

The second, and more important, issue is that it's no longer just about communications from unknown sources. The sheer volume of sensitive, personal information that has been compromised means that attackers know a lot about you, where you live, and which companies you do business with. It means that attackers who just used to cast a wide net and hope to find a gullible victim can now target victims with much greater precision using accurate and relevant information.

Your security software can't help you here; only awareness and common sense can block these types of attacks.

"Users must be ever vigilant, otherwise they will become victims," Melancon said. "Unfortunately, vigilance doesn't come naturally to most users."

Stories by Tony Bradley