Faux phishing scheme shows CIOs how hacks unfold

Security software maker Bitglass created a dummy online persona and proffered it on the Dark Web as a phishing scam payload to see what hackers would do with it. The robust activity on the account underscores the seriousness of cybersecurity threats.

Many CIOs have implemented software that dupes employees into clicking on links and attachments that simulate phishing scams, an increasingly common educational tool to warn workers about the dangers of suspicious email messages. Security software maker Bitglass has reversed the shenanigans by leaking faked Google Apps credentials on the Dark Web, a hacker's playground for trafficking in stolen data. Then it tracked the activity, watching the many ways in which hackers wreaked havoc with the supposedly stolen online identities.

Rich Campagna, vice president of products and marketing at Bitglass

The results, including more than 1,400 visits to the credentials and a corresponding bank website, were startling and serve as yet another wake-up call for organizations, whose employees are perennially the weakest link in enterprise security. It should also tell CIOs that enterprising criminals are easily enticed by corporate information housed in the darkest corners of the Web.

For the experiment, dubbed Project Cumulus, Bitglass forged “Dennis,” a fictitious online persona working for a fake retail bank, along with a functional bank Web portal. It created a Google Drive account loaded with emails, files with credit card information and proprietary work documents, and rounded out the Dennis persona with Facebook and LinkedIn profiles. Then it ceded Dennis’ data to sites on the Dark Web that host stolen information, and advertised it as reaped from a phishing campaign, says Rich Campagna, vice president of products and marketing at Bitglass, whose software monitors the cloud applications that corporate employees access.

Fake persona attracts flurry of hacking activity

Bitglass used its monitoring software to "watermark" or track activity on Dennis’ Google Drive files, including logins and downloads. "We could see everything these users were doing, where they're coming from and who's downloading what," Campagna says.


Within the first 24 hours, Bitglass logged five attempted bank logins and three attempted Google Drive logins. Files containing real credit-card information were downloaded from Dennis’ account within 48 hours of the initial leak. Over a 30-day period, his account was viewed hundreds of times and many hackers used the Drive credentials to access the victim’s other online accounts. Some 12 percent of hackers downloaded the Google Drive files, with several cracking the encrypted files. The hackers hailed from more than 30 countries around the world, including Russia, the U.S. and China.

Bitglass' successful trolling for unsuspecting hackers didn't yield many surprises, given how effectively it made the data available on the Dark Web. What stood out to Campagna was that 94 percent of hackers who accessed the Google Drive account uncovered the victim’s other online accounts, and used the data to log into the bank's Web portal -- a shockingly high percentage.

Hackers are getting more discreet

Campagna also found the Project Cumulus hackers proved better at covering their tracks, in sharp contrast to a similar Dark Web scam Bitglass ran last year. In that scam, which included 1,568 fake names, Social Security numbers and credit card numbers stored in an Excel spreadsheet, hackers were easy to track because few used Tor, the preferred Web browser for surfing the Dark Web anonymously. “Almost nobody covered their tracks, so we knew exactly where they were coming from, right down to their individual IP addresses,” Campagna says.


But with Cumulus, 68 percent of all logins came through Tor, masking the hackers' real IP addresses. Campagna says that Bitglass researchers noticed a large number of downloads via Tor over the past eight months. This, coupled with the high rate of Tor usage in the bank experiment, suggests hackers are becoming more security conscious, realizing that they need to mask IPs when possible to avoid getting caught, he says.

More broadly, Bitglass' new results suggest CIOs and CISOs must be vigilant about protecting corporate assets. Campagna recommends organizations exercise good cybersecurity hygiene, including strong identity management policies, such as regular password refreshes and multi-factor authentication. Data leakage prevention policies and systems that alert IT departments about anonymous behaviors are also essential. “Oftentimes these strong identity policies kind of went out the window when they moved to the cloud, but we need to return to that,” says Campagna.
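The kind of monitoring the article describes, tracking every login and download against a decoy account, measuring how many sources hide behind Tor and how many pivot from the leaked Drive credentials to the bank portal, can be reproduced in a few lines. The following is an added example, not Bitglass' code; the log lines and the Tor exit list are constructed, and the field layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed honeytoken access log for a decoy account, not Bitglass data.
# Fields: <epoch> <service> <event> <source_ip> <country>
SAMPLE_LOG = """\
1000 drive login 203.0.113.10 RU
1300 drive download 203.0.113.10 RU
2200 bank login 203.0.113.10 RU
2500 drive login 198.51.100.7 US
2600 bank login 198.51.100.7 US
3000 drive login 192.0.2.44 CN
"""

# Constructed stand-in for a Tor exit-node list (assumption: a real deployment
# would refresh this from the Tor project's published exit list).
TOR_EXITS = {"203.0.113.10", "198.51.100.7"}

LINE = re.compile(r"^(\d+) (\w+) (\w+) (\S+) ([A-Z]{2})$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, service, event, ip, cc = m.groups()
            events.append({"ts": int(ts), "service": service,
                           "event": event, "ip": ip, "cc": cc})
    return events

def analyze(events, tor_exits):
    """A decoy has no legitimate users, so every event is an alert; summarize
    who came, whether they hid behind Tor, and whether they pivoted from the
    leaked Drive credentials to the bank portal."""
    services_by_ip = defaultdict(set)
    for e in events:
        services_by_ip[e["ip"]].add(e["service"])
    logins = [e for e in events if e["event"] == "login"]
    tor_logins = sum(e["ip"] in tor_exits for e in logins)
    drive_ips = {ip for ip, s in services_by_ip.items() if "drive" in s}
    pivot_ips = {ip for ip in drive_ips if "bank" in services_by_ip[ip]}
    return {
        "alerts": len(events),
        "downloads": sum(e["event"] == "download" for e in events),
        "tor_login_pct": round(100.0 * tor_logins / len(logins), 1) if logins else 0.0,
        "pivot_pct": round(100.0 * len(pivot_ips) / len(drive_ips), 1) if drive_ips else 0.0,
        "pivot_ips": sorted(pivot_ips),
        "countries": sorted({e["cc"] for e in events}),
    }

if __name__ == "__main__":
    print(analyze(parse_log(SAMPLE_LOG), TOR_EXITS))
```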

More than 1,400 hackers flocked to Bitglass' bogus credentials of a fictitious online persona working for a fake retail bank.

A whopping 94 percent of hackers who accessed the Bitglass-created Google Drive account uncovered the victim’s other online accounts, and used the data to log into the bank's Web portal.
