
Tesco and Kickstarter data thefts pose double trouble for web users

17 Feb 2014
Security threats - password theft

Data breaches have been a common theme for headlines so far in 2014, with numerous big-name companies, including Target, Tesco and most recently crowdfunding site Kickstarter, falling victim to data thieves.

These attacks already put large numbers of customers at risk of financial loss. But, as several security experts have noted, they can be doubly dangerous, because the stolen data can be used as a platform to launch more sophisticated follow-up attacks.

This was proved earlier in February when hackers successfully compromised 2,239 Tesco customer accounts, using details stolen during other data breaches to guess the email and password combinations of their logins for the site.
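The Tesco incident described above is a credential-reuse (credential-stuffing) attack: the attackers did not break into Tesco, they replayed email/password pairs leaked elsewhere. From the defender's side the tell-tale signature is one source trying many distinct accounts in a short time with a high failure rate, which looks nothing like a single customer mistyping their own password. The following detector is an added example, not code from the article or from Tesco or Kickstarter; the log format, IP addresses, usernames and thresholds are all constructed for illustration.

```python
"""Credential-stuffing detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample authentication log: one source (203.0.113.7) walks through
# six different accounts in seconds and succeeds on two; a second source
# (198.51.100.4) is one user retrying their own password; the last is normal.
SAMPLE_LOG = """\
2014-02-10T02:13:05Z ip=203.0.113.7 user=alice@example.com result=FAIL
2014-02-10T02:13:06Z ip=203.0.113.7 user=bob@example.com result=FAIL
2014-02-10T02:13:07Z ip=203.0.113.7 user=carol@example.com result=OK
2014-02-10T02:13:08Z ip=203.0.113.7 user=dave@example.com result=FAIL
2014-02-10T02:13:09Z ip=203.0.113.7 user=erin@example.com result=FAIL
2014-02-10T02:13:10Z ip=203.0.113.7 user=frank@example.com result=OK
2014-02-10T02:14:00Z ip=198.51.100.4 user=grace@example.com result=FAIL
2014-02-10T02:14:05Z ip=198.51.100.4 user=grace@example.com result=FAIL
2014-02-10T02:14:09Z ip=198.51.100.4 user=grace@example.com result=OK
2014-02-10T09:00:00Z ip=192.0.2.9 user=heidi@example.com result=OK
"""

# Hypothetical key=value log format assumed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=10),
                    min_users=5, min_fail_ratio=0.5):
    """Flag source IPs that attempt many distinct accounts within `window`.

    A legitimate user retrying a forgotten password produces many failures
    against a single username and is not flagged. A stuffing run spreads
    across accounts and fails on most of them, because most leaked
    credentials are stale or were never reused on this site. For each
    flagged IP the widest qualifying window is reported, together with the
    accounts that logged in successfully from it (those need a forced reset).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological order, so a sliding window is valid
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                if ip not in findings or len(chunk) > findings[ip]["attempts"]:
                    findings[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "failures": fails,
                        "compromised": sorted(u for _, u, ok in chunk if ok),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are starting points, not magic numbers: tune `min_users` and `window` against a baseline of your own traffic, and treat the `compromised` list as the action item, since a successful login during a stuffing burst means that customer reused a password leaked elsewhere. Attackers rotate source addresses, so in production the same logic is usually also keyed on user-agent, device fingerprint or /24 network rather than a single IP.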

Veracode solutions architect Paul Farrington said: "It is not necessarily the size of the [Tesco] breach that is concerning here, but the worrying part of this story is that the attackers were able to use previous information disclosures of user credentials to create the list of Tesco victims to attack – and it's likely that the hackers will use the same method to attack again."

The recent Kickstarter hack suggests this trend will continue. Kickstarter confirmed falling victim to hackers over the weekend. The raid saw the hackers make off with key bits of Kickstarter user information, including usernames, email addresses, mailing addresses, phone numbers and encrypted passwords.

Trend Micro's vice president of security research Rik Ferguson told V3 the attack on Kickstarter is undoubtedly the first step in a wider cyber campaign.

"Any data haul of this type is ripe for further exploitation outside of the confines of where it was stolen from," he said. "Probably the greatest risk to Kickstarter users right now is a targeted attack campaign that leverages the data stolen to make very credible-looking email-borne attacks, inducing the victim to click a link and get compromised, have their credentials phished. Or scam investment campaigns are [also] on the cards for the next few months at least."

F-Secure security advisor Sean Sullivan mirrored Ferguson's argument, saying that even if encrypted, the data could be used to create advanced phishing campaigns.

"The passwords were encrypted. But people should be wary of phishing attacks using the usernames, email addresses, mailing addresses and phone numbers. Also of spear phishing that attempts to link to malware hosting exploit servers," he said.

Ferguson said layered attacks such as these are the result of a wider shift within the threat landscape. "Certainly we are seeing more focus from online criminals on online aggregations of data, this is a trend that has been on the ascendant for at least the past three years, but has really gained traction now," he said.

"Obviously personal data, such as names, addresses and email, has its own value, but when the online data aggregations also represent an easy way to monetise, such as credit card details or the Tesco vouchers from last week, then the attraction becomes even more obvious."

Sullivan said the trend is largely due to the attack campaigns' high success rate and an ongoing lack of awareness about cyber best practices in businesses. He highlighted the recent Kickstarter hack as proof of his claim.

"They [Kickstarter] must have been pwned [hacked] by malware via a watering hole attack and/or phishing. Between the watering hole breaches last year and the recent Syrian Electronic Army phishing campaigns – this should not be tripping up sites such as Kickstarter. Every such site should know by now – they are all targets," he said.

Educating businesses has been an ongoing goal of the UK government's Cyber Security Strategy. The strategy launched in 2011 when the government pledged to invest £650m to help improve the nation's cyber defences.

The strategy has seen numerous education campaigns and services launch. The UK Home Office launched a new Cyber Streetwise campaign in January, to help educate small to medium-sized businesses about cyber best practice.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.

