Data breaches have been a common theme for headlines so far in 2014, with numerous big-name companies, including Target, Tesco and most recently crowdfunding site Kickstarter, falling victim to data thieves.
These attacks already put numerous customers at risk of financial loss. But, as numerous security experts have noted, they can be doubly dangerous because the stolen data can be used as a platform to launch even more sophisticated follow-up attacks.
This was proved earlier in February when hackers successfully compromised 2,239 Tesco customer accounts, using details stolen during other data breaches to guess the email and password combinations of their logins for the site.
Veracode solutions architect Paul Farrington said: "It is not necessarily the size of the [Tesco] breach that is concerning here, but the worrying part of this story is that the attackers were able to use previous information disclosures of user credentials to create the list of Tesco victims to attack – and it's likely that the hackers will use the same method to attack again."
With the recent Kickstarter hack, this trend looks set to continue. Kickstarter confirmed falling victim to hackers over the weekend. The raid saw the hackers make off with key Kickstarter user information, including usernames, email addresses, mailing addresses, phone numbers and encrypted passwords.
Trend Micro's vice president of security research Rik Ferguson told V3 the attack on Kickstarter is undoubtedly the first step in a wider cyber campaign.
"Any data haul of this type is ripe for further exploitation outside of the confines of where it was stolen from," he said. "Probably the greatest risk to Kickstarter users right now is a targeted attack campaign that leverages the data stolen to make very credible-looking email-borne attacks, inducing the victim to click a link and get compromised, have their credentials phished. Or scam investment campaigns are [also] on the cards for the next few months at least."
F-Secure security advisor Sean Sullivan mirrored Ferguson's argument, saying that even if encrypted, the data could be used to create advanced phishing campaigns.
"The passwords were encrypted. But people should be wary of phishing attacks using the usernames, email addresses, mailing addresses and phone numbers. Also of spear phishing that attempts to link to malware hosting exploit servers," he said.
Ferguson said layered attacks such as these are the result of a wider shift within the threat landscape. "Certainly we are seeing more focus from online criminals on online aggregations of data, this is a trend that has been on the ascendant for at least the past three years, but has really gained traction now," he said.
"Obviously personal data, such as names addresses and email, has its own value, but when the online data aggregations also represent an easy way to monetise, such as credit card details or the Tesco vouchers from last week, then the attraction becomes even more obvious."
Sullivan said the trend is largely due to the attack campaigns' high success rate and an ongoing lack of awareness about cyber best practices in businesses. He highlighted the recent Kickstarter hack as proof of his claim.
"They [Kickstarter] must have been pwned [hacked] by malware via a watering hole attack and/or phishing. Between the watering hole breaches last year and the recent Syrian Electronic Army phishing campaigns – this should not be tripping up sites such as Kickstarter. Every such site should know by now – they are all targets," he said.
Educating businesses has been an ongoing goal of the UK government's Cyber Security Strategy. The strategy launched in 2011 when the government pledged to invest £650m to help improve the nation's cyber defences.
The strategy has seen numerous education campaigns and services launch. The UK Home Office launched a new Cyber Streetwise campaign in January, to help educate small to medium-sized businesses about cyber best practice.