Spotlight on RH-ISAC Member: SpyCloud: How the Grinch Stole Your Customer’s Account

It’s mid-November, and the hectic holiday season is top of mind for many organizations. There are only a few more days before the threat level increases. As early deal-hunters start to strategize ahead of Black Friday and Cyber Monday, so too are cyber criminals, who plan to exploit the fact that security teams will be taking time off. With fraud levels already at an all-time high in the sectors traditionally hit hardest by holiday fraudsters (such as retail, and media and entertainment), it’s never too early to prepare.

‘Tis the season to be vigilant

The increased risk of account takeover and other types of fraud during the holidays is no big surprise. According to electronic payments solution provider ACI Worldwide, twice as many fraud attempts were observed between Thanksgiving Day and December 31, 2016 as during the same dates in 2015. In its January 2017 report, ACI noted that fraud attempts were most concentrated on Christmas Eve and on shipment cut-off days. This may suggest that criminals are indeed going after last-minute shoppers making purchases as the season winds down.

Further, as the holidays approach, your organization is laser-focused on revenue. Many organizations enter a lockdown period (a change freeze) during which no changes to infrastructure are allowed, to minimize the impact on payment processing systems. While this ensures stability for incoming revenue, it can spell trouble during a security incident by limiting the ability to react quickly. That’s why it pays to have account takeover (ATO) prevention in place before the window for implementing new security features closes.

How does the Grinch do it?

The sequence of events that follows a breach has become fairly predictable, and it leads to secondary ATO compromises on a variety of unrelated sites:

1. A breach occurs, or a site is compromised in some other manner.

2. The threat actor acquires the leaked credentials directly from the breach, or buys pre-assembled lists of username/password pairs (combo lists) on an underground market. Some underground sites even advertise the expected success rate of their combo lists.

3. The criminal loads the combo list into an automated credential stuffing tool and, with the help of a botnet, tests the stolen credentials against many other sites at once (for instance banking, gift card, or online marketplace sites). One credential stuffing tool that has gained popularity for its ease of use is Sentry MBA.

4. Upon a successful login, the attacker can commit account fraud, send spam, and steal PII.

How are attackers getting this information so easily? Attackers typically see success rates of up to roughly 2% when trying leaked credentials against other accounts belonging to the same user, for one simple reason: password reuse.

It’s actually surprising that the success rate isn’t higher. A recent password-use study of roughly 1 billion leaked user accounts concluded that 20% of users reused passwords and 27% used a password nearly identical to one of their other account passwords. Because password reuse is so rampant across all industries, threat actors can usually expect a decent return on their investment when purchasing fresh credential dumps on the black market.
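The stuffing run described in the steps above leaves a recognisable trace in a site's own login logs: one source trying a different username on nearly every attempt, with a success rate in the low single digits. The following Python is an added example written for this page (it is not SpyCloud's or RH-ISAC's code, and it does not reproduce Sentry MBA). The log format, the thresholds and the sample lines are constructed for illustration; it flags sources whose behaviour matches that pattern and lists the accounts that did log in successfully from them, which are the ones a security team would want to reset.

```python
"""Detect credential-stuffing patterns in web-app login logs.

Added example, not SpyCloud's code. The log line format, the thresholds
and the sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed log format: "<ISO-8601 UTC> ip=<src> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one log line; return None for lines that are not login records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return LoginEvent(ts, m["ip"], m["user"], m["result"] == "OK")


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def suspicious_sources(events, window=timedelta(minutes=10), min_attempts=20,
                       min_users=10, max_success_rate=0.05):
    """Return {ip: summary} for sources that, within any `window`, made many
    attempts spread over many distinct usernames with a low success rate.
    A normal user retrying a forgotten password hits one username and
    usually ends in a success, so it never meets all three conditions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:  # slide the window
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            successes = sum(e.ok for e in chunk)
            if (len(chunk) >= min_attempts and len(users) >= min_users
                    and successes / len(chunk) <= max_success_rate):
                summary = {"attempts": len(chunk), "distinct_users": len(users),
                           "successes": successes}
                if best is None or summary["attempts"] > best["attempts"]:
                    best = summary  # keep the largest qualifying window
        if best:
            flagged[ip] = best
    return flagged


def hijacked_accounts(events, flagged):
    """Accounts that logged in successfully from a flagged source: the
    credentials the attacker found valid, i.e. candidates for a forced reset."""
    return sorted({e.user for e in events if e.ip in flagged and e.ok})


def analyze(lines):
    events = parse_log(lines)
    flagged = suspicious_sources(events)
    return flagged, hijacked_accounts(events, flagged)


# Constructed sample: a legitimate user mistyping twice, one non-login line,
# then a stuffing run trying a fresh username every two seconds with one hit.
SAMPLE_LOG = [
    "2017-11-24T03:00:00Z ip=198.51.100.4 user=alice result=FAIL",
    "2017-11-24T03:00:09Z ip=198.51.100.4 user=alice result=FAIL",
    "2017-11-24T03:00:20Z ip=198.51.100.4 user=alice result=OK",
    "2017-11-24T03:00:21Z not a login record",
] + [
    f"2017-11-24T03:01:{2 * i:02d}Z ip=203.0.113.7 user=victim{i:02d} "
    f"result={'OK' if i == 17 else 'FAIL'}"
    for i in range(30)
]

if __name__ == "__main__":
    flagged, hijacked = analyze(SAMPLE_LOG)
    for ip, s in flagged.items():
        print(f"{ip}: {s['attempts']} attempts over {s['distinct_users']} "
              f"usernames, {s['successes']} successes")
    print("force reset:", hijacked)
```

The per-IP view is the simplest signal and the one botnet-driven tools defeat first by spreading attempts across many proxies; in practice the same three measures (attempt volume, distinct usernames, success rate) should also be computed site-wide per window and compared against a baseline, so that a distributed run still shows up as an unusual spike in failed logins across unrelated accounts.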

How can SpyCloud help?

At SpyCloud, we aim to empower our customers through actionable and proactive solutions: automating ATO prevention and letting them know their exposure so that they can remediate potential problems before they occur. Our researchers have deep expertise in the tactics used by threat actors. We routinely see credentials, along with a victim’s PII, for sale on dark net markets and within private communities. This information translates directly into identity theft, because the use of these compromised credentials can be automated to scale attacks to massive levels.

Our team of researchers discovers and recovers stolen credentials and other assets primarily through human intelligence collection and analysis. Each month, we acquire hundreds of millions of records from the dark corners of the internet; these records affect individuals and organizations globally. We validate and ingest them into a central database, then analyze them and match the assets that correspond to items on our customers’ watchlists. When we find a match, we force a password reset and notify our customers immediately so that they can mitigate damage proactively.
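On the receiving end, a match against a watchlist only tells you that an employee's or customer's email appeared in a leak; whether the leaked password is the one they currently use on your site is something only you can check, against your own password store. The Python below is an added example for this page, not SpyCloud's code or an account of how its matching works. It assumes a combo list in the common `email:password` form, a watchlist expressed as a set of domains, and a user store of PBKDF2 hashes (all constructed here); it verifies each leaked password, and cheap "nearly identical" mutations of it, against the stored hash and queues exact and near matches for a forced reset.

```python
"""Match leaked combo-list credentials against an organisation's own users.

Added example, not SpyCloud's code. The combo-list format, the watchlist,
the hashing parameters and every record below are constructed.
"""
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # illustrative; tune for your hardware in production


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as 'salthex$dkhex'."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def verify_password(password, stored):
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def parse_combo_line(line):
    """Combo lists usually look like 'email:password' or 'email;password'.
    Returns (email, password) or None for lines that do not parse."""
    m = re.match(r"^([^:;\s]+@[^:;\s]+)[:;](.+)$", line.strip())
    if not m:
        return None
    return m.group(1).lower(), m.group(2)


def variants(password):
    """Mutations users commonly apply when 'changing' a password: bump the
    trailing number, drop it, capitalise, add or strip a trailing '!'."""
    out = {password, password.capitalize(), password + "!", password.rstrip("!")}
    m = re.match(r"^(.*?)(\d+)$", password)
    if m:
        base, num = m.groups()
        out.add(f"{base}{int(num) + 1:0{len(num)}d}")
        out.add(base)
    return out


def match_leak(combo_lines, watch_domains, user_store):
    """For each leaked record whose email domain is on the watchlist, report
    'exact' (leaked password is the current one), 'variant' (a near-identical
    mutation is), 'no_match', or 'unknown_user' (no account on our side)."""
    results = {}
    for line in combo_lines:
        rec = parse_combo_line(line)
        if rec is None:
            continue
        email, leaked = rec
        if email.split("@", 1)[1] not in watch_domains:
            continue
        stored = user_store.get(email)
        if stored is None:
            results[email] = "unknown_user"
        elif verify_password(leaked, stored):
            results[email] = "exact"
        elif any(verify_password(v, stored) for v in variants(leaked) if v != leaked):
            results[email] = "variant"
        else:
            results[email] = "no_match"
    return results


def reset_queue(results):
    """Accounts to force-reset and notify: exact and near-identical matches."""
    return sorted(e for e, v in results.items() if v in ("exact", "variant"))


# Constructed sample data.
WATCH_DOMAINS = {"example.com"}
USER_STORE = {
    "alice@example.com": hash_password("Winter2017"),
    "bob@example.com": hash_password("correct horse"),
    "dave@example.com": hash_password("Summer16!"),
}
COMBO_LINES = [
    "alice@example.com:Winter2016",   # near-identical: she bumped the year
    "bob@example.com:hunter2",        # unrelated password, no match
    "dave@example.com;Summer16!",     # exact reuse
    "carol@example.com:qwerty",       # watched domain, but no account here
    "eve@other.org:password1",        # domain not on the watchlist, ignored
    "garbage line",
]

if __name__ == "__main__":
    results = match_leak(COMBO_LINES, WATCH_DOMAINS, USER_STORE)
    for email, verdict in results.items():
        print(f"{email}: {verdict}")
    print("force reset:", reset_queue(results))
```

Because the check needs the leaked plaintext, it belongs on the side that holds the password hashes; if the leak itself only contains hashes, the most that can be done without cracking is to confirm the account appeared and ask the user to rotate. The `variants` function is deliberately small; real near-duplicate detection uses a much larger mangling rule set.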

