Introduction: On a call last week, with a local business the managing director asked me a simple question, he asked, “actually how do personal credentials get onto the dark web in the first place. We enforce strong passwords so how worried should I be”A pretty fair question I thought, and one that would make for a short blog. So here I go. In this article, I have attempted to explain how data gets onto the dark web in the first place. I cover the risks to both individuals and organisations, and finally I have put forward some suggestions highlighting how you might mitigate the risk.
To help illustrate the extent of the problem, I was reading an article recently that suggested that the number for credentials found on the dark web had increased by 430% year on year. The article went on to suggest that the average number of leaked credentials available on the dark web, for each organisation is around 17. If that is right, then that is pretty scary. This is especially worrying when you consider that those credentials can be used to access sensitive corporate and personal services.
The “how” is actually quite simple to explain. In the vast number of cases, data appears on the dark web via a data breach. You have probably read or heard about the recent breaches at Equifax and British Airways. Both organisations are highly professional and respected but even they aren’t infallible. In fact often the larger the enterprise, the greater the risk. Put another way, these organisations have an incredibly complex and extensive IT footprint, so it just becomes harder for them to secure everything all of the time.
So if these monolithic organisations can get hacked, then so can anyone. You can’t escape this fact and although you think you are storing your data in a secure place, actually it isn’t water tight, and the threat of personal data leaking onto the dark web is very real.
So clearly the main risk is that cyber criminals will use the stolen credentials to access either personal or corporate systems. This can lead to anything from credit card fraud right through to a ransomware attack. That said, in most cases the data will be used to impersonate an individual. They might use the data to apply for a bank loan, or worse they may try and trick your friends or family members into loaning you money. In the same context, a corporate email account could be used to trick your accounts department into making bogus payments.
We call this a supply chain attack and it is extremely common.
A friend of mine lost her job, because she innocently followed an instruction from her manager whilst on a train to make a payment to a supplier. The trouble was, it was a scammer pretending to be her manager. The scammer used her manager’s email account with a bank account that was in Nigeria. The scammers put her under pressure and by mistake, she fell for it, transferring over £20,000 – and she is not alone. It happens all the time. Very senior, intelligent people get scammed so be warned.
This is why many clients don’t just check for their own credentials on the dark web but they also monitor suppliers. If a supplier is compromised then this could affect you so it pays to keep an eye on leaked credentials throughout your supply chain.
I could go on, but even just a small amount of leaked data can be extremely damaging. As soon as a malicious actor gains access to an account there is no limit to what they can do. They could transfer funds, make fraudulent payments, open new accounts, apply for credit cards, communicate with board members and the list goes on.
Nothing is completely full proof but two factor authentication (2FA) or multi factor authentication (MFA) are great two methods for minimising the risk. Even with credentials the task of gaining access just becomes that much harder. The malicious hacker would have to communicate with the individual whose details they have stolen to try and lure them into providing the authentication code. The weakest link then becomes the individual which can be addressed by running a robust program of phishing assessments coupled with awareness training.
Summary: I think it is instinctively human nature to play down the threat that stolen credentials pose. After all, what can be done with an email address, right? Erm, no wrong. Cyber criminals are extremely sophisticated and intelligent and a stolen email address can become a significant threat in the wrong hands. It is also important to not just think about the individual threat. When considering the broader exposure you have to keep in mind the supply chain and the wider ramifications of leaked credentials. The assumption that strong passwords dramatically reduce risk is a myth. To really make the cyber criminal job harder you must adopt 2FA or MFA. This dramatically increases the effort required to breach the account and often the hackers will move onto easier targets. There are that many easy targets so why would they make life harder for themselves.
To sum up, I think it is clear that leaked credentials can pose a significant risk to an individual as well as an organisation. By monitoring the dark web what you are actually doing is creating an early warning system that could save you a tsunami of hassle further down the line. Key
Unlock continuous, real-time security monitoring with DarkInsight. Sign up for your free account today and start protecting your external attack surface from potential threats.
Create My Free Account