
Cloud
10/29/2014 05:30 PM

Keep Calm & Verify: How To Spot A Fake Online Data Dump

Determining whether a data dump on Pastebin or elsewhere online is legit can be time-consuming and resource-intensive. Deloitte & Touche offers tips for how to weed out the fake hacks.

You've seen the online claims and headlines: hackers boasting on Twitter or another online forum that they've hacked a major company's database or website and have leaked the stolen user credentials or credit-card numbers for all to see on Pastebin or another site.

But just because a data dump is posted online doesn't mean it's legitimate. The victimized organization and threat intelligence experts have to investigate the leaks, a process that can be time-consuming, resource-intensive, and even hurt other security projects or monitoring. Worst-case, investigating a phony data dump could detract from an enterprise's efforts to detect or mitigate a real data breach.

Allison Nixon, a threat researcher with Deloitte & Touche LLP, has investigated the phony data breach dump scenario many times. "It's pretty common that data dumps that come to me were actually fake," says Nixon, who has authored a new report with recommended techniques for vetting the authenticity of a data dump. "I would say it's a waste of everyone's time" to have to investigate phony ones, which can take days to verify. Not only that, but a company's reputation can easily be damaged by a phony data dump that wasn't tied to a real breach, she says.

Online data dumps traditionally are the handiwork of hacktivists or others looking for notoriety, but they also can be a tool for duping other bad guys or even just to taint the purported victim organization's reputation. So who's behind the fake data dumps? "I wouldn't consider these really dangerous people," Nixon says, because if they had the skills to perpetrate a real breach, they'd have done so instead.

There are several possible motivations for posting phony stolen data such as fake usernames, passwords, or credit-card numbers. One MO is using phony data as a marketing tool for the cyber underground. "The notion of dumping fake data is nothing new. Those kind of dumps are usually used as a 'proof' to sell a bigger dump in underground forums," so they defraud fellow bad guys, says Aviv Raff, CTO at Seculert.

"There is no honor amongst criminals," Raff notes. "So, the same way they cheat the good guys, they also try to cheat the other bad guys. Needless to say, most of the criminals are not that stupid, and this is why we don't see those fake dumps so often."

While the notion of fake data being posted online may seem benign to the purported victim, even these made-up data dumps can be dangerous to a company's reputation. And in today's lucrative cybercrime world, the most worrisome scenario would be a phony data dump used as a distraction or smokescreen for waging a real attack on the victim, akin to how some distributed denial-of-service (DDoS) attacks are used to divert attention from an actual attack on the victim's internal network.

"It actually goes deeper" in some situations, as state actors or competitors can use bad news or rumors to influence capital markets, says Robert Capps, senior director of customer success at RedSeal Networks and the former head of security and anti-fraud at StubHub.

"What if it's a cover? What if it's an attempt to draw attention to a fake breach and then someone is actually breaching" the victim in the background, he says. "You may miss some sort of hit on a workstation that suddenly has malware on it. A lot of these teams are massively understaffed, so they are not in a position to even respond" without some outside help, he says.

Even the insinuation that a firm was hacked, as in the recent case of StubHub users whose stolen credentials were used for ticket fraud, can stick. "Some called it a breach at StubHub even though it wasn't," Capps says.

Deloitte's Nixon has come up with a streamlined way to vet data dumps to save time and resources. Among her suggestions:

Check for recycled booty: This is a way to determine if the data is just older stolen information being presented as new booty. "Seek out unique-looking artifacts such as passwords, different names, text snippets from the rant in the preamble, etc., and simply perform a search for them," Nixon writes.

Check email uniqueness: Two user accounts typically can't share the same email address, so check for what Nixon calls "email uniqueness." That entails checking whether an email from the dump exists in the "victim" website's database. "If the company does enforce email uniqueness, the veracity of the leak can be tested by changing an account's email to randomly selected emails in the leak. Almost all emails should be traceable to the company's site; untraceable emails indicate that the leak is very likely fake."

Confirm that the username exists: "If account creation is allowed on the site, attempting to create accounts with usernames from the dump should result in error messages if duplicates are not allowed. This technique works using the same fundamental concept as the 'email uniqueness' section above: If unique identifiers are shown in the leaked dump, attempt to duplicate them on the live site." If the website allows you to view another user's profile, you can verify its validity as well, she says.

Check for adherence to password policy: Compare the quality of the leaked passwords against the site's password policy. "It would be suspicious if the policy is generally enforced but a large number of leaked credentials are not in adherence to the site's password policy. Conversely, if no password policy exists, and no users have absurdly simple passwords like '123456,' the leak should be treated with suspicion."

Analyze the password origin: Stolen, complex passwords that the attacker says came out of a cracked hash list "are suspect," the report says.

Check credit card formats: Check the format of the credit card accounts that were dumped, the report says. You can also spot phony accounts by checking the issuing banks: "For example, a breach in America yielding credit cards mostly issued by banks in the Netherlands would raise some questions."

Contact the victims: You can also try to track down the people listed in the dump to determine whether they exist and whether their information is actually compromised, according to the report.

Take the "smell test": Ask whether the claim makes economic sense. "For example, a claim by a hacking group that it plans to release a vast credit card dump should be met with suspicion. Credit card dumps retain high dollar values on fraud markets and releasing a list for free would not be rational."

An "FBI breach" dump on Pastebin, for example, that includes "passwords123" as an FBI user password would obviously raise suspicion, according to the report.
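The offline parts of Nixon's checklist (recycled artifacts, email uniqueness, password-policy adherence, trivial passwords, and credit-card number format) can be scripted so that a dump is triaged before anyone spends days on it. The following is an added example, not code from the report or from Deloitte; the dump, the list of prior-leak artifacts, and the password policy are all constructed for illustration, and the issuing-bank check is omitted because it needs a BIN database.

```python
import re
from collections import Counter

# Constructed sample dump in username:email:password:card format (not real data;
# the card numbers are the standard payment-gateway test numbers, two of them altered).
SAMPLE_DUMP = """\
alice:alice@example.com:Tr0ub4dor&3:4111111111111111
bob:bob@example.com:123456:4242424242424242
carol:carol@example.com:P@ssw0rd2014:4111111111111112
dave:alice@example.com:Summer!2014:5555555555554444
eve:eve@example.com:password:1234567890123456
"""

# Constructed "unique-looking artifacts" from an older, unrelated leak; a hit means recycled booty.
KNOWN_OLD_ARTIFACTS = {"Tr0ub4dor&3", "P@ssw0rd2014"}

# Assumed password policy of the purported victim site: at least 8 characters and one digit.
POLICY = re.compile(r"^(?=.*\d).{8,}$")
TRIVIAL = {"123456", "password", "passwords123", "qwerty"}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: genuine card numbers pass it; made-up digit strings mostly fail."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_dump(text: str) -> list:
    """Split each well-formed line into a record; malformed lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 4:
            rows.append(dict(zip(("user", "email", "password", "card"), parts)))
    return rows


def vet_dump(text: str) -> dict:
    """Count the indicators the checklist asks about; high counts argue for a fake or recycled dump."""
    rows = parse_dump(text)
    emails = Counter(r["email"] for r in rows)
    return {
        "records": len(rows),
        "recycled_artifacts": sum(r["password"] in KNOWN_OLD_ARTIFACTS for r in rows),
        "duplicate_emails": sum(c - 1 for c in emails.values() if c > 1),
        "policy_violations": sum(not POLICY.match(r["password"]) for r in rows),
        "trivial_passwords": sum(r["password"].lower() in TRIVIAL for r in rows),
        "luhn_failures": sum(not luhn_ok(r["card"]) for r in rows),
    }
```

Interpreting the counts is still a judgment call: duplicate emails only matter if the site enforces uniqueness, and policy violations only matter if the policy is actually enforced.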

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments

Kelly Jackson Higgins, User Rank: Strategist, 11/1/2014 | 7:41:36 PM
Re: Most likely Scenario
Yes--definitely some even more nefarious scenarios here.

Robert McDougal, User Rank: Ninja, 10/31/2014 | 5:14:09 PM
Most likely Scenario
"It actually goes deeper, in some situations, as state actors or competitors can use bad news or rumors to influence capital markets"

When I read this headline, these were my exact thoughts on what a fake dump could be used for. Imagine a situation where someone has a large number of stocks invested in company A. Company B is a direct competitor of company A. By releasing a massive fake dump of Company B's records you could hope to artificially increase the stock price of company A.

Kelly Jackson Higgins, User Rank: Strategist, 10/31/2014 | 9:37:58 AM
Re: Seems like this is reprinted on several sites
We all must have been briefed on it by Deloitte and wrote pieces on it. :-)

I misunderstood your initial comment--I thought you meant our actual article had been posted on other sites.

SgS125, User Rank: Ninja, 10/31/2014 | 9:35:37 AM
Re: Seems like this is reprinted on several sites
Sure I read this on Krebs and saw a reference there to a similar article on CSOonline.

Kelly Jackson Higgins, User Rank: Strategist, 10/30/2014 | 5:51:33 PM
Re: Seems like this is reprinted on several sites
I hope not. Can you tell me where else you're seeing this article? Thanks!

SgS125, User Rank: Ninja, 10/30/2014 | 4:04:28 PM
Seems like this is reprinted on several sites
Must be a slow news day; this same article, almost repeated in some paragraphs, is on several sites.