Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

2/18/2016
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

The Secret Life Of Stolen Credentials

Bitglass Threat Research Team's Project Cumulus demonstrates what happens when Google Drive credentials are 'stolen.'

Everyone knows that stolen credentials can have disastrous effects on people's most critical accounts, but there's often no clear timeline for how exactly criminals put them to use. That changed this week with a new experiment from researchers with cloud access security broker (CASB) Bitglass, who put together a fictional digital identity and then leaked its credentials to the Dark Web to track the secret life of credentials once they're stolen.

This is the second-year running that Bitglass has done a "where's your data?" experiment. For this one, dubbed Project Cumulus, the Bitglass Threat Research Team created an online persona of an employee for a fictitious bank. This included creating a phony Google Drive account with fake bank data and files containing real credit card numbers and other data made to look like something someone would produce on the job. The drive was then tracked using Bitglass watermarks embedded in the files and its CASB technology in monitor-only mode.

From there, the team leaked the credentials for the Google Drive in a way that made it appear they were stolen during a larger phishing campaign. They found there was an immediate spike in activity when the credentials were leaked, with over 1,400 visits recorded to them and to the fictitious bank's Web portal.

From there, about 94% of the hackers who accessed the drive in question then also found the victim's other online accounts, including the faked bank Web portal. One in ten of them immediately attempted to log into Google itself with the Google Drive credentials in hand. And 12% of hackers attempted to download files containing sensitive content, with a handful cracking encrypted files after they were downloaded.

"Our second data-tracking experiment reveals the dangers of reusing passwords and shows just how quickly phished credentials can spread, exposing sensitive corporate and personal data," says Nat Kausik, CEO of Bitglass.

[Experiment tracked the Dark Web journey of a cache of phony names, SSNs, credit cards, and other personal information. Read What Happens When Personal Information Hits The Dark Web.]

Project Cumulus was the next step in Bitglass' experimentation on tracking stolen credentials or documents in the wild. Last year, it leaked watermarked documents and found these files were viewed 200 times in just the first few days of leaking. At that time, not many attackers used any methods to anonymize their traffic to the documents in question.

In stark contrast, this second incarnation had 68% of all logins coming from Tor-anonymized IP addresses.

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
KeithB787
50%
50%
KeithB787,
User Rank: Apprentice
2/19/2016 | 3:11:59 PM
Hacking is truly a global threat
Very interesting article. It's incredible to see how fast and thoroughly the data was attacked by hackers – the first hack was within 48 hours and 1400 hackers were that interested in this data. It was also good to see the geographic location of those hackers – they were spread over 6 continents and located in 30 different countries.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-4719
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
CVE-2020-15604
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-24560
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
CVE-2020-25596
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
CVE-2020-25597
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...