Vulnerabilities / Threats

5/26/2017
10:20 AM
50%
50%

FTC: It Takes Criminals Just 9 Minutes to Use Stolen Consumer Info

Federal Trade Commission experiment lured hackers to learn about how they use stolen consumer information.

The Federal Trade Commission (FTC)'s Office of Technology conducted an experiment to learn how hackers use stolen information. Experts created a database of fake consumer credentials and posted them twice on a site that hackers use to make stolen data public.

This false information was made realistic by using popular names based on Census data, US-based addresses and phone numbers, common email address naming strategies, and one of three types of payment info (online payment service, bitcoin wallet, and credit card). Following the second posting of fake data, it took hackers just nine minutes to try and access it.

There were more than 1,200 attempts to access the information, which hackers tried to use to pay for things like food, clothing, games, and online dating memberships. The FTC advises consumers to stay safe with two-factor authentication, which prevented the thieves from gaining access.

Read more details here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/5/2017 | 5:25:41 AM
Re: 9 Minutes?
No, I don't think so. I think what the piece is trying to communicate is that once they had already accessed the information, they took mere minutes to use the compromised information. The 9-minute figure has nothing to do with the breach itself.
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
6/5/2017 | 5:23:36 AM
Re: When you want it, you want it.
Is it? How many of them, I wonder, already had an ecommerce portal open in another browser tab at the time?
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:32:40 PM
NSA
At the same time, this is may be another vulnerability that was exploited and not shared with the vendor and hackers now know it. 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:32:03 PM
Re: When you want it, you want it.
"you often want it right away"

Agree. 9 minutes is quite impressive.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:31:06 PM
Re: Interesting Honeypot
"Interesting Honeypot"

I like the idea that they try to understand what would happen.

 
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
5/30/2017 | 12:29:06 PM
9 Minutes?
So they know a backdoor that we do not. 
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
5/28/2017 | 3:05:52 PM
When you want it, you want it.
Makes sense. When you're in the market for something -- whether it's stolen PII or something else -- you often want it right away.
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/27/2017 | 1:53:07 PM
Interesting Honeypot
This is an interesting exercise to show the value of compromising personal records from the attackers perspective. 
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
How Data Breaches Affect the Enterprise
How Data Breaches Affect the Enterprise
This report, offers new data on the frequency of data breaches, the losses they cause, and the steps that organizations are taking to prevent them in the future. Read the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...
CVE-2018-16515
PUBLISHED: 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
CVE-2018-16794
PUBLISHED: 2018-09-18
Microsoft ADFS 4.0 Windows Server 2016 and previous (Active Directory Federation Services) has an SSRF vulnerability via the txtBoxEmail parameter in /adfs/ls.