Thieves Move Quickly with Your Exposed Credentials

Cybercriminals took a mere 9 minutes before they began using leaked credentials that had been publicly posted online for identity theft, a new study found. 

At their recent conference on identity theft, the Federal Trade Commission (FTC) shared the details of a recent experiment designed to track how Personally Identifiable Information (PII) is obtained and used for identity theft. Led by Tina Yeung and Dan Salsburg from the FTC Office of Technology Research and Investigation, the study aimed to determine what happens to leaked credentials, and whether and how consumer credentials are used once they are made public. 

In particular, the experiment looked at how long it took for thieves to attempt to access an email account or a payment account, or to attempt a purchase. 

On April 27 and May 4 of this year, a data dump of approximately 100 consumer credentials was posted to a paste site, a public website often used to publicize leaked or confidential information. The same information was posted in both instances and contained the following data for each of the ~100 individuals:

  1. Name
  2. Address
  3. Phone number
  4. Email address
  5. Password
  6. Payment mechanism (either a credit card number, an online payment account or a Bitcoin wallet)

What was not publicized, however, was that none of these individuals were real people, nor were any of the associated credentials. In fact, these fraudulent identities were created by FTC researchers, who carefully crafted each identity to appear as legitimate as possible and tracked each data point to see how, or if, the information would be used for criminal purposes.

“ID thieves are looking for consumer credentials and pounce when they find them.”
— Dan Salsburg, Office of Technology Research and Investigation

The first time the fake consumer credentials were publicized, it took over an hour before the first attempt to misuse the data. The second time, however, it took a mere nine minutes.

By the time the study concluded, there had been a total of 1,228 unauthorized access attempts and $12,825.53 in attempted unauthorized charges.

At a higher level, the study found that would-be identity thieves attempted to log in to 97% of all email services, make charges to over 97% of the posted credit cards and log in to over 90% of payment accounts.

Researchers also took a closer look at the IP address behind each attempted use to see if they could geographically map where each cyber "crime" took place. To do so, they used a third-party service that assigned each IP address a probability that it came from a VPN, a proxy or a Tor exit node. Roughly half of all IPs in the study fell into one of those categories, so the initial assessment of IP locations was misleading: those making the attempts were intentionally masking their true whereabouts. 
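The analysis described above (time from posting to first misuse, attempt and charge totals, and discounting geolocation for IPs flagged as VPN, proxy or Tor) can be reproduced over a honeytoken access log. The following is an added example written for this page, not code from the FTC study or from DarkOwl: the access records, posting times and the anonymizer probabilities are all constructed sample data, and the 0.5 threshold for treating an IP as masked is an assumption.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple, Tuple

# Assumed cut-off: an IP whose VPN/proxy/Tor probability is at or above
# this value is treated as masked and excluded from the geographic view.
MASK_THRESHOLD = 0.5


class Attempt(NamedTuple):
    timestamp: datetime           # when the honeytoken credential was used
    posting: str                  # which paste-site posting it followed
    account_type: str             # "email", "credit_card" or "payment_account"
    charge_usd: float             # attempted charge, 0.0 if none
    ip: str                       # requester IP (RFC 5737 documentation ranges)
    geo_country: str              # country reported by naive IP geolocation
    anonymizer_probability: float # hypothetical reputation-service score


# Constructed posting times (year chosen arbitrarily for the sample).
POSTINGS: Dict[str, datetime] = {
    "post-1": datetime(2017, 4, 27, 12, 0),
    "post-2": datetime(2017, 5, 4, 12, 0),
}

# Constructed access log; none of these rows come from the real study.
EVENTS: List[Attempt] = [
    Attempt(datetime(2017, 4, 27, 13, 5), "post-1", "email", 0.00, "203.0.113.10", "US", 0.92),
    Attempt(datetime(2017, 4, 27, 13, 40), "post-1", "credit_card", 49.99, "198.51.100.7", "DE", 0.08),
    Attempt(datetime(2017, 4, 28, 9, 12), "post-1", "payment_account", 120.00, "192.0.2.55", "NL", 0.77),
    Attempt(datetime(2017, 5, 4, 12, 9), "post-2", "email", 0.00, "203.0.113.10", "US", 0.92),
    Attempt(datetime(2017, 5, 4, 12, 30), "post-2", "credit_card", 250.00, "198.51.100.200", "BR", 0.15),
    Attempt(datetime(2017, 5, 5, 1, 0), "post-2", "credit_card", 15.50, "192.0.2.99", "RU", 0.61),
]


def time_to_first_misuse(events: List[Attempt], postings: Dict[str, datetime]) -> Dict[str, float]:
    """Seconds from each posting to the earliest attempt that followed it."""
    first: Dict[str, float] = {}
    for e in events:
        delta = (e.timestamp - postings[e.posting]).total_seconds()
        if e.posting not in first or delta < first[e.posting]:
            first[e.posting] = delta
    return first


def totals(events: List[Attempt]) -> Tuple[int, float]:
    """Total number of access attempts and total attempted charges in USD."""
    return len(events), round(sum(e.charge_usd for e in events), 2)


def attempts_by_account_type(events: List[Attempt]) -> Counter:
    """How many attempts touched each kind of honeytoken account."""
    return Counter(e.account_type for e in events)


def is_masked(e: Attempt, threshold: float = MASK_THRESHOLD) -> bool:
    return e.anonymizer_probability >= threshold


def masked_fraction(events: List[Attempt], threshold: float = MASK_THRESHOLD) -> float:
    """Share of attempts whose source IP is likely a VPN, proxy or Tor exit."""
    return sum(is_masked(e, threshold) for e in events) / len(events)


def country_breakdown(events: List[Attempt], threshold: float = MASK_THRESHOLD) -> Tuple[Counter, Counter]:
    """Naive per-country counts versus counts restricted to unmasked IPs.

    The naive view is what you get by geolocating every IP; the trusted
    view drops anonymized sources, whose location says nothing about the
    actor's real whereabouts.
    """
    naive = Counter(e.geo_country for e in events)
    trusted = Counter(e.geo_country for e in events if not is_masked(e, threshold))
    return naive, trusted


if __name__ == "__main__":
    for posting, secs in time_to_first_misuse(EVENTS, POSTINGS).items():
        print(f"{posting}: first misuse after {secs / 60:.0f} minutes")
    print("attempts, attempted charges:", totals(EVENTS))
    print("by account type:", dict(attempts_by_account_type(EVENTS)))
    print(f"masked IPs: {masked_fraction(EVENTS):.0%}")
    naive, trusted = country_breakdown(EVENTS)
    print("naive countries:", dict(naive))
    print("trusted countries:", dict(trusted))
```

Running the sample shows the same shape of result the study reports: a much shorter lag on the second posting, and a country map that looks spread across five countries until the masked sources are removed, after which only two remain. In a real deployment the `anonymizer_probability` would come from an IP-reputation feed and the events from the monitored honeytoken accounts.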

The first major takeaway, according to Dan Salsburg, is that "ID thieves are looking for consumer credentials and pounce when they find them." Another is that paste sites, where leaked credentials are often made public, should be monitored.

While many data leaks and credential dumps are associated with the darknet, this information often propagates on the surface web as well, which is why monitoring for PII can require looking beyond the darknet. For this, we turn to DARKINT, or darknet intelligence, which includes information from the darknet and from high-risk surface web sites such as the paste site used in this study. 

Monitoring for confidential, personal or otherwise meaningful information using DARKINT is the most comprehensive way to be aware of and mitigate cyber crime. Our DarkOwl Vision platform provides the world’s largest commercially available database of DARKINT and the tools and services to efficiently find leaked or otherwise compromised sensitive data. Unlike conventional offerings, which rely heavily on manpower, DarkOwl Vision automatically, anonymously and continuously collects, indexes and ranks actionable darknet data. The DarkOwl Vision engine scrapes more relevant DARKINT in one hour than an intelligence analyst can discover in one month. By shortening the time to detection of compromised data on the darknet, organizations can swiftly detect security gaps and mitigate damage before their data is misused.