In our first installment of Sifting Through Digital Exhaust, we discussed the rapidly growing amount of personal data captured by the services we subscribe to, and the various ways that data becomes exposed online. In Part II, we discuss what threat actors can do with your exposed data, how to protect yourself even if your data is already out there, and the steps you can take to remove exposed data.
Read Part 1 of Sifting Through Digital Exhaust
First Step to Remove Exposed Data: Understand Your Adversaries & Digital Footprint
Alberto Casares
VP of Threat Research
Digital Identity Threat Landscape
Your exposed personal data lets a threat actor launch a number of attacks against you: account takeover using an exposed password, impersonation, extortion. The threat landscape is broad. An exposed password can help a threat actor gain access to several of your online accounts, which could lead to you being impersonated online or to your important files being held for ransom. If your data was exposed from a sensitive source, showing that you once belonged to a particular site (for example, we see quite a few professional email addresses in the breach of AshleyMadison.com, a dating site for people seeking an affair), you may be blackmailed to keep that secret safe.
A New Era of Insider Recruitment
As the saying goes, if you don't ask, the answer is always "no." These days, however, threat actors have learned to ask, and what they're asking for will scare any business owner or IT security professional back into the days of offline business. While we've focused primarily on your personal information, it's important to understand that businesses are even bigger targets for digital adversaries. Cybercriminal groups such as the Lapsus$ gang have been known to post ads asking employees of large software companies, telecommunications companies, call centers and web hosts to hand over VPN credentials for access to the company's network in exchange for money. Employers beware: your online adversaries are recruiting disgruntled employees to sell access to your corporate network.
Data in the Wild
The Dark Web in Numbers
It's no surprise that much of your personal data eventually winds up on the dark web. After all, you've heard of underground marketplaces like Silk Road, where nearly anything, legal or otherwise, could be bought, from weapons and drugs to personal identity data. Based on the news reports you've seen, you might be left with the impression that most of what's sold at these marketplaces is the former. But if we take a closer look at the data, examining forum chatter and the contents of dark web pages, only about 6% relates to drugs and weapons, whereas a staggering 57% relates to compromised documents and identity data.
What’s Your Data Worth on the Dark Web?
If our personal data is so prevalent across dark web marketplaces, how much exactly is it worth?
You might be surprised to know that your Social Security number is only worth about $15-20 to a malicious actor, whereas your driver's license is worth about 10 times as much and a diploma could be worth as much as $400.
Your login credentials vary in value depending on who you are and what type of account it unlocks. For example, an online payment services login is worth anywhere between $20 and $200, depending on the estimated value of your account. Non-financial logins and credit card numbers, on the other hand, are worth about $1 each.
Access to your subscription services may be worth up to $10, loyalty accounts $20 and medical records range significantly between $1 and $1,000, depending on the specifics.
A United States Passport is worth between $1,000-$2,000, having nearly doubled in price from 2020 to 2021.
Common Attacks
Account Takeover
This is a topic we discuss frequently, so it shouldn't surprise you that account takeover is the number one attack vector: it tends to open quite a few doors for hackers. We can't stress enough the importance of using a unique password for every login. Through no fault of your own, it's inevitable that one or more of your passwords will be leaked and wind up on a dark web marketplace. Hackers who buy these credentials are willing to pay for your old password because they know that most people reuse passwords. You may not be terribly concerned to learn that your password for the online fan club of a local sports team was exposed, or that the password you created to play Words with Friends with your grandma got leaked; you didn't have any financial information or your real name tied to those accounts, so why does it matter? If you're in the majority, those insignificant passwords are reused on a number of your other accounts, and hackers have credential-stuffing tools that very quickly check which sites accept your exposed email and password combination. You can minimize the damage by using a truly unique password for every site you sign up for, and by changing any password as soon as you learn it has been exposed.
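The credential-stuffing run described above leaves a recognizable trace on the defender's side: one source tries many different accounts in a short window and mostly fails, and the few successes are exactly the accounts whose reused password worked. The following is an added example, not code from the original article, showing how to pull that pattern out of login audit logs. The log format and the IP addresses are constructed for illustration; adapt the regular expression to your own application's login log.

```python
"""Spotting a credential-stuffing run in web login logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 tries eight different accounts in a few
# seconds and gets one hit; the other two addresses are ordinary users.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z login ip=203.0.113.7 user=alice result=FAIL
2023-05-01T10:00:02Z login ip=203.0.113.7 user=bob result=FAIL
2023-05-01T10:00:02Z login ip=203.0.113.7 user=carol result=SUCCESS
2023-05-01T10:00:03Z login ip=203.0.113.7 user=dave result=FAIL
2023-05-01T10:00:03Z login ip=203.0.113.7 user=erin result=FAIL
2023-05-01T10:00:04Z login ip=203.0.113.7 user=frank result=FAIL
2023-05-01T10:00:04Z login ip=203.0.113.7 user=grace result=FAIL
2023-05-01T10:00:05Z login ip=203.0.113.7 user=heidi result=FAIL
2023-05-01T10:01:10Z login ip=198.51.100.20 user=ivan result=FAIL
2023-05-01T10:01:25Z login ip=198.51.100.20 user=ivan result=SUCCESS
2023-05-01T10:02:00Z login ip=192.0.2.44 user=judy result=SUCCESS
"""

# Assumed log line layout (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Return a list of (timestamp, ip, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not login events
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Flag source IPs that tried at least `min_users` distinct accounts inside
    a `window`-long period with a success rate of at most `max_success_rate`.

    Returns {ip: {distinct_users, attempts, successes, compromised}} where
    `compromised` lists the accounts that accepted the stuffed credentials
    (these are the ones to force a password reset on).
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        # Slide a time window over the attempts and keep the window that
        # covers the most distinct usernames.
        best_chunk, best_users, start = [], set(), 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            if len(users) > len(best_users):
                best_chunk, best_users = chunk, users
        successes = sum(1 for _, _, ok in best_chunk if ok)
        rate = successes / len(best_chunk)
        if len(best_users) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(best_users),
                "attempts": len(best_chunk),
                "successes": successes,
                "compromised": sorted(u for _, u, ok in best_chunk if ok),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The thresholds are deliberately conservative (five distinct accounts within five minutes); a shared office NAT or a corporate proxy can legitimately produce several successful logins from one address, which is why the rule also requires a low success rate. Tune both knobs against your own baseline before paging anyone on it.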
VIP Blackmailing
Corporate credentials are no exception to the data that gets exposed on the dark web; in fact, they can be exceptionally valuable to malicious actors. With readily available information from data aggregators, social media and marketing sites, it's not difficult to find the names and email addresses of the higher-ups, executives and VIPs of large corporations, and exposed information about these people can be leveraged for a particularly sizeable gain. For starters, exposed credentials for a corporate executive can be the fastest route to unauthorized access to a company's infrastructure. That access may let the attacker impersonate an executive to authorize the release of funds at the company's financial institution, persuade the CFO to pay an invoice to a fake vendor, or impersonate a rank-and-file employee to ask the finance department to update a vendor's payment instructions. Lastly, some corporate executives and VIPs have their indiscretions: they sign up for affair sites or dating sites in general, or use their corporate email to register on an adult website. Malicious actors will leverage the victim's stature within their organization or community to blackmail the executive in exchange for keeping quiet about the embarrassing secret.
Swatting Attacks
Swatting is a criminal harassment tactic in which the attacker deceives an emergency service into dispatching an armed police response to another person's address. Malicious actors use spoofed phone numbers to file an anonymous report claiming that someone at the victim's address is a danger to themselves and others. Police departments are obligated to investigate these claims, even if the target has been the victim of swatting several times before. For example, political journalist Tim Pool has been swatted 9 times in 2022 alone, including once during a live broadcast. Swatters use specific key words and phrases in their fake 911 calls to trigger a mandatory SWAT response.
As you might expect, streamers, VIPs, influencers and celebrities whose physical addresses have been exposed through doxxing or a breach are at heightened risk of being swatted.
Doxxing
Doxxing attacks are unfortunately easy to carry out; doxxing simply means publishing someone's private information without their consent. While many high-profile individuals work hard to keep their home address out of public view, a determined person can often find it. Once a target is doxxed, that information is displayed publicly and prominently. For example, several US Supreme Court justices were doxxed, revealing their home addresses, after a draft decision to overturn Roe v Wade was leaked. Protesters used this information to take their demonstrations to the justices' front doorsteps, creating a significant physical threat for them and their families.
So, How do I Protect Myself & Limit My Data Exposure?
In simple terms: reduce your digital footprint. Consider the following 10 guidelines to remind yourself, and your non-infosec friends and family.
1. Free is not Free
If it’s free, you are the product.
2. Ask vendors why they need your PII and how they will secure, use, and disclose it
Only supply minimal information.
3. Make a list of every vendor you use and investigate opt-out options
This can be as simple as using advanced Google queries such as: site:[company.com] “opt out”
4. Pull your credit report annually
For those of you in the US, you’re entitled to a free annual credit report. Also consider subscribing to a credit and identity monitoring service for more frequent check-ins.
5. Freeze your credit at every bureau
Freezing your credit at each bureau blocks new creditors from pulling your report, so nobody can open a line of credit in your name until you temporarily lift the freeze yourself; combined with monitoring, you also learn promptly of any attempted inquiry. This is especially important for your minor children: a child's SSN can be used for fraud, and you're not in the habit of checking their credit for fraudulent activity.
6. Avoid using work email addresses outside of work-related services
Keep your personal matters personal.
7. Use temporary email addresses when possible
If you can avoid providing your email address, you’ll reduce your risk of exposure. Some sites will require you to sign up, even if you intend to make a quick one-time-use of their service. You can leverage Apple’s “hide my email” feature if you’re an iOS or macOS user, or a number of free online services such as 10minutemail.com.
8. Do not re-use passwords and use Multi-Factor Authentication when available
Use a password manager to keep track of your passwords so you can use a complex and unique password for each site. (Don't think you can get away with "password1", "password2", "password3"!) If you can't bring yourself to use unique passwords for every login, you should at the very least avoid reusing work-related passwords for personal accounts and vice versa. Enable multi-factor authentication (often called two-factor authentication) wherever it's available.
9. Limit use of personal data in all your online interactions
Particularly in social media, avoid posting unnecessary personal details. If you prefer to keep friends and family in the loop about your daily adventures, make sure your post privacy settings limit who can view your posts, but if you can avoid a social media presence altogether, you’ll benefit from it.
10. Don’t click links, type in website addresses; Don’t call business numbers in SMS, voicemail or emails, look them up and call
You may receive a text message or email that appears to have been sent by an organization you do business with. Often these communications carry a simple call to action: update your contact information, confirm whether a recent login attempt was really you, or any of a number of requests that look like legitimate day-to-day operations. If the email or text message is a phishing or smishing attack, the URL you're asked to click very likely does not lead to the website you think it does. You'll land on a phishing site that looks almost exactly like the site you meant to visit, and it will capture the credentials you enter. The visible link text and the real destination are two different things, so inspect the actual address before you click. Similarly, if you get a text message or voicemail from a company you do business with asking for a call back, look up the number yourself instead of trusting the one given in the message.
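The core check behind this guideline, that a link's visible text and its real destination can disagree, can be automated. The following is an added example, not code from the original article: it parses the links out of a message body and flags any whose destination domain does not match the organization you expect, whose visible text shows a different domain than the one it actually points to, or whose host uses an encoded (punycode) name that can mimic a real brand. The sample message is constructed, using the reserved documentation domains example.com and example.net; the expected-domain value is something you would take from your own records, not from the message.

```python
"""Do the links in a message go where their visible text claims? (added example)"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample lure in the style of a "confirm your login" notice.
SAMPLE_HTML = """
<p>We noticed a new sign-in to your account.</p>
<p>If this wasn't you, visit <a href="https://login.example.net/reset">
https://account.example.com/security</a> to secure your account.</p>
<p>Call us at <a href="tel:+15550100">+1 555 0100</a> or go to
<a href="http://xn--exmple-cua.com/login">ex&auml;mple.com</a>.</p>
<p><a href="https://www.example.com/help">Help center</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # collapse whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' rule. Fine for .com/.net examples; production
    code should consult the public suffix list (co.uk etc. break this rule)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_in_text(text):
    """If the visible link text looks like a URL or bare domain, return its
    registrable domain; otherwise None."""
    if not text or " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    try:
        host = urlsplit(candidate).hostname or ""
    except ValueError:
        return None
    return registrable_domain(host) if "." in host else None


def audit_links(html, expected_domain):
    """Return a list of {href, text, reasons} for links that look suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # tel:, mailto: and friends are not web links
        host = parts.hostname or ""
        target = registrable_domain(host)
        reasons = []
        if any(label.startswith("xn--") for label in host.split(".")):
            reasons.append("punycode host")
        if target != expected_domain:
            reasons.append(f"links to {target}, not {expected_domain}")
        shown = domain_in_text(text)
        if shown is not None and shown != target:
            reasons.append(f"visible text shows {shown} but link goes to {target}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_HTML, "example.com"):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

Only the two deceptive links are reported; the genuine `www.example.com/help` link passes because its domain matches and its visible text makes no claim about a domain. The same logic is what a mail gateway's URL-rewriting or "link text mismatch" rule implements, just applied here to a single message you can inspect locally.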
DIY-Discovery, Opt-Outs and Information Removal
We strongly recommend that you sign up for a credit and identity monitoring service in addition to remaining vigilant in protecting your own data. However, there are “DIY” options at your disposal as well.
Start with an inventory of your less sensitive PII attributes:
- Full name, variations and misspellings
- Spouse's name
- Children's names
- Parents'/grandparents' names
- Address(es)
  • Childhood
  • College
  • Current
- Phone number(s)
  • Current/former
Take your inventory on the road! Search for your information on search engines, social media platforms and other OSINT channels. This will be a painstaking process, but it will show you where your data is exposed and help you build a list of places where you should opt out and request removal of your data.
Opt-Out Process:
1. Set up a new throw-away email address
   a. Yahoo and Gmail allow multiple sub-aliases, which you will need
   b. Opt-out requests will often ask for your email address, and you certainly don't want to provide your "real" one
2. Put your opt-out site list into a spreadsheet
3. Work through 5-10 opt-outs per week until you've finished your list
   a. Save the URLs so you can later verify that each request has been processed
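Guideline 7 and step 1 of this process both depend on not handing out your real address. A practice that goes one step further is to give every vendor, opt-out site or one-time sign-up its own alias, so that when an alias starts receiving mail you never asked for, you know exactly who leaked or resold it. The following is an added example, not code from the original article. It assumes Gmail-style plus-addressing (user+tag@gmail.com) on a throw-away mailbox, which the process above already recommends; the mailbox name, the secret key, the vendor list and the inbox contents are all constructed for illustration.

```python
"""Per-vendor email aliases and leak attribution (added example)."""
import hashlib
import hmac
import re

MAILBOX = "optout.throwaway@gmail.com"            # constructed throw-away mailbox
SECRET = b"assumed-key-change-me-and-keep-it"      # constructed; makes tags unforgeable

# Constructed "spreadsheet" of sites you have signed up with or opted out of,
# with the sender domains you expect legitimate mail from.
VENDORS = {
    "Acme People Search": {"domains": {"acme-people.example"}},
    "Example Loyalty Club": {"domains": {"loyalty.example.com"}},
}


def make_slug(vendor):
    """'Acme People Search' -> 'acme-people-search'."""
    return re.sub(r"[^a-z0-9]+", "-", vendor.lower()).strip("-")


def make_alias(vendor, mailbox=MAILBOX, secret=SECRET):
    """Build the alias to give this vendor. The tag ends in a short HMAC so a
    spammer who sees one alias cannot forge another vendor's alias and muddy
    the attribution."""
    local, _, domain = mailbox.partition("@")
    slug = make_slug(vendor)
    mac = hmac.new(secret, slug.encode(), hashlib.sha256).hexdigest()[:6]
    return f"{local}+{slug}-{mac}@{domain}"


def _canon(local):
    return local.replace(".", "")  # Gmail ignores dots in the local part


def attribute(address, mailbox=MAILBOX, secret=SECRET):
    """Map a recipient address back to (vendor_slug, tag_verified), or None if
    the address is not one of our aliases."""
    mlocal, _, mdomain = mailbox.lower().partition("@")
    local, _, domain = address.strip().lower().partition("@")
    if domain != mdomain:
        return None
    base, _, tag = local.partition("+")
    if _canon(base) != _canon(mlocal) or not tag:
        return None
    slug, _, mac = tag.rpartition("-")
    expected = hmac.new(secret, slug.encode(), hashlib.sha256).hexdigest()[:6]
    return slug, hmac.compare_digest(mac, expected)


def leak_report(messages, vendors, mailbox=MAILBOX, secret=SECRET):
    """messages: iterable of (to_address, from_address) as seen in the inbox.
    Returns one {vendor, from, status} per message addressed to one of our
    aliases; status is 'expected', 'leaked' or 'forged-tag'."""
    by_slug = {make_slug(v): v for v in vendors}
    report = []
    for to_addr, sender in messages:
        hit = attribute(to_addr, mailbox, secret)
        if hit is None:
            continue
        slug, verified = hit
        vendor = by_slug.get(slug)
        sender_domain = sender.rpartition("@")[2].lower()
        if not verified or vendor is None:
            status = "forged-tag"
        elif sender_domain in vendors[vendor]["domains"]:
            status = "expected"
        else:
            status = "leaked"
        report.append({"vendor": vendor or slug, "from": sender, "status": status})
    return report


def build_inbox():
    """Constructed inbox: one expected message, one sign the Acme alias was
    shared with a third party, one forged tag, one message not ours at all."""
    acme = make_alias("Acme People Search")
    return [
        (acme, "privacy@acme-people.example"),
        (acme.replace("optout.throwaway", "OptOut.ThrowAway"), "deals@cheap-pills.example"),
        ("optout.throwaway+example-loyalty-club-zzzzzz@gmail.com", "promo@somewhere.example"),
        ("someone.else@gmail.com", "x@y.example"),
    ]


if __name__ == "__main__":
    for entry in leak_report(build_inbox(), VENDORS):
        print(entry)
```

The second inbox entry is the interesting one: the Acme alias, with Gmail's dot-insensitivity and case folding accounted for, received mail from a sender you never dealt with, which tells you which vendor to follow up with (and which alias to retire). Keep the secret key with the spreadsheet; without it the HMAC check cannot distinguish a real alias from a guessed one.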
Learn about Constella’s Dome Digital Risk Protection Platform
What type of threats are you or your organization facing? Check your exposure risk and see whether your credentials, or your employees' credentials, have already been exposed in a data breach. Safeguarding your employees and your organization begins here.