“Air cover” – cybercriminal marketing and the media

17 August 2016

For a new or relatively unknown cybercriminal actor looking to sell compromised data, attracting buyers can be a difficult task. Actors without established reputations are significantly less likely to be trusted and, as a result, are unlikely to be on other actors’ buying radars. Recent months have seen a number of actors adopting an approach not normally adopted by traditional criminals – proactively talking to the media.

While cybercriminals engaging with journalists is not a new phenomenon (an actor using the name Impact Team spoke with Motherboard Vice in August 2015 following their successful breach of Ashley Madison) a recent trend has been observed of previously unknown actors using the media to self-publicize and advertise the data they have for sale. In June 2016 alone Peace (AKA Peace of Mind), Tessa88 and thedarkoverlord, none of whom were previously well-known outside the security community, all spoke to journalists about compromised data they were offering for sale in what we assessed as likely to be attempts to garner publicity and thereby attract buyers. Speaking to journalists can address two of the problems faced by unknown data merchants – they gain immediate publicity when an article is published, which in turn can drive traffic to the locations where they sell, and if a sample of data is provided for a journalist to verify, the likelihood that potential buyers will trust that the data is genuine will be increased. This approach is very comparable to the marketing tactic of providing leads on stories to journalists in order to boost mentions of a company in the media, known as establishing “air cover.”

 

Wired Peace Interview

Headline from Wired's June 2016 interview with Peace.

Journalists working for technology-focused publications face pressure to report on major data breaches and major breaches make good stories so the offer of an interview with the actor responsible can be hard to pass up. However, by publishing interviews with criminal actors, the resulting news story will likely serve the criminal’s, as well as the journalist’s, ends.

Some measures can be taken to minimize this risk. It is important to always critically analyze a criminal’s claims – and call them out when they are found to be lying – rather than taking what they say at face value. Similarly, it is important to avoid publishing identifiers associated with the criminal. Not revealing which sites they operate on (including by publishing screenshots) or providing their username makes it much harder for prospective buyers to locate the actor online, immediately reducing the benefit of the interview to the criminal. Perhaps most importantly, when a journalist is provided with inside information on a data breach, it is imperative that they inform both the victim and the relevant law enforcement bodies and provide all possible assistance to mitigating the effects of these crimes.

Criminals and journalists both benefit from this kind of interaction, but by taking precautions it is entirely possible for journalists to inform their readers without playing into the criminals’ hands.