On September 7th, credit reporting agency Equifax announced “a cybersecurity incident potentially impacting approximately 143 million U.S. consumers.” To put this in context, at this time, this incident is almost seven times larger than the Office of Personnel Management breach of 2015. Equifax discovered the unauthorized access on July 29th and determined that the intrusion began in mid-May. Equifax stated that “the information accessed primarily includes names, Social Security Numbers (SSNs), birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.” In addition, “limited personal information” for Canadian and United Kingdom citizens was also accessed. The initial attack vector was reported as a “web application vulnerability.”
Figure 1. Chairman and Chief Executive Officer, Richard F. Smith discusses the Equifax Breach
Whenever doing any sort of analysis, it is important to state what we don’t know. Simply put, there is a great deal we don’t know and most of the public will never know (despite what some talking heads might claim). As a former incident responder, I know that investigations aren’t completed in the time it takes to watch an episode of the TV drama Scorpion. (Did you know that Scorpion is starting its fourth season?) Equifax stated that the investigation is “substantially complete,” but wisely added that “it remains ongoing and is expected to be completed in the coming weeks.”
There is a wide range of possibilities depending on the goals of the threat actor responsible for the Equifax intrusion. By the way, did I mention that attribution is challenging? Attribution aside, one thing is certain: regardless of the motivations of the attackers, this data is perfect for social engineering attacks.
Tax Return Fraud
SSNs are highly valuable for criminals looking to commit tax refund fraud. Fraudsters use SSNs to file a tax return claiming a fraudulent refund and it can be hard to find out if you’re a victim until it is too late. There is some good advice from the IRS about what to do should you suffer from this form of fraud. You can read more about tax fraud in a blog we wrote earlier this year.
Opening fraudulent accounts
There is no shortage of alternative finance companies, such as those who provide short term loans. Fraudsters can successfully open accounts in another individual’s name, using a combination of SSNs, fraudulent gas statements and other personally identifiable information (PII). Individuals should be extra vigilant for any evidence of accounts being opened in their name.
PII is valuable to payment card fraudsters, who require such information to bypass security controls such as “Verified by Visa”, which sometimes ask for digits of cardholders’ SSNs. There are plenty of high-quality cards that criminals use which do not require extra validation, but the lower-level carders must turn to SSNs to enrich lower-quality card dumps. It’s important to remember that SSNs and payment card fraud are inextricably linked.
Figure 2: An example of a security control for online credit card payments
Benefits Fraud and Medical care fraud
Although less glamorous than tax return fraud and carding, benefit and medical care fraud is a real risk. As with tax return fraud, this is hard to detect when it happens, but individuals can be vigilant when checking their Explanation of Benefits statement and flag any unfamiliar activity to their insurance provider.
Resale of data
It’s important to note that the individuals responsible for the breach are unlikely to be the same criminals conducting the day-to-day fraud. In the case of the Experian breach, the stolen data soon made its way onto the (now defunct) Hansa marketplace. As I’ve previously mentioned, there’s already a market for SSNs to enrich credit card information, so it’s likely that many actors could end up getting a piece of the pie.
For lower level criminals, the expenses associated with criminal activities will get even lower. SSNs are already cheap; on one AVC (Automated Vending Cart) site (shown in Figure 3), there are over 3.4 million SSNs for sale at only $1. This includes full names, addresses, and – for a large number of accounts – dates of birth. In California alone, there were 334,000 SSNs for sale.
With tens (and potentially hundreds) of millions more SSNs potentially entering the market, the opportunities for criminals to commit fraud will increase and the price will decrease even more.
Figure 3: A screenshot of an AVC selling Social Security Numbers
So far, I’ve focused heavily on SSNs, but credit card information was also accessed in the breach. While this number is in the hundreds of thousands (209,000), it is unlikely to have a significant impact on an already burgeoning black market for credit card information.
Enablement of nation state campaigns
Although Equifax claimed this intrusion was conducted by a criminal threat actor, it is possible that this was a nation state actor. (Quick reminder to re-read my note from above “attribution is always a challenge.”) In the event that a nation state actor is responsible for the intrusion, then like the OPM breach, we won’t see the data being monetized in the criminal underground. The stolen data will be leveraged to enable nation states’ campaigns against their intelligence targets.
Enablement of hacktivist campaigns
If we are going to consider nation state actors, we should also consider hacktivist threat actors and their activities around the stolen data. If hacktivists were responsible (I think this is a pretty unlikely scenario; let’s call it #OPunlikely), you could expect to see them use the data to target organizations and individuals that run counter to their world views. Embarrassment and doxing, the hacktivist go-tos, would come into play.
Digital Shadows will continue to monitor this situation and provide updates as needed.