By Tim (TK) Keanini
A recent article claims “Stolen Twitter Accounts ‘More Valuable’ than Credit Cards.” It is important that we understand this claim in its past, present and future context, because everything on the Internet is evolving.
Cyber criminals today no longer operate alone. They are part of a complex marketplace where capabilities and data goods are exchanged for cryptocurrency (Bitcoin, Litecoin, etc.). On the Internet, where everything is just data, the valuation of data is an important property of what should be protected. As defenders become more effective at protecting themselves and their businesses, the adversaries innovate in a co-evolutionary manner and find novel methods to grow their business of cybercrime. The fundamentals of cost/benefit analysis hold true, and through this lens we look at two types of data: credit card dumps and social media account credentials.
Monetizing these credit card dumps at scale is a complex process that involves both the information world and the physical world. Credit card track information in these dumps is written to new plastic and quickly disseminated to people called cash mules, who use the cards until they are detected and shut down. As defenders have become timelier in detection and remediation, this business has become much more expensive to operate given the overhead. These criminals don’t change careers; they just find other ways of doing business.
When thinking like the adversary, what other, more strategic data can they steal that has a lower probability of being detected and, while not directly monetized like credit cards, can open up more capabilities to other data sets that can be monetized? How about a person’s digital identity on social media? The theft of a person’s identity in social media means that you now have trusted access to hundreds if not thousands of people for a small window of time, during which you can cleverly instruct them to download crimeware that will in turn steal more credentials, not only to credit card data but to any financial system. If this crimeware is installed correctly, you not only have access to credit card data, you have access to any and all credit cards over the lifetime of that installation. Individuals go years without detecting these types of malware installations, and it is over this lifetime that not just credit card data, but all data can be accessed.
Like the credit card companies, Twitter is also in a co-evolutionary role with the threat. Twitter’s countermeasure is to have users enable two-factor authentication. This effectively puts vendors of stolen Twitter credentials out of business, but the problem is that it is still optional for the Twitter user, and the bias in the community is not to enable it. As with most information security issues, changing human behavior is always the most difficult part. As this threat vector grows, I could see Twitter implementing a policy whereby if you have over a certain number of followers, let’s say 500, two-factor authentication is mandatory. As always, things need to get worse before they get better.
Whether defending your personal information or your company’s information, you need to think like the adversary, and that adversary is part of a complex and highly effective supply chain. The data they want to take has value in some part of that supply chain, and that value may not be obvious because you don’t see the data as directly monetized like credit card dumps. This is why we must continuously monitor and adapt to the changing threat environment, as adversaries in turn do the same to our defenses.
Over the coming years, these dark markets are going to be more visible because 1) they are interesting and newsworthy and 2) they are where the business of cyber security is being invented and practiced. The business paradox they face is whether to become more visible and grow their market share, or remain dark and exclusive, slowing their revenue growth. The adversaries are treating cyber security as a business problem, and it is about time that their victims do the same.