Headline grabbing data breaches are such a fixture of our modern business environment that they’ve even spawned a knock-off market: phony data breaches designed to harm a company’s image by making it look as if the firm has lost control of critical data.
That’s the conclusion of a research note from Deloitte, which warns that malicious actors are increasingly using false claims about massive data breaches to bedevil established firms – inflicting real economic and reputation damage.
Affected firms as well as journalists need to hone their response methods to quickly verify the authenticity of online data dumps in order to effectively bat down such claims before they gain traction, according to a research note by Deloitte analyst Allison Nixon.
“Affected companies can find out the truth through their standard incident response process,” Nixon told The Security Ledger. “But third parties, including journalists, aren’t privy to the information they need to figure out if a breach really occurred.”
The issue of counterfeit breaches made headlines in October when an individual posted what were purported to be stolen Dropbox account credentials on the site Pastebin. The message claimed the leaked credentials were part of a larger trove of 7 million accounts that were compromised. That claim was widely reported.
Dropbox, however, maintained that it was not hacked and that the leaked credentials – user names and passwords – were stolen from other online services. In some cases, those credentials also worked for Dropbox accounts, but the site was not the source of the breach, the company said.
Fake breach claims don’t necessarily mean that the data shared does not belong to the organization in question, Nixon said in her report. Attackers can readily recycle data already disclosed in an earlier breach to bolster a claim of a non-existent follow-on incident.
Recycling breach data is a very common and low-effort way to make an incident appear real, Nixon said. But previously disclosed data is also easy to verify using private and public repositories of data. Previous breaches at firms like Adobe and Stratfor spilled millions of credentials online.
The key for affected firms or third parties who are on the receiving end of a data breach claim is to be able to quickly determine whether the data in question, and the claim built on it, are valid.
Nixon outlines a range of methods for separating real data breach leaks from phonies. They range from automated checks that the user accounts in the breach actually exist, to analysis of the leaked passwords and credit card numbers to verify that they are valid (or at least plausible). Statistical analysis of the names in a leak will reveal whether they follow a “long tail” pattern, with a handful of common names shared by many accounts and a long tail of uncommon ones. Such techniques can spot fraudulently generated account lists.
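The following Python script is an added example, not code from the Deloitte report or from The Security Ledger, showing how three of the checks described above can be automated over a parsed dump: a Luhn checksum pass rate for card numbers, a long-tail statistic over account names, and an overlap check against a known earlier leak (the recycling problem discussed above). The account-existence check is omitted because it requires access to the affected service. All records, e-mail addresses and the prior leak are constructed for the demo, and the “valid” card numbers are the payment industry’s published test numbers, not real cards.

```python
"""Added example (not the Deloitte report's or Security Ledger's code):
automated plausibility checks for a purported breach dump, in the spirit of
the checks the article lists. Every record below is constructed for the demo;
the card numbers are the industry's published test numbers, not real cards."""
from collections import Counter
from itertools import cycle


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn checksum that payment card numbers carry."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:          # shorter than any real card number
        return False
    total = 0
    parity = len(digits) % 2      # double every second digit, counting from the right
    for i, d in enumerate(digits):
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_pass_rate(cards) -> float:
    """Share of numbers passing Luhn: a genuine card dump is near 1.0, random digits near 0.1."""
    cards = list(cards)
    return sum(luhn_valid(c) for c in cards) / len(cards) if cards else 0.0


def name_distribution(names, top_k=5) -> dict:
    """Long-tail statistics: how much of the list the top names cover and how much is one-offs."""
    counts = Counter(n.strip().lower() for n in names)
    total = sum(counts.values())
    if total == 0:
        return {"top_share": 0.0, "singleton_share": 0.0}
    top = sum(c for _, c in counts.most_common(top_k))
    singles = sum(c for c in counts.values() if c == 1)
    return {"top_share": top / total, "singleton_share": singles / total}


def recycled_share(emails, prior_emails) -> float:
    """Share of accounts already present in an earlier, known dump."""
    emails = [e.lower() for e in emails]
    return sum(e in prior_emails for e in emails) / len(emails) if emails else 0.0


def assess_dump(records, prior_emails=frozenset()) -> list:
    """Run the checks over parsed records and return the red flags they raise."""
    flags = []
    cards = [r["card"] for r in records if r.get("card")]
    if cards and luhn_pass_rate(cards) < 0.9:
        flags.append("card numbers mostly fail Luhn: likely fabricated")
    if name_distribution(r["name"] for r in records)["singleton_share"] > 0.9:
        flags.append("no common names: account list looks generated")
    if recycled_share((r["email"] for r in records), prior_emails) > 0.5:
        flags.append("most accounts appear in a prior dump: data may be recycled")
    return flags


# Constructed "plausible" dump: a realistic name distribution and valid-checksum test cards.
_COMMON = ["james"] * 5 + ["mary"] * 4 + ["john"] * 3 + ["patricia"] * 2
_RARE = ["ahmed", "priya", "sven", "noor", "kenji", "olga"]
_TEST_CARDS = cycle(["4111111111111111", "5500000000000004", "378282246310005"])
PLAUSIBLE_DUMP = [
    {"name": n, "email": f"{n}{i}@example.com", "card": c}
    for i, (n, c) in enumerate(zip(_COMMON + _RARE, _TEST_CARDS))
]

# Constructed "fake" dump: every name unique, card numbers that are just sequential
# digits, and every e-mail copied from a (constructed) earlier leak.
PRIOR_LEAK = frozenset(f"acct{i}@example.net" for i in range(20))
FAKE_DUMP = [
    {"name": f"acct{i}", "email": f"acct{i}@example.net", "card": f"40000000000000{i:02d}"}
    for i in range(20)
]

if __name__ == "__main__":
    print("plausible:", assess_dump(PLAUSIBLE_DUMP, PRIOR_LEAK) or ["no red flags"])
    print("fake:     ", assess_dump(FAKE_DUMP, PRIOR_LEAK))
```

The thresholds (90 % Luhn pass rate, 90 % singleton names, 50 % overlap) are illustrative choices for the demo; in practice they should be tuned against dumps known to be genuine, and a low Luhn pass rate only shows the numbers were not generated with a checksum in mind, since anyone can generate Luhn-valid strings.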
On the less quantitative end, Nixon advises companies to use a “smell test” for breaches – considering how plausible it is that a malicious actor would behave in the manner that is being observed. For example: cyber criminals who steal millions of credit card numbers are unlikely to just “dump” them on a public web site, given that fencing those account numbers can be lucrative.
“My hope is that when people read the paper and are then presented with a prospective leak that they’ll approach it in a measured way and not fall prey to fear,” Nixon said.