NormShield Blog

What is the biggest threat of stolen accounts?


There are more than 4 billion hacked e-mail addresses and passwords available on the internet and in underground forums. So how do attackers use hacked e-mails and passwords for malicious purposes? NormShield searches many internet sources to find out whether e-mail addresses of your employees have been leaked. In the simplest form, a list of employee e-mail addresses can be used for a phishing attack or to brute-force login forms. A phishing e-mail typically directs the user to a website that asks them to update personal information, such as a password, credit card number, social security number, or bank account credentials, that the legitimate organization already has. This type of attack can expose information about employees who have little security awareness. The disclosed information may be personal, or it may be information of high importance to the company. These types of attacks are widely used today.

Most internet users use the same password for their different web application accounts. So leaked e-mails and passwords are very dangerous if those credentials are also used for other accounts. Attackers can try to enter your systems using this information. Even if the leak comes from a source unrelated to the company, attackers can use the leaked password to log in to the company's applications with the employee's corporate e-mail address. Employees who don't want to deal with a different password for each application may use the same password for many applications, including the company's. Leaked e-mails and passwords are dangerous regardless of where they leaked from.

Biggest Threat

If a simple forum that a user is a member of is hacked, attackers can go further and steal the user's credit card information by trying to log in to other sites (e.g. well-known online shopping sites) with the leaked e-mail and password. If the e-mails and passwords leaked from one of the well-known social media platforms, attackers can publish posts that cause damaging disturbances to the company's reputation. In 2011, the Twitter account of a well-known news channel was hacked, and the attackers shared six different tweets for #ObamaIsDead. Of course the news was not true, but the incident caused a large amount of damage to the American stock market in a short time.

Attackers can also communicate with other attackers who use the hacked account and gather valuable information very easily. When a hacking incident occurs, attackers initially sell this information for money in underground forums or use it for malicious purposes themselves.

Another problem with this danger is that hacking incidents are often announced long after they happened. Users may not be aware that their sensitive information has leaked, even when their e-mails and passwords are already circulating on the internet. In the event of an attack, companies must inform their customers, but those announcements may come a long time after the information was shared on the internet. Until then, the information can be used many times for malicious activity.

For example, Yahoo announced a hacking incident, known as the September Disclosure, that occurred in 2014 and caused 500 million user accounts to be hacked. After that, the company also announced another attack, known as "Disclosed Wednesday", that occurred in 2013 and caused more than 1 billion accounts to be compromised. The stolen data included names, e-mail addresses, telephone numbers, birthdays, hashed passwords, and some "encrypted or unencrypted security questions and answers". Yahoo says it believes that no payment card or bank account information was stolen. The interesting thing is that the announcement was published in September 2016. The New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000.

One of the worst parts of such incidents is that they leak different kinds of personal information, such as security questions, birthdays and telephone numbers, because this information is used to verify the user. Attackers can call a victim while introducing themselves as a bank employee, or call the bank while introducing themselves as the real user. The more an attacker knows about a user, the more he is capable of.

It is clear that leaked data is not limited to e-mails and passwords. Different types of data can leak depending on the services the target site provides, and the type of leaked data matters a great deal. In the Yahoo case, a lot of valuable information was leaked and sold on the Dark Web. Just as attackers use leaked information for malicious purposes, they can also sell it for money. Every piece of leaked information has a price on the Dark Web. Some examples are given in the table below.

Item                          Black market price, $   Comment
CVV                           2                       credit verification value: the three- or four-digit number on the back of a card
credit card, stale data       2 – 7                   old data; owners have cancelled most of the cards in the batch
Spam mail list                100                     whole list
credit card, market flooded   10 – 12                 price drops once the market becomes flooded with records from the same account
details                       5                       —
fullz                         3                       full packages of individuals' identifying information; usually contain an individual's name, Social Security number, birth date, account numbers and other data

Attackers use tools for discovering places where stolen data can be used. These tools are sold on black markets for money. A "checker" is one of these tools: it attempts to log in to websites, starting with very well-known ones (such as Facebook, Instagram, Twitter, Google or iCloud), using the leaked credentials. Thus attackers can easily gain access to accounts on these systems without hacking the sites themselves.
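The same checker behaviour seen from the defender's side: because the tool tries one stolen pair per account across many accounts, it shows up in a web application's login log as a single source touching many distinct usernames with a low success rate. This is an added example, not NormShield's code; the log format, the account names and the two source addresses are constructed.

```python
"""Flag credential-stuffing ("checker") sources in web-app login logs.
Added example, not NormShield's code; the log format is constructed:
ISO timestamp, source IP, account name, login result."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 walks six different accounts in a few
# seconds with one hit (a checker replaying a leak); 198.51.100.7 is one
# user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
2016-09-22T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2016-09-22T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2016-09-22T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2016-09-22T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2016-09-22T10:00:04Z ip=203.0.113.5 user=erin@example.com result=FAIL
2016-09-22T10:00:05Z ip=203.0.113.5 user=frank@example.com result=FAIL
2016-09-22T10:03:10Z ip=198.51.100.7 user=gina@example.com result=FAIL
2016-09-22T10:03:20Z ip=198.51.100.7 user=gina@example.com result=OK
"""

def parse(line):
    # 'ts ip=.. user=.. result=..' -> dict with a datetime under 'ts'
    ts, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_accounts=5, max_success_rate=0.5):
    """Return {ip: (distinct_accounts, success_rate)} for every source that
    tries at least `min_accounts` different accounts inside `window` with a
    success rate of at most `max_success_rate`. Breadth across accounts is
    the stuffing signature, which is why per-account lockout misses it."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda ev: ev["ts"])
        start = 0
        for end in range(len(evs)):          # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            accounts = {ev["user"] for ev in span}
            rate = sum(ev["result"] == "OK" for ev in span) / len(span)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                flagged[ip] = (len(accounts), round(rate, 2))
    return flagged
```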

Dropbox was hacked back in 2012 and customer login credentials were compromised. It has since been revealed that over 68 million Dropbox usernames and passwords were stolen. This massive breach happened because a Dropbox employee reused his account password on other websites that had been hacked before. The stolen password was used to access a Dropbox employee account containing a project document with user e-mail addresses and passwords. Half of these passwords were hashed with bcrypt, which is extremely difficult to crack, but the rest were hashed with SHA-1, which is considered deprecated nowadays and is potentially easier to break by brute force. Attackers can also search for the leaked Dropbox usernames in other hacked websites' databases to see whether a match exists, and then log in to those websites with the same information.
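To show why the bcrypt half of that dump is the harder half, and what a service still holding SHA-1 records should do, here is an added example (not Dropbox's or NormShield's code) that verifies a legacy unsalted SHA-1 record, measures how many guesses per second each record format allows, and rewrites the legacy record under a slow salted KDF on the next successful login. Python's standard library has no bcrypt, so hashlib.scrypt stands in for it; the 'sha1$' / 'scrypt$' record prefixes and the sample password are assumptions.

```python
"""Verify passwords stored as unsalted SHA-1 and migrate them to a slow,
salted KDF on the next successful login. Added example, not Dropbox's or
NormShield's code; hashlib.scrypt stands in for bcrypt, and the record
prefixes and sample password are assumptions."""
import hashlib
import hmac
import os
import time

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1)  # work factor, like bcrypt's cost

def hash_scrypt(password, salt=None):
    """Salted scrypt record: 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (salt.hex(), digest.hex())

def verify(stored, password):
    """True if `password` matches `stored`, for either record format."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":   # legacy: one fast, unsalted digest per guess
        guess = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(guess, rest)
    if scheme == "scrypt":  # re-derive with the record's own salt
        salt = bytes.fromhex(rest.partition("$")[0])
        return hmac.compare_digest(hash_scrypt(password, salt), stored)
    return False

def verify_and_upgrade(stored, password):
    """Return (ok, record_to_store). A legacy record is rewritten as
    scrypt on the first successful login, the only moment the plaintext
    is available to the server."""
    ok = verify(stored, password)
    if ok and stored.startswith("sha1$"):
        return True, hash_scrypt(password)
    return ok, stored

def guesses_per_second(record, seconds=0.2):
    """Wrong candidates this host can test per second against `record`;
    the per-guess cost is what makes one half of a dump slow to crack."""
    n, t0 = 0, time.perf_counter()
    while time.perf_counter() - t0 < seconds:
        verify(record, "not-the-password-%d" % n)
        n += 1
    return n / seconds

# Constructed legacy record for a user whose password is "correct horse".
LEGACY_RECORD = "sha1$" + hashlib.sha1(b"correct horse").hexdigest()
```

On a typical laptop the SHA-1 record allows on the order of a hundred thousand guesses per second and the scrypt record a handful, which is the whole difference between the two halves of the dump.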

Password reuse makes hacking easier for attackers; it hands sensitive information to them as a great opportunity. You can read this news article for more detailed information about the Dropbox incident. Despite the significance of the topic, a survey on password reuse shows that 59 percent of consumers admit that they reuse passwords because it is too hard to remember them all.

How can we be sure that all of our accounts are secure?

First of all, we should use a different password for each website, so that we reduce the damage a single hack can cause. But that alone is not enough. NormShield's threat intelligence module searches and investigates many resources, such as the internet, dark forums and black markets, to detect whether your e-mail address, passwords or other personal data exist on the Dark Web.

If you want to check whether your credentials have been leaked, you can search for your e-mail address or username in the well-known leak datasets using NormShield's search engine. Our search engine looks for information related to you in many leak databases. Some of the databases checked are shown in the figure below.

NormShield continually extends the search engine with additional leak databases. When an entry related to you or your organization is found, NormShield informs you immediately, so you can take the necessary precautions before it's too late.