Sometimes, what looks like a harmless third party breach notification can lead on to other, more targeted attacks, in this article, Tessian’s Head of Security Engineering & Operations explains how.
There is a deluge of breach notifications for defenders to track, monitor, and respond to. When triaging a breach notification for a third party service, the first instinct is to review the exfiltrated data and evaluate for impact to users.
When that data comes back as non-sensitive, defenders will oftentimes stop analysis there and breathe a sigh of relief. Unfortunately, as some recent breaches make clear, evaluating risk and impact isn’t that simple.
Two confirmed identity points
Take Twitter’s July breach as an example. In the notification, Twitter confirmed the exposure of 5.4 million emails as well as associated phone numbers that had been used as 2 factor authentication (the problem with using phones for 2FA is a topic for another time). No passwords were exposed, so it’s simply a minor irritation for the impacted users, right?
Well, not always. Things get more complicated when we consider what an attacker might be able to pivot to with two confirmed identity traces like email and mobile number.
At the low end of the sophistication scale, the phone numbers (which remember have been confirmed as active to the attacker by virtue of use as an auth factor) can be targeted for waves of SMS based phishing attacks. Anecdotally, Tessian has received reports of an increase in these attacks for users who had a number tied to their Twitter accounts.
Moving up in complexity, a SIM swap attack paired with a compromised password can yield access to other accounts using the same email. Credential pair reuse across multiple sites can make a single breach keep yielding dividends to the attacker for months.
Secondary attack vectors
These are well known post breach secondary attack vectors that have had a lot of visibility over the years. Less well known is the gray market for end user data used to enable scams and sales of questionable products and services, popularly known as crapware.
Quite a few people have heard of tech support scams, where an overseas scammer will call an elderly person and pretend to have valuable security services to offer. Less well known is how these scammers get access to phone numbers in the first place.
As we can see here, third party data brokers offer resales of “warm leads” for tech support scams targeting English speaking countries for call centers around the world. It’s easy enough to buy or otherwise acquire breach data for this purpose; though it’s important to note that data brokers don’t always stop with legal means of targeting users.
This particular data broker kindly offers pop-up campaigns, better known as fake blue screens in the browser that force the user to call an 800 number to unlock. So while buying gray market data can be lucrative for brokers, they certainly aren’t limited to it.
How to protect against attacks
So how do we protect against the impact of a secondary attack vector like this? First, end users should be encouraged and enabled to use software authenticators or hard tokens. SMS based attacks are widespread and tough to mitigate.
Secondly, security tooling that identifies a departure from normal email traffic can be more effective than relying on end user reporting. Tessian’s implementation of our product alerts us to unusual trends in email traffic that we in turn use for campaign tracking and prioritizing SecOps team resources. An eye on what’s normal and what isn’t serves as our first line against malicious activity. Stay vigilant and stay secure.
To see how Tessian prevents ATO attacks, and protects against DLP, watch a product overview video or book a demo.
For the latest cybersecurity news and articles, sign up for our newsletter, and follow us on Twitter and LinkedIn