programming4us

What the cyberhackers do with your personal information

3/20/2012 5:17:10 PM


All of us know that we have to protect our personal information, but what happens if it is attacked? Meridith Levinson investigated the matter.

When the online shopping store Zappos announced to its customers that names, email addresses, invoices and delivery addresses, as well as phone numbers and the last 4 digits of their credit cards, could have been exposed in a data leak in January, it emphasized that “credit card information and important payment data weren’t affected or accessed.”

That was some consolation for the 24 million customers whose information could have been leaked in this case. They didn’t have to worry about finding unexplained charges on their credit card statements at the end of the month. At least, not yet.

So why do we have to worry? According to the experts, the information security risks that customers most often faced ranged from the annoying (more spam in the inbox) to dangerous fraudulent emails. In the latter case, the senders pretended to be a trustworthy individual or organization so that you were tricked into clicking a link that downloaded Trojans onto your computer, or into supplying the senders with confidential information such as your passwords, credit card number or even your welfare number.

The cyberhackers who hacked into the Zappos database accessed a great deal of information. In other cases, such as some attacks on web servers, only names and email addresses were found. Whether they were big or small, these breaches raised a lot of concern.

Why was data precious?

Personal information was the “money” of the underworld. It was what criminals traded, in the literal sense. Hackers who had that kind of information could sell it to many buyers, including identity thieves, criminal organizations, spammers and botnet operators, who used the data to make more money.

For example, spammers could buy a list of new email addresses to send their advertisements for Viagra or something similar. They earned money (supposing 50p per click) from the replies or from the volume of pop-up advertisements/websites. Meanwhile, identity thieves could use email addresses to build a fraudulent scheme to fool people into giving up their credit card or bank account details.

Rod Rasmussen, president and CTO of Internet Identity, an American Internet security company, said cyberhackers exchanged information with each other to build a full picture of an individual. “You can add and combine more information about everyone for a bigger loss. You get their names, credit card numbers, PINs, email addresses and phone numbers from many sources to have full information about them.”

What was the monetary value?

A name or an email address is worth 1 cent to £1 per record, depending on the quality and freshness of the data, according to the security experts.

“There is far too much data floating around; you have to have plenty of it in order to get paid in the underworld,” Rasmussen explained. “Even a credit card number is worth $1.”

It seemed a tiny amount of money, but if you multiplied it by millions of records, the result would increase incredibly. Take Zappos as an example: if hackers sold 5 million out of 24 million customers’ email addresses at 5p per address, they earned £250,000.

The botnet operators could make even more money. Supposing you owned 1 botnet of 100 thousand computers, you could hire it out to spammers for £500 – £1,000/hour. As Stu Sjouwerman, the founder and CEO of KnowBe4, an Internet security training company, said, if you hired or bought the 24 million records from Zappos, you could then send malware to those email addresses; even if just 20% of the recipients’ computers were infected and your malware took control of them, you could have grown your botnet to 5 million computers with little effort.

“Then you can charge $5,000/hour instead of $1,000/hour for 5 million botnets which started to send spam,” Sjouwerman said. “These guys made a really big fortune.” Of course, their illegal activities would also mean criminal cases, prison and monetary compensation.

What did the cyberhackers need?

All the cyberhackers needed to start making money was your email address. Then they could “blitz” your inbox with plenty of spam.

In order to steal someone’s identity or commit credit card fraud, the cyberhackers needed your passwords, credit card or welfare numbers. If they had everyone’s email addresses, they could sometimes obtain your sensitive information by sending fraudulent emails or distributing malware through email. Some malware installed keylogging software that recorded usernames and passwords whenever you signed in to online accounts. If one of them was a bank account, the cyberhackers could without doubt easily drain it completely.

If the cyberhackers had the last 4 digits of a credit or debit card, they could use them to reset the password on an e-commerce website, according to Rasmussen. They would then start buying through your account. However, he added, there was a big possibility that “they will sell this information to those who intend to make another attack on you”.

How long would it happen?

Also according to Rasmussen, the time between the cyberhackers obtaining your information and fraudulent charges suddenly appearing on your credit card statement depended on the cyberhackers and the type of information they got. If it involved credit card numbers, the fraudsters would use them right away.

The cyberhackers who used email for fraud acted very quickly. In order to trick many people into downloading malware onto their own computers or revealing their sensitive information, the cyberhackers would send them a false announcement about the data leak, with a request to reset their passwords on a website posing as the genuine one, before the hacked company sent its official announcement, according to Sjouwerman.

This is why the vital step for organizations whose customers’ information was leaked was to send announcements as soon as they knew what had happened and who was affected. Rasmussen added that the EU was considering a bill requiring companies to inform the affected customers within 24 hours.

And the risk?

If your email address was exposed in a security breach, you had to prepare yourself for tons of spam, fraudulent emails and much more malware arriving in your inbox. In addition, malware could allow the cyberhackers to take control of your PC and make it part of a botnet. It could even let them activate the webcam or microphone on your PC to track your activities. Moreover, it could download keylogging software to record your passwords.

If they had much more information than names and email addresses, such as your phone numbers, addresses and the last 4 digits of your credit cards, they could set up an effective and persuasive fraudulent scheme resulting in identity theft and credit card fraud.

How about the ratio?

Rasmussen and Sjouwerman both agreed that you could receive much more spam if your email address was exposed in a security breach. Another worry for you is fraudulent emails.

4 out of 10 people would fall for a fraudulent email, based on Sjouwerman’s research. He ran a test with one of KnowBe4’s clients, in which KnowBe4 sent a fake email, made to look as if it came from the company’s CEO, to 100 employees whose email addresses were found on the web. In the email, KnowBe4, posing as the CEO, asked the employees to change their welfare on a website it had set up; the result was that 40% of the employees fell into the trap.

Unless your credit card number or bank account was compromised, there was no need for you to worry about credit card fraud, provided, of course, that you didn’t reveal it to the fraudsters afterwards.

If the cyberhackers got your credit card number, fraudulent charges would surely appear on your next statement, and you ought to inform your credit card company and the credit reporting companies as soon as possible that your information was compromised.

Not all breaches would lead to identity theft and credit card fraud, or even to fraudulent emails and spam. Even when the hackers had only people’s names and email addresses, according to Rasmussen, what worried people most was “the feeling of being a victim: someone will publish something about you without permission”.
