On the trail of the hackers
Despite sophisticated security technologies, employees remain a vulnerable point for companies, because cybercriminals continue to refine their social engineering attacks. Phishing, in particular, is one of the attack vectors currently causing headaches for companies. For example, the criminals send deceptively genuine-looking e-mails in the name of payment services, online shops or e-mail providers in order to capture login data and other sensitive information.
But what are the consequences if employee user data falls into the wrong hands and what impact would this have on the company? The Bitglass research team has tried to track down the distribution channels of illegally obtained data with the help of an experiment called "Cumulus".
The experiment: A bank employee as a decoy
To answer these questions, the research team used a decoy: they created the digital identity of a bank employee of a fictitious bank. For this purpose, a functioning banking portal was set up and a Google Drive account was created, in which both personal data such as credit card numbers and documents from everyday work were deposited. The Google credentials of the decoy account were eventually published on the darknet by the research team. However, all files in the Google Drive folder were previously digitally watermarked so that the research team could track all activities of the "data thieves", from login to file download.
In the first 24 hours after posting on the darknet, more than 1400 visitors from over 30 countries had taken a closer look at the apparently stolen user data, and the first file downloads from the Google Drive folder occurred within 48 hours.
1. Data thieves act selectively
A targeted approach was clearly evident among the visitors: for example, files that appeared to contain sensitive financial information were opened the fastest. The activity logs that the Bitglass team obtained from the API integration of the Google application also showed that in many cases the file download was carried out immediately after the Google Drive account was accessed. Different procedures were revealed in the process: While some downloaded all files seemingly at random - including, for example, canteen menus - a proportion of 12% focused exclusively on the most sensitive content, in particular documents containing credit card data and corporate documents with bank customer information.
However, no disclosure or use of the credit card data occurred during the experiment. Nevertheless, there is no certainty that hackers will not continue to use this data in the future.
2. A fatal user error: password convenience
Like many Internet users, the fictitious bank employee used the same password for different web services. Cybercriminals are well aware of this habit: after the hackers had successfully accessed the Google Drive account with the leaked credentials, the research team noticed that most of them subsequently tried to apply the same credentials to other websites. In this regard, the hackers were extremely relentless: 36% of the lured cybercriminals rushed to the victim's private bank account, which they could easily access with the credentials. In the process, Bitglass researchers also observed multiple recurring logins by the same criminal users, some within hours, while others continued for weeks after the initial login. Likewise, it was frequently observed that the hackers changed the passwords to lock the user out of their accounts.
3. Hackers professionally preserve their anonymity
In the case of some accesses to the banking portal, it could be determined that the cybercriminals came from the U.S. states of Wisconsin and California, as well as from the countries of Austria, the Netherlands, the Philippines, and Turkey. The clear majority, however (68%), used the Tor browser to access both the banking portal and the Google Drive account in order to mask their IP addresses. One Dark Web community hacker even encouraged members to use a cryptocurrency-paid VPN service in conjunction with Tor to minimize the risk of prosecution under the U.S. Computer Fraud and Abuse Act. This is a clear indication of increasing professionalization and organization among cybercriminals.
Security in the cloud requires a multi-layered approach
As the experiment showed, both corporate and personal data are quite popular commodities for which there are always interested buyers. In order to protect their data effectively and not rely exclusively on the security awareness of their employees, companies should establish control mechanisms at several levels that can prevent the loss of sensitive data.
For public cloud applications like Google Drive, the ability to restrict or prevent access based on context is key to protecting sensitive data. In the banking example, IT could have used a Cloud Access Security Broker (CASB) solution to identify suspicious login attempts, prevent customer data from being downloaded from the cloud, or block sensitive data from being uploaded to the cloud. IT administrators are also immediately alerted to unusual activity - such as that in the bank employee's Google Drive - especially when multiple logins come from remote locations, and can take immediate countermeasures. The watermarking technology used in the experiment can also provide insight into suspicious data handling from cloud applications. Combined with machine learning techniques to track user behavior and detect deviations, suspicious accesses can be tracked down immediately - even if they may seem like a "needle in a haystack" to human IT administrators.
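The detection logic sketched above (logins from many remote locations in a short window, Tor-sourced sessions, and a download that follows a login almost immediately, as the Drive activity logs in the experiment showed) can be expressed as a small rule set over activity events. The following is an added example written for this article, not Bitglass code or a Google API client; the event format, thresholds and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of Drive-style activity events for the decoy account
# (not real log data): (timestamp, event, source country, via Tor?, file)
SAMPLE_EVENTS = [
    ("2016-03-01T10:00:00", "login",    "US", False, None),
    ("2016-03-01T10:00:40", "download", "US", False, "credit_cards.xlsx"),
    ("2016-03-01T11:15:00", "login",    "NL", True,  None),
    ("2016-03-01T13:02:00", "login",    "PH", True,  None),
    ("2016-03-01T13:03:10", "download", "PH", True,  "canteen_menu.pdf"),
    ("2016-03-01T14:30:00", "login",    "TR", False, None),
    ("2016-03-02T09:00:00", "login",    "AT", False, None),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def analyze(events, window=timedelta(hours=24), max_countries=2,
            grab_delay=timedelta(minutes=5)):
    """Return a list of (alert_type, timestamp, detail) tuples.

    Rules (thresholds are assumptions for the example):
      geo_spread         - more than max_countries distinct login countries
                           for one account inside `window`
      tor_login          - login tagged as coming from a Tor exit
      immediate_download - download within `grab_delay` of the last login
    """
    alerts = []
    logins = []          # (time, country) of every login seen so far
    last_login = None
    for ts, event, country, via_tor, fname in sorted(events, key=lambda e: e[0]):
        t = parse_ts(ts)
        if event == "login":
            last_login = t
            logins.append((t, country))
            if via_tor:
                alerts.append(("tor_login", ts, country))
            recent = {c for lt, c in logins if t - lt <= window}
            if len(recent) > max_countries:
                alerts.append(("geo_spread", ts, sorted(recent)))
        elif event == "download" and last_login and t - last_login <= grab_delay:
            alerts.append(("immediate_download", ts, fname))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert)
```

Each alert type here maps to one of the behaviours observed in the experiment, so a real CASB or SIEM rule would additionally join the download events against the file sensitivity labels (credit card data versus canteen menus) before raising priority.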
Finally, the successful accesses recorded in the experiment could have been prevented if password reuse had been prohibited and advanced authentication methods had been used. An integrated identity management solution with support for single sign-on, multi-factor authentication, and one-time passwords is essential for this; in the case of suspicious logins and activity, for example, such a solution always enforces multi-factor authentication. By applying this multi-layered approach, companies can not only protect their sensitive data, but also continue to offer their employees the convenience of working with cloud applications.
Text: Michael Scheffler, Regional Director CEEU, Bitglass