Cyber threats are constantly being renewed as cybercriminals develop increasingly sophisticated techniques to achieve their goals. Aware of these new approaches, El Pescador periodically develops new phishing simulation campaigns with the aim of educating clients on Information Security threats.

One of the most recent is the Data Leak Campaign.

Here’s how data leaks work, the potential motives behind them and their consequences, as well as how El Pescador’s new Data Leak campaign works to prevent them.

Data leakage is the unauthorized transfer of confidential data between a company’s computers or servers and computers “outside” the corporation, whether intentionally or unintentionally. In the case of intentional leaks there are a variety of motivations, ranging from financial gain — whether through blackmail (request for return of stolen data), or through the sale of data to agents interested in that information — to pure and simple exposure of a target with the objective of causing financial and brand damage, as happened with Sony in 2014, which we will discuss later.

To get what they want, criminals need to break into corporate systems. For this they rely on several techniques such as Google Hacking, which allows an attacker to use the search tool to find programming flaws in company websites.

But attackers also take advantage of the negligence, distraction and lack of knowledge of employees at all levels of organizations regarding Information Security.

One form of carelessness that is considered reprehensible from a security point of view, and is widespread among companies, is the use of corporate credentials — i.e. the company’s e-mail address — to create accounts on social networks, a practice that makes this e-mail address public. Currently there are many public mailing lists containing millions of corporate e-mail addresses. This information, combined with the unacceptable practice of reusing the same password to access multiple sites, greatly facilitates the work of attackers interested in penetrating a company’s systems.

Recently, the Ponemon Institute — an independent research institute specializing in the area of privacy and information security — jointly conducted, with IBM, a survey of the costs of data leaks in companies during the year 2016. The IBM / Ponemon 2016 Cost of Data Breach study involved 383 organizations from 16 industries in 12 countries and produced numbers that give an idea of the severity of this type of attack.

In financial terms, the average cost of a single event of this type in 2016 was US $4 million, an increase of 29% over 2013. It is estimated that a single leaked record costs on average US $158, a number which may vary according to the industry involved. For example, a leaked patient record could mean a loss of around $355 for a hospital, while in the transportation industry a stolen record costs just over $120.

But there are losses that are more difficult to quantify, as shown in a 2014 case that became known as the Sony Pictures Hack. Back then, a group of hackers used phishing techniques to steal — and disclose — confidential studio data. The attack, which a Washington Post article classified as “far beyond the typical cyberattack to a corporation”, generated huge costs for the studio, which had to hire cybersecurity professionals to investigate the cause of the leak and invest time and resources in restoring its data network. Not to mention the box office losses — caused by the leakage of some films that had not yet been released — and the impact on the brand itself.

As in many cases, the cybercriminals responsible for this attack used phishing techniques to steal system access credentials and get the data. Investigations have shown that studio executives received fake emails requesting confirmation of their Apple IDs. The emails contained a link pointing to a fake support site where victims submitted their login data. This information was used to gain access to victims’ LinkedIn network accounts, and from there it was possible — in some cases — to discover the credentials of professionals on Sony systems.

The new campaign will be the first “active” El Pescador campaign. Unlike the other campaigns, where the client provides participants’ email addresses to El Pescador, in the Data Leak Campaign participants will be selected by the El Pescador team, along with Tempest’s Threat Intelligence team.

The selection is based on a continuous search of public databases to find corporate e-mail addresses that are available on the web, whether through leaks or through disclosure by the company or the employees themselves. More than 1 billion e-mail addresses are already cataloged in these databases.

The goal of the campaign is to raise awareness not only among participants but also of how innocent attitudes — such as openly disclosing their corporate email address — can lead to theft of credentials for access to company systems and thereby open the door to the leak of important data.

To learn more about this and other El Pescador campaigns, click here [in Portuguese].

And to learn more about phishing, follow our blog [in Portuguese].

.   .   .

This post was originally published on the El Pescador blog. Click here to read it in Brazilian Portuguese.