
  • Credential theft, as used here, is the creation of fake login pages that look real for the sole purpose of stealing the usernames and passwords used to access legitimate accounts.
  • The most-targeted brands in these credential theft phishing scams include PayPal, with 11,000 fake login pages, Microsoft with 9,500 fake pages, and Facebook with 7,500 fake pages.
  • To avoid falling victim to a credential theft attack, consumers should not click on any links unless they know they are legitimate, should double-check the actual email address of the sender, and should change their password right away if they believe they entered it into a fake login page.
  • For more information about the latest data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • Victims of identity theft can contact the ITRC toll-free at 888.400.5530, or by using the live-chat function on the website.

Credential stuffing is a term consumers often hear from cybersecurity experts. It is a type of cyberattack in which stolen credentials, usernames and passwords, are tried against other accounts where the same username and password were reused. There is another term heard less often, but just as prevalent: credential theft.


Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the last week in our Weekly Breach Breakdown podcast. This week, we are talking about fake websites that look real and are created for the sole purpose of stealing the logins and passwords used to access legitimate accounts. We will look at how security researchers found tens of thousands of fake login pages being used to collect credentials from consumers.

Credential Theft

To commit a credential stuffing attack, a hacker must first have credentials. Where do data thieves get the logins and passwords that fuel these attacks? The most obvious source is the data breaches everyone has seen over the years, in which millions of credentials are stolen in a single mass attack. There are less obvious sources, too, and one of them is credential theft.

Earlier in 2020, security company IRONSCALES began to look for a specific kind of webpage: fake login pages that look as if they could come from real companies. From January until June, IRONSCALES found more than 50,000 phony login pages spoofing more than 200 recognizable brands with a high volume of web traffic.

These fake login pages are linked from phishing emails as a way of getting people to click on what they think is a legitimate login page. Most people cannot tell the page is fake, so unsuspecting victims type their real usernames and passwords into a webpage the attacker controls. That is all it takes for data thieves to have working credentials for live accounts. They do not even have to buy or steal a breached database.

Top Targets for Phishing Scams

Anyone reading this blog might be wondering if they have ever clicked on an email link connected to an account. If they have, was it a real login page?

IRONSCALES reports that PayPal is the top target for phishing scams, with more than 11,000 fake login pages spoofing the brand. Microsoft is not far behind with 9,500 phony login pages. The list continues with Facebook with 7,500, eBay with 3,000 and Amazon with 1,500 known fake login pages. Other commonly spoofed brands include Adobe, Aetna, Apple, Alibaba, Delta Air Lines, JP Morgan Chase and Wells Fargo.

All of these companies have people who do nothing but seek out and shut down these and other kinds of fake webpages, websites, social media accounts and text messages used to collect personal information from their legitimate customers and prospects. However, the research shows that credential theft is easy for a couple of reasons. The first is that the phishing emails delivering the fake login pages can slip past email security tools and spam filters simply because the attacker makes small changes to each message, so it no longer matches what the filters have already learned to block.

Inattentional Blindness

The second reason is inattentional blindness: when something looks so familiar, or you are focused so intently on a task, that you do not see the obvious errors hiding in plain sight. A classic example comes from a study in which people were told to watch a video and count the passes made by players wearing white jerseys. More than 50 percent of those taking the test missed the fact that a person in a gorilla suit walked right through the scene.

How Inattentional Blindness Applies to Identity Theft

In a credential theft attack, that blindness translates into an inability to spot the tell-tale signs of a phishing page, even among trained cybersecurity and fraud professionals. What should people do if they encounter what they believe is a phishing attack?

1. Don’t click on any links unless you are sure they are legitimate. When in doubt, type the address of the website or webpage you are trying to reach into your browser, or use a bookmark you saved earlier, instead of following the link.

2. If the link arrives in an email, double-check the actual address of the sender, not just the name shown. The display name in the sender line is free text the sender chooses, so it can be made to look legitimate. If you click on or hover over the sender’s name to reveal the real address, you may find that the email apparently from mybank.com is actually from bob@scams-r-us. Get into the habit of checking the real email address, and remember that even a plausible-looking address is not proof on its own; when in doubt, go to the site directly as in tip 1.

3. If you believe you entered your credentials into a fake login page, change that password as soon as possible, on every account where you used it, and alert the security team at the company whose login page was spoofed. Changing it matters because the password is already in the thieves’ hands, no matter how strong it was: a long passphrase offers no protection against a phishing page once you have typed it in. While changing your password, consider switching to a 12-character passphrase with upper and lower case letters; it is easier to remember than a short jumble of symbols, and estimates that an automated cracking tool would need about 300 years to guess it assume the attacker is working from a stolen password hash at a particular guess rate. Where the service offers it, also turn on two-factor authentication, so a stolen password alone is not enough to log in.
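The sender check in tip 2 can be automated. The Python below is an added example written for this post, not code from the ITRC or IRONSCALES: it parses a From header with the standard library, compares whatever the display name claims (a domain such as mybank.com, or a brand name) against the domain of the address that actually follows it, and also flags a Reply-To that points at a different domain, which is how a phisher collects answers to a forged From address. The BRAND_DOMAINS table, the ".example" domains and the sample headers are constructed for illustration.

```python
"""Check whether an e-mail's visible sender name matches the address it
really came from.

Added example for this post, not code from the ITRC or IRONSCALES. The
BRAND_DOMAINS table and the sample headers below are assumptions
constructed for illustration.
"""
import re
from email.utils import parseaddr

# Assumption: brands we care about and the domain that legitimately sends
# mail for them. A real deployment would load this from configuration.
BRAND_DOMAINS = {
    "paypal": "paypal.com",
    "microsoft": "microsoft.com",
    "mybank": "mybank.com",
}

# Anything in a display name that looks like a domain, e.g. "mybank.com".
DOMAIN_LIKE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


def related(domain_a, domain_b):
    """True when one domain equals, or is a subdomain of, the other."""
    a = domain_a.lower().strip(".")
    b = domain_b.lower().strip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def sender_parts(header_value):
    """Split a From/Reply-To value into (display_name, address, domain)."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def spoof_indicators(from_header):
    """Return human-readable reasons the From header looks spoofed.

    The display name is free text chosen by the sender, so the checks
    compare what it *claims* (a domain or a brand name) against the
    domain of the address that actually follows it."""
    name, addr, domain = sender_parts(from_header)
    if not addr or not domain:
        return ["From header has no parseable address"]
    reasons = []
    lowered = name.lower()
    for claimed in DOMAIN_LIKE.findall(lowered):
        if not related(claimed, domain):
            reasons.append(
                f"display name shows {claimed!r} but mail is from {domain!r}")
    for brand, brand_domain in BRAND_DOMAINS.items():
        if brand in lowered and not related(domain, brand_domain):
            reasons.append(
                f"display name claims {brand!r} but mail is from {domain!r}")
    return reasons


def header_indicators(headers):
    """Check From plus, if present, a Reply-To pointing somewhere else.

    `headers` is a dict of header name -> value. A Reply-To on a different
    domain is how a phisher collects answers to a forged From address."""
    reasons = spoof_indicators(headers.get("From", ""))
    reply_to = headers.get("Reply-To")
    if reply_to:
        _, _, from_domain = sender_parts(headers.get("From", ""))
        _, reply_addr, reply_domain = sender_parts(reply_to)
        if reply_domain and from_domain and not related(reply_domain, from_domain):
            reasons.append(
                f"replies go to {reply_addr!r}, not to the From domain {from_domain!r}")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers (not real mail).
    samples = [
        {"From": "mybank.com <bob@scams-r-us.example>"},
        {"From": "PayPal Support <alerts@paypal-secure.example>"},
        {"From": "Microsoft account team <no-reply@accountprotection.microsoft.com>"},
        {"From": "Alice <alice@example.org>", "Reply-To": "alice@collector.example"},
    ]
    for hdrs in samples:
        print(hdrs["From"], "->", header_indicators(hdrs) or "looks consistent")
```

The subdomain test in related() is what keeps legitimate mail from a brand's own sending subdomain (accountprotection.microsoft.com) from being flagged while still catching look-alike domains such as paypal-secure.example; a display name that is simply a person's name with no brand or domain in it produces no indicators, because there is nothing for it to contradict.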

notified™

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor by calling toll-free at 888.400.5530, or on the website via live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


Fortnite Gaming Data Being Sold for Hundreds of Millions of Dollars Per Year

Fortnite is one of the most popular battle royale games on the market. People of all ages play the game to work their way towards the center of the map. However, there is one thing about Fortnite, and other games, that many gamers are not aware of: the massive amount of gaming data that is collected, and stolen.

Every week the Identity Theft Resource Center (ITRC) looks at the most interesting data compromises from the previous week, as well as what happens behind the scenes when someone attacks a company and steals personal or business information in our Weekly Breach Breakdown podcast. This week, we are taking a look at Fortnite in an episode titled “Let the Games Begin!”

The Financial Dominance of the Gaming Industry

What industry made more money in 2019? Video games or movies? The answer will probably surprise most people. Video games generate more revenue each year than movies and music combined. Despite Marvel’s Avengers: Endgame setting a new global box office record in 2019 at $2.7 billion in ticket sales, the film industry’s $42 billion pales in comparison to the more than $150 billion in video game revenue in 2019. The top video game of 2019, Call of Duty: Modern Warfare, racked up $1 billion in sales in the last two months of 2019 alone. Call of Duty is still the number one video game in terms of sales nearly a year later.

Data Risk

One of the reasons the game remains so popular is the same reason video games represent a significant data risk: someone can play Call of Duty online for free and then make in-game purchases. When someone goes to the movies, they do not hand over personal information to buy a ticket. When someone wants to play video games online, they have to share lots of data, starting with an account login and, for those in-game purchases, payment details.

The Impacts on Fortnite

Nearly 2.7 billion people play video games, and at least 500 million of them play games online; 350 million just play Fortnite. While the online battle game is free to play, Fortnite makers gross $2.4 billion a year in in-game purchases. It’s what attracts data thieves; the combination of player gaming data and people willing to spend lots of money.

Research published by Night Lion Security calculates that more than two billion online video game player profiles have been breached in 2020, based on the number sold, or offered for sale, in underground online forums. That adds up to roughly $1 billion in illicit gaming data sales each year. Of those, Fortnite player account information is the most valuable, at approximately $600 million per year.

Why? It is not just personal information being stolen. It is also the profile’s gaming data, including game achievements and the cosmetic outfits known as “skins.” With the right skin, an account looks like it belongs to an elite-level player, without the buyer having to play Fortnite or defeat hundreds of players to get to the top of the heap.

Night Lion notes that one highly prized skin commands as much as $2,500 on the black market. Between reselling elite and average player accounts, data thieves who specialize in Fortnite skins earn an average of $25,000 per week, nearly $1.3 million per year.

How Do Data Thieves Do It?

Cybercriminals use automated credential stuffing tools that take login and password pairs from past data breaches and try them against active Fortnite accounts, at a rate of almost 500 accounts per second. To cover their tracks, and to keep any single address from being blocked, the data thieves route those attempts through masking tools, typically rotating proxies that hide the real source address, which sell for as little as $15 on the dark web.
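What that automated tooling looks like from the defender’s side, as an added example that is not code from the ITRC or Night Lion Security: the Python below runs two detectors over constructed authentication log lines. The first catches stuffing from a single address (many attempts against many different usernames, nearly all failing, arriving faster than a person types). The second addresses the masking tools described above, which rotate source addresses so that per-IP counting sees nothing; it counts usernames that failed exactly once and never logged in during the window, which pile up when a leaked list is being replayed. The log format, the thresholds and the sample events are assumptions made for this example.

```python
"""Spot credential stuffing in authentication logs.

Added example for this post, not code from the ITRC or Night Lion
Security. The log line format, the thresholds and the sample events
are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> ip=<addr> user=<name> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse(lines):
    """Turn raw log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["ip"],
                           m["user"], m["result"] == "OK"))
    return events


def per_source_stats(events):
    """Attempts, distinct usernames, failures and time span per source IP."""
    stats = {}
    for ts, ip, user, ok in events:
        s = stats.setdefault(ip, {"attempts": 0, "users": set(), "fails": 0,
                                  "first": ts, "last": ts})
        s["attempts"] += 1
        s["users"].add(user)
        s["fails"] += 0 if ok else 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return stats


def flag_single_source(stats, min_attempts=10, min_user_ratio=0.8,
                       min_fail_ratio=0.8, min_rate=1.0):
    """Stuffing from one address: many attempts, nearly every one against
    a different username, nearly every one failing, arriving faster than a
    person types. A real user retrying one account looks nothing like it."""
    flagged = []
    for ip, s in stats.items():
        n = s["attempts"]
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        if (n >= min_attempts
                and len(s["users"]) / n >= min_user_ratio
                and s["fails"] / n >= min_fail_ratio
                and n / span >= min_rate):
            flagged.append(ip)
    return sorted(flagged)


def flag_distributed(events, min_orphans=5):
    """Stuffing through rotating proxies: every IP shows up once or twice,
    so per-IP counting sees nothing. Instead count usernames that failed
    exactly once and never logged in during the window ("one-and-done"
    failures). Real users who mistype usually retry and then succeed."""
    fails = defaultdict(int)
    succeeded = set()
    for _ts, _ip, user, ok in events:
        if ok:
            succeeded.add(user)
        else:
            fails[user] += 1
    orphans = {u for u, n in fails.items() if n == 1 and u not in succeeded}
    return orphans if len(orphans) >= min_orphans else set()


def sample_log():
    """Constructed sample, not real data. Three things are happening:
    alice mistypes her password twice from her own address and then gets
    in; one address tries 20 different accounts in four seconds (stuffing
    in the open, with one 'hit'); eight addresses each try one different
    account (stuffing spread over proxies)."""
    lines = [
        "2020-08-10T12:00:00 ip=192.0.2.10 user=alice result=FAIL",
        "2020-08-10T12:00:20 ip=192.0.2.10 user=alice result=FAIL",
        "2020-08-10T12:00:41 ip=192.0.2.10 user=alice result=OK",
    ]
    for i in range(20):
        result = "OK" if i == 7 else "FAIL"
        lines.append(f"2020-08-10T12:01:{i // 5:02d} ip=198.51.100.7 "
                     f"user=leaked{i:02d} result={result}")
    for i in range(8):
        lines.append(f"2020-08-10T12:02:{i * 5:02d} ip=203.0.113.{i + 1} "
                     f"user=leaked{i + 20:02d} result=FAIL")
    return lines


if __name__ == "__main__":
    evts = parse(sample_log())
    print("single-source stuffing from:", flag_single_source(per_source_stats(evts)))
    print("one-and-done failures:", sorted(flag_distributed(evts)))
```

Run stand-alone, the single-source detector names only 198.51.100.7, while alice’s two failures followed by a success never trip either rule. The one-and-done count is deliberately a window-level metric rather than a per-IP one: the eight proxy addresses each make a single attempt, which no per-IP threshold can distinguish from a stranger mistyping once, but 27 usernames failing exactly once in two minutes is not what a population of real users produces.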

What You Need to Do

The best security tools in the world cannot help protect gaming data if players use the same logins and passwords on more than one game account.

  • If you or a family member plays a popular video game, including Fortnite, make sure the game credentials are unique for each game and are not reused on any other account.
  • Also, create a unique passphrase and set up two-factor authentication to prevent misuse of your player profile and personal information.

If you do not, it could be game over.




Another week has gone by, and there are new data compromises for the Identity Theft Resource Center (ITRC) to educate businesses and consumers about. Since 2005, the ITRC has tracked publicly-notified U.S. data breaches, more than 10,000 of them so far; more recently, it has tracked them using 25 different information fields and 63 different identity attributes that are updated daily. On last week’s Weekly Breach Breakdown, we talked about the market price for consumer data in the dark corners of the internet where identities are bought and sold. This week, we are looking at the average cost to an organization of a data breach that becomes public. We will also talk about the latest data breaches that reflect the trends in the new research.

The 15th annual IBM Cost of a Data Breach Report, conducted by the Ponemon Institute, was recently released. Reflecting some of the same trends the ITRC has reported, the IBM study shows that the global average cost of a data breach has dropped to $3.8 million, with an “average” breach defined as one involving 100,000 records or fewer. That is a drop of nearly a half-million dollars.

However, when you focus on the U.S. alone, the average cost of a data breach has gone up almost the same amount to an average of roughly $8.6 million. That continues the long-term trend of costs steadily increasing beyond the rate of inflation since 2005.

Regarding how the cost is calculated, it includes the following:

  • The actions required to detect and respond to a data breach
  • The costs of notifying the people whose information was stolen
  • Lost revenue and the costs of marketing and sales activities required to regain consumer trust lost as a result of the data breach
  • Legal fees, fines and settlement costs
  • Increased customer care support

Lost revenue is the single largest component, at 40 percent of all breach-related costs. What is not included are the expenses of fixing the problem that caused the breach in the first place and of making the changes needed to ensure it does not happen again. While it stands to reason that the bigger the breach, the bigger the costs, they are exceptionally bigger, as much as 100 times bigger, when the number of records compromised exceeds one million. If a data breach of 100,000 U.S. records costs $8.6 million, a one-million-record event could cost close to $900 million.

According to the IBM report, the number one cause of data breaches in 2020, at 19 percent, is lost and stolen credentials (logins and passwords), tied with misconfigured cloud environments: for example, a cloud storage bucket or database left reachable from the internet with no password required, leaving its contents exposed for anyone to see. Unpatched software was in third place at a little over 15 percent, while malicious employees accounted for only seven percent of the breaches reviewed by the Ponemon Institute. It is also worth noting that some security and human resource experts believe the number of insider attacks will only go up if pandemic-related layoffs increase.

Other key findings from the 2020 IBM Report regarding the average cost of a data breach include:

  • 53 percent of the attacks in the 2020 report were financially motivated.
  • The most expensive attacks occurred in the healthcare sector.
  • The average length of time between when a malicious attack starts and when it is contained is 315 days, ten and a half months.
  • Threat actors want customer information, especially logins and passwords, more than any other data; it was targeted 80 percent of the time. However, that is not the only data they want. Nearly a third of the breaches in the IBM study involved theft of company intellectual property.

Looking back at the top breaches this past week, Nintendo, the company that gave us Donkey Kong and Mario Brothers, was the victim of a cyberattack in which thieves dumped a large amount of data onto the web. While no personal information was exposed, screenshots and prototypes of games were posted online. The Nintendo breach reflects the IBM report’s finding that company intellectual property is also a target for cybercriminals. Intellectual property theft can have a significant impact on a company’s business performance.

A recent ransomware attack on Garmin, which makes GPS devices and fitness trackers, shut down customer access to multiple products and services, as well as manufacturing. It took Garmin nearly a week to publicly acknowledge the attack, and services are still being restored. According to Garmin, no consumer information was compromised, and the ransomware involved is not known to steal data; it is known only to hold data hostage by encrypting it.

Finally, there is Drizly, the popular service for ordering alcoholic beverages for delivery. The company was hacked, and information from an estimated 2.5 million accounts was placed on the dark web’s identity marketplaces. According to Drizly, no payment information or other sensitive customer data was breached. However, the cybercriminals say otherwise and are selling the stolen data for $14 per account, which puts the value of the whole set at at least $35 million.

For more information about the latest data breaches, people can subscribe to the ITRC’s data breach newsletter. Also, keep an eye out for the ITRC’s new data breach tracker, notified™. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free. Notified launches in August.

If someone believes they are the victim of identity theft or believes their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.




Ransomware is something no one wants to end up with. It is a type of malicious software designed to deny access to data or a computer system until the hacker is paid. Ransomware is just one of many forms of malware, code developed by cyberattackers to damage data and systems or to gain unauthorized access. While there are many different types of ransomware, the operators behind the Maze ransomware attacks are among the bad actors at the core of many recent data compromises, and the phishing emails that start them.

Maze is considered a sophisticated Windows ransomware family. Its operators do not just encrypt a victim’s files; they first steal copies of the data, then demand cryptocurrency payments under the threat of publishing what they stole. The impact of the Maze group and similar ransomware operations has become a growing problem.

According to healthitsecurity.com, in May the Maze operators published two plastic surgeons’ stolen data for sale on the dark web after a successful ransomware attack. A little over a month earlier, Maze operators hit Chubb, an insurer that sells cyber insurance to businesses that suffer data breaches. According to CRN, the Maze group recently stole 100 GB of files from Xerox.

However, there are actions consumers and businesses can take to reduce their chances of being hit:

  • Consumers should use reputable antivirus software and a firewall
  • People should consider using a virtual private network (VPN) when accessing public Wi-Fi or untrusted Wi-Fi
  • Consumers and businesses are both encouraged to make sure all systems and software are up-to-date and have the relevant patches
  • People should not provide any personal information in an email, phone call or text message they are not expecting
  • It is important that consumers do not click on any links from emails, text messages or instant messages they are not expecting; instead, they should go directly to the source

The Maze ransomware has impacted many; businesses and consumers should do what they can to protect themselves and their data.

Anyone who has questions or believes they are a victim of a Maze ransomware attack, or any other malware attack, can live-chat with an Identity Theft Resource Center expert advisor for tips.

They can also call toll-free at 888.400.5530. Finally, victims can download the free ID Theft Help App for instant access to advisors and resources.

