Why would someone want your old credentials?
Vlad Jelov
Strategic business development & digitalization Expert | Speaker, Author | Unlocking value & opportunities for organizational growth through technology and people
Golf is mostly a quiet and focused game. But when you play with someone new and there is a break in the action (pun intended), you get to talk about the general stuff, like the weather, the virus, the US election and the most generic question of them all: “What do you do for a living?”
When I answer “I’m in cybersecurity”, people go “Oh, cool” and we move on to what they do, which is often more exciting and easier to grasp. But not this time. On a break before the 10th hole, my partner Lauri looked at me very seriously.
"Vladimir, Google is leaking my passwords. Can you help?"
"Riight. Google is indeed an evil corporation profiting from…"
"No, not like that. I’m serious. I can prove it."
"Well, there is a Pulitzer in there for you, if you do..."
"Will you have a look when we are back at the club-house?"
A couple of hours later, Lauri did indeed pull his laptop out of a bag in the dressing room, logged in and handed it over for me to have a look.
I wasn’t too excited, since I was drawn towards a sauna and a cold drink, but I dutifully started poking around.
Antivirus – McAfee Endpoint, corporate, up to date, no alerts. Could be MVision and cloud, but still adequate. Processes – no apparent weird apps or adware. Google Chrome – no strange extensions.
"Lauri, you said that you can prove it? Would you please?"
Lauri took the laptop and went to an Estonian online marketplace www.okidoki.ee
"There, you see!"
"And if you go here (Chrome settings, Passwords), there are 20 more."
He went on to Chrome settings and passwords to show me that there were indeed 20 leaked passwords.
"Ahh, the leaked password checker!"
Lauri had discovered the password checker functionality in Chrome, which has been around for a while but only recently made it to mobile, which is probably what caught his eye. It’s quite handy and I most definitely advise you to go through your saved passwords to see whether any of them have been leaked.
"Well, what should I do about it?"
"You should avoid using that password in the future and change it on all the affected sites. If you have used it somewhere else – change it there as well."
"But I don’t even use most of them and it sounds like a pain to change my password manually on so many websites. What could possibly go wrong?"
Right. What could possibly go wrong when a creative and malicious cybercriminal gets hold of your account? What followed was a long lecture by yours truly, and here is a short but visual example from it.
Seriously, what?
Throughout our lives, we leave digital traces all over the place. Even the most overly protective people can be found through public records. The worst kind of trace, though, is your credentials and personal info sitting in some long-forgotten database, which then gets hacked. Or sold for profit.
And a surprising number of people still use and re-use the same password, or the same password logic, that they used 10 or even 20 years ago.
So, once criminals get hold of those, they can do a lot. It could directly cost you money or, potentially worse, you will be used as a mule for money laundering or for theft of money from a stolen credit card. The latter could open you up to a criminal investigation.
Here is one of the paths the criminals take to enrich themselves. By the way, becoming a cyber-criminal has been made easy by the huge amount of available info, including books like this one, sold on Amazon and elsewhere:
Step 1: Get some credentials and credit card numbers
There is a place called the Darknet where these things are sold. A parallel Internet with its own rules (or lack thereof). Here, on a variety of marketplaces, drugs, trade secrets and personal data are bought and sold.
So, it’s a matter of getting some names of real people with real addresses and credit card numbers. Prices range from a few dollars to several hundred, depending on how fresh and rich the victim is. The two don’t necessarily even need to match, as you will see from the example below.
Or, one could just buy a verified Amazon account straight up:
Step 2: Stay invisible
People often buy things on marketplaces and in web-shops just once. They also probably turn off all notifications from there to avoid the spam. So, when a criminal gets access to such a “forgotten” account, they can do what they want in relative obscurity.
If they try to steal money from the victim’s credit card directly, they would typically do it in small instalments, as most people never bother to check 10-, 20- or 30-dollar charges.
If they try to use the person as a “mule”, the likelihood of being detected is even smaller. And even if it is detected, the person would likely not pay attention.
Here is an innocent-looking order for something a spouse or other family member could have ordered with your card. These screenshots are from one of our recent investigations.
In the case we researched, the card itself belonged to a third person, not the one whose account had been hijacked. That is, the Amazon account in question was being used to transfer money from someone else’s card to that of a criminal. The reason that person discovered the problem was the bizarre description of the product in question.
Step 3: Get rich
Once the order has been processed and the money has cleared, there is almost no way for the victim to get it back.
You may ask: "How do they make money? Amazon or the marketplace would just refund the order if it never arrives and ban the seller..."
There are several options:
- The order might actually arrive. Someone in China or elsewhere ships some junk to the owner of the hijacked account. Something worth 1 dollar but "sold" for 25.99.
- It could also be a legitimate item which has been stolen and is sold below market price, making the buyer complicit in buying stolen property.
- And last, but not least, there is a chance that the card owner wouldn’t even notice.
One case of a 25-dollar profit sounds like too little to bother with. But if it is done against thousands of targets… the numbers stack up. Also, in this case, it was clear that this was a mass hack. Have a look at the picture below and see if something stands out.
Oh, and by the way: in the same way that buyer accounts can be hijacked, so can seller accounts. For example, someone might be selling something (same logic as above) through your forgotten account, and if there is a problem, you will be the first one to get blamed.
Well, this sucks! What should I do?
Lauri wasn’t thrilled about my lecture or the cruelty of digital reality. But being aware of the risks gives you, your loved ones (whom you absolutely should educate) and your colleagues a fighting chance.
Here are some simple tips:
- Never use the same password on two different services, and use two-factor authentication wherever possible.
- Use a strong password manager, like www.lastpass.com, to create and remember your passwords for you. There is a free version.
- If the second option doesn’t work for you, let Google Chrome or whichever browser you use create complicated passwords and remember them for you. Change those passwords every few months as well.
- Any website or service where you enter your address and/or credit card information should have a strong password.
- Delete accounts on sites and web-shops you use once or rarely. Or at least remove your “payment details”.
- In your company, use privileged account management (PAM) and cloud access security broker (CASB) technologies to regularly monitor account security.
- Check https://haveibeenpwned.com/ or a similar resource to see where your credentials might have been leaked (and change those passwords).
- Consider hiring security consultants to screen your key managers and check whether their data is for sale on the Darknet.
- Talk to your family, friends and colleagues about security hygiene. It’s almost as important as physical hygiene.
- If possible, turn on notifications for transactions on your credit cards. That way, if there is a transaction you don’t remember making, you will be able to react immediately by blocking your card.
- If you are in doubt or think that something is wrong, talk to your friends or to security consultants. Better safe than sorry.
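To show what the first and seventh tips look like in practice, here is a small added example (not code from the original post): it audits a set of saved site passwords for reuse across services and looks each one up in Have I Been Pwned's "Pwned Passwords" range API by k-anonymity, so only the first five hex characters of the password's SHA-1 ever leave the machine. The API format (5-character prefix in the URL, `SUFFIX:COUNT` response lines) is assumed from HIBP's public documentation, which this post does not describe; the credentials, breach counts and offline response below are constructed.

```python
import hashlib
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5  # HIBP range queries use the first 5 hex chars of the SHA-1

def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def parse_range(body: str) -> Dict[str, int]:
    """Map each returned 35-char hash suffix to its breach count (CRLF and blank lines tolerated)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches; 0 means not found."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    """Real lookup over the network; the sample run below injects an offline stand-in instead."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"User-Agent": "saved-password-audit-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def audit(creds: Dict[str, str], fetch_range: Callable[[str], str]) -> List[Tuple[str, str]]:
    """Return sorted (site, finding) pairs for reused passwords and passwords seen in breaches."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in creds.items():
        by_password[pw].append(site)
    findings: List[Tuple[str, str]] = []
    for pw, sites in by_password.items():
        seen = breach_count(pw, fetch_range)  # one lookup per distinct password
        for site in sites:
            if len(sites) > 1:
                findings.append((site, f"reused on {len(sites)} sites"))
            if seen:
                findings.append((site, f"seen {seen} times in breaches"))
    return sorted(findings)

# Constructed offline response: SHA-1("password") = 5BAA6 + 1E4C9B93F3F0682250B6CF8331B7EE68FD8
SAMPLE_RANGES = {"5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
                          "0000000000000000000000000000000000A:0\r\n"}
SAMPLE_CREDS = {"okidoki.ee": "password", "amazon.com": "password", "bank.example": "Tq7!vB2p#zLw9"}

if __name__ == "__main__":
    for site, finding in audit(SAMPLE_CREDS, lambda p: SAMPLE_RANGES.get(p, "")):
        print(f"{site}: {finding}")
```

Swap `lambda p: SAMPLE_RANGES.get(p, "")` for `fetch_range_live` to query the real service; the count of 12345 above is a made-up figure, not HIBP's actual number for that password.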
And that is the story. Our company runs regular training and account sweeps for customers in both the public and private sector. If you want to have a chat about beefing up your account security and security hygiene, or about a recent incident, contact us.