Earlier this week, Dow Jones announced to customers that, between August of 2012 and July of 2015, unauthorized individuals had accessed internal systems that store customer information.
Chief Executive William Lewis explained in a letter to customers, ‘It appears that the focus [of the breach] was to obtain contact information such as names, addresses, email addresses and phone numbers of current and former subscribers in order to send fraudulent solicitations.’
For fraudsters, the ability to add legitimacy to fraudulent solicitations is critical to success. Once they know someone is a customer, imitating corporate communications requesting personal or financial information is trivial.
Sadly, the real victims of these types of attacks aren’t corporations, which have insurance and contingency plans in place, but regular people. In these types of incidents, parents, grandparents, friends, and co-workers are all victimized under the guise of a brand they know and trust.
Breaches like these are an entirely different animal than the Target, Home Depot, and PF Chang’s incidents. In those cases, the attackers stole massive amounts of personal financial information. The breaches were only discovered because of the uptick in stolen credit card information flooding the black market.
Cyber criminals have learned that dumping massive amounts of credit card information on the black market draws attention. Rather than stealing and selling credit card data in bulk, this group turned to systematic customer scams using Dow Jones as bait.
This method of attack, in which brands or branded digital assets are manipulated to defraud customers, has grown significantly over the last several years. In the 2015 Verizon Data Breach Investigations Report, Verizon researchers reported that 70% of web-based attacks were aimed at secondary targets. In other words, 70% of breached websites in 2014 were turned into virtual Venus flytraps.
Cyber criminals have identified a blind spot in most security programs, one that lets them rely on attacks aimed at secondary targets. Organizations are weakest beyond the firewall, along the enterprise digital footprint, which consists of branded digital assets (websites, mobile apps, etc.) existing on the open Internet. This area is simply beyond the capabilities of traditional security controls.
Digital footprint security requires continuously discovering branded digital assets, inventorying them, monitoring them for malicious behavior or signs of compromise, and enacting enforcement policy. Organizations lacking this ability are lagging dangerously behind the adversary.