Faux phishing scheme shows how hacks unfold

Many CIOs have implemented software that dupes employees into clicking on links and attachments that simulate phishing scams, an increasingly common educational tool to warn workers about the dangers of suspicious email messages. Security software maker Bitglass has reversed the shenanigans by leaking faked Google Apps credentials on the Dark Web, a hacker’s playground for trafficking in stolen data. Then it tracked the activity, watching the many ways in which hackers wreaked havoc with supposed stolen online identities.

The results, including more than 1,400 visits to the credentials and a corresponding bank website, were startling and serves as yet another wake-up call for organizations, whose employees are perennially the weakest link to enterprise security. It should also tell CIOs that enterprising criminals are easily enticed by corporate information housed in the darkest corners of the Web.

For the experiment, dubbed Project Cumulus, Bitglass forged “Dennis,” a fictitious online persona working for a fake retail bank, along with a functional bank Web portal. It created a Google Drive account loaded with emails, files with credit card information and proprietary work documents, and rounded out the Dennis persona with Facebook and LinkedIn profiles. Then it ceded Dennis’ data to sites on the Dark Web that host stolen information, and advertised it as reaped from a phishing campaign, says Rich Campagna, vice president of products and marketing at Bitglass, whose software monitors cloud software corporate employees access.

Fake persona attracts flurry of hacking activity

Bitglass used its monitoring software to “watermark” or track activity on Dennis’ Google Drive files, including logins and downloads. “We could see everything these users were doing, where they’re coming from and whose downloading what,” Campagna says.

Within the first 24 hours, Bitglass logged five attempted bank logins and three attempted Google Drive logins. Files containing real credit-card information were downloaded from Dennis’ account within 48 hours of the initial leak. Over a 30-day period, his account was viewed hundreds of times and many hackers used the Drive credentials to access the victim’s other online accounts. Some 12 percent of hackers downloaded Google Drive download files, with several cracking the encrypted files. The hackers hailed from more than 30 countries around the world, including Russia, U.S. and China.

Bitglass’ successful trolling for unsuspecting hackers didn’t reap many surprises, given the efficacy with which it made data available on the Dark Web. What stood out to Campagna was that 94 percent of hackers who accessed the Google Drive account uncovered the victim’s other online accounts, and used the data to log into the bank’s Web portal — a shockingly high percentage.

Hackers are getting more discreet

Campagna also found the Project Cumulus hackers proved better at covering their tracks, in sharp contrast to a similar Dark Web scam Bitglass ran last year. In that scam, which included 1,568 fake names, Social Security numbers and credit card numbers stored in an Excel spreadsheet, hackers were easy to track because few used Tor, the preferred Web browser for surfing the Dark Web anonymously. “Almost nobody covered their tracks, so we knew exactly where they were coming from, right down to their individual IP addresses,” Campagna says.

But with Cumulus, 68 percent all logins came from IP addresses anonymized via Tor, masking their IP addresses. Campagna says that Bitglass researchers noticed a large number of downloads via Tor over the past eight months. This, coupled with the high rate of Tor usage in the bank experiment, suggests hackers are becoming more security conscious, realizing that they need to mask IPs when possible to avoid getting caught, he says.

More broadly, Bitglass’ new results suggest CIOs and CISOs must be vigilant about protecting corporate assets. Campagna recommends organizations exercise good cybersecurity hygiene, including strong identity management policies, such as regular password refreshes and multi-factor authentication. Data leakage prevention policies and systems that alert IT departments about anonymous behaviors are also essential. “Oftentimes these strong identity policies kind of went out the window when they moved to the cloud, but we need to return to that,” says Campagna.