Data theft (1/3): how do malicious individuals steal your data?
Identity data theft on the internet has never been as high as it is today and it is constantly increasing. The CNIL counted for 2019 a 195% increase in cases of reporting by companies of illegitimate access to personal data compared to 2018. This stolen data is profitable for malicious individuals and the many commercial companies that exploit it. This is why XSL Labs wanted to find solutions to ensure data security.
In this series of articles, we wanted to give the reader a complete overview of data theft around the world, so that they can take the right measure of this widespread and costly phenomenon. In this first article, we will focus on the most common methods used by malicious individuals to gain access to your personal data and on the way they use it. We will then present the global figures of data theft and explore the specific case of companies and finally the case of public services and the medical sector.
Data theft techniques
The main techniques used by malicious individuals to achieve their goals are clickjacking and phishing.
Clickjacking consists of pushing the Internet user to divulge confidential information or to take control of his computer by getting him to click on certain pages where “traps” are placed, hidden links that will take the user to places he has not chosen. Some of these “traps” are hidden in games where the player has to click on certain buttons to score points, without knowing that these buttons secretly activate his webcam.
Phishing is well known. Malicious individuals usurp the identity of an organization or a third party that the user trusts, such as a bank, an insurance company, the Public Finance Department, or benefit funds, and will attempt, under the pretext of a problem that is often urgent to resolve and puts the user in difficulty, to lead him to a website identical to that of the institution in order to ask him to enter his data, which is then retrieved from the malicious individuals’ databases.
Brute force attacks are also a common practice, using specialized software that can test a very large number of passwords very quickly. If the password is too simple, the malicious individuals get into the user’s protected accounts and can accomplish their misdeeds.
Finally, another frequently used practice is credential stuffing. It consists in testing a service login page with a large number of “username and password” pairs that the malicious individuals have obtained through previous data breaches. This way, they exploit qualified lists that they buy on the dark web and that contain hundreds of millions of emails or identifiers associated with a password. This hacking strategy was developed after attackers realized that users almost always use their email address as their login and very often use a single password for all their accounts.
How do malicious individuals take advantage of your data?
These login credentials are then exploited in different ways by malicious individuals depending on the services they have allowed access to.
In the case where they have allowed access to financial information such as credit card numbers and security codes, they can be used for the purpose of making illegal transactions.
Identity information such as names, addresses, dates of birth, and social security numbers can be used to steal identities on the Internet or to sell this data to unscrupulous business developers.
They can also steal health information which is very lucrative too. Insurance documents and medical diplomas are stolen and then resold to third parties, or used by the malicious individual himself to claim reimbursements for expensive medical services. Fake prescriptions and health care cards were also sold on the dark web. Moreover, the consultation of stolen health insurance information, in particular in order to make false claims at the victim’s expense, is sold at very affordable prices on the underground Internet, so it is very easy for anyone who wishes to profit from this stolen data to obtain it at low cost.
Many other means exist and they are impossible to list exhaustively: they demonstrate the ingenuity of malicious individuals to find ways to make profits from personal data.
In a future article, we will discuss the immense cost of data theft to the global economy.