You may recall news reports in early June 2023, regarding the hack of the MOVEit file transfer software by a ransomware extortion group based in Russia, known as “Cl0p” but more commonly referred to as “Clop”. Keeping in mind that the vast majority of ransomware instances are not publicly reported, in order to avoid both embarrassment of the victims and attention for the perpetrators, this one was disclosed for a number of reasons. For one, it was widespread, affecting a diverse group of victims that included the U.S. Department of Energy and other federal agencies, Johns Hopkins University and the Johns Hopkins Health System, the University System of Georgia, CalPERS (the California Public Employees’ Retirement System), the Province of Nova Scotia, Shell Oil, British Airways, the BBC, and the state motor vehicle departments in Oregon and Louisiana. A second reason was that Clop publicized the victims of its exploit on the dark web. Whether or not you had ever previously heard of MOVEit, software that is widely used by companies and organizations around the world to share sensitive data, you may very well have used similar file transfer products such as WeTransfer and Dropbox.
In the MOVEit instance, the hackers exploited a previously unknown vulnerability in the software, gaining access to users’ files before the software could be patched. This is what is referred to as a zero-day exploit, when software engineers have “0” days to patch a vulnerability prior to its exploitation. What made this extortion a bit atypical was the fact that the perpetrators did not follow the usual pattern of locking down victims’ computers until a ransom was paid, but instead threatened to release sensitive data that had been accessed unless their ransom was paid, as always, in the form of Bitcoin or another cryptocurrency. According to the latest information published by Palo Alto Networks, which monitors ransomware payment trends, the average ransom demand rose to $2.2 million in 2021, with the average payment rising to $541,010.
The Value of Your Personal Data
Ransoms are one thing, but the stolen data may be even more profitable when sold on the dark web. Let’s very conservatively presume that a hack discloses the private data of 5 million users. According to Privacy Affairs, an organization that monitors and compiles lists of prices for personal information when sold online, the following are just a few examples of the going prices for everything from social media logins to credit card accounts.
- Credit card details, account balance up to $5,000: $110
- Credit card details, account balance up to $1,000: $70
- Stolen online banking logins, with a minimum balance of $2,000 on account: $60
- Stolen online banking logins, with a minimum balance of $100 on account: $40
- Cloned Visa, MasterCard or American Express account with PIN: $20
- USA hacked credit card details with CVV: $15
- 50 Hacked PayPal account logins: $120
- Hacked Gmail account: $60
- Hacked Facebook or Instagram account: $25
- Hacked Twitter account: $20
- US eBay account: $20
- Netflix account, 1-year subscription: $20
- Hacked Spotify account: $10
- 10 million USA email addresses: $120
Clearly, these international thieves are playing a numbers game. Although the hackers in the MOVEit incident exploited a software vulnerability, the majority of breaches occur as the result of human error. Most typically, those errors involve unwarily responding to a phishing scam, carelessly clicking on a link, or using the same (usually weak) password on multiple sites. Many phishing scams appear legitimate because they utilize data from earlier corporate hacks. For example, if an email service provider has been hacked, its subscriber list will have been compromised, leading to subscribers receiving suspicious emails. Because nobody wants their email service to be disrupted, many people will quickly comply with a request to divulge further personal information.
One of my clients recently received an email, indicating that his email account had been compromised, requiring him to click on a link to confirm his username and password. He did so, without a second thought, then had his email account disabled two days later because it was being used to send out massive amounts of spam, effectively turning his computer into a zombie device. When his password was reset and his account access restored, he received another email, no doubt from the same perpetrators who had lost access to his account, asking him to click on a highly suspicious link in order to “cancel the requested deactivation” of his account. Clearly, they were hoping that lightning would strike the same victim twice. Now you can see why a single hacked Gmail account sells for $60 on the dark web!
Take Precautionary Measures
I have said it before, and I will say it again: we all need to be highly vigilant before clicking on links in an unsolicited email. If that email contains spelling mistakes or grammatical errors, you can be assured that it did not originate from the company whose graphics have been “borrowed” in order to enhance credibility. Hover over any links, and you will often see that they lead to highly suspicious URLs. In addition, take the time to set up and utilize multi-factor authentication on every online account that involves either payments or passwords. Then be sure that you always use a secure and unique password for each site. Many of us tend to “recycle” our passwords, a truly lazy habit. In those instances, a hacked password on one account could lead to hacked access to multiple accounts, falling victim to what is referred to as a “credential stuffing” attack.
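The “hover over the link” check can also be automated. The following is an added example (not part of the original post) that reads the HTML of a message, pulls out every link, and flags the two signs described above: a link whose visible text names one website while its actual destination is a different host, and a link that goes to a bare IP address instead of a named site. The email text, the hosts (example-isp.com, evil-host.test) and the IP address are all constructed placeholders.

```python
"""Flag links in an HTML email whose visible text and real destination disagree.

Added example, not the original post's code. Uses only the Python standard
library, so it runs offline on the constructed sample message below.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style of the "cancel the requested deactivation"
# message described above. Hosts and the IP address are placeholders.
SAMPLE_EMAIL_HTML = """
<p>Your mailbox will be deactivated. To cancel the requested deactivation,
visit <a href="http://198.51.100.23/login.php">https://mail.example-isp.com/account</a>
or <a href="https://mail.example-isp.com/help">our help page</a>.</p>
<p>Also see <a href="https://secure-login.example-isp.com.evil-host.test/verify">
secure-login.example-isp.com</a> within 24 hours.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently being read, if any
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, visible_text) tuples from an HTML string."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(url):
    """Lowercase host of a URL; a scheme is added if the text has none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text itself reads like a web address."""
    pattern = r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$"
    return bool(re.match(pattern, text.strip(), re.IGNORECASE))


def audit_links(html):
    """Return a finding for each link that a hover check would expose.

    A finding carries the href, the visible text and a list of reasons.
    """
    findings = []
    for href, text in extract_links(html):
        href_host = host_of(href)
        reasons = []
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            reasons.append("href points at a bare IP address")
        if looks_like_url(text):
            text_host = host_of(text.strip())
            if text_host and text_host != href_host:
                reasons.append(
                    f"visible text names {text_host} but href goes to {href_host}"
                )
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: {finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

On the sample message the first and third links are reported (the first for both reasons, the third because the visible text names example-isp.com while the destination is a subdomain of evil-host.test), and the plain “our help page” link is left alone because its text makes no claim about where it goes. The same routine can be pointed at any saved message source.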
If you would like to learn more about the very serious nature of these online threats, I highly recommend a reading of “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth, a cybersecurity journalist for The New York Times and an advisor to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). This is a difficult book to put down (so you may want the audio book version), and it will keep you awake at night.
This post was written by Peter Pelland