Your usernames and passwords are your port-keys to the business applications that are the lifeblood of your organization. Those credentials are also one of the hottest commodities on the Dark Web.
What is the Dark Web?
In simplest terms, the Dark Web is an untraceable, undetectable area of the web that can be accessed only by using special software. Originally created to provide an environment of free speech and anonymity, the nature of the Dark Web has allowed online criminal activity to flourish. And while some usage of the Dark Web is benign and can actually provide a voice for those in oppressed countries, nearly half of all activity on the Dark Web is criminal. From the sale of illicit drugs to far more nefarious activities, the Dark Web can be a dangerous environment. One of the most common crimes taking place is the disclosure and sale of business credentials and personal information. The criminals who obtain these credentials are patient and sophisticated – and are willing to wait, sometimes years, for the opportunity to use the information to harm your business for financial gain.
You Are Vulnerable – and So Is Your Business
Usernames and passwords are the go-to security solution for so many networks, services, and social media sites, but they are the weakest link in your security effort, particularly when taking into consideration the risk of human error. Usernames and passwords are often the only layer of security that stands between your employees and your business network. While best practices demand that we should use different passwords for every service (do you?), the reality is that most of us repeatedly reuse passwords. That is a huge problem. The password that may have just been stolen from your employee during the Capital One breach, for example, may be the same one used to connect to your network, your financial system, or their work email.
In fact, passwords being shared among different services is one of the most common issues we come across. When one service is compromised, every subsequent use of that credential is at risk. We commonly see malicious actors inject themselves into the middle of an email conversation regarding an invoice or other financial transaction and intercept data (e.g. provide the other party with different bank routing info). We’ve seen these cyber criminals create rules to forward, delete, or hide messages so that their activity is undetected. Sometimes it might be used only for gathering information for other nefarious purposes. It all starts with a password that someone used in more than one place and found its way into the hands of the criminal element on the Dark Web.
An example of the cost and damage of the reuse of passwords happened recently at a firm in Columbus whose CEO was one of the 117 million people that had their passwords stolen during the 2016 LinkedIn breach. This CEO’s password was sold on the Dark Web, and the criminal sat on the information until the company was conducting a large financial transaction with another company. The criminal waited for the right moment, inserted himself into the email conversation using the stolen password from three years prior (that had never been changed) and intercepted a payment to the tune of hundreds of thousands of dollars.
Even if you do not share credentials, individual breaches are still cause for concern. Your account at “Joe’s Pizza” may not grant access to anything important, so you are safe, right? Not at all. Credentials to things you might consider unimportant, such as a pizza delivery service, can give second-rate cyber thieves the extra boost they need.
You might think that the worst that could happen is that they order a bunch of pizza under your name, but in reality, the goal can be much more sinister. By compromising your favorite pepperoni and mozzarella hub, they might be able to obtain access to a great deal of information – your address (and past addresses), telephone numbers, email address, maybe even your birthday, if “Joe’s Pizza” happens to have a loyalty program and has collected that data (most restaurants do). They might even pick up the answer to a generic security question or two. This information can potentially give them the advantage they need to leapfrog into something more important, such as the security question on your email password reset or key details for a credit application.
Identifying compromises and taking actions to contain those breaches are critical to your overall personal and professional security posture.
There Are Steps You Can Take to Protect Yourself and Your Business from the Dark Web
There is no single solution that will protect you from every possible attack. It’s all about risk identification and management. Two areas at risk for causing the most damage – credentials that are up for grabs on the Dark Web and human error – can be minimized with the proper tools, training, and support.
At thinkCSC, the team offers Dark Web monitoring to identify exposed credentials and alert their customers before hackers can do harm. thinkCSC’s Dark Web monitoring services are provided through a strategic partnership with ID Agent, provider of Dark Web monitoring and identity theft protection solutions. With Dark Web ID, thinkCSC can now offer 24/7 monitoring of millions of sources, including botnets, criminal chat rooms, peer-to-peer networks, malicious websites, bulletin boards and illegal black-market sites, to alert you of stolen or compromised data. To learn more, please get in touch with OSAE member thinkCSC.