If Target was the most prominent breach victim of 2013 – suffering a network security lapse that compromised data for millions of shoppers – then there’s already a frontrunner for the same dubious distinction in 2014. eBay was hit by a cyberattack sometime in early 2014, with the perpetrators making off with sensitive information on some of the service’s 128 million registered users. The compromised databases may have included many of these individuals’ email and physical addresses, encrypted passwords, dates of birth and phone numbers.
Given the incident’s timing, it’s possible that the Heartbleed vulnerability in the OpenSSL cryptographic library – open but undiscovered at the time – could have been exploited to evade eBay’s defenses. Either way, eBay subsidiary PayPal’s assets, which include extensive data on payment cards and bank accounts, were spared since they were housed on a separate network.
Social engineering takes center stage with eBay breach
Without knowing if any cryptographic weaknesses were in play, the more pressing aspect of the attack becomes the apparent use of social engineering, which has become a fixture of cybercriminal strategy:
- Social engineering, another term for deception, is on the rise as cybercriminals focus on profits in addition to prestige. It may take a variety of forms. A Trend Micro TrendLabs report, “How Social Engineering Works,” highlighted the rising prevalence of tricks such as fake “must-click” social media posts, suspicious emails urging immediate action and too-good-to-be-true offers related to seasonal sporting events or holidays.
- At the same time, employees are not receiving sufficient security awareness training (SAT). A 2014 study from Enterprise Management Associates, which surveyed 600 individuals at organizations of all sizes, found that more than half of workers do not receive any SAT. Without it, people are more likely to enter credentials in unsafe contexts or click on malicious links.
- It’s not just garden variety cybercriminals that have taken up social engineering. Hackers working on behalf of countries such as Iran have conducted years-long campaigns against U.S. military officials.
In the case of eBay, social engineering did the work more commonly associated with sophisticated network exploits and advanced malware. In a statement about the breach, eBay mentioned that “a small number of employee login credentials were compromised.” As many as 100 such accounts may have been hijacked, although to eBay’s credit its security teams discovered anomalous network activity within roughly 90 days, far below the 224-day average time to discovery reported by Mandiant in 2014.
How did the attackers acquire eBay employee credentials? Speaking to Help Net Security, Brian Honan, CEO at BH Consulting, hypothesized that they used spear-phishing to mislead eBay employees. If true, the success of such tactics would seem to indicate that eBay’s security apparatus lacked adequate access controls and two-factor authentication mechanisms, which between them could have stopped cybercriminals from getting through the gates with just a username and a password.
The long term effect of the eBay breach: Even more social engineering
Social engineering is self-perpetuating. A successful attack not only embarrasses the victim and puts customers at risk, but it also provides fuel for future attempts. Phishing typically succeeds because its targets cannot distinguish fraudulent missives from legitimate communication.
There’s definitely a large chunk of everyday emails and social media posts that many users immediately recognize as unworthy of their time. Misspelled words, overly long URLs and get-rich schemes are common, well understood red flags. Cybercriminals may use these tactics because they don’t know enough to go after specific targets and are instead casting as wide a net as possible, in hopes that they’ll snare something.
But social engineering can also gather the sensitive data – addresses, birthdays, etc. – that cybercriminals need to craft better-informed attacks.
“Look, for example, at the eBay breach,” Dwayne Melancon, CTO of Tripwire, told PC World. “Millions of users’ personal information was disclosed – far more than just email addresses and usernames. Those who possess the eBay data are now armed with dates of birth, locations, and even phone numbers, from which they can craft some of the most convincing phishing sites we’ve ever seen. By mentioning details from your local area, adding details that would appeal to you based on your age, and so forth, cybercriminals can greatly increase the odds you will respond to a phishing email.”
Spear-phishing is only going to become more sophisticated in the wake of the eBay and Target attacks. Enterprises have to be on guard with modern network security and two-factor authentication to prevent costly breaches.
What can enterprises do to avoid eBay’s fate?
How eBay has handled this breach is instructive. It did a few things well (such as discovering the network intrusion relatively early) and several others less ideally, most notably the delay in reporting the results to the public. Here are some takeaways for enterprises looking to respond better to such incidents:
- While eBay nicely asked all of its users to reset their passwords, in these circumstances it’s a better idea to force everyone to change their password, since many won’t do so of their own volition.
- Two-factor authentication is critical both for internal systems and in consumer-facing products. Services such as Google and WordPress already offer two-factor options to end users, making it difficult for thieves to simply plug in pilfered credentials and gain access.
- Bulking up authentication security is also vital because many username-password combinations are far too straightforward. Like many breach victims, eBay has touted the encryption protecting the stolen credentials, but this layer of security may not be enough for the scores of weak, recycled passwords in common use. Passwords such as “123456” are distressingly common and can be cracked with minimal effort.
- Network monitoring and discovery software is critical for catching malicious activity in real time. Workers no longer rely exclusively on in-office PCs, often bringing in personal devices that may contain malware. Modern security solutions can protect company data from such threats.
Enterprises can go even further than that by requiring physical presence at a facility before being granted data access. Similarly, they could make core assets reachable only through private IP networks rather than the public Internet. Still, these measures may be impractical for some organizations, making the above actions more practical in most cases.