Why do hackers display breached information like emails and private information out in the open? What effect does this behavior have on society?
Here, we call upon multiple cybersecurity industry leaders to discern some of the many motives that incentivize hackers.
“Some men just want to watch the world burn”
Allan N. Buxton, the Lead Forensic Examiner of Secure Forensics, tells The Sociable that “doxxing,” or the deliberate reveal of personal information usually gained by illegal access to online accounts, is a means of convincing targets of the hacker’s authenticity in fulfilling the threat.
“Sometimes, the threat of making gained information public is worth more than the disclosure,” he says.
Money is not always the motivating factor for hackers, but it is certainly up there, and so we shall start there.
1) Money: How Much Hackers Can Make
Breached records can go for pennies to hundreds of dollars depending on the nature of the content up for sale. So, how much money do these cybercriminals make after they get hold of data? How precious is the data in monetary terms?
According to Symantec’s 2019 Internet Security Threat Report, attacks on enterprises are up 12%. A new business will fall victim to an attack every 14 seconds this year. The attacks have already generated upward of $25 million in revenue for criminals.
The Sociable spoke to an array of experts to see what price cybercriminals put on different types of information. The following is a composite list:
- Personal Information (including identification number, address, birthdate) – $20 to $450
- Social Security Numbers – $1 each
- Medical Records – $20 to $50 each
- Credit Card Numbers – $2 – $5
Social security numbers were one of the most frequently exposed types of sensitive data last year and fetch a surprisingly low sum, according to Adam Stahl, Digital Marketing Specialist at Kelser Corporation.
He also says medical records are one of the most valuable types of information on the black market, making healthcare organizations such a target for hackers. For instance, UConn Health experienced a breach this spring, exposing the data of 326,000 patients.
“Say a small portion of that – 10 % – were complete medical records. That data would sell for $652,000 – $1.8 million,” he says.
Motives and prices vary as cybercriminals pursue that valuable information that we inadvertently put out there. As Buxton says, “As far as worth goes, it depends on what information is for sale.”
2) Extortion and Blackmail
Most displays of breached information like emails and private info out in the open is usually part of an extortion scheme.
In 2018, two major Canadian banks, Simplii Financial and Bank of Montreal (BMO), were blackmailed after a data breach. The perpetrators threatened to release the data publicly unless the banks agreed to pay them a million-dollar ransom.
“Many hackers like to leave a ‘calling card’ – their own little signature for each attack”
Citing the recent Radiohead’s archives breach, Stahl, says that when companies are in this situation, they usually have fewer options. Hackers gained access to English rock band Radiohead files and threatened to post them unless the band paid $150,000. In this case, the band posted the music themselves.
Targeted pornography sites and infidelity sites like AshleyMadison.com have had their users targeted individually for money to prevent public disclosure of their membership. Members were hit for money in excess of $1,000 apiece to keep their information confidential, and some of them paid.
3) Taunting and Shaming
Hackers also use samples from the information they’ve breached to taunt victims and try to shame them into paying ransom.
This happened in May, when the City of Baltimore suffered a ransomware attack and a Twitter account, reportedly belonging to the hacker, was tagging the city’s mayor in tweets releasing confidential information, seemingly attempting to goad the city into paying.
This June, Daniel Kelley, 22, from Llanelli, South Wales, who was caught for taking part in £77million hack on mobile network TalkTalk, was found to be motivated by ‘spite or revenge’ for being turned down from a college computer course.
In the AshleyMadison.com data breach, cybercriminals disclosed raw data including names, addresses, phone numbers, and sexual fantasies of registered users, which included domain names such as University of Texas, Sony, Boeing, and Bank of America. Also, government workers with sensitive White House, law enforcement, and congress jobs had to admit using the site after being exposed.
Yes, they extorted money as well, but more than that, the resulting embarrassment caused suicides, heartbreaks, and divorces.
4) Experimenting and Fun
Hacking information is a process that requires constant practice. In a cybercriminal’s world, every data breach would count as exercise.
Johnny Santiago from Social Catfish, a company that helps verify if someone online is who they say they are, told The Sociable that cybercriminals may be practicing and experimenting with their hacking skills, or want fame among the hacking community and peers (especially if they hacked a big organization).
For a hacker with a penchant for penetrating forbidden digital paths, dangerous data breaches can give that adrenaline rush they constantly seek.
As actor Michael Caine says in the 2008 Batman movie, “Some men just want to watch the world burn.”
Robert Siciliano, President and CEO of Safr.Me, says that while hackers are profit-minded, the return to hacking for fun and fame has become popular again due to the fact that there are so many records up for sale and hackers still want to differentiate themselves from others, therefore posting their accomplishments is the equivalent of a “notch in your belt”.
5) Credibility and Bragging Rights
Hackers will publish certain information to provide credibility to their intrusions. Braden Perry, a Cybersecurity Expert, and a former federal enforcement attorney and Chief Compliance Officer of a global financial institution, explains:
“Ordinarily, this information published publicly is a hook for those looking for more sensitive information to confirm and verify that an intrusion took place.
“The hacker will then have a dark web presence through which, interested parties can purchase information confidentially and securely.”
Also, an often overlooked reason for releasing breached information (such as emails) is bragging rights.
Zohar Pinhasi, CEO of MonsterCloud and a cyber-threat specialist and counter-cyberterrorism expert who consults for the FBI, TSA, and various police departments across the country, says, “Many hackers like to leave a ‘calling card’ – their own little signature for each attack.”
Releasing this information publicly also helps them gain credibility and support among their peers, showing proof of their skills.
Buxton adds, “It’s one thing to talk about cracking into a network, but another thing entirely to prove you’ve done it successfully. There’s a pecking order amongst hackers, and the successful ones who can pull it off by discovering their own exploits or creating their own tools to do so are at the top. Displaying the wares you’ve gained is one of the currencies used to gain that credibility.”
Attackers displaying info in the open is the advertisement for buyers to find them, like setting up shop.
According to author and cybersecurity professional Greg Scott, “The problem with the so-called dark web is, well, it’s dark.
“By definition, nobody can find these illicit websites via search engines, and so only people who know where to look, will ever see them. But like rats, illicit websites move around all the time and hide under rocks. So bad guys who want to sell their wares do often advertise samples in public. But good luck finding bad guy advertisers – they stay well hidden.”
“Displaying the wares you’ve gained is one of the currencies used to gain that credibility”
Scott told The Sociable how his being a victim of data breaches led him to author two novels. In his “Bullseye Breach: Anatomy of an Electronic Break-In,” Russian mobsters steal 40 million customer credit card numbers from a fictional retailer, Bullseye Stores. His “Virus Bomb” shows what might happen if a hostile government really does get serious about using the Internet as part of an attack against the US.
“I was frustrated with headline after headline about companies who allowed attackers to steal my personal information because every single one of those data breaches was preventable. And, so I decided to do something about it,” he says.
Not Everyone Sells
In the majority of cases, data breaches end up being leaked or sold online. However, Benjamin Dynkin, CEO of Atlas Cybersecurity, told The Sociable, “While many criminals do try to leak and sell records on the dark web, several high-profile breaches have not been leaked or sold.
Citing two of the highest profile data breach incidents, the Equifax data breach, which happened in 2017, and the attack on the Office of Personal Management (OPM) of June 2015, he says:
“In both of these cases, criminals got access to very sensitive information. In the case of Equifax, financial information, and in the case of OPM, clearance records and personnel files. However, they never leaked or sold these records, likely keeping them for other, nefarious, purposes like blackmail, espionage, etc.”
“Like rats, illicit websites move around all the time and hide under rocks. So bad guys who want to sell their wares do often advertise samples in public. But good luck finding bad guy advertisers – they stay well hidden”
The Equifax fiasco exposed the personal information of roughly half the US population, while OPM released information about a Chinese state security breach of its computer system, which compromised the data of 4 million Americans.
The cost of these records can vary greatly, from a few dollars for a social security number to hundreds of dollars for a medical record or passport. Additionally, many records have a limited time of value, thus criminals try to package large breaches together to be moved quickly.