How attackers piece together partial data

Last month, Carefirst confirmed it had suffered a data breach. As details have emerged, the prevailing view in the aftermath is that this breach is not as severe as the Anthem or Premera breaches that preceded it. The thinking is that the victims dodged a bullet, since the attackers only accessed personal information such as member names and email addresses, not more sensitive data like medical information, Social Security numbers, and passwords. However, PhishMe's CTO and co-founder, Aaron Higbee, warns that attackers may still be able to use this partial information in a variety of ways, and that a partial breach should not be dismissed as trivial.

Aaron said, “The first, most obvious way attackers will use this information is to send phishing attacks. There may be a sense of relief that victims at least avoided the risk of identity theft, but even partial information about Carefirst’s members can help enterprising criminals.

“For Carefirst’s attackers (who had been present on the network since June 2014), the key to profiting from this attack is to sell this information. Names and email addresses by themselves are valuable to spammers (one can imagine spam hawking cheap prescription drugs being sent to a list of healthcare users), but names and email addresses also hold value. Fresh email addresses are also valuable to people who are building out botnets. Most importantly, there is an entire cottage industry of people who go to great lengths to upgrade partial data to make it more valuable. On the Dark Web, one can easily find postings buying and selling this kind of partial information.”

PhishMe pulled the following forum post, in which the poster is looking to purchase any kind of database containing private user information:

[Screenshot of the forum post; image not reproduced here]

Aaron continues, “How could attackers use this information? Take, for example, a list containing phone numbers and debit card numbers, but no PINs. A debit card number without a PIN isn’t useful, but an attacker could easily orchestrate a phone scam by posing as the victim’s bank, gain legitimacy by correctly stating the victim’s card number, and ask the victim to verify his/her identity by providing the PIN. Look no further than the recent IRS breach to see how attackers may gain the coveted, sensitive information needed to steal identities by piecing together partial bits of information.” 

Attackers were able to access full tax returns through the IRS’s Get Transcript application, which requires the requester to answer personal verification questions; clearing those questions means the attackers must have had prior knowledge about their targets. The IRS stated as much, saying, ‘These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process, including several personal verification questions that typically are only known by the taxpayer.’
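The “upgrading” step described above is, mechanically, a record-linkage problem: two dumps that are each low-value on their own are joined on a shared key (usually the email address), and the merged record is then checked against the fields a knowledge-based authentication flow asks for. The following Python is an added illustration of that process, not code from PhishMe or from any breach; the two CSV fragments are constructed and fictional, and the set of KBA fields is an assumption standing in for whatever a given portal actually asks.

```python
"""Record linkage across two partial breach dumps (constructed example).

Shows how two individually low-value datasets, joined on a normalised
e-mail address, yield records complete enough to answer typical
knowledge-based authentication (KBA) questions. All data below is made up.
"""
import csv
import io
from collections import defaultdict

# Constructed dump A: what a "names and e-mail addresses only" breach yields.
DUMP_A = """name,email
Jane Doe,Jane.Doe@example.com
John Roe,jroe@example.net
Ann Poe,ann.poe@example.org
"""

# Constructed dump B: an unrelated leak holding different fields for some of the same people.
# Note the different e-mail casing and the blank fields for jroe.
DUMP_B = """email,phone,dob,street
jane.doe@example.com,555-0100,1975-03-09,12 Elm St
JROE@example.net,555-0101,,
bob.loe@example.com,555-0102,1980-01-01,9 Oak Ave
"""

# Assumed set of fields an attacker wants before attempting a KBA-protected portal.
KBA_FIELDS = ("name", "dob", "street", "phone")


def normalise_email(addr):
    """Lower-case and strip so 'Jane.Doe@Example.com ' matches 'jane.doe@example.com'."""
    return addr.strip().lower()


def load(csv_text):
    """Parse an in-memory CSV dump into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def merge(*dumps):
    """Join any number of dumps on e-mail.

    The first non-empty value seen for a field wins; later dumps only fill
    gaps, they never overwrite, so the order of the arguments expresses trust.
    """
    merged = defaultdict(dict)
    for rows in dumps:
        for row in rows:
            key = normalise_email(row["email"])
            rec = merged[key]
            rec["email"] = key
            for field, value in row.items():
                if field == "email" or not value:
                    continue
                rec.setdefault(field, value)
    return dict(merged)


def missing_kba_fields(record):
    """Return the KBA fields still absent from a merged record."""
    return tuple(f for f in KBA_FIELDS if not record.get(f))


def kba_ready(merged):
    """Return the e-mails whose merged record has every KBA field populated."""
    return sorted(k for k, rec in merged.items() if not missing_kba_fields(rec))


if __name__ == "__main__":
    profiles = merge(load(DUMP_A), load(DUMP_B))
    for email, rec in sorted(profiles.items()):
        gaps = missing_kba_fields(rec)
        print(email, "READY" if not gaps else f"missing {gaps}")
```

Only one of the four people ends up fully profiled, which is the realistic outcome: most merged records stay incomplete, and the seller’s profit comes from the minority that cross the threshold. The same join is useful on the defensive side, since an organisation deciding how seriously to treat a “names and emails only” exposure can run its affected list against known public dumps and see how many of its members are one dataset away from a usable identity.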

Aaron concludes, “I’m not trying to draw any connection between the IRS breach and Carefirst. We don’t know how the IRS attackers gathered their intel; it was likely from a number of sources. We also don’t know where the Carefirst data has gone. It’s just important to note that these ‘less severe’ breaches still have consequences.”