How Cybercriminals Turn Your Stolen Emails Into Cash; An Analysis Of Recent Data Breaches

On February 3, we learned of another retail data breach in what has been an extremely active cybersecurity season.  The most recent incident involved a breach of White Lodging, a company that holds franchises on hotels such as Hilton, Marriott, Sheraton and Westin.  Initial reports indicate the breach resulted in the disclosure of debit and credit card information of thousands of guests who made purchases in hotel restaurants and shops.  According to information released by Marriott, there is no indication the computer system responsible for front desk operations was compromised. What is not clear is to what extent additional personally identifiable information (PII) was compromised as a result of this breach. 

Over the past three months we have seen six major security breaches resulting in the release of hundreds of millions of debit and credit card accounts. Those breaches also resulted in the disclosure of as many, if not more, email addresses, telephone numbers, mailing addresses and other pieces of what is often considered lesser bits of information.  Yet, because of the focus on financial fraud as the result of a data breach, there continues to exist a lack of understanding of the value of what is often considered innocuous pieces of information, such as email addresses.  After all, it is easy to understand how a cybercriminal can turn stolen credit and debit card information into money, and the value of those accounts to the legitimate owners is clearly evident.  The question is, what is the value of an email address to a cybercriminal?  How can a cybercriminal convert a batch of stolen emails into money?

There is perhaps no other piece of personally identifiable information that is so integrated in our online persona as our email address. Whether you are registering for a Facebook account, an Amazon account, online banking or any other online service, you are generally required to provide an email address. The individual that has control over the email address, coupled with a weak or easily guessed password, could have control over multiple accounts attached to those email addresses.  When you take a moment and aggregate all of the individual accounts and services tied to your email, it is easy to understand the value of your email account.  Below is a representation of how ubiquitous an individual email account is to the average consumer.

Ref:  krebsonsecurity.com

Perhaps one of the most popular attacks targeting stolen email addresses is the phishing attack. A typical phishing attack comes in the form of a bogus email purporting to be from a financial institution where the recipient has an account. The message will inform the recipient that there has been some sort of change at the bank – perhaps a new security control or a change to the banking system – that requires the victim to reconfirm their account information. Designed to create a sense of urgency on the part of the victim, the email will include a web link where the victim will be prompted to update his or her personal information. Unbeknownst to the victim, the link will lead to a fake website, specifically designed to mirror the legitimate bank website, where their personal information will be captured by the cybercriminal.

Converting stolen emails to cash is purely a numbers game.  Take, for instance, the Target breach; it is estimated that approximately 70 million emails were stolen during the breach (Step 1).   If we assume for a moment that one person was in possession of those emails, we can quickly demonstrate how lucrative it is to steal email addresses. 

Assuming that the cybercriminal utilized all 70 million emails in a phishing attack, perhaps offering them free credit monitoring, approximately 5%, or 3.5 million messages will make it through email filters and be presented to the recipient (Step 2).  Of those 3.5 million emails, approximately 5%, or 175,000 recipients will click on the phishing link provided in the email (Step 3).  Statistics show that approximately 2% of those individuals who clicked on the provided link will enter personal information such as social security numbers or date of birth into the phishing site (Step 4). On average, an individual experiences a loss of  about $361.00 in a phishing scam (Step 5), when the cybercriminal utilizes their stolen information. The potential payout in this scenario results in the cybercriminal netting approximately $1.2 million, with a very low likelihood of detection.

It is important that we remember that when an organization experiences a data breach, the impact on the consumer is far reaching.  While it is critical that victims of a breach monitor their financial accounts for abuses as a result of a breach, it is equally important that they take proactive steps to minimize their exposure for residual losses of personally identifiable information that may have been compromised.  Understanding the ubiquity of key pieces of information you provide to third parties will help you protect yourself in the event your information is part of a data breach.