Article By Dylan Sachs
We now know that Yahoo’s cybersecurity breach likely exceeded 500 million records and was reportedly the result of criminal activity in which the hackers sold the data for financial gain. It may be one of the largest breaches of all time, but it is unfortunately not that surprising. It’s getting to the point where the world is awash in stolen records. Yahoo joins LinkedIn, Gmail, Twitter and Facebook in the pantheon of leading social networks that have suffered (very public) large-scale data breaches.
Those stolen records, including addresses, encrypted passwords, and personal data, will be the fuel that drives cybercrime and identity theft schemes for many months. But the Yahoo breach news will also kick off a new wave of opportunistic cyber exploits.
The next wave of attacks will be email-based, and it will be launched against the general public, leveraging the Yahoo brand, and/or other leading online brands. A BrandProtect analysis discovered a major spike in new domain registrations that incorporated the Yahoo name in the hours after news of the breach broke.
Here are a few top concerns in the aftermath of the Yahoo breach:
- Opportunistic third parties will seek to monetize the Yahoo breach, using the Yahoo brand, as well as a multitude of other brands.
- Cyber criminals are already preparing and registering new domains that appear to be legitimate Yahoo sites, such as www-yahoomail (dot) org, yahoomailsecurity (dot) net and yahoosecurityupdate (dot) com. The most threatening domains have active MX records – these domains are configured to be able to launch email attacks that seem to come from a source that the public might mistake for a legitimate Yahoo-sanctioned account.
- Emails will appear to provide Yahoo breach victims with help, but instead will infect systems with malware or ransomware.
Cybercriminals may also launch attacks against users of other email, credit card, banking, or social media networks. These attacks will cite the Yahoo breach, and recommend that the user revalidate their current account or update their password. Again, a malware or ransomware infection will be the result.
Pundits are fond of saying “it’s not if you’ll get hacked, but when you’ll get hacked,” but that doesn’t mean that enterprise security teams should roll over and await their fate. There are lots of things that enterprises can do before they get hacked that should reduce their risks from a large number of external threats.
Here are three steps every CISO should take to make sure that they are not on the wrong side of tomorrow’s headlines:
- Monitor for unauthorized use of company’s identity:
There are many ways an enterprise’s identity can be stolen — all of them are bad. A copycat domain can imitate a legitimate domain, or be used to launch phishing attacks targeting executives and employees. Across social and professional networks, scammers create duplicate profiles to masquerade as corporate executives, or create completely fictitious profiles to collect connections to real employees. Enterprise security teams should implement a comprehensive internet risk audit to identify all unauthorized uses of the corporate identity, and then take quick action to have these domains, profiles, sites, user groups, etc. taken down or neutralized.
- Be on alert for a phish:
Headline-grabbing breaches most often begin in the most mundane and common attack of them all — a phish. The bait in the email might be a notification from HR, or a document that requires review. Employees should be instructed to forward suspicious emails to a centralized email address, an “abuse box,” where the email can be evaluated by internal or external experts.
Formal anti-phishing and brand threat monitoring, especially if it incorporates MX-record monitoring, can protect employees, executives, partners and the public. It removes dangerous emails, and the enterprise becomes a harder, less cost-effective target for criminals.
- Educate and empower employees:
“If you see something, say something.” CISOs should make sure that employees are empowered and rewarded to participate in security best practices. Internal education about the dangers of clicking on links and visiting high-risk online sites should become a part of every enterprise’s standard on-boarding process. Recognize employees who pass the internal phishing test. And reward employees who have a hand in identifying real attacks.
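The copycat-domain concern raised earlier (www-yahoomail, yahoomailsecurity, yahoosecurityupdate) and the MX-record monitoring recommended in the steps above can be put together as a small triage routine. This is an added example, not BrandProtect code; it assumes a feed of newly registered domains paired with their MX hosts, replaced here by constructed sample data so it runs offline, and it generalizes the page's three examples to any brand token plus common lure words and digit-for-letter homoglyphs.

```python
"""Triage of newly registered domains that imitate a brand (added example)."""
from dataclasses import dataclass, field

# Constructed sample feed: (domain, MX hosts). An empty list means no MX record,
# so the domain cannot yet receive or convincingly send mail for that name.
SAMPLE_FEED = [
    ("www-yahoomail.org", ["mail.example-mx.net"]),
    ("yahoomailsecurity.net", []),
    ("yahoosecurityupdate.com", ["mx1.example-mx.net"]),
    ("gardening-tips.org", ["mx.gardening-tips.org"]),
    ("yah00-login.com", ["mx.example-mx.net"]),
]

BRAND = "yahoo"  # hypothetical: the brand token being monitored
LURE_WORDS = ("mail", "security", "update", "login", "verify", "account", "support")
# Digit-for-letter substitutions commonly seen in lookalike registrations.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"}


def normalize_label(domain: str) -> str:
    """Lower-case the registrable label, undo homoglyphs, drop hyphens.

    Assumes a single-label TLD (e.g. .com, .org); two-part suffixes such as
    .co.uk would need a public-suffix list.
    """
    label = domain.lower().rsplit(".", 1)[0]
    label = "".join(HOMOGLYPHS.get(ch, ch) for ch in label)
    return label.replace("-", "").replace(".", "")


@dataclass
class Finding:
    domain: str
    lure_words: list = field(default_factory=list)
    has_mx: bool = False
    priority: str = "medium"


def triage(feed):
    """Return brand-imitating domains, MX-capable ones first."""
    findings = []
    for domain, mx_hosts in feed:
        label = normalize_label(domain)
        if BRAND not in label:
            continue  # not imitating the brand; ignore
        rest = label.replace(BRAND, "")
        lures = [w for w in LURE_WORDS if w in rest]
        has_mx = bool(mx_hosts)
        # Active MX = ready to send breach-themed phish, so it goes to the top.
        findings.append(Finding(domain, lures, has_mx, "high" if has_mx else "medium"))
    findings.sort(key=lambda f: (f.priority != "high", f.domain))
    return findings
```

Feeding the sample list to `triage` puts the three MX-enabled lookalikes ahead of yahoomailsecurity.net, which has no MX record and is a takedown candidate rather than an imminent email threat.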
Despite headline-grabbing hacks like the Yahoo breach, today’s cyber criminals are just as likely to be going after large financial scores (through whaling, BEC or ransomware attacks) or extortion/influence attacks targeting executives or enterprise reputations. CISOs should take action today to make sure that they are not on the wrong side of tomorrow’s headlines.
Dylan Sachs directs Identity Theft and Anti-Phishing efforts at BrandProtect. He works directly with leading financial institutions, health care providers and Fortune 500 enterprises to help CISOs and security teams deploy better defenses against modern email and identity theft attacks, including socially engineered exploits. Sachs also leads the Incident Response Team, responsible for developing actionable intelligence on and mitigating the incidents that target clients.