Data thieves pilfer 3.6 million South Carolinians’ SSNs

State revenue department officials in Columbia, South Carolina today disclosed a major data breach in which an estimated 3.6 million South Carolinians’ Social Security numbers and 387,000 credit and debit card numbers were stolen.

Gannett’s CBS television affiliate WLTX broke the story, acting on a tip received earlier this week, and state officials have now confirmed that the South Carolina Department of Revenue’s website was hacked by someone in a foreign country.

WLTX reporter Nathan Stewart reports that the first breach occurred on August 27, 2012, though no information was taken at that time. Then on October 10, the SC Division of Information Technology informed the Dept. of Revenue of a potential cyber attack. On October 16, investigators uncovered two attempts to probe the system from September. In mid-September, two other intrusions occurred, and the hacker got data for the first time.

Officials noted that none of the Social Security numbers were encrypted, while the vast majority of the credit card numbers – all save 16,000 – were encrypted. South Carolina has a population of about 4.7 million, according to the 2012 U.S. Census, meaning three out of four people’s Social Security numbers were compromised.

Local agencies targeted

Internet hacking of government networks is nothing new. There have been 603 publicly disclosed cases of breaches of government and military networks since 2005, in which at least 141 million records were stolen, according to the Privacy Rights Clearinghouse Chronology of Data Breaches.

Most of the cases involved state and local agencies. By contrast, big federal agencies, led by the Department of Defense, have been continually beefing up their network security for the past decade.

Thus far in 2012, there have been 76 government and military network data breaches, in which 9.8 million records were taken. Cybersecurity and law enforcement experts say the publicly disclosed cases represent only a fraction of the actual number of successful hacks of corporate and government networks.

From late September through mid-October, damaging hacks were reported by the city of Burlington, Washington; the Centers for Medicare & Medicaid Services (CMS) in Baltimore, Maryland; the Town Council of Chapel Hill, North Carolina; the Robeson County Board of Elections in Lumberton, North Carolina; Brightline Interactive, a contractor to the Army Chief of Public Affairs office in Alexandria, Virginia; the city of Tulsa, Oklahoma; and the Town of Willimantic, Connecticut.

Hidden tracks

Meanwhile, cybercriminals’ expertise at hiding their tracks while cracking into company and government networks has advanced considerably over the past decade.

Data thieves today commonly alter the fonts, web addresses and strings of alphanumeric characters in their attack code to throw investigators off the scent.

“There is a lot of spoofing and head fakes going on to make it seem like an attack is originating from a different region,” says Kurt Baumgartner, senior security researcher at Kaspersky Lab.

Generally speaking, the more sophisticated cyber attacks that are being conducted daily for criminal gain appear to originate in Russia, while “noisier” attacks tend to originate from other nations in Asia and Eastern Europe, tech security experts say.

The cutting-edge Russian attacks tend to be stealthy, while noisy attacks tend to be persistent and resilient. “Noisy attacks are much more prevalent and less stealthy on all sorts of operational levels,” Baumgartner says. “And they tend to be prolonged; the attackers will keep returning to their target, sometimes for years.”

There are two main ways criminals leverage the intrinsic anonymity of the Internet to crack into company and government databases. The first hinges on human gullibility, the other on moderate hacking skills:

  •  Spear phishing. From society’s pervasive use of web commerce and social networks has arisen social engineering: the ability for a data thief to extensively profile a targeted victim and subsequently fool that person into clicking on an infected attachment or web link. The infection turns control of the victim’s PC over to the attacker. If the victim uses his or her computer for work, the intruder now has a foothold to probe an organization’s network, map the location of key databases and pilfer data, typically over the course of months or even years.
  •  SQL injection attacks. SQL hacks involve feeding crafted input to the web forms and URLs that query the databases underlying a web page until the database accepts that input as a command rather than as data. Up until early 2008, SQL hacks were done manually, one web site at a time. In the spring of 2008, a bright hacker came up with a way to quickly locate thousands of weakly protected databases and automatically inject them with malicious code. That technique is now widely used to crack into weakly protected databases underlying company and government web sites all across the Internet.
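The SQL injection bullet above describes the defect in one sentence; the following added example (not code from the article, the South Carolina Department of Revenue, or any of the quoted firms) makes it concrete for a defender. It builds an in-memory SQLite table with constructed, obviously fake taxpayer rows, shows a lookup that pastes user input into the SQL text beside the parameterized form that does not, and adds the one check a reviewer would want: a single-record lookup that returns more than one row is a red flag worth logging. Table and column names are assumptions chosen for the illustration.

```python
import sqlite3

# Constructed sample data for the demonstration; these are not real records.
SAMPLE_ROWS = [
    ("1001", "Ann Example", "000-00-0001"),
    ("1002", "Bob Sample", "000-00-0002"),
    ("1003", "Cy Placeholder", "000-00-0003"),
]


def build_db():
    """Create an in-memory database shaped like a simple taxpayer lookup table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE taxpayer (account_id TEXT, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO taxpayer VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, account_id):
    """The defect: the caller's input is spliced into the SQL text, so input can rewrite the query."""
    sql = "SELECT name, ssn FROM taxpayer WHERE account_id = '%s'" % account_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, account_id):
    """The fix: the value travels separately from the SQL text and is never parsed as SQL."""
    sql = "SELECT name, ssn FROM taxpayer WHERE account_id = ?"
    return conn.execute(sql, (account_id,)).fetchall()


def suspicious_result(rows):
    """Detection check: an account-id lookup should match at most one record.

    More than one row back from a single-record query means the WHERE clause no
    longer says what the application thinks it says, which is worth alerting on.
    """
    return len(rows) > 1


def demo():
    """Run both lookups against a normal id and against input containing a tautology."""
    conn = build_db()
    normal = "1002"
    # Input that closes the quoted string and appends an always-true condition.
    tautology = "' OR '1'='1"
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_tautology": lookup_vulnerable(conn, tautology),
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_tautology": lookup_parameterized(conn, tautology),
    }
    results["alert_on_vulnerable"] = suspicious_result(results["vulnerable_tautology"])
    results["alert_on_safe"] = suspicious_result(results["safe_tautology"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable lookup hands back every row in the table when the input carries a tautology, which is exactly how a bulk theft of unencrypted Social Security numbers can start from one unvalidated form field; the parameterized lookup treats the same input as a literal account id and matches nothing. The row-count check is a cheap application-level detection that catches the symptom even when the query text itself is not logged.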

Most often data thieves are in the hunt for information they can quickly sell to the highest bidder in a cyber underground that revolves around an online marketplace as rich and efficient as eBay. Buyers of stolen data include crime rings that use the information to hijack funds from online financial accounts. Others specialize in using stolen identities to set up series of online accounts through which to launder illicit online cash transfers.

Why ransom data?

Recently, stolen identity data has come under rising demand from tax fraudsters. One popular caper uses stolen names, addresses and Social Security numbers to generate faked tax returns. Refunds get directed to a debit card account – set up with a stolen identity – that the thief controls. The debit card is then used to make cash withdrawals at an ATM.

Last July, the Treasury Inspector General for Tax Administration issued a report showing that the IRS failed to prevent 1.5 million potentially fraudulent tax returns from being processed last year, resulting in refunds to identity thieves of more than $5.2 billion. The Inspector General estimated that the IRS could issue $21 billion in fraudulent tax refunds as a result of identity theft over the next five years.

“We’re seeing a considerable variety in the ways in which cyber thieves are turning stolen data into money,” says Stephen Cobb, security analyst at antivirus firm ESET. “It’s based on the type of data stolen, the type of operations the data thief is running and also on market conditions.”

Recent chatter in the cyber underground suggests that money launderers may be having some difficulty hiring mules, who sometimes carry out the risky final step of extracting cash from the last of a series of counterfeited online accounts.

“There may not be enough takers (for stolen data) in the black market,” Cobb says.

Security experts say attempting to get the victimized company or agency to pay a ransom for the return of stolen data is rare.

“The selling of data back to someone is a higher risk strategy, because it’s a one-off attempt to cash in that’s much easier to trace,” Cobb says.

Another reason a data thief might try to sell stolen data back to the victim would be if the data is of a highly sensitive nature, such that certain parties would be highly motivated to pay a ransom, Baumgartner observes. Alternatively, the thief could simply be bluffing, he says.

For instance, the thief could be in possession of encrypted data that’s of low value in the underground market. “They could be trying to get someone to pay out when they don’t really have the goods,” he says.

Two things are certain: Information Technology is complex and data thieves are endlessly inventive at cashing in.

“Some data owners don’t fully understand the format of their stored data and can be fooled into thinking an attacker has data when they do not,” Baumgartner says.

In the same vein, criminals may have cracked into a web server, but gained only cursory access to the underlying databases. Under that scenario, the attacker “may be trying to convince the targeted victim that he has access to all this valuable data, when he does not.”

–By Byron Acohido