River City Media, a spamming group led by well-known spammers Alvin Slocombe and Matt Ferrisi, has had its database leaked. Details of the massive, illegal spam operation were released yesterday. The leak is a tangible threat to online privacy and security: it contains 1.4 billion email accounts combined with names, user IP addresses and even physical addresses. Chances are that you, or at least someone you know, are affected.
The Guru reached out to the cybersecurity industry to get thoughts on the breach.
Robert Capps, VP of business development at NuData Security:
“It’s critically important that we ensure that we continue our efforts to inform the public about their safety, and the fact that 1.4 billion records are compromised in this breach bears this out. As disheartening as this is, we saw the Yahoo! breach last year. At this point we shouldn’t be shocked. We can all assume that personal records are being shared on the dark web – sometimes years after the breach occurs.
“Any breaches of personal information are of extreme significance and concern. With just a name and email address there are outsized risks from targeted phishing. Stolen consumer data can be combined with other personally identifiable information (PII) from other hacks and breaches to amass even more detailed profiles on users that are traded and sold for high value to hackers. These ‘bundles’ contain much more complete and increasingly dangerous information around specific individuals, meaning there are more opportunities for fraud to take place. For example, with enough data collected from separate breaches a fraudster can gain access to financial and geographical information with the intent to fill out a loan application or apply for a new credit card.
“User behaviour analytics can provide victims of this and other breaches with an extra layer of protection even after the hack has occurred. We need to put a stop to these fraudsters in a completely passive and non-intrusive way to us, the consumers. This is accomplished by learning over time how a legitimate user truly behaves in contrast to a potential fraudster using our legitimate information ripped from all these breaches. Without even interrupting a user’s experience, fraud can be predicted and prevented from occurring. The only way we are going to stop these breaches is to devalue the data the fraudsters are going after, and we do this by truly being able to identify the identity of the user behind the device even when valid stolen credentials are used.”
Paul Calatayud, CTO, FireMon:
“In the recent River City Media Group data leak, over 1.4 billion records may have been exposed. Not much information is being said as to the cause, but given that this was found by Chris Vickery, who often scans the internet for vulnerable MongoDB assets and makes reference to lack of use of passwords, one can conclude that this data leak is a result of a misconfigured MongoDB. Open source continues to be a critical source of innovation to many organizations. In this case, being used for motivations not so noble, the lesson to be learned here is that MongoDB continues to be an easy exploit. Ensuring that your critical systems are secure and functioning under the policies that you intend is important. Applying intelligent security management to validate your builds – both system and firewalls – to ensure MongoDB ports are not exposed will prevent these types of data leaks in the future.”
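The misconfiguration Calatayud describes, a mongod listening on every interface with authorization switched off, is visible in the server's own configuration file. The script below is an added example, not River City Media's, Chris Vickery's or MongoDB's code: it shows a weak mongod.conf beside the corrected one and a small audit that flags the exposure. The two configuration texts are constructed samples; the option names (net.bindIp, net.bindIpAll, security.authorization) are the real mongod.conf keys, and the parser handles only the two-level YAML subset that mongod.conf uses so the example needs no third-party library.

```python
"""Audit a mongod.conf for the pattern behind the River City Media exposure:
a listener reachable from the network with no authorization enabled."""
import re

# Constructed sample: the weak configuration. Anyone who can reach TCP/27017
# can read and dump every collection, no password required.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the corrected configuration. Loopback only, and every
# client must authenticate before it can read anything.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_simple_yaml(text):
    """Parse the 'section:\\n  key: value' subset used by mongod.conf.
    Returns {section: {key: value}}; comments and blank lines are ignored.
    Deliberately minimal so the example runs without PyYAML."""
    tree, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(\s*)([A-Za-z0-9_.]+):\s*(.*)$", line)
        if not m:
            raise ValueError("unsupported line in config: %r" % raw)
        indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip()
        if indent == 0:
            section = key
            tree[section] = value if value else {}
        elif isinstance(tree.get(section), dict):
            tree[section][key] = value
        else:
            raise ValueError("nested key without a section: %r" % raw)
    return tree


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means the listener is neither
    network-reachable nor unauthenticated."""
    cfg = parse_simple_yaml(text)
    net = cfg.get("net", {}) or {}
    security = cfg.get("security", {}) or {}

    # A missing bindIp is treated as "all interfaces": that was the mongod
    # binary's own default before 3.6, and an audit should assume the worst.
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    bind = net.get("bindIp", "0.0.0.0")
    public = bind_all or any(ip.strip() not in LOOPBACK for ip in bind.split(","))
    auth_on = security.get("authorization", "disabled").lower() == "enabled"

    findings = []
    if public:
        findings.append("net.bindIp=%s: listener reachable beyond loopback on port %s"
                        % ("(all)" if bind_all else bind, net.get("port", "27017")))
    if not auth_on:
        findings.append("security.authorization is not 'enabled': no credentials required")
    if public and not auth_on:
        findings.append("CRITICAL: unauthenticated MongoDB exposed to the network")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to loopback is the fix for a single-host deployment; where application servers must reach the database over the network, keep authorization enabled, bind only to the internal interface, and confirm with a host firewall rule that 27017 is not reachable from the internet, since Vickery's scans find exactly the listeners that this audit would flag.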
Steve Gates, Chief Research Intelligence Analyst, NSFOCUS:
“Slowloris, released in 2009, is nothing more than a script designed to slowly consume all available connections on a server. When all connections are consumed, the server cannot process any new connections, causing a denial of service condition. Known as a “Layer 7” denial of service attack, the most effective way to defeat Slowloris is to protect servers with anti-DDoS technology that can easily detect and block a Slowloris attack. What is interesting here is that Slowloris was being used to help distribute as many spam emails as possible before a victim server crashed or dropped all existing connections. Once again, this is a demonstration of the originality and persistence of spammers – that never ceases to amaze.”
Chris Doman, Security Researcher at AlienVault:
“This is an extremely rare window into the operations of mass-spam campaigns. RCM’s apparent admission that they ran denial of service attacks against Gmail servers to trick them into accepting spam is very serious. They are talking about risking the stability of some of the internet’s core mail servers for profit. It’s bizarre these admissions are coming from chat logs that RCM themselves accidentally leaked.
Whilst the scale of data potentially lost by RCM here is massive, it’s important to note this data isn’t reported to include credentials or abused by anyone other than RCM yet.”
Matt Walmsley, EMEA director of Vectra Networks:
“Although it’s difficult to take pity on spammers, River City Media’s misfortune is a cautionary tale to business. Unsecured servers and databases are an open invitation to attackers who can use them to gain direct access to the company’s most sensitive information and important assets. Worryingly, five per cent of IPMI manageable servers are ‘secured’ by commonly-used default passwords, 30 per cent have easily guessable passwords and only 72 per cent authenticate access. What’s more, the UK is ranked 6th globally for exposed IPMI hosts, making it a tantalising target for hackers. As a baseline, businesses must password protect their confidential data, do away with default passwords and change those passwords regularly. The enforcement of password protection policies is essential.”
Ondrej Kubovič, Security Evangelist at ESET:
“The Slowloris technique was used by the attackers to spam millions of victims and is not all that uncommon in the wild, as we have seen similar attacks on our honeypots. Note, however, that this is the technique used by the spammers to send out huge amounts of spam emails, and not the cause of the leak.
Any leak of this size is a losing situation. Mainly for the victims, whose sensitive data is publicly available and can thus be misused for various malicious acts. Just from a brief overview of the types of data leaked, physical addresses and names can be used for identity theft. In effect, the leak has shown that the spam operators were technically incapable of storing and backing up the bulk of stolen data “securely”.”
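Gates and Kubovič both describe Slowloris as a script that holds a server's connection slots open rather than flooding it with traffic, so the signature on the victim side is a pool full of long-lived connections that never finish a request. The code below is an added example, not the page's, River City Media's or any vendor's: it reconstructs that signature with a constructed connection table and shows the check a detection layer can run over it. The original 2009 script targets HTTP, so the sample uses HTTP request heads; the same test (old connection, request still incomplete, many of them from one source) applies to a mail server's listener. All addresses, counts and thresholds are assumptions chosen for the sample.

```python
"""Detect the Slowloris pattern in a server's connection table."""
import random
from collections import defaultdict


def headers_complete(buf):
    """An HTTP/1.1 request head ends with an empty line (CRLF CRLF).
    Slowloris sends the request line and then one padding header every few
    seconds, and never sends that empty line, so the slot is never freed."""
    return b"\r\n\r\n" in buf


def build_sample_table(seed=7):
    """Constructed connection table: (client_ip, seconds_open, bytes_so_far).
    Not captured data; it models a server mid-attack with some normal traffic."""
    rng = random.Random(seed)
    table = []
    # 180 Slowloris connections from a single source: partial head, held open
    # for minutes, each only a few dozen bytes.
    for _ in range(180):
        buf = (b"GET / HTTP/1.1\r\nHost: mail.example.com\r\n"
               + b"X-a: %d\r\n" % rng.randint(1, 5000))
        table.append(("203.0.113.7", rng.uniform(60, 400), buf))
    # 40 legitimate requests: complete heads, answered within seconds.
    for _ in range(40):
        buf = b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\nUser-Agent: curl\r\n\r\n"
        table.append(("198.51.100.%d" % rng.randint(1, 250), rng.uniform(0.1, 3.0), buf))
    # One slow client on a poor link: also incomplete and old, but alone, so
    # a per-source threshold must not flag it.
    table.append(("192.0.2.9", 45.0, b"GET / HTTP/1.1\r\nHost: mail.example.com\r\n"))
    return table


def detect_slowloris(table, min_age=30.0, per_ip_threshold=20,
                     max_slots=256, pool_fraction=0.5):
    """Return suspect sources and how much of the connection pool is held by
    stale, incomplete requests. Thresholds are assumptions for the sample:
    min_age is how long a normal client needs to finish a request head,
    per_ip_threshold separates an attacker from a single slow client, and
    pool_fraction is the point at which new clients start being refused."""
    stale_by_ip = defaultdict(int)
    for ip, age, buf in table:
        if age >= min_age and not headers_complete(buf):
            stale_by_ip[ip] += 1
    suspects = sorted(ip for ip, n in stale_by_ip.items() if n >= per_ip_threshold)
    held = sum(stale_by_ip.values()) / max_slots
    return {"suspects": suspects,
            "stale_fraction": held,
            "exhausting": held >= pool_fraction}


if __name__ == "__main__":
    print(detect_slowloris(build_sample_table()))
```

The defensive counterpart is to refuse to wait indefinitely for a request head: Apache's mod_reqtimeout (for example `RequestReadTimeout header=20-40,MinRate=500`) and nginx's `client_header_timeout` close a connection whose head has not arrived within a bound, which is the server-side version of the check above. That is also why Kubovič's point matters: a Slowloris defence protects the mail servers being abused, not the spammer's database, whose exposure was a separate failure.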