If a massive data breach has been in the news recently – such as the 2017 Equifax data breach that impacted more than 143 million Americans – there’s a good chance that another set of hackers are already trying to capitalize on this public data breach to get victims to download malware, click on fraudulent links or respond to scam email requests. In many ways, this is adding insult to injury and could open up those already victimized to even more risk.
Anatomy of a data breach scam
Here’s how the classic scam works: After a major data breach, a group of hackers typically located outside of the U.S. will start setting up malicious websites with URLs that are very similar to those of the company that has been hacked. Then, these hackers will start sending out emails, purportedly from “official” accounts of the company that has already been publicly hacked. In these emails, victims of the original hack will be told to visit another website to protect their personal information or sign up for free credit monitoring reports.
Once the victim has clicked on this fraudulent link, that’s when the real action happens – either the victim enters his or her personal information (including addresses and Social Security Numbers) in order to sign up for the credit report service, or malware is downloaded from this malicious site. Either way, the person who has just been victimized has little or no idea of what has just happened… until it’s too late.
How hackers victimized Equifax twice
The core problem, of course, is that the company that has been hacked in the first place often has little or no idea of how to respond to these data breaches. In many cases, they take steps that might seem logical at first – but that can quickly turn into a nightmare once they realize how sophisticated overseas hackers can really be.
For example, consider the data breach at Equifax. The company was already reeling after finding itself in the middle of an epic data breach that impacted at least 143 million accounts. That account information included a lot of very sensitive information – such as Social Security Numbers and financial data – that could be used in very nefarious ways by hackers. So Equifax did what it thought was best to protect its customers – it set up a completely new domain called EquifaxSecurity2017.com where customers could go to get information about the data breach and find out which steps to take next.
Well, you can imagine what hackers did next. They immediately began registering domain names that looked exactly like the Equifax website. In some cases, they took advantage of simple misspellings – such as using “ks” instead of “x” in the name. The goal of the Equifax scam was simple – to confuse people who had already been hacked to give up their personal information a second time. Equifax, in fact, found that 138 lookalike domain names had been registered, all of them from shady overseas users, most of them from China or Hong Kong.
Once these fake domain names had been set up, the Equifax scam sets the trap for unwitting customers. For example, by typing in SecurityEquifax2017.com instead of EquifaxSecurity2017.com, they would wind up on a completely different site. In fact, this was exactly the mistake Equifax did when they sent out a tweet linked to the fake phishing site SecurityEquifax2017.com. Some of these fake domains were simply placeholder pages, filled with terms like “Credit Freeze”, “ID Theft Protection” and “Protect My Credit.” But a few of these domains were malware-laded websites where any click made by a customer could result in the customer getting hacked once again, this time by a new group of hackers.
Equifax is not the only example of a data breach scam
Unfortunately, the Equifax scam is not an isolated example. It is part of a broader pattern, one that might be characterized as “never let a good data breach go to waste.” It’s the same approach, whether the hacked entity is Target, Home Depot, OPM or any of the other countless victims out there.
Hackers typically follow the same pattern each time – they wait for a data breach to go public, then they go to work, creating fake websites, fake email accounts and fake offers. Then, all that’s needed is to send out phishing emails to customers who might have been hacked. Even if only 10% of people fall for the ruse, they might get the data of over one million people.
For example, consider the case of health insurer Anthem. This giant healthcare company was hacked in a public data breach that impacted 80 million people. Hackers immediately got to work, sending out email scam letters, trying to get people to sign up for things like “free credit monitoring,” “identity theft” or “fraud alert” services by asking people to verify account information. Of course, in order to sign up for these services, you’d have to give up your personal information.
Other hackers were even more sinister. Once they obtained this personal account information, they began submitting fraudulent electronic tax forms “on behalf” of the victims. What they were looking for, of course, was the tax return money that the victim was owed. But instead of the money going to the victim, it would go to the hacker!
#Hackers follow the same pattern – wait for a public #databreach then #phish customers who might have been hacked. Click to Tweet
Once Anthem figured out what was going on, it immediately told customers not to respond to these emails. Anthem also told those affected by the breach that it would only contact them via United States Postal Service mail, and not by email or telephone. And it warned customers to be wary of these phishing scams in the future.
Takeaway lessons from these data breach scams
Perhaps the biggest lesson from these data breach scams is that companies should be more aware of how and why these scams are occurring. They should realize that hackers aren’t going to let a good data breach go to waste – and then act accordingly. In short, companies knowing the modus operandi of hackers should preempt such attempts by warning customers upfront in their intial communications, rather than doing so after the fact.