Vital Protection for the Healthcare and Pharmaceuticals Industry
Some common threats that management and security professionals in the healthcare industry use Signal to combat include fake drugs for sale online, sensitive data leaks, and illegal impersonation of healthcare professionals.
Signal is an Open Source Intelligence tool which is used across a number of sectors to help executive and security teams form efficient and effective responses to emerging and evolving threats to assets and people - both staff and customers.
This includes quickly identifying data breaches, allowing users to better protect their customers from threats like credential stuffing, and monitoring social media to identify sentiment which could affect a business’s reputation or evolve into a physical threat against an executive.
In short, Signal provides relevant, actionable, and real-time information and tools to monitor multiple online data sources with a simple, easy-to-use interface. We empower security professionals around the world to quickly identify emerging threats, receive real-time alerts, and monitor developing situations in order to save time and resources, protect staff and customers, and manage operational risk.
Why use Signal in the Healthcare and Pharmaceutical Sector
Management and security professionals in the healthcare industry have particular needs when it comes to protecting assets, staff, and patients. Some common threats include fake drugs for sale online, sensitive data leaks, and illegal impersonation of healthcare professionals.
To prevent the aforementioned risks and others from evolving into tangible threats, healthcare professionals in charge of security need to remain vigilant. Having Signal OSINT software in their toolbox allows them to monitor the dark web for leaked data, scan social media for negative sentiment, and monitor other sources to detect threats early.
Private medical data leaks
One of the biggest worries for many healthcare institutes is hackers targeting sensitive patient data. It is estimated that 24% of dark web vendors offer access to the healthcare vertical market. Over recent years there has been a resurgence in ransomware and phishing attacks targeting hospitals, medical practices, and nursing homes.
The reason these institutes are attacked so often is that digital medical data sets are incredibly rich PPI sources. These records are worth a lot on the black markets of the dark web. Having someone’s personal medical history allows fraudulent claims and identity theft. It’s important to remember that hackers are trying to generate a positive cash flow from their attacks.
It’s not just medical records, then, that hackers can get out of a medical institute’s system. Often there are non-sensitive login pairs as well as payment and credit card details, which makes this a gold mine for hackers.
Fake drugs and pharmaceuticals for sale online
The WHO estimates that 50% of the drugs for sale on the internet are fake. Due to the high price of some medications there is ample opportunity for false online vendors to take advantage of the customer’s need. Often the fake drugs are portrayed as the real thing, but at a massively discounted rate.
Pharmaceutical IT security needs to locate and identify these dangerous sites so that they can be shut down in an effort to protect consumers from potentially harmful fake drugs. It’s also important to identify fake online vendors who might be impersonating a company’s brands. This is both a danger to customers and a reputational risk for pharmaceutical companies.
Stopping the Spread of Misinformation
In light of the rapid spread of information following the pandemic outbreak of COVID-19, it has never been more clear that organisations need reliable, accurate sources of information. Unqualified individuals selling miracle cures, or spreading misinformation for some other reason, can quickly reach a wide audience through the internet. Trustworthy healthcare institutes and sources need to identify and combat this misinformation fast.
How Signal is currently being used to help healthcare professionals
An individual impersonating a doctor was discovered online
The individual was selling fake drugs to customers, using their persona as a healthcare professional to give out medical advice and push the sales of fake drugs. By using Signal this threat was discovered and action was taken to prevent further damages.
Fake prescription drugs found online
Signal customers have discovered several examples of their drugs for sale online from unofficial vendors. Upon closer inspection, these drugs were not theirs but fake replicas. Signal was used to closely monitor dark web forums where these drugs were for sale as well as fake sites on the surface web where they were more openly available to customers. Using customised searches the fake prescription drugs were quickly located and the threat to customers and the companies’ reputations removed.
Discovered sensitive leaked patient information
After a system hack, a healthcare institute using Signal was able to identify some of their patients’ records for sale on the dark web. Whilst the data can’t be retrieved, with this knowledge preventative measures can be and were put in place to minimise the risk of these data sets being fraudulently used.
Threats against staff are uncovered from dissatisfied patients
By using Signal’s sentiment analysis tool, Spotlight, users can determine the emotions behind posts to determine whether or not posts deserve further analysis or attention. This helps users cut through the noise.
Dangerous misinformation caught being spread about COVID-19
Using Signal, a dangerous piece of misinformation about COVID-19 was identified. It was particularly harmful as it was being portrayed as an internal hospital memo; however, upon inspection the information, whilst believable, was entirely incorrect. By identifying the misinformation that was being spread, healthcare professionals were able to counter with verified and accurate information.
Summary
Signal is an open source intelligence platform that enables efficient monitoring of content in blogs and posts on the surface, deep, and dark web. This allows users to detect and identify potential threats to their business, customers, and assets and then establish effective preventative measures to protect against those threats.
How to tell when negative sentiment becomes a threat to your business
There are some 500 million tweets and over 4 million new blogs posted every single day. Each of these sparks another conversation which could house potential threats against an organisation. And we haven’t yet mentioned Facebook, Instagram, Reddit, Flickr, Medium or any of the other dozens of social sites and forums where people post online. And if you thought that was a lot of noise, you have to remember the dark web too, where many cybercriminals go to engage in nefarious activities with the protection of a Tor browser’s anonymity.
The point here is that the internet is full of noise. Monitoring all of that and then cutting through the noise to detect relevant potential threats requires the right tools.
What is Sentiment Analysis?
Determining online sentiment doesn't just allow you to understand better how your brand is performing and how people feel about your business. It can also be used to manage crises and spot potential threats to assets or staff.
Without sentiment analysis, data can be misleading. Sentiment gives data extra context which allows it to be better understood, enabling a more effective and accurate response to the potential risks.
It also allows you to differentiate between when a negative comment is simply that, a negative comment, or when it needs more serious attention because, for example, it’s evolving into a physical threat.
Where and How do we Measure Sentiment?
Any text that gets highlighted by Signal OSINT software can be run through our sentiment analysis tool, Spotlight. This allows users to reduce the amount of noise and focus on the threats.
Sentiment can be expressed anywhere online: this might be through social media, in the comments of a blog or even in a dark web forum. Signal allows you to gather data from a huge array of open intelligence sources including (but not limited to) social media and dark web forums.
How can Sentiment Analysis Be Used for your Business?
Emerging Threats
Sentiment analysis can be an incredibly useful tool for those who wish to identify potential risks which might evolve into tangible reputational or physical threats against employees, executives, brand or assets.
Managing Reputation
Your brand’s health and reputation are important. Having a tool that allows you to analyse the overall sentiment towards your brand and associated keywords gives organisations a bigger and better overall picture of their brand which can be a game-changer for launches of major events or analysing the success of a large marketing campaign.
Evolving Crises
When it comes to dealing with current and evolving crises, having up-to-date and detailed situational awareness, gained through an OSINT tool such as Signal, can make a huge difference. However, as we have mentioned before, there is a huge amount of noise out there. So, how do you determine which comments and which posts are relevant and need monitoring?
The answer is to use Signal to create specific filters and then run identified posts through our sentiment analysis tool “Spotlight”. This allows users to both quickly identify emerging threats and to then stay on top of these risks as they are evolving in real time.
Moving Your Marketing Forward
Social sentiment is a powerful tool for understanding the relationship between your brand, your customers, and your competitors. If you measure it regularly and act on what you learn, your team can create targeted marketing strategies to keep up with the ever-changing demands and opinions of your customers.
How do you determine when Negative Sentiment Becomes a Threat?
One of the key methods used by our software and our analysis team to tell whether or not a comment is a threat that needs more attention is the repetition of negative sentiment online by an individual or group.
For example:
Does a particular author of a comment or post have a long history of bad-mouthing an organisation or expressing negative sentiment?
Have they repeated the same negativity on multiple sources?
Even if they aren’t directly threatening any physical or tangible action against the organisation, if there’s enough online commentary from a single individual or group then this could escalate and it may be smart to further monitor.
You can then set up a search using our filters to target this individual or group so that you don’t miss if this negative sentiment becomes a physical or reputational threat.
Secondly, using Spotlight, users can identify posts expressing dangerous emotions such as anger or disappointment. Both, if repeated enough, should be addressed. Posts expressing anger are likely to indicate a physical threat and should be monitored for that, whilst the posts expressing disappointment may hold reputational risks.
Summary
Sentiment analysis tools like Signal’s Spotlight can help security teams form a broader and more detailed overview of the situation to better understand the potential and emerging threats. It allows them to target their online searches and cut through the noise to identify key threats. All of this essentially means a more efficient and more effective security team.
Responding to Global Crises like COVID-19 with Increased Situational Awareness
Coronavirus has for many been a rude awakening. Companies have been left scrabbling in an attempt to put in place contingency plans and deal with the spread of misinformation, all whilst facing tumbling share prices.
COVID-19 is the most recent global incident. It’s not the first and it won’t be the last; however, it has thrown into harsh light the realities and weaknesses that surround many organisations’ international structures. Our increasing levels of globalization throw local isolationist policies out the window, and if a company wishes to maintain economic growth, changes in the way that they manage their response to global incidents are needed.
In the wake of a global incident, corporations need fact-based reliable information from official sources and they need it fast. The smart adoption of technology can help facilitate the means for companies to protect their teams and assets as well as mitigate potential damages to the business.
Dealing with Misinformation: Disruption is the new normal.
The rapid spread of news and information online has sparked a recent increase in global headlines highlighting critical outbreaks. International concerns can cause loud and distracting noise when trying to identify specific data.
On top of this, panic has followed in the wake of COVID-19: stocks have plummeted to levels that haven’t been seen since 2008, and people are rushing to stores to stock up on necessities. This panic has been spread and amplified by both a lack of preparation for a global crisis of this nature and an amount of misinformation spread rapidly through social media and even through more trustworthy news sources.
To tackle this, the first thing any organisation needs is accurate, relevant and trustworthy information. You don’t want to be relying on secondary, potentially egregious sources, not only because it will take longer to uncover news, but also because you won’t know how reliable that information is. Sad as it may be to admit, many media outlets aim to sell news, and facts aren’t necessarily lucrative; spectacle sells.
Using open-source intelligence (OSINT) software like Signal, you can create a custom real-time stream from official sources such as the World Health Organisation or the CDC to get reliable information and updates fast. Easily sift through unwanted information to detect only the most valuable in an outbreak.
Better situational awareness for a more efficient response
Increased situational awareness allows companies to proactively respond to crises. It allows them to get accurate information first, and create actionable and effective strategies based on reliable data to efficiently counter emerging threats.
As well as having multiple sources, companies can use OSINT tools to identify trustworthy and “official” statements and sources and tailor their live stream searches around those. This is often where the news breaks first and will give an unbiased account of the facts.
Examples of responses to COVID-19 can be seen from several large companies including Facebook and Amazon. In areas where there are outbreaks, such as Seattle, they have closed down offices and asked employees to work from home. They have also both cancelled conferences which would have drawn thousands of people together with potentially disastrous results; they are looking at creating a virtual experience instead. This is just one example of how companies, armed with accurate information, can use available technology to facilitate preventative measures, mitigating the threat of the outbreak.
How OSINT software can help
Improve employee safety
Knowing how to respond and then implementing an effective response without causing further panic or further spreading misinformation allows organisations to effectively protect their staff in and outside of the office.
For example, knowing how COVID-19 is spread as well as understanding the severity and location of the outbreaks means you can form effective localised preventative measures without causing undue widespread panic or unnecessarily harming your business.
Better executive protection
Executives travel, and travel entails risk especially with an evolving international crisis of this nature. In this scenario, for example, it would be sensible to protect these executives by taking simple precautions such as delaying trips to areas with severe outbreaks such as China or Italy.
In line with current government recommendations all employees should be practicing social distancing and where possible managing meetings with video conferencing technology. Adapting in the face of an emerging threat such as COVID-19 allows companies to reduce the risks that they face and better protect their staff from exposure.
Supply chain management
Those businesses that are built on the foundations of large and complex international supply chains have to question their structure and practices. What is the backup plan? How do you mitigate the threat to a potentially compromised supply chain? And perhaps, more importantly, how do you protect those staff and assets that are involved?
First, you need actionable and accurate information in real time allowing you to fully understand potential risks and issues and only then can you form an effective plan of action.
Summary: The Importance of Accurate Real Time Data
Coronavirus is only the latest example of a disruptive global crisis and it won’t be the last.
Due to the rise of unofficial media sources which can easily disseminate news through the internet, especially social media platforms, there is a lot of potentially unreliable information being consumed. Fact-checking can be immensely time-consuming and many people don’t bother, which is how false information propagates. For an organisation, though, this misinformation can be as harmful as the reality, or even more so. Getting ahead of and tackling false news becomes an important task.
In terms of dealing with a global crisis such as COVID-19, think about spreading fact-checked sources through internal communications to allay fears spread through potentially incorrect or misleading media. This will also show employees that you are on top of the situation encouraging trust in the organisation and your official response.
To truly and effectively mitigate the threat of global incidents, how companies utilise technology to adapt to the scenario will make a huge difference. Ask yourself: Does your business offer flexible working practices? How can your business support workers if they need to self-isolate? Do you need your executives to attend events in physical locations or can business be done virtually? And as a final consideration - a side effect of these changes - how might these adaptations become more normalised to improve employee efficiency as well as supporting a healthier work life balance?
Why a Dark Web Scan is Essential for your Business
With the right tools, like Signal threat intelligence software, monitoring and filtering through information on the dark web is entirely possible without ever needing to download a Tor browser, allowing users to effectively protect their staff, customers and assets.
The dark web is a layer of the internet that is only accessible through an encrypted browsing software such as a Tor browser. This software makes the user anonymous. It is this anonymity which is so beneficial to criminals who are able to trade illegal items and services.
Cybercriminals are known to buy and sell stolen data, for example, which can be used to commit identity theft and fraud. Many of the overtly criminal websites require membership logins that you can only gain if you are active as an online criminal making it challenging for companies and security forces to access and monitor these websites.
However, with the right tools, like Signal threat intelligence software, monitoring and filtering through these websites is entirely possible without ever needing to download a Tor browser yourself.
What is dark web scanning?
A dark web scan monitors open-source information available on the dark web, using both human and artificial intelligence to scan things like criminal chat rooms, blogs, forums, private networks and other sites. In doing this it helps organizations detect potential security threats.
Examples of activities that have been identified from dark web content using Signal Threat Intelligence software include:
Online markets selling stolen and fake goods;
Hackers selling non-sensitive data for use in credential stuffing attempts;
Impersonation of individuals or organizations;
Details in regard to hacking or incitement to hack;
Reputational risk via fake news or impersonation;
Illegal activities such as drugs and drug paraphernalia;
Information regarding a previously undetected sensitive data breach.
What happens during dark web monitoring?
There are some 55,000 dark websites; however, many of these are inactive and even fewer of them are actually used for overtly criminal activity. During dark web scanning our security software monitors and detects any data that is relevant to the particular search queries that have been set up. This allows you to create a customised, highly relevant stream of data and information around key points of interest for your company.
The information can also be run through a sentiment filter to create an even further refined stream of data. We explore this in further detail below.
Why is dark web monitoring with Signal Corp important for businesses?
1. Detecting data breaches
Our software has been used to identify stolen credentials and other personal information that is circulating on dark web networks and other channels.
To identify relevant data you are able to set up specific search queries within the software. These constantly monitor the open, dark and deep web and then filter these searches using our AI technology to determine what is and isn’t relevant. We then add a human touch to the remaining data to further filter using human intelligence to identify what is highly relevant.
The scan infiltrates private sites - many of which require membership within the cybercriminal community to enter.
When it comes to detecting data breaches, it can quickly identify chat around data that is circulating online which has been gained by illegal hacking attempts. If data is detected from a particular company, whilst there is no way to retrieve that data, organisations can take precautionary measures to mitigate the damage and threat of the data breach, as well as determining how the data was gained and ensuring that breach is secured against further data breach attempts.
2. Detecting Physical Threats against People and Assets
The big draw for criminals to the dark web is that all users need to use an encrypted browser to access the dark web which entirely anonymises their presence. This means, very simply, that criminals can and do talk about their activity, either to brag or as part of their preparations.
Using software like Signal you can constantly monitor the dark web and when a criminal talks about or potentially threatens one of your staff or assets you can know instantly. Whilst they are anonymised and you won’t know who is planning something, you will know that there is a very real potential threat that you can now guard against.
3. Predicting potential terrorist actions
In the same vein as detecting potential physical threats against a company online, the dark web is also a place where terrorists go to communicate and organise. By monitoring the dark web then you can pick up on their conversation and use the data gathered to potentially predict and deter terrorist attacks aimed at the company.
How do you determine when chat becomes a serious threat?
One of the potential issues some of our customers face is the sheer amount of noise which might surround their brand. Invariably not all of this noise is good, which is why we have a sentiment analysis tool to help filter out which chat and which online noise we need to pay attention to.
On top of this, it can then closely monitor individuals who have been detected to hold negative sentiments towards a customer and it can determine if that was a once-off comment, or if this negative sentiment might actually evolve into a more palpable threat.
Critical Security Intelligence for the Financial Services Sector
Whether it’s detecting and managing physical threats to assets, or aiding cybersecurity teams with efficient methods for open and dark web monitoring, Signal threat intelligence software plays a crucial part for a number of businesses operating in the financial services sector.
A Financial Services Use Case
Since its conception, Signal is proud to have developed a strong use case across the financial sector, proving to be an invaluable tool for a number of financial services organisations including several multinational and Fortune 1000 companies.
Signal’s open source threat intelligence platform now forms an integral part of their security teams’ toolbox, assisting across concerns, from detecting and managing physical threats to assets, reputation or VIPs, to aiding cybersecurity teams with efficient methods for open and dark web monitoring.
Physical Security
Using Signal, insurance providers, financial companies, and banking organisations can not only gain an overview of emerging threats in real-time but also target key areas and assets that they want to closely monitor creating a hyper-relevant stream of actionable real-time data.
For example, banking organisations use Signal to monitor geo-located information online, focusing their web monitoring on key locations of particular interest such as ATMs, head offices, or VIP locations. They can additionally run the focused data that surfaces through our sentiment analysis software. This allows them to help cut through the noise and quickly identify online chatter expressing negative sentiment so that they can more efficiently distinguish threats.
A secondary use of Signal for the financial services sector is monitoring their competitors’ security threats which may also be affecting them - even if they don’t know it yet. This allows their security teams to predict potential threats even before they emerge.
How Signal has been used in the Banking Sector to Detect and Deter Threats
In 2019, one of Signal’s clients was able to prevent a particularly worrying case of attempted fraud. An employee at that bank was being harassed online in an attempt to pressure the employee into providing customers’ confidential information to hackers for use in fraudulent activity.
Thankfully, Signal was able to spot this before matters progressed, preventing potentially hundreds of thousands of dollars worth of damages.
Signal has also been used to pinpoint worrying sentiment against some of our customers’ executive teams.
Cyber Security Threats
Signal is also used by customers for cybersecurity intelligence to determine risks such as:
Fraudulent statement packs;
Fake bank statements;
Phishing websites (using our in-built image recognition);
Credit card and account credentials for sale on the dark web.
Security teams use Signal to monitor both open and dark web conversations. This enables them to keep abreast of new and developing global trends and methods used in cyber fraud which are affecting their industry as a whole. Using this data they can actively develop strategies to prevent and tackle new and rising methods of cybercrime.
Signal also allows these teams to monitor for data breaches by alerting security teams as soon as chat is identified around potential data breaches which could affect the organisation itself, or their customers.
Ways Signal Helps Financial Services
Identify negative sentiment and potential threats to customer assets.
Detect and intercept stolen credit card and account credentials for sale on the dark web.
Monitor targeted locations to create a focused stream of actionable real time data.
Signal allows our customers to analyse emerging global trends, detect threats in real-time and then form appropriate security strategies to counter these potential threats as or even before they fully reveal themselves.
For financial services, having this targeted and focused stream of accurate and relevant data is vital to ensuring the safety and security of their customers, assets, and employees.
Mitigating the Threat of Data Breaches and the Risks of Credential Stuffing
How are data breaches of non-sensitive data used by cybercriminals?
When it comes to cyberattacks, having detailed situational awareness and the ability to quickly sift through open-source data and information on the surface, deep, and dark web allows businesses and financial institutions to quickly determine potential risks and take necessary precautionary actions fast. This can help mitigate threats posed by cybercriminals, reducing the security spending and costs surrounding the fallout after criminals successfully commit fraud through the use of leaked data.
In this article, we explore a growing concern for a number of businesses which poses increased year on year risk, with increasingly costly repercussions - credential stuffing. We answer the following questions and more: what is credential stuffing? Why does it pose a severe security risk? And how can dark web monitoring and social media monitoring be used to mitigate the threat of data breaches?
What is credential stuffing?
Many businesses assume that non-sensitive customer data has little value to a cyber-criminal.
In fact, in a recent study, it was found that a number of businesses didn’t even password protect cloud-stored customer data. Meaning anyone could have come along and downloaded the entirety of those databases.
What is even more worrying, is that many data breaches go entirely undetected.
Credential stuffing is a tactic growing in popularity that weaponises non-sensitive stolen credentials (e.g. usernames and passwords) against websites and mobile applications. Large volumes of stolen account logins are tested against other website login pages to gain unauthorised access to accounts, in order to commit fraud.
The most remarkable aspect of credential stuffing is that a given business does not have to be breached itself to suffer from credential stuffing. The vulnerability is simply having a login form and having users.
Whilst the strike rate is low - think a few successes for every thousand attempts - there are billions of stolen credential pairs in the hands of cybercriminals.
In 2018 there were 2.8 billion credential stuffing attempts reported in the US alone, and this number is only rising, which goes to show just how much of a threat credential stuffing has become.
On top of this, a skilled hacker using a throttled bot with multiple Autonomous System Numbers (ASNs) and IP addresses can remain undetected for long periods of time, allowing them to try potentially millions of login combinations without anyone knowing anything untoward is happening.
Source: idtheftcenter.org
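The point above, that a throttled run spread over many IP addresses and ASNs stays under per-source limits, can be checked against authentication logs by aggregating across sources instead of per IP. The following Python is an added example, not Signal's code or part of the original article; the event fields, thresholds and sample log are assumptions constructed for illustration.

```python
"""Detect low-and-slow credential stuffing that per-IP limits miss."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # Unix time of the attempt
    ip: str
    asn: int
    username: str
    success: bool


# Thresholds are assumptions for this example; tune against your own baseline.
PER_IP_FAILURE_LIMIT = 10    # typical per-IP lockout rule
WINDOW_SECONDS = 3600
MIN_FAILED_USERS = 50        # distinct accounts with a failure in one window
MIN_ONE_SHOT_SHARE = 0.9     # share of those accounts tried once, never retried
MIN_USERS_PER_SOURCE = 3     # accounts touched by one IP before it is suspect


def per_ip_alerts(events):
    """IPs that a simple per-IP failure counter would block."""
    failures = Counter(e.ip for e in events if not e.success)
    return sorted(ip for ip, n in failures.items() if n > PER_IP_FAILURE_LIMIT)


def analyse_window(events):
    """Aggregate one time window across all sources instead of per IP."""
    fails_per_user = Counter(e.username for e in events if not e.success)
    succeeded = {e.username for e in events if e.success}
    # Stuffing tries each stolen pair once; real users retry and then succeed.
    one_shot = [u for u, n in fails_per_user.items()
                if n == 1 and u not in succeeded]
    users_per_ip = defaultdict(set)
    for e in events:
        users_per_ip[e.ip].add(e.username)
    spraying_ips = {ip for ip, users in users_per_ip.items()
                    if len(users) >= MIN_USERS_PER_SOURCE}
    failed_users = len(fails_per_user)
    share = len(one_shot) / failed_users if failed_users else 0.0
    return {
        "failed_users": failed_users,
        "one_shot_share": share,
        "source_ips": len({e.ip for e in events if not e.success}),
        "source_asns": len({e.asn for e in events if not e.success}),
        "suspected": (failed_users >= MIN_FAILED_USERS
                      and share >= MIN_ONE_SHOT_SHARE),
        # A success from an IP that touched many accounts is a likely takeover.
        "accounts_to_reset": sorted({e.username for e in events
                                     if e.success and e.ip in spraying_ips}),
    }


def detect(events):
    """Return {window_start: stats} for every hourly window in the log."""
    buckets = defaultdict(list)
    for e in events:
        buckets[e.ts // WINDOW_SECONDS].append(e)
    return {w * WINDOW_SECONDS: analyse_window(evts)
            for w, evts in sorted(buckets.items())}


def sample_events():
    """Constructed log: 30 normal users plus a throttled run from 40 IPs in 8 ASNs.

    Addresses and ASNs come from documentation ranges, not real networks.
    """
    base = 1_700_000_000 - 1_700_000_000 % WINDOW_SECONDS
    events = []
    for i in range(30):      # legitimate users; every third mistypes once
        ip = f"198.51.100.{i + 1}"
        if i % 3 == 0:
            events.append(LoginEvent(base + i * 60, ip, 64500, f"staff{i}", False))
        events.append(LoginEvent(base + i * 60 + 20, ip, 64500, f"staff{i}", True))
    for n in range(200):     # stuffing: each pair tried once, 5 accounts per IP
        ip_index = n % 40
        ip = f"203.0.113.{ip_index + 1}"
        asn = 64501 + ip_index % 8
        hit = n == 137       # one valid pair among 200 attempts
        events.append(LoginEvent(base + n * 15, ip, asn, f"patient{n}", hit))
    return events


if __name__ == "__main__":
    log = sample_events()
    print("per-IP rule blocks:", per_ip_alerts(log))
    for start, stats in detect(log).items():
        print(start, stats)
```

On the constructed log the per-IP rule blocks nothing, while the cross-source view flags the window and names the one account that was successfully logged into from a spraying address.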
What are the cybercriminal’s goals?
“It is a misconception that only financial information like payment card numbers or bank accounts has monetary value to data thieves.” - Source
Obviously, the most valuable data for cybercriminals is going to lead them to bank account and credit card details, which they can use directly to access a person’s money. In 2019, though, there was a significant decrease in the amount of sensitive data exposed, going from a reported 471 million records in 2018 down to 164 million in 2019. It’s worth noting, though, that the Marriott breach in 2018 did skew the records, with over 300 million sensitive records exposed in that single data breach.
However, there are numerous ways a cybercriminal can benefit from accessing another person’s account data through credential stuffing of purportedly non-sensitive data. These strategies will be tailored to the sites they gain access to and can lead to various forms of identity fraud and phishing scams.
Part of the reason this indirect strategy is growing in popularity with cybercriminals is that sensitive data is becoming better and better protected by corporations and financial institutes. However, this somewhat simplistic approach creates a serious vulnerability to any company.
Credential stuffing is costing businesses millions each year, not just in the follow-up costs of a cyber attack and the ramifications of fraud, but from increases in IT security spending, potential lost revenue from lost customers, and application downtime. This, according to one study by Akamai, is costing companies an estimated $4 million a year.
Who is most at threat?
When it comes to what this looks like in real life you only have to take a cursory glance at the numbers to have cause for concern. In 2019 it was reported that a total of 869,857,509 records were stolen by cybercriminals in the US - and it’s likely that many more stolen records went either undetected or unreported.
The majority of that data, around 750 million records, was non-sensitive data, which will largely find its way into the hands of cybercriminals who will use it for credential stuffing.
The credential stuffing technique can be used against any company with a login page.
“Up to 83% of people - according to 2018 research - use the same password for more than one account.”
Consumers face growing complexity in password requirements, with various length requirements, plus symbols and numbers. This has actually encouraged many users to find a single password that fits the bill and then reuse that password, or variations of it, across numerous account logins. This is then paired with a growing number of individuals who have access to varying levels of technology and might not know how to best protect their data.
Source: idtheftcenter.org
What can be done to mitigate the threat of credential stuffing?
People are always talking about having better online security but no one ever talks about what happens after a data breach or after being hacked.
As the old saying goes, “hope for the best, but plan for the worst.” A growing number of companies are on the receiving end of cyberattacks and it is leading to an increasing number of data breaches.
Shoring up online and cybersecurity is absolutely vital. However, it may well not be you who is hacked; you may instead be a victim of the credential stuffing technique. One thing to do is to require two-factor authentication. But even this isn’t flawless, as the hacker may well have access to that user’s email account as well.
So, what can businesses do to mitigate the growing threat of credential stuffing? Often hackers responsible for the data breach won’t use all the data themselves. Instead, they’ll turn to the dark web, where they can anonymously sell the data.
This is where threat intelligence software like Signal comes in. Signal allows for users to monitor the dark web without needing a Tor browser. With threat intelligence software like Signal one can do much more than just monitor the dark web though.
Users can set up alerts for keywords and monitor dozens of channels, instantly generating alerts based on their search queries. What this means is that as soon as leaked data goes up for sale on the dark web, or as soon as anyone talks about purchasing records gained through illegal or forced access to your database, you will know.
You can then take precautionary actions to mitigate the potential threat. For example, warning customers of potentially exposed data so that they can secure any logins with the same password, force resetting customer passwords, and reporting the incident to the authorities.
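As an added example (not from the original article or from Signal), the sketch below shows one way to decide between the two customer actions named above once a leaked login list has been identified: accounts whose current password still matches the leaked one are force-reset, while accounts that appear in the leak with a password that no longer matches are only warned. The `login:password` leak format, the PBKDF2 storage scheme and all sample accounts are constructed assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # reduced so the demo runs quickly; use your production setting

def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 with a per-user salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Constant-time comparison of a candidate password with the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def parse_leak(lines):
    """Parse 'login:password' lines; passwords may contain ':'; skip junk."""
    pairs = []
    for line in lines:
        login, sep, password = line.rstrip("\n").partition(":")
        if not sep or not login.strip() or not password:
            continue
        pairs.append((login.strip().lower(), password))
    return pairs

def triage(user_db, leak_lines):
    """Return (force_reset, notify_only) as sorted lists of our own logins."""
    force_reset, notify = set(), set()
    for login, password in parse_leak(leak_lines):
        record = user_db.get(login)
        if record is None:
            continue  # leaked login is not one of our customers
        if verify(password, *record):
            force_reset.add(login)   # leaked pair works against us right now
        else:
            notify.add(login)        # exposed elsewhere, password differs here
    return sorted(force_reset), sorted(notify - force_reset)

def build_sample():
    """Constructed accounts and leak lines (not real data)."""
    users = {
        "alice@example.com": "correct horse",
        "bob@example.com": "S3cure:pass",
        "carol@example.com": "new-passphrase",
        "dave@example.com": "hunter2",
    }
    db = {login: hash_password(pw) for login, pw in users.items()}
    leak = [
        "Alice@Example.com:correct horse",   # reused and still current
        "bob@example.com:S3cure:pass",       # password containing ':'
        "carol@example.com:old-password",    # already changed
        "mallory@example.net:whatever",      # not a customer
        "garbage line without separator",    # malformed
    ]
    return db, leak

if __name__ == "__main__":
    db, leak = build_sample()
    reset, warn = triage(db, leak)
    print("force reset:", reset)
    print("notify only:", warn)
```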
In one recent example, it was found that an employee of a bank stole over 3 million sensitive records from their company database. They then went away and bragged about it on social media and on various dark web forums (like 8chan). These set off immediate alerts through the Signal system and action was able to be taken: the data was recovered before it changed hands and the employee faced the legal ramifications of their actions.
Because Signal uses open-source data all evidence and information gathered through its channels are able to be used as actionable intelligence.
5 Signs Your Corporate Security Department Needs a Better Way of Monitoring Social Media
Social media is a key source of intelligence for corporate security professionals. As such, it's vital that they choose the right tool for the job to enable efficient social media monitoring and effectively detect potential threats early.
It’s no secret social media is now a key source of intelligence for corporate security professionals. But with so many social media monitoring tools to choose from, departments can easily end up choosing software that hasn’t been developed with their needs in mind, i.e. social media monitoring software built for marketing purposes.
This poor choice often impacts efficiency, results, and ultimately hurts the bottom line and, in some cases, employees.
Here are 5 tell-tale signs that’ll help you work out if the social media monitoring tool your corporate security department uses needs an overhaul.
1. Sometimes they’re the “last to know”
News travels fast these days. Some call it “the speed of internet”. What this means is, everyone and anyone with an internet connection can learn about and/or spread the breaking news happening at your corporation.
This increases the chance that a staff member might find out things before your corporate security department does. Especially when it’s happening in a retail store or near the event your CEO is speaking at.
2. Reports are missing known threats
Lack of awareness can linger long past the date something occurred (especially for potential threats that are yet to fully develop).
When regular reports are missing developed or developing threats that are already known to senior executives (whose lives and livelihoods depend on it), it may result in a loss of confidence from the executive team, even when the corporate security department thinks it is being as effective as possible.
The wrong tooling might provide you with what looks like the most relevant and timely information, but you’re often missing the complete picture.
The right tooling, developed specifically for protecting executives, assets and supply chains, provides more advanced and targeted search capabilities (e.g. Boolean search) than typical marketing-related tools. For such tools, the focus is generally on social engagement and brand and reputation management rather than detecting potential and developing cybersecurity and physical threats.
3. Incident response times are slow
Further to point 1, if your team is unaware of a threat, or simply hears about it too late, this can have a butterfly effect, impacting the overall incident response time. This can potentially put the safety of staff and executives at risk, impacting “Duty of Care” responsibilities and even impacting revenue or costs.
Having the right monitoring tool often means you can plan ahead (building out a calendar of events to monitor), giving you a better chance of being the “first to know” and therefore speeding up incident response times.
4. Small incidents often escalate
You guessed it! Catching threats early can keep small incidents… well, small.
This will save you and your team from having to deal with larger and more troublesome incidents in the future. So, how does Social Media come into this?
Sometimes the earliest signals come from the most unusual sources. Social media, if used with the right monitoring software, can act as an early warning system for you and your team. It can even supply this early intelligence directly to your phone via SMS or email so you are always on top of new incidents.
5. Your team is too reactive
If you’re the Head of Corporate Security and you can’t understand why your team never seems to be prepared for events such as executive travel and retail store/office openings, it could be a sign they need to move to operationally focused social media monitoring software where they can plan ahead and schedule monitoring at certain locations over certain dates, times or seasons.
This not only instils a more active team culture allowing you to get ahead of potential issues, but it also reduces stress and allows your team to be in a better frame of mind when things really matter.
Conclusion
It wasn’t that long ago that there was very little in the way of social media monitoring software tailored for corporate security professionals. Early adopters persevered, as a stop gap, with tools designed for marketers.
These days things are a little different:
The role of corporate security in any large corporation is becoming more important;
Social media is an open source of intelligence when it comes to protecting executives, digital, physical assets and supply chains;
Access to social media is now in the hands of the majority (wherever they are);
Threats can be indirectly identified via social media posts made by the public and media.
And, most importantly, tools have been created specifically for corporate security professionals to make use of this free intelligence source.
Are you already making the most of these new tools or is it time to make the shift?
Black Hat brags about bank hack – Signal could have spotted it
Many hacks go completely undetected as shown by the fact that in 2019 one of America’s biggest banks took over four months to realise they had had a severe data breach! Learn how Signal could have helped this bank find and respond sooner and reduce their reputational damage.
One of America’s biggest banks took four months to realise it had been hacked.
Signal could have helped the bank find and respond sooner to reduce their reputational damage.
In late July the $370bn bank Capital One announced a hack of one million social security numbers and 80,000 credit card-linked bank account numbers which is estimated to cost over $100m to remedy.
Their announcement came 120 days after the actual hack occurred - the vigilant monitoring that Signal provides could have alerted Capital One to the problem quickly. Instead, it took months before a ‘white hat’ noticed conversation about the breach.
The number of people affected was staggeringly high – in the words of Capital One itself, “The event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.”
Here’s what happened:
On July 19, 2019, it was determined there had been unauthorised access by an outside individual who obtained personal information relating to Capital One credit card customers.
Capital One says it immediately fixed the configuration vulnerability that the individual had exploited and promptly began working with federal law enforcement.
The FBI arrested Paige Thompson, 33, a software engineer who formerly worked for Amazon Web Services… which Capital One is known to use.
Charges against Ms Thompson state she boasted about the hack on GitHub, Slack, and Twitter, allowing Capital One the opportunity to quickly alert their cyber teams of a potential breach – if they were utilizing an OSINT tool like Signal.
Capital One claims it is unlikely the information stolen was used for fraud or disseminated by the individual, adding it believes no credit card account numbers or log-in credentials were compromised and that over 99 percent of Social Security numbers were not compromised.
The fact remains: one million social insurance numbers and 80,000 credit card-linked bank account numbers were exposed.
The largest category of information accessed was information on consumers and small businesses created when they applied for credit card products across the last 15 years, including:
Customer status data, credit scores, credit limits, balances, payment history, contact information
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
140,000 Social Security numbers of credit card customers
80,000 linked bank account numbers of our secured credit card customers
The Social Insurance Numbers of one million Canadian credit card customers were also compromised in this incident.
The configuration vulnerability was reported to Capital One by an external security researcher through a Responsible Disclosure Program on July 17, 2019. Capital One then began their own internal investigation, leading to the July 19, 2019, discovery of the incident. The hacker had four months to do what she wished with people’s personal information. Unfortunately, it is common for hacks to take months to be discovered, reported, and patched if the proper monitoring solutions are not in place.
Capital One expects the incident to generate incremental costs of approximately $100-$150 million in 2019. Expected costs are driven by customer notifications, credit monitoring, technology costs, and legal support and notifying customers.
Capital One said in its public statement it has always invested heavily in cybersecurity and will continue to do so. This breach shows how the convergence of cyber and physical security is continuing to evolve as companies continue to invest in infrastructure and tools to stay at the forefront of cyber threats. As threat surfaces continue to increase, social media and dark web scanning tools have become even more important to identify threats in real time.
Clearly there’s a lot of money at stake, but the worst part of it all is the hacker boasted about it online and the response could have been a lot quicker.
While it doesn’t appear that the breach was for financial gain, the reputational damage for Capital One has been huge (and continues).
Here’s how Signal can help prevent this sort of thing happening:
Signal’s point of difference is scanning the web and dark web for chat around data hacks, breaches and stolen information for sale.
We know that the accused thief bragged about what she was alleged to have done to Capital One, and this is precisely the sort of thing Signal is set up to prevent.
Signal offers:
Monitoring over 15 data sources, including social media, web/forums, surface web, the dark web and online forums.
Accurate real-time results centred around the geographical locations you need to monitor
Advanced filtering of searches
Excellent visuals so you’re not sifting through raw data to find out who’s talking about hacks at your organisation
Situation awareness
Online operation centre capability and data
People are selling your stolen data online. Here's what it looks like
It was only on March 13th, two months after their systems were breached and sensitive data was stolen, that Kathmandu publicly responded to the breach; intelligence software like Signal could have instantly spotted people trying to sell the stolen data online and led to a much faster response time.
The image below shows a typical message from a carrier of stolen financial information looking for a buyer.
Using Signal open source intelligence software, we found this on the dark web.
Hackers will go wherever the money is, from NZ to Europe to the US or – as in this case – Australia.
They also recently attacked New Zealand, where equipment and clothing retailer Kathmandu suffered a data breach at the start of 2019. Intruders took customers’ credit card and personal information.
The ASX-listed Kathmandu said the following in a public statement on March 13:
“Kathmandu has recently become aware that between 8 January 2019 and 12 February 2019, an unidentified third party gained unauthorised access to the Kathmandu website platform. During this period, the third party may have captured customer personal information and payment details entered at check-out.”
It was only on March 13th that Kathmandu publicly responded to the breach; intelligence software like Signal could have helped spot people trying to sell the stolen data online.
Doug Hunt of Auckland described on social media how on February 15 $2581.72 was taken from his credit card account. A second fraudulent transaction was noticed by the bank and blocked.
Hunt says he found out about the breach only after his bank, ANZ, phoned him.
Hunt told media he was appalled it took Kathmandu a month to respond.
Who hackers are and how they operate
Taking credit card numbers is one of many ways hackers make money. Another is to get ATMs to spew cash.
Jackpotting attacks can empty ATMs in minutes and are performed by prying open a panel to access a USB port on the machine and injecting malicious code, Tech Republic reports. Jackpotting has been a growing security threat in Europe and Mexico.
Most ATMs can be hacked in under 20 minutes, according to Zero Day. Typically splicing a black box into the cable between the ATM’s computer and cash dispenser is the way it’s done.
Another way is by plugging a flashdrive into one of the ATM's USB or PS/2 ports then running commands on the operating system to cash out money.
There’s also malware. North Korean-linked Lazarus Group (aka Hidden Cobra) is believed responsible for malware known as FASTCash which stole $13.5 million from India’s Cosmos Bank between August 10 and August 13, 2018. That group committed thousands of fraudulent ATM transactions across 28 countries and came down to three unauthorized money transfers using the SWIFT international financial network.
Data breaches can be stopped before they happen
The Ponemon Institute’s 2018 IBM Cost of a Data Breach study reported the average time it takes to identify a data breach is a shocking 196 days.
The time it takes Signal security intelligence to identify a potential breach being arranged on the dark web: minutes. Australian and New Zealand banks, institutions, businesses, hospitals and ASX/NZX-listed companies can all receive early indicators so you can be proactive about security and not caught off guard.
If you know potential threats, you can set your own search terms
Signal is an extremely user-friendly app and can be utilised by any staff members with minimal training. Simply put in the search terms you feel your institution needs to monitor; Signal’s easy interface then provides alerts when what you’re looking out for appears online.
Signal is designed to recognise conversations in which criminals name your bank or business
Every day, Signal observes and captures data around Dark Web users offering to sell stolen material
Signal parses through postings and conversations and can spot questionable behaviour which might harm your brand, your interests or even your staff.
Breaches happen to many different types of online businesses
LinkedIn lost 6.5 million encrypted passwords in 2012;
Ashley Madison had 36 million accounts compromised in 2015. In July that year, a group calling itself ‘The Impact Team’ threatened to release users' names and personally identifying information if Ashley Madison would not immediately shut down. The group then leaked 25gb of company data, including user details causing huge embarrassment for the thousands of Saudi executives and US military and government employees who had accounts on Ashley Madison. The company which owns Ashley Madison then faced lawsuits, as users who had in the past asked Ashley Madison to delete their accounts found themselves caught up in the leak and sued the company.
Dropbox login data for 68 million users has been offered for sale on the dark web. The data set came from a 2012 breach. The trafficker was known in 2016 as TheRealDeal and offered a disturbingly low price: two bitcoins.
Which data is valued most?
Various online computer hacking magazines estimate the value of stolen information like so:
Passports are estimated to be worth $2,000
Medical records: $1,000
Online payment account credentials typically valued at up to $200
Credit or debit card information – usually sold for up to $110
Diplomas: $400
Trend Micro research shows the main types of data stolen are financial and insurance data, which can be twisted to then become a tool for blackmail; healthcare details; payment card information; account logins; and educational information such as transcripts.
However, even supposedly valueless data such as a username and password login to a seemingly unimportant website offers value to cybercriminals through the credential stuffing tactic. This is when cybercriminals use user logins against multiple different login forms due to the fact that many people use the same password for multiple websites.
We have dozens of examples of top share listed companies relying on Signal software to avert risk.
How Watching The Dark Web Could Have Stopped A $140,000 Theft
In this real-life example, we explore how utilising threat intelligence software like Signal could have easily spotted and halted a massive employee data breach which cost Lloyds bank over $140k!
Dayne Lynn, a young Lloyds Bank employee from Scotland, was convicted at the start of 2019 for stealing $AUD140,000 from his customers’ accounts after he was blackmailed by criminals he met on the dark web.
The crimes began when Mr Lynn joined an internet chat forum and made the mistake of revealing he worked at Lloyds Bank in Glasgow. Mr Lynn was working as a member of a team that investigates fraudulent payments and transfers, where he had access to the accounts of many bank customers.
It wasn’t long before a group of criminals on the dark web forum ordered him to steal from accounts and transfer the money to them.
On July 18, 2016, between 7:45 a.m. and 9:30 a.m. Lynn accessed almost 20 customer accounts and took tens of thousands of pounds, overcoming bank transfer restrictions using his Lloyds Bank employee credentials to access the accounts. The bank reversed all of the stolen money, however, the identity of the culprit couldn’t be established for over a year and Mr Lynn and his dark web associates almost got away with the crime.
The theft could have been averted if the bank had used Signal. Signal constantly monitors dark web traffic and simple search terms such as Lloyds Bank, banker or bank accounts might have allowed the bank to stop its staffer before he went down the road of fraud.
Data Breaches Can Be Stopped Before They Happen
The Ponemon Institute’s 2018 IBM Cost of a Data Breach study reported the average time it takes to identify a data breach is a shocking 196 days.
The time it takes Signal security intelligence to identify a potential breach being arranged on the dark web: minutes.
Australian and New Zealand banks, institutions, businesses, hospitals and ASX/NZX-listed companies can all receive early indicators so you can be proactive about security and not caught off guard.
As the Office of the Australian Information Commissioner recently found:
78 per cent of data breaches involve individuals’ contact information
a third of the data breaches are financial details and a third health information.
If You Know Potential Threats, You Can Set Your Own Search Terms
Signal is an extremely user-friendly app and can be used by any staff members with minimal training. Simply put in the search terms you feel your institution needs to monitor; Signal’s easy interface then provides alerts when what you’re looking out for appears online.
On a daily basis, Signal spots and reports Dark Web users offering to sell documentation and templates from banks and government as well as credit card numbers and logins
Signal parses through millions of postings and conversations to recognise questionable behaviour.
Signal is designed to recognise conversations regarding your business (bank, hospital, university) and determine the tone and context of potentially harmful language
You as the client set up your own monitoring parameters. For example, our Hollywood filmmaking clients ask us to identify those who want to hack, leak and illegally distribute intellectual property and scripts
Signal does all the heavy lifting, trawling the internet and sending you proactive alerts so that you hear about risks first – not 196 days later.
Data breach study author Larry Ponemon estimated a business is more likely to experience a data breach of 10,000 records than a person is to catch the flu over winter.
The average cost of EACH data breach in 2020 is anticipated to exceed $150 million, with worldwide costs estimated at $2 trillion
Don’t let a failure to watch the web cost your company.
Signal offers free demonstrations of outstandingly effective software. We have dozens of examples of top sharelisted companies relying on Signal software to avert risk. www.GetSignal.info or email info@signalpublicsafety.com