Security Central: A Banner Week for Hackers, Fraudsters – May 6th, 2016
In this week's Security Central, The VAR Guy explores a stash of stolen email accounts on the Russian dark web, a business email compromise at Pomeroy Investment Corp. and stolen W-2s.
Information security consulting firm Hold Security has uncovered 272.3 million stolen email accounts on the Russian dark web. The stash, which included hundreds of millions of Mail.ru, Google, Yahoo and Microsoft usernames and passwords, is one of the largest stores of stolen credentials uncovered in the last two years, according to a Reuters exclusive.
Hold's researchers located a young hacker who was angling to trade his collection of stolen accounts. Oddly enough, the individual priced his prized collection at 50 rubles (less than US$1), but settled for payment in the form of favorable endorsements on a hacker forum.
While the discovery has been made and email providers alerted, the trouble might only just have started, according to Hold founder and CIO Alex Holden. Large-scale breaches of this kind can be used to design further attacks on the contacts tied to the compromised accounts, a common tactic among those eyeing financial theft as an end game.
Just this week, the Detroit News reported a business email compromise (BEC) hack resulted in a $495,000 loss for Michigan-based Pomeroy Investment Corp. After commandeering an employee's email account, a hacker emailed a co-worker with a request for the funds to be transferred. According to the Detroit police, email communications for transactions have been a standard practice for this company, so the request was granted. Whoops.
Alas, the Pomeroy incident isn’t the most unsettling fraud case this week. That distinction goes to payroll leader ADP, which is facing severe scrutiny after identity thieves stole employee W-2s from more than a dozen of the company's enterprise customers, including U.S. Bank. KrebsOnSecurity reported this week that thieves were able to register employee accounts through an external W-2 portal maintained by ADP. ADP assigns each of its client companies a unique link and company code, which some of its customers published online. Once hackers obtained this information, it was just a matter of gathering employees' basic personal data to allow them to enter the portal.
Exposure of W-2 information is said to be limited to individuals whose personal data had already been leaked in an earlier breach separate from this week's ADP incident. However, both the ADP and Pomeroy incidents raise concerns about the persisting challenge of human error in data security. Incidents of the Pomeroy variety should prompt organizations to reassess the way in which they coach employees (if they coach them at all) on verification of these kinds of requests – even if the transaction requests come from a "trusted" source.
Unfortunately, today's threat landscape is plagued by a disastrous combination of savvy fraudsters and victim mistakes. As a result, online fraud is at an all-time high and growing. A study released this week by Juniper Research puts worldwide online transaction fraud at $25 billion by 2020 (double the jackpot of transaction fraud in 2015). But can we really curb that prediction by doubling down on educating users in data security best practices? I'd say it's worth a shot.
5/6/16: The story has been edited to more accurately reflect the ADP breach. The sensitive customer information was published online by ADP clients, not ADP.