By itself, the database of 3.8b phone numbers leaked from social-media platform Clubhouse didn’t have much value on the underground market. In fact, the numbers were eventually released on a hacker forum for free.
The combined batch of data is likely to fuel a flurry of account takeover & smishing attacks, experts warn.
Highest Bidder
An enterprising threat actor has reportedly combined those phone numbers with 533m Facebook profiles leaked last April, & is selling that enhanced range of personally identifiable information (PII) to the highest bidder on the underground market.
According to Cyber News, the combined Clubhouse-Facebook database includes names, phone numbers & other data, & is listed on an underground forum for $100k for all 3.8b entries, with smaller amounts of data available for less. Reportedly, the seller is still looking for buyers.
Likely to Fuel ATO Attacks
These credentials could quickly be used for basic account takeover (ATO) attacks, according to Brian Uffelman, who is a security analyst for PerimeterX.
“These stolen credentials are then used for credential-stuffing & ATO attacks, which can steal value, whether that is in the form of gift cards, credit-card numbers, loyalty points or making false purchases,” Uffelman outlined.
“ATO attacks are a major threat to any business & all of this just creates more fuel to feed the ATO attack fire.”
Login Attempts
He added that it’s much easier for cyber-criminals to use stolen credentials than to do the work of trying to find holes in an organisation’s cyber-security defences. In fact, Uffelman pointed out that PerimeterX research showed that, of all login attempts measured in the second half of 2020, up to 85% were ATO attempts.
“Organisations need to be aware of signs that they’ve been attacked,” Uffelman warned. “These can include surges in help-desk calls, spikes in password resets and inhuman user behaviours, such as 1,000s of login attempts on an account in a short time period & then take the appropriate action to block these attacks.”
Users need to be aware of signs of breach, too, he added.
“Consumers need to ensure they are using varied & robust passwords across different websites & applications & lock down their credit reports as well.”
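Two of the signals Uffelman names above, thousands of login attempts on one account in a short period and a spike in password resets, can be checked over an authentication log as in the following added example, which is not from the article or from PerimeterX. The event format, the five-minute window, the 1,000-attempt threshold and the 5x-median reset baseline are assumptions, and the sample events are constructed.

```python
import statistics
from collections import defaultdict, deque
from datetime import datetime, timedelta

def login_bursts(events, window=timedelta(minutes=5), max_attempts=1000):
    """Return {account: time the per-account attempt count first exceeded
    max_attempts inside a sliding window}. Both thresholds are assumptions."""
    recent, flagged = defaultdict(deque), {}
    for ts, account, kind in events:          # events must be sorted by timestamp
        if kind != "login":
            continue
        q = recent[account]
        q.append(ts)
        while ts - q[0] > window:             # drop attempts older than the window
            q.popleft()
        if len(q) > max_attempts:
            flagged.setdefault(account, ts)   # keep the first time it tripped
    return flagged

def reset_spikes(events, factor=5):
    """Return the hours whose password-reset count exceeds factor x the
    median of the hours that saw any reset (a simple assumed baseline)."""
    per_hour = defaultdict(int)
    for ts, _account, kind in events:
        if kind == "reset":
            per_hour[ts.replace(minute=0, second=0, microsecond=0)] += 1
    if not per_hour:
        return []
    baseline = statistics.median(per_hour.values())
    return sorted(h for h, n in per_hour.items() if n > factor * baseline)

def sample_events():
    """Constructed events as (timestamp, account, kind). Not real data."""
    day = datetime(2021, 1, 1)
    events = [(day + timedelta(hours=h, minutes=m), f"user{h}{m}", "reset")
              for h in range(6) for m in (10, 40)]            # 2 resets per hour
    events += [(day + timedelta(hours=6, minutes=m), f"user6{m}", "reset")
               for m in range(40)]                            # 40 resets in one hour
    events += [(day + timedelta(hours=h), "alice", "login") for h in (8, 13, 20)]
    events += [(day + timedelta(hours=6, milliseconds=100 * i), "victim", "login")
               for i in range(1500)]                          # 1,500 attempts in 150 s
    return sorted(events)

if __name__ == "__main__":
    ev = sample_events()
    print("login bursts:", login_bursts(ev))
    print("reset spikes:", reset_spikes(ev))
```
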
Smishing Attacks
Smishing, or socially engineered phishing attempts conducted through SMS text messages, is a likely way cyber-criminals will try to turn this database into profit, Jake Williams from Breach Quest explained.
“With this information, threat actors can send SMS phishes while spoofing the sender’s number of a known friend,” Williams stated.
“A threat actor could go even further by using an SMS phishing pretext tailored to the victim based on their recent Facebook posts. Users are advised to be extremely careful in acting on unexpected SMS messages, even from senders they believe they know.”
Clubhouse Users
Williams added that Clubhouse users need to be on the lookout for suspicious texts, particularly those asking to transfer funds or confirm requests with a phone call, which are both common smishing tactics.
Even if petty thieves don’t see the value in the information, John Bambenek from Netenrich outlined that he suspects intelligence agencies will take notice.
“Breaches like these often get sold at a discount because the ones who stole the data don’t know what to do with it. In some cases, intelligence agencies will buy them if they have targets of interest on those platforms,” Bambenek warned.
“Likely the biggest use will go into the secondary consumer data market for those who want to build profiles for specific ad targeting.”
Profiles of Targets
Beyond the immediate consequences of the enhanced data falling into the wrong hands, Archie Agarwal from Threat Modeler pointed out that as these leaks continue, they will enable threat actors to create incredibly detailed profiles of targets.
“Aside from using data like this for more targeted scamming, there is a much larger concern,” Agarwal explained.
“As we share more & more personal information across an ever-growing list of social-media platforms, combining data gleaned from this type of scraping, together with leaked breach information & using big-data analytics to mine it, could potentially reveal previously hidden information & behaviours on users.”
Accepted Risks
While the infosec community is alarmed by the prospect of all that data floating around, Roger Grimes from KnowBe4 doesn’t expect the seller of the combined Clubhouse-Facebook data to get much financial gain out of the deal.
“My bet is the seller doesn’t get anywhere close to their $100k asking price. It’s not a scarce resource,” Grimes surmised.
Socially Engineered
He also noted that while he agrees the data could fuel future smishing & other socially engineered attacks, he doesn’t suspect much pushback from users.
“I think most people simply see this as a cost of using free internet services, Clubhouse or any other service,” he concluded.