Soft Targets: The Path of Least Resistance to Valuable Data


Cybercriminals often take the path of least resistance to get their hands on valuable data. You might not make a huge payoff by dropping ransomware on a Fortune 500 company, but soft targets offer a profitable payoff with a lot less effort and risk. In soft-target attacks, user data is the goal. Soft targets are those that hold a wealth of individuals’ data but might lack enterprise-class security. Recent targets have included hospitality organizations, municipal governments and agencies, schools, and small and medium-sized businesses.

Attacks on soft targets are often automated, making it fast and easy to go after stored programmatic data like shopping rewards accounts, property tax records, or student rolls associated with electronic device IDs. Targets might also be individual celebrities, high-net-worth people, business owners, or just everyday people. Data associated with someone’s movements, electronic devices, frequented locations, and associates can be parlayed into profit.

How? So what if someone knows all the Netflix shows I watch? A cyber crook might not care about your choice of shows, but the data associated with that account delivers a wealth of information—login info, address, phone numbers, email addresses, payment choices, schedule, and financial details. Now add in the fact that as of 2020, an audit of the dark web revealed more than 15 billion stolen credentials from 100,000 data breaches available to cybercrime actors. Approximately 5 billion are said to be unique, with no repeated credential pairs. It doesn’t take a lot to piece together enough data to take the next step.

“The next step” depends on the cyber criminal’s goals. These are a few examples of how this data is used—and some of them are pretty scary:

  • Back door to a bigger target: The pandemic sent many employees home to work—without enterprise-class security on their home routers or Wi-Fi networks. Cybercriminals used unsecured devices to penetrate these networks and reach into “parent” corporate networks.
  • Financial fraud: With stolen login details, it’s easy to conduct account takeovers (ATOs) or set up fake accounts to drain funds, intercept messages, redirect product shipments, or steal money.
  • Fraud as a service: Cybercriminals can simply sell stolen data or package it in their own fraud-, malware-, ransomware-, or attack-as-a-service offerings.
  • Digital payment fraud: With user data, cybercriminals can easily take advantage of alternative digital payment methods like payment apps, digital wallets, and peer-to-peer services.
  • Deepfake synthetic identity fraud: Synthetic identities are made up of leaked personal data combined with data from internet and social media profiles. Now, AI technology enables criminals to impersonate people through facial recognition and voice prints—generating new synthetic profiles to apply for loans, claim social benefits, and commit other forms of fraud.
  • Targeting children and underage users: With clean financial slates, children and underage students are increasingly targeted. Stolen identities from breached schools or accounts with a child’s social security number are used to take out loans, open credit card accounts, and even apply for benefits. No one will know until years pass and it’s discovered that the child has mountains of debt in their name.
  • Extortion: Simply browsing Instagram hashtags tells you who has money, where they live, and other valuable details about a person. These give criminals levers for sextortion or threats against a person’s family, reputation, or business.
  • Cyber creeps: Online gaming data has opened new doors for truly awful people to target children and teens. Unsuspecting children can be lured by fake games that download malware and coaxed into revealing personal details. Social media data gives groomers information for manipulating kids and teens. Many apps are linked to device location settings, making it easy to know where the child is in real life. Criminals also steal photos of children posted on social media sites to “digitally kidnap” the child. Photos are used to present the child as their own on other sites, or worse, shared on sexual abuse sites.

The point is, personal data is a huge target and there is no way of knowing exactly how it will be used. With every digital interaction, data is created and stored somewhere. If your business—or even you as an individual—is responsible for securing it, then you need to be aware of it and be able to effectively defend it. Get a handle on where data is proliferating and how it’s being used.
