Graff search: How attackers track online footprints

Author: Daniel Farrie

It will probably come as no surprise to hear that the number of organisations falling victim to ransomware attacks is on the rise. Threat actors have perfected their attack strategies and are reaping the financial rewards because of it.

A successful ransomware attack not only impacts profits and security, but the organisation’s reputation as a reliable and safe entity with which to conduct business. It is this fear that organised crime groups and Nation States are actively exploiting, and with great success.

It was recently reported in the news that Graff, the multinational jeweller, was the victim of such a cyber-heist. The ransomware gang behind this, known as Conti, announced the accomplishment on the dark web two weeks before it had made national news headlines. To prove that the gang wasn’t bluffing in their ransom demand, they released 1% of the data they had stolen from Graff to prove their intention.

This included a range of data relating to Graff’s customer base. One document in particular held circa 11k customer names and addresses. The idea that the group have proved their intent by using this tactic is an annoyance, for sure, but of greater concern is the group’s disregard for the safety and security of the leaked individuals and their families. Again, this is not unique to Graff, but a recurring trend by crime groups.

Sadly, Graff’s story is far from unique, with many organisations facing the same fate on a weekly basis. Suffice to say, Conti are not the only gang using this method of ransom supplemented with secondary extortion.

Luckily, in this case representatives of Graff have confirmed that their data had been backed-up and they were able to start rebuilding their systems.

In an interesting turn of events, and since this article was originally penned, Conti, believed to be a Russian gang, removed the Graff data leak from its website and issued an apology to members of Saudi Arabia, UAE and Qatar, with particular acknowledgement to the royal families of those regions. Each state has in recent times developed stronger ties with Russia through various trade deals, which may indicate a reason for the announcement.

While it is unknown if this act was forced upon Conti by a controlling power, it does suggest that the group acts haphazardly with personally identifiable information. Moreover, the group’s own lack of political awareness and judgement has shone through, and they have attempted to address this error by stating that they will review the data and re-release that which targets only US and EU citizens.

Figure 1: Conti announcement

The impact

For some of the individuals listed, this online exposure may not be of direct concern, particularly if they don’t use social media and feel their online footprint is minimal. Nevertheless, skilled criminal groups will be able to take advantage of this information.

It may be possible for instance, to discover the social media profiles of family members or employees of the target, based on geo-location data in close proximity to a physical address sourced from the data leak. Researching those individuals may unearth a trove of information detailing physical security weaknesses, or patterns of life.

Once additional data sources, such as an email addresses, have been identified for a target, it’s highly likely that it will feature within historic data breaches from other unrelated sites and services. Those data breaches may include phone numbers, additional physical addresses, or even previous passwords used by the target. It’s likely that the malicious actor will then crosscheck these passwords against other data breach records to see if the target has re-used the same password with other email addresses. Those additional email addresses may lead the attacker to further sites and services, and so the discovery and collection process goes on until such a point that enough useful information has been collated, enabling a path of attack against the victim, be it cyber-based or physical.

The reward for threat actors

The intentions of threat actors vary, although most will be for financial gain. In many instances, the attackers will only require simple information posted online – rather than the advanced skillset or resources of some adversaries.

A number of celebrities and High Net-Worth Individuals (HNWI’s) have become victims of theft primarily due to their online exposure. An interesting article published by Forbes in 2018 gives us an insight into this threat, and how some attackers are carrying out robberies using information available from online media sources.

In July this year, F1 driver Lando Norris was a victim of robbery when his £40,000 watch was stolen shortly after the Euro 2020 final at Wembley, after posting an image of himself at a football match wearing the watch. While it’s unknown if he was targeted as a result of his Instagram posts beforehand, Lando had frequently posted images of himself wearing his Richard Mille watch on his Instagram profile page.

Figure 2 - Lando's Richard Mille Watch at Wembley

For other individuals the attack may be cyber-based, such as targeting personal email accounts for nuggets of information, which can subsequently be exploited, leaked or sold-on by the threat actor. Hilary Clinton was famously hacked during her presidential candidate campaign , significantly hampering her chances of presidency. It was also reported that David Beckham was blackmailed following the compromise of his email correspondence by a hacker based in Eastern Europe in 2017 .

How can individuals stay safe online?

It is inevitable that more companies will fall victim to ransomware attacks and extortion, consequently increasing the amount of personally identifiable information being leaked online in underground forums and marketplaces.

While it’s not possible for everyone to conduct daily research and analysis of their own online exposure, we do recommend that everyone spends a little time reviewing the security settings of their online accounts.

Many social media and email services offer additional security measures, such as multi-factor authentication. Similarly, it is often possible to turn off geo-location services or make profiles private, reducing the risk of exposure to unwanted third parties. Before posting or commenting online, consider whether the information is restricted and whether it could be exploited by a malicious actor.

Furthermore, there are some fantastic free online resources such as Have I Been Pwned, which can be used to check if your personal email addresses features within public data breaches. If they have, ensure you change your passwords and try not to use the same format across multiple services.