When large data breaches occur, the mainstream media tends to cover the event and the stories are viewed by much of the public. While it is good that more people are informed about these breaches, it also opens an opportunity for additional attacks.
On September 7th, Equifax announced a data breach by hackers who had accessed the company’s web portal used to file disputes.
The data breach compromised the information of roughly 143 million U.S. consumers – primarily names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed (Equifax).
The assessment thus far is that the threat actors had been in the network, collecting information from May 13th to July 30th, when the web portal was taken offline. Those threat actors had 78 days to collect information without authorization. This is a problem we often see when a company oversees its own cybersecurity: too many tools to monitor, probably not enough training, and things slip through the cracks.
5thColumn expects to see an uptick in phishing attacks purporting to be representatives of Experian. Opportunistic attackers will use this breach to extract additional information from potential victims of the data breach. For example, attackers may send out an email offering free credit fraud protection and ask for your Social Security number:
So, what can you do?
- Be wary of unsolicited email requesting personal information. Equifax will not be reaching out to potentially affected consumers directly via email.
- Freeze your credit, now. Freezing your credit at all three reporting agencies will prevent any credit inquiries without your authorization. This is much, much easier than dealing with a stolen identity. You can use the automated systems to freeze your credit by calling each reporting agency directly:
- Keep up to date from the Equifax web site: https://www.equifaxsecurity2017.com/
Despite the fact that it looks like a phishing URL, yes, that really is the correct URL.
- Configure your incoming MTA to respect SPF records. This can help prevent spoofing.
- As an aside, you should configure SPF records on your own domains.
- Use an MTA with a concept of reputation to block known bad senders.
- Mark newly registered domains (or no reputation domains) in the email subject so that users know to be extra wary.
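A sketch of the mail-filtering recommendations above (acting on the SPF verdict and marking newly registered or no-reputation domains in the subject), added here as an example and not taken from the original post. The domain names, registration dates, 30-day threshold and tag strings are constructed assumptions; a real filter would take domain age from WHOIS/RDAP or a reputation feed.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

NEW_DOMAIN_DAYS = 30  # assumption: what counts as "newly registered"

# Constructed registration dates standing in for a WHOIS/RDAP or reputation lookup.
REGISTERED = {"example.com": date(2010, 1, 1),
              "credit-protect.example": date(2017, 9, 8)}

def spf_result(msg):
    """Verdict the receiving MTA recorded in Received-SPF (RFC 7208), or 'none'."""
    header = (msg.get("Received-SPF") or "").strip()
    return header.split(None, 1)[0].lower() if header else "none"

def tag_subject(raw, today, registered=REGISTERED):
    """Return the Subject, prefixed with warning tags where the checks call for them."""
    msg = message_from_string(raw)
    # SPF validates the envelope sender; domain age is checked on the visible From.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tags = []
    verdict = spf_result(msg)
    if verdict in ("fail", "softfail"):
        tags.append("SPF-" + verdict.upper())
    created = registered.get(domain)
    if created is None:
        tags.append("NO-REPUTATION")
    elif (today - created).days < NEW_DOMAIN_DAYS:
        tags.append("NEW-DOMAIN")
    subject = msg.get("Subject", "")
    return "[" + " ".join(tags) + "] " + subject if tags else subject

# Constructed sample messages (headers only).
SUSPECT = """\
Received-SPF: softfail (constructed sample) client-ip=192.0.2.10
From: "Credit Protection" <offers@credit-protect.example>
Subject: Free credit fraud protection
"""
KNOWN = """\
Received-SPF: pass (constructed sample) client-ip=192.0.2.20
From: News <news@example.com>
Subject: Monthly newsletter
"""

if __name__ == "__main__":
    for raw in (SUSPECT, KNOWN):
        print(tag_subject(raw, date(2017, 9, 15)))
```
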
Be vigilant, and interrogate any incoming emails for authenticity. Remember, Equifax is not going to send out unsolicited emails directly to you.
For more information on what to do if you suspect a breach, please see our guide to effective incident response.
Written by Keith Schawel, Director of Security Engineering for 5thColumn.