Finding the Truth when the Adversary Lies
As the frequency of data breaches continues to climb, organizations should be aware that some “breaches” are not real at all, and that diligence is required to determine whether a breach has actually occurred. Traditionally, “hacktivists” have used database dumps as a tool to make a forceful statement on the Internet. Large database dumps can garner significant attention and sometimes change a company’s behavior. Stolen databases offered for sale in the underground frequently fetch a high price, and significant releases also bring their author status and fame.
Stealing copies of databases is clearly an effective and lucrative operation. Recently, however, there has been a trend in which attackers simply claim to have hacked a website and present a fake database dump as “proof.” Journalists may then hastily report the claim without verification. Even if incident response later confirms that the leak is fake and the truth is revealed, some damage has likely already been done, and the incorrect reports about the company can remain on the Internet indefinitely. Motivations vary, but most often involve scamming or attempts to gain notoriety.
It is possible to shorten this painful process to nothing more than a minor inconvenience. With some fast and simple fact-checking techniques, a third party can efficiently assess the probability that a leak is genuine, leading to a more appropriate response and reducing the unwarranted reputational damage caused by media frenzy and public concern.
It is important to note that these techniques can only demonstrate that a leak is fake; they cannot establish whether or not a compromise has occurred. Attackers could use the techniques in this paper to produce higher-quality fake leaks (for example, these fact-checking techniques will not help if an attacker uses a “combolist”[1] and an account checker to produce a list of valid accounts and then claims to have hacked the company), but the awareness this document provides will benefit the public more than it benefits attackers.
Additionally, fake leaks can be released after a genuine breach has occurred. The techniques outlined in this document should be treated as situational investigative tools and applied with care, in combination rather than in isolation. Only the victim company can provide a full and accurate analysis.