News headlines featuring data-related attacks most commonly refer to either the deletion or theft of data. As cyberattacks grow in sophistication, our incident response and risk management teams are seeing cases of data manipulation rather than outright destruction or theft.
While the deletion or theft of data presents attackers with a window of earning potential through either the sale or exploitation of the data, attacks that manipulate the data can potentially turn into long-term earning endeavors. You’ll understand why with the examples below.
Data manipulation attacks can reap long-term financial benefits and also can be used as a vehicle to sway or tarnish public opinion. For example, in 2016 Russian hackers breached and released data from the World Anti-Doping Agency, revealing many famous athletes’ medical data. The data was doctored prior to its release and targeted towards athletes participating in the 2016 games.
Furthermore, data manipulation attacks take a great deal of time to recover from, potentially more time than a normal theft or deletion attack. This is because it is difficult to determine the extent of the attack and exactly how the data was manipulated. For example, if an attacker changes a customer’s subscription status or makes a similar under-the-radar modification, the victim would have to sift through all of their customer data to review, check, and double-check that every piece of information is accurate before resuming business as usual.
Types of Data Manipulation Attacks
Malicious actors use their phishing and social engineering savvy to obtain access to systems. From there they make small, meticulous changes to keep users in the dark. Some of the most common data manipulation attacks we see involve:
- Wire transfer fraud: An attacker compromises a customer’s email server and intercepts and changes an email containing information about a wire transfer, which may allow a VERY large transfer to go to the wrong recipient.
- Banking/Financial accounts: Similar to wire transfer fraud, malicious actors are changing payment recipients or account owners to alter payment destinations and amounts.
- Credit card micro payments: Malicious actors are charging unsuspecting accounts a small amount disguised as something unnoticeable. For example, an e-commerce vendor was attacked with millions of card numbers being compromised. The attacker then charged all those numbers with a small ($0.25 USD) fee with the label “Service Charge”. Over the course of several months, the total payout added up quickly and went under the radar for many affected users.
- Changing links on public websites: Overriding and changing links on a public website is perhaps the most concerning method. Users can visit a “tried and true” website only to find that the link they just clicked directed them to a malicious site. The actions taken by the attackers at this point could be acquisition of user login credentials, download of malware, or a takeover from ransomware. This kind of attack can also result in a malicious party acting as a “man in the middle”, allowing them to intercept communications between a user and a normally-protected web service.
How to stop these attacks
First, let’s talk about the fundamentals. As with any cybersecurity threat, implementing a few of the basic technical safeguards can significantly reduce the risk of a successful attack. We outline some specific tools and ways to achieve this below. Having said that, at minimum, your organization needs to implement full encryption on all endpoints, multi-factor login authentication, and digital certificates.
Apart from these basic measures, non-technical steps are often the most important. For example, it is essential to have a policy specifying that critical and sensitive data is only sent through secure and vetted channels.
A necessary area of clarification within the policy is to detail what constitutes classified, critical and/or sensitive data. Drawing clear lines in the sand at the start will alleviate any confusion when it comes to application of the policy.
The vetted channels and mechanisms should also be very easy to use and not require a lot of manual work on the end-user’s side. From there, education is your best friend. Invest some time in educating your team about the policy and the dangers your organization is susceptible to if the policy is not strictly enforced. If people don’t know what they should do (and when they should do it), they simply won’t.
Advice on protecting the integrity of the data:
- Encryption: Use a secure mechanism to send sensitive and/or critical data. Pretty Good Privacy (PGP), or an alternative like GPG, is a good choice. Simply using an archiving tool (like WinZip or 7-Zip) with strong encryption (AES-256) and a pre-shared key that is only sent over a secure email channel would also work.
- Authentication: Use digital certificates to authenticate both ends of a communication stream or transaction. Doing so allows you to ensure that both the recipient and sender are who they say they are, and that the channel is encrypted. This is also useful for automated distribution of data. For example, you will want transactions between two programs running in different locations to be transmitted in a completely secure, encrypted environment.
- Manual verification: Do not send important and/or critical information through channels that can be intercepted. When a request for information comes in, you must contact the requestor manually to confirm that the request is valid, that the requestor is authorized to receive it, and that the sender is authorized to send it. Ultimately, multiple checks should be built into procedural documentation to reduce the risk.
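To make the integrity point concrete, here is an added example (not code from the original post) that protects a wire transfer instruction with an HMAC over a canonical serialisation, using a symmetric pre-shared key in place of the certificate-based signatures described above. The key, the account numbers and the instruction fields are all constructed placeholders; the tampering function simulates the in-transit beneficiary swap from the wire transfer fraud scenario.

```python
import hashlib
import hmac
import json

# Constructed placeholder key; in practice it is exchanged out of band,
# never inside the same channel that carries the instructions.
SHARED_KEY = b"placeholder-pre-shared-key-exchanged-out-of-band"

def canonical(instruction: dict) -> bytes:
    """Serialise deterministically so sender and receiver hash identical bytes."""
    return json.dumps(instruction, sort_keys=True, separators=(",", ":")).encode()

def sign_instruction(instruction: dict, key: bytes = SHARED_KEY) -> str:
    """Return a hex HMAC-SHA256 tag over the canonical instruction."""
    return hmac.new(key, canonical(instruction), hashlib.sha256).hexdigest()

def verify_instruction(instruction: dict, tag: str, key: bytes = SHARED_KEY) -> bool:
    """Recompute the tag and compare in constant time; any field change fails."""
    return hmac.compare_digest(sign_instruction(instruction, key), tag)

# Constructed sample instruction, as the sender composed it.
ORIGINAL = {
    "amount": "250000.00",
    "currency": "USD",
    "beneficiary_account": "DE00 0000 0000 0000 0000 00",  # placeholder IBAN
    "beneficiary_name": "Acme Supplies GmbH",
    "reference": "INV-2024-0117",
}

def tampered_copy() -> dict:
    """Simulate the modification an intercepting attacker would make: new payee."""
    altered = dict(ORIGINAL)
    altered["beneficiary_account"] = "GB00 0000 0000 0000 0000 00"  # placeholder
    altered["beneficiary_name"] = "Other Party Ltd"
    return altered

if __name__ == "__main__":
    tag = sign_instruction(ORIGINAL)
    print("original verifies:", verify_instruction(ORIGINAL, tag))   # True
    print("tampered verifies:", verify_instruction(tampered_copy(), tag))  # False
```

The receiving side must obtain the tag through a channel the attacker cannot edit alongside the message, otherwise the attacker simply recomputes it; this is exactly why the manual verification step above still matters.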
How are security vendors addressing data manipulation attacks?
This kind of attack is not necessarily new; rather, it is now something we have mechanisms to NOTICE. With the advancements in behavioral, anomaly-based, and host-based detection and prevention mechanisms, we can recognize when critical communications or transactions take place and whether or not they follow normal patterns and behavior. If anything deviates from the expected, we are alerted and can react accordingly.
These days there is less “low hanging fruit” for attackers: network traffic is encrypted, more systems and services are updated automatically to the newest and less vulnerable version, and intrusion prevention and protection mechanisms are more robust. As a result, attackers must choose more carefully where to spend their effort. They are going after “juicier” targets, including business-to-business transactions and international money transfers.
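As an added illustration of the anomaly-based detection described above (example code, not from the original post), the following routine scans a constructed charge ledger for the micro-payment pattern from the earlier “Service Charge” scenario: many distinct cards receiving the same small amount under the same descriptor within a short window. The ledger rows, card ids, merchant name and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger: (timestamp, card_id, merchant, descriptor, amount_usd).
LEDGER = [
    ("2024-03-01T09:12:00", "card-0001", "shop-example", "Service Charge", 0.25),
    ("2024-03-01T09:12:01", "card-0002", "shop-example", "Service Charge", 0.25),
    ("2024-03-01T09:12:02", "card-0003", "shop-example", "Service Charge", 0.25),
    ("2024-03-01T09:12:03", "card-0004", "shop-example", "Service Charge", 0.25),
    ("2024-03-01T09:12:04", "card-0005", "shop-example", "Service Charge", 0.25),
    ("2024-03-01T10:40:00", "card-0001", "shop-example", "Order 8812", 49.99),
    ("2024-03-01T11:05:00", "card-0006", "shop-example", "Order 8813", 17.50),
    ("2024-03-01T11:30:00", "card-0002", "shop-example", "Service Charge", 0.25),
]

def find_micro_charge_campaigns(ledger, max_amount=1.00, min_cards=5, window_seconds=300):
    """Group small charges by (merchant, descriptor, amount) and flag any group where
    at least min_cards distinct cards are hit inside a window_seconds sliding window."""
    groups = defaultdict(list)
    for ts, card, merchant, descriptor, amount in ledger:
        if amount <= max_amount:  # only the "unnoticeable" amounts are of interest
            groups[(merchant, descriptor, amount)].append((datetime.fromisoformat(ts), card))
    findings = []
    for (merchant, descriptor, amount), events in groups.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # advance the window start until the span fits inside window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            cards = {card for _, card in events[start:end + 1]}
            if len(cards) >= min_cards:
                findings.append({
                    "merchant": merchant, "descriptor": descriptor, "amount": amount,
                    "distinct_cards": len(cards),
                    "first_seen": events[start][0].isoformat(),
                    "last_seen": events[end][0].isoformat(),
                })
                break  # one finding per group is enough to raise an alert
    return findings

if __name__ == "__main__":
    for finding in find_micro_charge_campaigns(LEDGER):
        print(finding)
```

The thresholds are deliberately parameters: a real deployment tunes max_amount, min_cards and the window against the merchant’s baseline so that legitimate low-value fees are not flagged.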
The bottom line
As we mentioned, the tools are more effective at recognizing and signaling irregular activity. However, just as we understand that, so do the attackers. While the tools continue to be refined and calibrated to keep their monitoring effective, we cannot stress the importance of internal training enough. Educating your staff to anticipate, spot, and report questionable activity will, without a doubt, help your organization stave off some form of attack at some point.