In-Depth

2015 Security Review: Top Hacks, Breaches and Cyber Scams

The stakes were high in security this year with attacks designed not only to steal credit-card numbers but also to shame, spy on or extort their victims.

• By Chris Paoli
• December 07, 2015

Many in the cyber security community coined 2014 as the "year of the breach." This year could be seen as "year of the breach 2.0," with attackers going after bigger prey, including major U.S. government agencies.

Breaches still hogged much of the spotlight, but instead of it being dominated by incidents hitting large consumer retailers, it was the public sector, tech giants and those trusted with our online security that had the roughest year.

Here are some of the security incidents that made the biggest splash in 2015.

CVS and T-Mobile Attacks Linked to Outside Vendors
While large retailer network breaches didn't dominate the tech news cycle quite like high-profile cases from last year, they still were a large target for hackers looking to punish those who did not learn from the sins of the past. Two of the bigger retailer incidents to occur this year included the compromise of user data from CVS and T-Mobile.

On July 17, visitors to Web sites of CVS Photo, the pharmacy chain's online site for photo development, and Walmart Canada were greeted with a message saying that the sites had been infiltrated and that personal information, including credit-card numbers, addresses and customer names, had been compromised.

A preliminary investigation found that while the stores themselves were not responsible for the breach, PNI Digital Media, a Vancouver-based vendor that offered photo hosting and customer payment collection services, had been the entryway to the customer data.

However, despite the role PNI Digital Media played in the breach, CVS and Walmart Canada will ultimately be on the hook when a settlement is reached with the still-unknown number of victims, proving that the use of third-party vendors does not excuse organizations from security incidents and concerns.

"You are only as strong as your weakest link and this applies equally to business associates that represent your brand," noted Brad Taylor, CEO of cloud security solutions firm Proficio Inc. "Exploiting weaknesses in the security of a partner and pivoting the attack to steal corporate data is a proven strategy in a hacker's playbook."

It's a lesson that major mobile carrier T-Mobile is left with after personal data for up to 15 million of its customers was stolen in September from a hacked database belonging to Experian Information Solutions Inc. -- the credit reporting agency T-Mobile used. Despite the mobile carrier having a limited role in the breach, its image and customer trust in the carrier has been harmed. And the free credit tracking service offered to customers who might have been affected isn't so free for the company. T-Mobile CEO John J. Legere had some scathing words for Experian, posting a message online saying he was "incredibly angry" about the breach and T-Mobile would be reviewing its partnership with the credit service firm.

Security Firms Get Knocked Around
Nothing hurts a consumer's confidence more than having security vendors trusted to keep his data secure fail him.

In October, Russian security firm Kaspersky Lab, maker of a popular line of antivirus software, announced that its network had been breached by what it believed to be agents working for a nation state. According to CEO Eugene Kaspersky, the breach was pulled off using a series of advanced and zero-day attacks for the purpose of collecting information on the company's latest tech and services.

Thankfully, there are a couple of silver linings to this case. First, Kaspersky Lab said that the attacks were spotted before any lasting harm could be done, and that customer information stayed secure during the duration of the incursion.

Second, and more important, attacking a security firm that specializes in discovering new attack tools makes its job much easier. "Attacking us was hardly the smart move: They've now lost a very expensive technologically advanced framework they'd been developing for years," wrote Kaspersky, in a posting alerting the public to the hack. "Besides, they tried to spy on our technologies...which are accessible under licensing agreements (at least some of them)!"

Further good news is that the new attack vectors used have already been included in the company's monitoring software.

What doesn't have quite the same happy ending is the July security incident that saw attackers gain access to customer information stored by LastPass, providers of password-management services. According to the firm, individuals were able to access user e-mails, encrypted files containing master passwords and password reminder phrases.

This could have been catastrophic for those using the service, and presented an opportunity to the attackers to gain a wealth of access to personal and financial information spread across the Web. At the time, CEO Joe Siegrist said that he was confident that the company's cryptographic features, which included advanced hashing features, would have protected most users. However, those using simple passwords as their master were still at risk. Due to the breach, users were forced to reset their passwords and Siegrist said the company was stepping up security measures to further protect users in the future.

And in the murkier waters of cyber security is the July incident that saw Hacking Team, an Italian firm specializing in spyware software that actively markets to security and law enforcement agencies, including the FBI and the Pentagon, experience a breach and a loss of 400GB of private data.

Included in the data leak was a list of the government agencies that allegedly used Hacking Team services, with client countries including Bahrain, Mexico, United States, Czech Republic, Egypt, Saudi Arabia and Iraqi Kurdistan, just to name a few. And the services provided? Means to gain backdoor access to targeted systems, OSes and devices through discovered vulnerabilities.

While it's unclear who pulled off the breach, the security community combed through the massive data dump to publicly bring to light the actions of Hacking Team. Days later, the company was forced to shut down its systems and alerted its clients to stop using its tools.

One negative consequence of the leak was this: Two nasty zero-day Flash exploits the group had been sitting on were out in the open, and within days active attacks using the information were popping up. At the end of the day, despite billing itself as a cyber security firm, those exploits perfectly encapsulated which side of the aisle Hacking Team was on, according to Branden Spikes, CEO of browser security firm Spikes Security. "The only ethical way to profit from the discovery of an exploit is to disclose it to the software author [in this case, Adobe Systems Inc.] for a big bounty. Any other sort of trade, stockpile or ransom of zero-days serves to exacerbate the problem for the victims of these exploits, as other hackers in other parts of the world have likely discovered these and are using them already."

U.S. Government Human Resources Gets Hacked
In what's being called the largest breach of a U.S. government agency, the Office of Personnel Management (OPM) was infiltrated and data on millions of current and former federal employees was taken in two separate incidents.

While the actual intrusions took place between December 2014 and February of this year, they weren't publicly disclosed until June and July. The first breach was estimated to affect 4.2 million individuals, while the second stole personal information (including Social Security numbers) of 21 million people. Both incidents have been linked to China.

What makes the attacks on OPM unique is the vast amount of personal data that was held and stolen, which included past employment, personal relatives, criminal and financial histories, and detailed employee profiles.

In September, OPM revised its initial low estimate for the number of those affected and also added that fingerprint data for 5.6 million people was stolen. While it's unclear how the hackers could leverage the data to their advantage, it shows that even with the advent of biometric-based authentication, that data can be stolen just like traditional passwords.

The OPM incidents prove that, no matter what tools you use to create a better cage, attackers will figure out a way in. "We are told to build better walls and operate in a defensive mode even though both our government and governments of others have cyber weapons that [leave] commercial enterprises with no effective defense," says Philip Lieberman, president of security firm Lieberman Software Corp., about the OPM breach. "Using technologies such as air gaps, segmented networks, encryption, and privileged identity management can reduce the damage and scope of damage caused by these weapons. So there is no real defense, only the concept of acceptable loss."

In the wake of the incident, OPM has recently hired a handful of security advisors to put in place an outlined 15-step cyber-security overhaul, which includes the deployment of security card-based two-factor authentication.

IRS Data Breach
While not as massive as the OPM government breach, the IRS incursion that occurred in February of this year showed that government security systems can be breached to expose the public's data -- not just government employees' information.

However, in this case, no special backdoors or attack tools were used. Hackers used stolen credentials obtained from other sources, including Social Security numbers, addresses and names, to access information on more than 334,000 taxpayers stored in the Internal Revenue Services Get Transcript program. Once in, the hackers had access to users' previous tax return information, which could be used in conjunction with the previously stolen information to open new credit-card and loan accounts.

The agency disabled access to the Get Transcript Web portal after learning about the incident in May and has extended free credit tracking services to those affected. While two months is quite a long time to have a breach go unnoticed, it's not uncommon for attacks using stolen credentials to go ignored for much longer, says Jeff Hill, channel manager at security firm STEALTHbits Technology Inc.

"One of the reasons authentication-based attacks are so effective -- and so popular among hackers -- is that they're very difficult to identify," explains Hill. "Once legitimate credentials are obtained, it's nearly impossible to distinguish between the good guys and the bad guys, especially if the attackers are patient and disciplined. Here we have a case where a successful authentication-based attack was discovered in May, and yet the IRS is still unclear of the extent of the breach's damage months later."

Ashley Madison Data Theft
Morally questionable online dating site Ashley Madison, which specializes in connecting people looking for an affair, had its database of users hacked in July by a group called "The Impact Team."

The hacking group followed up by releasing more than 25GB of stolen data, which included names, addresses, credit-card information and e-mail addresses of users. According to The Impact Team, the hack wasn't done for financial gain, but because of the Ashley Madison business model, which included requiring users who want their information deleted from the company's database to pay $19. In response, Avid Life Media Inc., the parent company of the dating site, put up a $500,000 bounty for any information that could lead to the arrest of members of The Impact Team. As of November of this year, no arrests have been made.

While this wasn't the largest corporate breach of the year, it garnered headlines for months after the data had been leaked due to the names of those who allegedly used the site, including prominent celebrities and politicians. Specialty Web sites also popped up overnight allowing anyone to search e-mail addresses to see if they were included in the client list. And, according to Toronto police, two individuals allegedly committed suicide in August in connection with the leaked data. Online attackers also put the leaked data to use in phishing campaigns and extortion attempts that looked to bribe those on the client list to keep their info from spreading.

Windows 10 Update Scam
Microsoft this summer saw the release of its next OS, featuring some of the strongest security features to date, including App Guard, which blocks untrusted apps, and a biometric-based sign-in process called Windows Hello.

While Microsoft touts Windows 10 as its most secure OS, attackers were at the ready to take advantage of the high-profile release. Microsoft's decision to release the OS free for those with Windows 7 and 8.1 (for a limited time) provided an opportunity for scammers to take advantage of those looking to upgrade.

The Cisco Systems Inc. security team Talos in August alerted those waiting their turn to get the free update that fraudulent e-mails posed as authentic Microsoft messages titled "Windows 10 Free Update" were making the rounds. What added even more credibility to the e-mails was the sent address used was "[email protected]," even though the IP address didn't match any Microsoft server location.

Once users of what appeared to be a highly targeted attack campaign downloaded and ran the attached file, they would find not Windows 10, but the popular ransomware CTB-locker, which barred users from their data. Then the attackers would demand a ransom in bitcoins.

While there's no way to stop attacks formulated to take advantage of large product releases, Talos recommended that the tried-and-true practice of keeping regular backups and keeping a vigilant eye for untrusted e-mails, no matter how convincing they may be, is the strongest defense against e-mail-based ransomware attacks.

"The threat of ransomware will continue to grow until adversaries find a more effective method of monetizing the machines they compromise," said Talos security researchers in a blog post. "As a defense, users are encouraged to back up their data in accordance with best practices. These backups should be stored offline to prevent them from being targeted by attackers. Adversaries are always looking to leverage current events to get users to install their malicious payloads," Talos said.