It took less than one day for the Jomoco Coconut Water Company to be overtaken by hackers. Hour by hour, Jomoco employees watched as they lost control of their emails, social media accounts and credit cards.
The little company was swiftly decimated by strangers lurking on the internet, and that was the plan.
The idea to create a fictional business was hatched a year and a half earlier at CSID, an identity protection and fraud detection firm. CIO Adam Tyler started talking about how easy it would be to exploit a small business online. He leads analyst teams that seek out communities on the dark web where identity information is bought, sold and traded.
“If you were running an email hosting server, a basic web server, or even just running a business through your Gmail account, he had a number of hypotheses on how you could go about exploiting that company,” says Joel Lang, development director at CSID. So, the team decided to build a case study. Their experiment was accepted as part of the speaker agenda at South by Southwest 2015, a major technology conference held annually in Austin, Texas.
Three CSID team members got to work creating what looked like a legitimate business. They built a backstory around a company that sells exotic coconut water. They combined the first two letters of each of their names – Joel, Morgan and Cody – to come up with the business name Jomoco. Then, they set up a website and an email server.
“We created a handful of fake personas for employees at Jomoco. We created their email addresses, social media accounts, gaming accounts – things like Xbox Live,” Lang says. “We created some email streams between them so that if someone were to access the email accounts, he’d be able to see actual strings of conversation.”
They also took out pre-paid credit cards, and that’s what they were aiming to have exploited. “We were hoping that the information that we would exchange on these private email threads would be exploited by the bad guys,” he adds.
The prep work took about a month and a half. The main cost was the few hundred dollars spent on pre-paid cards. Jomoco launched in early March, two weeks before the South by Southwest conference.
“The trick here was putting the exposed information in the right place at the right time so it could be picked up by the bad guys,” Lang says. The scenario involved a Jomoco employee who was a prolific gamer. The employee’s Jomoco email and password were exposed during the breach of an Xbox gaming forum. “The password on that Xbox Live forum was the same password she used to access her Jomoco corporate email account. We took that exposed information from the fake data breach and put it on a site that is known to traffic in this kind of information.”
Thanks to one employee’s reuse of a single password across multiple corporate and personal accounts, it took less than one day for every account related to Jomoco to be hijacked. Within a couple of hours, the website went down. The pre-paid AMEX and VISA cards were soon maxed out, then social media profiles were taken over.
[pullout]Thanks to one employee’s reuse of a single password across multiple accounts, it took less than one day for every company service to be hijacked[/pullout]
“When the data breach of the online gaming forum happened and that password was exposed, one of the emails that she mailed off to her boss contained the email server password,” Lang says. “That resulted in the taking over of the website and the email accounts. So as far as password management goes, don’t reuse passwords. Figure out some secure way – some kind of two-factor way – of sending passwords to people, like emailing a username to somebody and texting them the password.”
Jomoco has been retired. CSID analysts were able to reassert control over the various fictional accounts and shut them down.
The CSID case study, “Hacking the Hackers,” sheds light on how damaging one security breach can be. Lang says conference attendees were taken aback by how quickly an exploit can happen once sensitive information has been exposed. “I think what we really learned is no matter the size of the third party data breach, someone is going to get hurt – whether it’s a really small mom and pop business or some big company,” Lang says.