SpyCloud Helps Bring an Identity Thief to Justice

CASE STUDY

SpyCloud Investigations

Industry: TECHNOLOGY

SpyCloud Helps Bring an Identity Thief to Justice

After Three Years of Identity Theft and Financial Fraud, An Executive Turns to SpyCloud for Help

SpyCloud’s core mission is to significantly disrupt the cybercriminal economy to eliminate the loss of money, time, and reputation due to online fraud – ultimately making the internet a safer place for individuals and businesses.

Due to the depth of our investigations experience and breadth of our breach asset database, we’re often brought in to assist customers with investigations, and frequently partner with law enforcement to bring criminals to justice.

This is the story of one such investigation, which was recently brought to a satisfying conclusion.

Background on the Case

We were put in touch with an executive, a leader at a nationally recognized technology solutions firm, who had been the victim of identity theft and financial fraud by an unidentified attacker for close to three years.

Using a combination of stolen credentials and social engineering, the attacker perpetrated a string of crimes, including:

  • Opening numerous bank accounts in the executive’s name, leveraging his Social Security number
  • Opening various credit cards in his name
  • Accessing his utility bills and even shutting his utility services off
  • Accessing his actual bank account and wiring funds
  • Unlocking the credit hold the victim put in place as a stopgap

Based upon the duration and types of activities performed by the attacker, it was clear not only that we were dealing with a tenacious and determined bad actor, but that the attack was highly targeted.

Targeted attacks, though time-consuming, are highly effective, difficult to stop and can lead to huge losses – as this victim experienced.

The victim had one clue as to the identity of the perpetrator: a check had been issued from his real bank account to an unknown person – possibly the attacker.

Enter: SpyCloud

Investigators at SpyCloud were asked to look into the suspected attacker’s digital footprint to stitch together a profile, reveal possible alternate identities, and potentially attribute other crimes. Investigators often begin with only one piece of information – an email address or phone number, or in this case, a name. At the outset, we reviewed publicly available information tied to the suspect’s name, such as known addresses and phone numbers. We then leveraged OSINT to collect additional PII, and were able to identify four pertinent email addresses that guided our next steps.

Using Maltego, we dove into SpyCloud’s data lake of nearly 100 billion breach assets: decades’ worth of digital breadcrumbs that can be used to locate and unmask criminals (like the rest of us, criminals use online accounts that are subject to data breaches).

Pivoting off the email addresses, we found numerous identities under which the suspect was performing illegal activities — email addresses or user IDs that had either been stolen on the internet or created to impersonate other victims. Multiple other identities tied to an original known email address are a strong indicator that a person is engaging in criminal enterprise.

Based upon IP addresses, we were able to geolocate the suspect’s residence and drop-off points. We identified another criminal at the suspect’s address: his sister, who was also committing financial fraud. We also found many phone numbers attributed to the suspect — both landlines and burner phones.

Finally, using SpyCloud data, we were able to locate an address for the suspect that was tied to a previous arrest record in a neighboring county.

The Arrest

Everything we learned was provided to the local police department. Along with information the detective compiled, the SpyCloud report was used to help curate the warrant for the suspect’s arrest.

During the arrest, evidence was collected from the suspect’s house showing the victim’s name, utility and cable TV account numbers written on a piece of paper.

The suspect is currently facing multiple felony charges. SpyCloud is proud to have helped put an end to the technology executive’s victimization.

With SpyCloud data acting as a roadmap to unmask and bring criminals to justice, we regularly offer our customers and partners assistance with investigations, and cooperate with law enforcement to take criminals of all types off the streets.

Transform Your Investigations

Whether you begin with a name, email or phone number, SpyCloud Investigations – backed by 50+ Maltego transforms and nearly 100 billion searchable breach assets – makes it faster and more efficient to take down those attempting to harm individuals and businesses.

Learn More About SpyCloud Investigations

The SpyCloud Difference

Current, Relevant, Truly Actionable Data

SpyCloud’s account takeover prevention and fraud investigation solutions are backed by the world’s most current and comprehensive repository of recovered stolen credentials and PII. More data, particularly plaintext passwords, means more matches and stronger account protection.

Whether you begin with a name, email or phone number, SpyCloud Fraud Investigations – backed by 50+ Maltego transforms and nearly 100 billion searchable breach assets – makes it faster and more efficient to take down those attempting to harm individuals and businesses.

Download the PDF version of the case study to print or share with others.

Targeted vs. Automated Account Takeover Attacks

WHITEPAPER

Targeted vs. Automated
Account Takeover Attacks

Account takeover (ATO) occurs when criminals use stolen logins to access user accounts without permission, typically credentials that have been exposed in a third-party breach. Using victims’ accounts, criminals can make fraudulent purchases, drain accounts, steal sensitive data, or move laterally within a target organization.

The vast majority of account takeover attempts are automated credential-stuffing attacks. However, SpyCloud customers report that 80 percent of losses come from just 10 percent of ATO attempts, which are highly targeted and challenging to detect.

Read this whitepaper to learn:

  • The differences between targeted and automated account takeover attacks and why targeted attacks can cause so much damage
  • The five phases of an account takeover attack and the tactics, techniques, and procedures cybercriminals use throughout the attack timeline
  • How early detection can help you prevent both targeted and automated account takeover

Solution: Account Takeover Prevention

Reset stolen passwords before criminals can use them to defraud your users or access sensitive corporate data.


Download the Whitepaper

Targeted vs. Automated Account Takeover Attacks


Related Resources

Case Study

Top 10 Travel Booking Site

Preventing account takeover begins with monitoring the dark web, but without the ability to match user accounts with a database of exposed credentials, a top 10 travel booking site was vulnerable to attack.



Check Your Exposure

See your real-time breach exposure details powered by SpyCloud data.

How Easy Is It To Bypass Multi-Factor Authentication Solutions?

WEBINAR

How Easy Is It To Bypass Multi-Factor Authentication Solutions?

Enterprises are trying everything they can to prevent cybercriminals from taking over employee and customer accounts to gain access to data and systems. One security control they believe provides protection is multi-factor authentication (MFA). While MFA does provide an additional layer of security, threat actors have figured out how to bypass it using a few clever tactics.

So how easy is it to get around your multi-factor authentication solutions? Watch this on-demand webinar and learn the most common methods that threat actors are using to bypass MFA so you can implement stronger safeguards to protect your employees and customers from account takeover.

In this webinar you will learn about:

  • The most commonly used MFA bypass techniques
  • How each technique exploits the vulnerabilities of MFA

Solution: Account Takeover Prevention

Reset stolen passwords before criminals can use them to defraud your users or access sensitive corporate data.


Watch the Webinar:

How Easy Is It To Bypass Multi-Factor Authentication Solutions?

Presenter Info

Jason Lancaster, Head of Investigations

Jason began his career performing pen testing and designing and implementing secure network infrastructures, first as a government contractor and then at a Fortune 500 healthcare company. In 2003, he joined TippingPoint, where he held several roles including SE Director. TippingPoint was acquired by 3Com in 2005 and later by HP in 2010.

At HP, Jason ran a cross-functional team as Director with the Office of Advanced Technology. In 2013, Jason co-founded HP Field Intelligence, as part of the Security Research organization, delivering actionable threat intelligence to a wide audience.

Jason spent 15 months at the cloud security start-up CloudPassage prior to joining SpyCloud, where he leads the Investigations team.
