Fake it till you make it: Why and how cybercriminals fabricate data leaks

Yuliya Novikova, Head of Digital Footprint Intelligence at Kaspersky, sheds light on the nature of fake leaks and provides advice on how businesses can effectively mitigate the associated risks

Data leaks pose a significant and escalating challenge for companies globally, particularly due to the increasing prevalence of ransomware and the growing sophistication of cyberattacks.

However, this challenge is further complicated by the emergence of fake data leaks. Threat actors not only perpetrate actual leaks and breaches, but also capitalise on the creation of fakes. The repercussions of such fabricated leaks are far-reaching: they can substantially harm the reputation of the organisations involved. Even if the leaked data are eventually proven to be false, the initial spread of misinformation can provoke unfavourable publicity.

What motivates cybercriminals to fabricate data leaks?

Blogs of cybercriminal groups, such as LockBit, Conti, Clop, and others, are a constant focus of media attention.

In a way, these ‘bloggers’ can rival celebrities or Instagram stars in terms of their publicity. Their blogs are hosted on the dark web and other shadow websites, while some threat actors also have their own Twitter pages.

These blogs are where malicious actors publish information about hacked victim companies and attempt to blackmail them, demanding a ransom and setting a countdown for the release of sensitive data – such as private business correspondence, login credentials for corporate accounts, information about employees or clients, and the like.

Additionally, criminals may put up data for sale, as other threat actors might be interested in purchasing such information for further attacks on companies.

Lesser-known cybercriminals also want to grab a piece of such fame, which pushes them to create fake leaks. Such leaks not only generate hype and provoke a worried reaction from the targeted business, but also serve as a fruitful way to deceive ‘colleagues’ on the black market – and sell other cybercriminals something that is not actually a leak. Novice cybercriminals are much more likely to fall for this trick.

Regardless of whether the hack actually occurred, a reported leak can potentially harm the reputation of the targeted business. However, the damage can be significantly minimised if the company is prepared to handle an incident involving a fake data leak (and, of course, if they are prepared for a real data leak as well). It is possible to identify a fake post before the media starts reporting the incident, enabling the company to proactively mitigate the emerging crisis.

Parse and amass: manipulating databases to pass as newly discovered leaks

A ‘fake’ data leak can take the form of a ‘parsed’ database, which involves extracting information from open sources without sensitive data. Internet parsing, also known as web scraping, refers to the extraction of text, images, links, tables, or other information from websites. With the help of parsing, threat actors can gather information for malicious purposes, including fake leaks.

In 2021, a well-known business networking platform encountered a similar case. An alleged set of its users’ data was reportedly put up for sale on the dark web. However, subsequent investigation results revealed that it was actually an aggregation of data sourced from publicly accessible user profiles and other websites, and not a data breach. This sparked a wave of publications in the media, as well as within the dark web community.

Whenever dark net offers arise claiming to provide leaked databases from popular social networks like LinkedIn, Facebook or Twitter, it is highly likely that these are fake leaks containing information already available publicly online. Such databases can circulate on the dark web for years, occasionally triggering new publications and causing companies to be alarmed by allegedly fresh leaks.

According to Kaspersky Digital Footprint Intelligence, between 2019 and mid-2021 there were an average of 17 posts a month about social media leaks in the dark web, while starting from the summer of 2021, when the aforementioned case with a business networking platform occurred, the number of posts increased to 65 per month on average. Many of these messages, based on our findings, may be reposts of the same database.

However, it is important to note that these activities are unrelated to a company being compromised or to a real attack, and do not contain any sensitive private information, such as passwords, administrative information, or information that is not part of the public user profile (registration or last visit date, IP address, etc.). Nevertheless, as we can observe, even such activities can influence the media landscape and company image.

Old is gold: reposting outdated databases

Old leaks, even if they are genuine, can also serve as a basis for creating fake leaks. When old data leaks are presented as new, it creates the illusion that cybercriminals have widespread access to sensitive information and are actively engaged in cyberattacks. This tactic can help them build a reputation among potential buyers or other criminals within underground markets.

Similar cases constantly occur within the shadow community, where even very old or unverified leaks are posted. Data that are several years old are continuously re-uploaded to dark web forums, sometimes offered for free and other times for a fee, masquerading as a ‘new’ database. This not only poses reputational risks but also jeopardises customer security.

A database that contains customer information can be exploited for malicious purposes even if certain details, such as passwords, are outdated. For instance, names, email addresses and mobile numbers are highly likely to still be in use and can be exploited by cybercriminals for email and voice spam, as well as phishing activities.

Mitigating fake leaks: guidance for businesses

When faced with a fake leak, the natural response of businesses is often panic due to increasing attention from the media and social networks.

However, promptly identifying and responding to fake leaks is crucial. The first steps for a company in the middle of such a storm are to avoid contacting the attackers and to thoroughly investigate the reported data leak. This can be done by verifying the source, cross-referencing the posted data against internal records, and assessing the credibility of the information. In other words, a company needs to collect evidence to confirm whether an attack and compromise actually occurred.
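As an added illustration of the cross-referencing step (this is example code, not Kaspersky's tooling), the script below triages a sample of records a seller has posted using the two markers the article describes: a ‘parsed’ database carries only public-profile fields, and a reposted old leak carries values that were rotated out long ago. It assumes the company keeps, per account, the current password hash and a history of previous hashes; the internal table and the three seller samples are constructed.

```python
# Added example, not from the article: first-pass triage of a claimed leak
# sample. Everything below (internal table, seller samples) is constructed.
from dataclasses import dataclass, field

# Fields that exist only inside a company's own systems, never on a public
# profile (the article names passwords, admin data, registration/last-visit
# dates and IP addresses). A sample with none of these looks scraped.
NON_PUBLIC_FIELDS = {"password_hash", "registration_date", "last_login", "ip_address"}

@dataclass
class Verdict:
    label: str               # likely_scraped | likely_stale_repost | possibly_genuine | unmatched | inconclusive
    matched: int = 0         # sample records whose email exists in the internal user table
    reasons: list = field(default_factory=list)

def triage(sample, internal_users):
    """sample: list of dicts as posted by the seller.
    internal_users: email -> {'password_hash': current, 'previous_hashes': [...]} (assumed schema)."""
    fields_seen = set().union(*(r.keys() for r in sample))
    v = Verdict(label="inconclusive")
    if not fields_seen & NON_PUBLIC_FIELDS:
        v.label = "likely_scraped"
        v.reasons.append("only public-profile fields present: " + ", ".join(sorted(fields_seen)))
        return v
    current_hits = stale_hits = 0
    for rec in sample:
        user = internal_users.get(rec.get("email", "").lower())
        if user is None:
            continue                      # not our account: cannot have come from us
        v.matched += 1
        h = rec.get("password_hash")
        if h and h == user["password_hash"]:
            current_hits += 1             # still-valid secret: treat as a real incident
        elif h and h in user.get("previous_hashes", []):
            stale_hits += 1               # secret we retired: old data being resold as new
    if v.matched == 0:
        v.label = "unmatched"
        v.reasons.append("no sample email matches an internal account")
    elif current_hits:
        v.label = "possibly_genuine"
        v.reasons.append(f"{current_hits} record(s) carry a currently valid password hash")
    elif stale_hits:
        v.label = "likely_stale_repost"
        v.reasons.append(f"{stale_hits} record(s) carry hashes that were rotated out")
    return v

# Constructed internal table and three constructed seller samples for a dry run.
INTERNAL = {
    "alice@example.com": {"password_hash": "h_cur_a1", "previous_hashes": ["h_old_a0"]},
    "bob@example.com": {"password_hash": "h_cur_b1", "previous_hashes": []},
}
SCRAPED = [{"name": "Alice", "email": "alice@example.com", "job_title": "CFO"}]
STALE = [{"email": "alice@example.com", "password_hash": "h_old_a0", "last_login": "2017-03-01"}]
FRESH = [{"email": "bob@example.com", "password_hash": "h_cur_b1", "ip_address": "203.0.113.7"}]
```

A `possibly_genuine` verdict is the trigger for full incident response; the other labels feed the communication plan rather than the breach playbook.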

In general, data leaks for large businesses, including fake leaks, are not a matter of ‘if’ but ‘when’. Transparency and preparation are key when dealing with such significant challenges. It is useful to prepare a communication plan in advance for interacting with clients, journalists, and government agencies.

Additionally, proactive monitoring of the dark web on a constant basis will allow for the detection of new posts about both fake and real leaks, as well as tracking spikes in malicious activity. Since dark web monitoring requires automation, and internal teams may not have the resources or time, external experts are often responsible for this.

Furthermore, developing comprehensive incident response plans with designated teams, communication channels and protocols helps to promptly address such cases if they occur.

In an era where data leaks pose a constant threat to businesses, swift and proactive action is essential. By promptly identifying and responding to these incidents, conducting thorough investigations, engaging with cybersecurity experts, and collaborating with law enforcement, companies can mitigate risks, protect their reputation, and safeguard customer trust.

Yuliya Novikova

Yuliya Novikova is the Head of Digital Footprint Intelligence at Kaspersky. She is responsible for strategic Threat Intelligence projects for enterprises, government bodies, and law enforcement agencies...