Your first reaction to the Morgan Stanley data breach discovered in late 2014 was likely, “Thank God it wasn’t us.” But Nat Kausik and his Bitglass crew’s first reactions were, “Let’s find out what happens after the data theft.” And they did.
Earlier this month, cloud access security broker Bitglass released the findings of a clandestine data tracking experiment that has all the makings of a blockbuster crime drama:
The Setting: The seedy, mysterious, electronic black market of the Dark Web.
The Innocent Bait: An Excel spreadsheet of 1,568 fake employee credentials (because 1,500 would be too obvious), including names, social security numbers, credit card numbers, addresses and phone numbers.
The Bait Clones: Bitglass saved The Bait with different file names to test which garnered the highest click rate. (As they said, it was undoubtedly the world’s first A/B test for stolen credit card numbers on the Dark Web.)
The Hero: A digital watermark on the file that identifies who clicks and downloads The Bait, from what device and when the transaction occurred. Our Hero (using a shoe phone?) notifies Bitglass every time The Bait is accessed.
Build to Climax: The Bait is placed on the Dark Web using the same tactic hackers use to bait real people: phishing. (Irony noted by half the audience). Action starts slow. In the first few days, The Bait is accessed only 200 times, but it’s already been touched by would-be thieves in five countries on three continents. Then suddenly, there’s a feeding frenzy. A world map lights up. By Day 12, The Bait has received 1,081 clicks in 22 countries on five continents and has been downloaded 47 times. Our Hero is exhausted. Cut to Bitglass headquarters in Campbell, California, where bleary-eyed employees are poring over data. One jumps up. He’s uncovered a high rate of activity among two similar viewers, indicating the possibility of two cyber crime syndicates, one operating in Nigeria and the other in Russia. And (wait for it) he has their IP addresses.
The curtain closes as we all pull out our devices and Google “Bitglass watermarking.”