Data breaches are a significant and escalating challenge for companies worldwide, especially due to the increasing prevalence of ransomware and the growing sophistication of cyber-attacks. However, this challenge is further complicated by the emergence of fake data leaks. Threat actors are not only committing leaks and breaches, but also profiting from the creation of fake ones. The implications of such manufactured leaks are far-reaching. They can substantially damage the reputation of the organisations involved. Even if the leaked information is eventually proven to be false, the initial dissemination of misinformation can cause adverse publicity. Yuliya Novikova, Head of Digital Footprint Intelligence at Kaspersky, sheds light on the nature of false leaks and provides advice on how businesses can effectively mitigate the associated risks.
The blogs of cybercriminal groups such as LockBit, Conti, Clop and others are consistently in the media spotlight. In a way, these "bloggers" can rival celebrities or Instagram stars in terms of their publicity. Their blogs are hosted on the dark web and other shady sites, and some threat actors also have their own Twitter pages. This is where malicious actors post information about hacked companies and try to blackmail them by demanding ransom and setting a countdown for the release of sensitive data - such as private business correspondence, login credentials for corporate accounts, employee or customer information, etc. In addition, criminals may make data available for sale, as other threat actors may be interested in purchasing such information for further attacks on companies.
Lesser-known cybercriminals also want a share of this notoriety, which prompts them to create fake leaks. Such leaks not only generate publicity and an alarmed reaction from the targeted business, but also serve as an effective way of deceiving "colleagues" on the black market, by selling other cybercriminals something that is not actually a leak. Novice cybercriminals are much more likely to be fooled by this ploy.
Regardless of whether or not the hack actually occurred, a reported leak can damage the reputation of the targeted business. However, the damage can be significantly minimized if the company is prepared to handle an incident involving a fake data leak (and, of course, if it is prepared to handle a real data leak as well). It is possible to detect a fake post before the media starts reporting the incident, allowing the company to proactively mitigate the emerging crisis.
A "fake" data leak can take the form of a "parsed" (scraped) database: information extracted from open sources that contains no sensitive data. Web scraping, sometimes called web parsing, refers to the extraction of text, images, links, tables or other information from websites. With the help of scraping, threat actors can collect information for malicious purposes, including fake leaks.
In 2021, a well-known business networking platform faced a similar situation. An alleged set of its users' data appeared to be put up for sale on the dark web. However, subsequent investigation results revealed that it was in fact a data aggregation from publicly accessible user profiles and other sites, rather than a data breach. This triggered a wave of publications in the media as well as in the dark web community.
Whenever offers emerge on the dark web claiming to provide databases leaked from popular social networks such as LinkedIn, Facebook or Twitter, they are very likely to be fake leaks containing information that is already publicly available on the internet. Such databases can circulate on the dark web for years, occasionally triggering new publications and causing companies to be concerned about alleged new leaks.
According to Kaspersky Digital Footprint Intelligence, from 2019 to mid-2021 there was an average of 17 posts per month about social media leaks on the dark web, and starting in the summer of 2021, when the aforementioned case with a business networking platform occurred, the number of posts increased to an average of 65 per month. Many of these posts, based on our findings, may be reposts of the same database. It is important to note that these activities are not related to a compromised company or an actual attack and do not contain sensitive private information such as passwords, administrative data or information that is not part of the public user profile (date of registration or last visit, IP address, etc.). Even so, we can observe that such activities can still affect the media landscape and the company's image.
Old leaks, even if they are genuine, can also serve as a basis for creating fake leaks. When old data leaks are presented as new, the illusion is created that cybercriminals have widespread access to sensitive information and are actively participating in cyberattacks. This tactic can help them build a reputation among potential buyers or other criminals in dark markets.
Similar cases happen all the time within the shadow community, where even very old or unverified leaks are circulated. Years-old data is constantly being re-uploaded onto dark web forums, sometimes offered for free and sometimes for a fee, disguised as a 'new' database. This not only poses reputational risks but also jeopardises the security of customers. A database containing customer information can still be used for malicious purposes even though some details, such as passwords, may be out of date: names, email addresses and mobile phone numbers are very likely still in use and can be exploited by cybercriminals for spam emails as well as phishing.
When faced with a fake leak, the natural reaction of businesses is often panic due to increased media and social media attention. However, early detection of and response to fake leaks are vital: the first steps that those in the middle of a storm should take are to avoid contact with the attackers and to thoroughly investigate the reported data leak. This can be done by verifying the source, cross-checking against internal data and assessing the reliability of the information. In other words, a company needs to collect data to confirm whether the attack happened and verify it.
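The advice above to cross-check a reported leak against internal data can be turned into a simple triage routine. The following Python is an added example, not Kaspersky's code or tooling; the field names, sample records and the LAST_KNOWN_BREACH date are constructed for illustration. It sorts an alleged dump into "scraped public data", "possible re-upload of an old breach" or "likely new breach", following the distinctions the article draws.

```python
# Added example (not Kaspersky's code): triage an alleged leak by the fields
# it contains and by cross-checking it against internal user records.
import csv
import io
from datetime import date

# Fields visible on a public profile, which anyone could have scraped.
PUBLIC_FIELDS = {"name", "email", "job_title", "company"}
# Fields that exist only in internal systems; the article names these as the
# kind of data a scraped "leak" does not contain.
SENSITIVE_FIELDS = {"password_hash", "last_login_ip", "registered_at"}

# Constructed sample of the dump as posted (CSV text), not a real leak.
LEAK_SAMPLE = """name,email,job_title,company
Alice Example,alice@example.com,Engineer,ExampleCorp
Bob Sample,bob@example.com,Analyst,ExampleCorp
Carol Old,carol@example.com,Manager,ExampleCorp
"""

# Constructed internal records: email -> account registration date.
INTERNAL_USERS = {
    "alice@example.com": date(2020, 3, 1),
    "bob@example.com": date(2022, 7, 15),
    "carol@example.com": date(2018, 1, 9),
}
# Constructed date of the last incident whose data is already circulating;
# accounts created after it cannot come from a re-upload of that old dump.
LAST_KNOWN_BREACH = date(2021, 6, 30)


def triage_leak(csv_text, internal_users, last_known_breach):
    """Return a verdict plus the evidence it rests on."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = set(reader.fieldnames or [])
    rows = list(reader)
    sensitive = fields & SENSITIVE_FIELDS
    matched = [r for r in rows if r.get("email") in internal_users]
    newer = [r for r in matched if internal_users[r["email"]] > last_known_breach]
    if not matched:
        verdict = "no-match"                      # not our users at all
    elif not sensitive:
        verdict = "likely-public-scrape"          # only profile fields present
    elif newer:
        verdict = "likely-new-breach"             # internal fields, recent accounts
    else:
        verdict = "possible-old-breach-reupload"  # internal fields, all pre-date
    return {"verdict": verdict, "rows": len(rows), "matched": len(matched),
            "newer_accounts": len(newer), "sensitive_fields": sorted(sensitive),
            "unknown_fields": sorted(fields - PUBLIC_FIELDS - SENSITIVE_FIELDS)}
```

Calling `triage_leak(LEAK_SAMPLE, INTERNAL_USERS, LAST_KNOWN_BREACH)` on the constructed sample returns the verdict `likely-public-scrape`, since every matched record carries only profile fields; the same routine flags a dump with password hashes for recently registered accounts as a likely new breach.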
Generally, data leaks for large enterprises, including fake leaks, are not a matter of "if they will happen" but "when". Transparency and preparation are essential to address such significant challenges. It is helpful to prepare a communications plan in advance for interactions with customers, journalists and government agencies. In addition, proactive monitoring of the dark web on a consistent basis will allow you to identify new posts for both fake and real leaks, as well as identify spikes in malicious activity. Since monitoring the dark web requires automation and internal teams may not have the resources or time, external experts are often responsible for it.
In addition, developing comprehensive incident response plans with defined teams, communication channels and protocols helps ensure that such incidents are dealt with in a timely manner should they occur.
In an era where data leaks are an ongoing threat to businesses, rapid and proactive action is essential. By detecting and responding to these incidents early, conducting thorough investigations, working with cyber experts and collaborating with law enforcement, companies can mitigate risks, protect their reputation and preserve customer trust.