In a move aimed at outsmarting cybercriminals, a team of cybersecurity researchers has run an elaborate operation built around creating fabricated personal data and storing it in the cloud. The goal is to gain insight into hacker behavior and to identify which exposed data sources are likely to be targeted first.
Leading the effort is vpnMentor, a renowned provider of VPN and cybersecurity tools and services. The team at vpnMentor has set up a honeypot for hackers, luring them into a web of deception and carefully monitoring their actions. The honeypot consists of fake personal data that has been stored in the cloud, specifically in 14 Amazon AWS S3 buckets and 1 Google Cloud Storage server, among others.
This hacker honeypot has been openly exposed for a period of 450 days, stretching from April 29, 2021, to July 14, 2022. During this time, the cybersecurity researchers aimed to explore common hacker behaviors and actions, such as how quickly hackers can detect exposed databases, how different settings of stored data impact a data hack, which data types attract more cybercriminals, and which geographical regions are more likely to attract the attention of hackers.
To set up the honeypot, the researchers created a website for a fictitious new fraud-prevention company. The site carried all the details a visitor might check to verify the company's authenticity, including the owner's details and newly created email addresses. They also set up an Azure Blob Storage server and 12 buckets named after the company, some with prefixes and suffixes of the kind used by S3 bucket-finder tools. The honeypot held 7GB of fake data, including source code, database files, invoices, and CSV files describing 21,089 fictitious individuals, complete with names, email addresses, and telephone numbers. The data was further split by country, with the largest user group from the United States.
The results of the honeypot experiment were both eye-opening and concerning. The fake fraud-detection website went live on June 3, 2020, and on June 24 the honeypot was accessed for the first time, by a visitor from Croatia. Over 99% of the daily requests were malicious. Naming the buckets differently from the company name provided no additional security: cybercriminals found them anyway. The analysis also showed that hackers scan for storage server names matching a company, follow links on websites as a breadcrumb trail to the servers, and actively try different bucket names to reach the servers.
Moreover, the data access patterns suggested that hacker attempts were largely driven by geopolitical factors. CSV files, which contained user information, were accessed the most, indicating that hackers were lured by the personal details provided in those files. Interestingly, CSV files in folders marked under China were accessed the least, while those in folders marked under the US were downloaded the most. This finding is in line with previous reports of China-based hackers breaching corporate and government resources in Western countries.
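As an added example (not vpnMentor's code, and not a description of how their analysis was done), the following Python script summarizes honeypot activity from S3 server access log lines in the way the findings above are phrased: every request not made by the bucket owner is treated as unauthorized, the first such access is recorded, successful CSV downloads are counted per country folder, Referer headers are tallied (the breadcrumb-trail cases), and 404 responses are counted as probes for guessed names. The bucket name, owner canonical ID, IP addresses and log lines are constructed for illustration, and the folder layout `data/<COUNTRY>/users.csv` is an assumption.

```python
"""Summarize honeypot activity from S3 server access log lines.

Added example, not the project's code. Assumes objects are laid out as
data/<COUNTRY>/users.csv and that the operator's canonical user ID is known.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed canonical user ID of the honeypot operator (hypothetical value).
OWNER_ID = "3be1c4f2examplecanonicalid"

# Constructed sample lines in the S3 server access log format: three uploads by
# the owner, then five requests from anonymous visitors (documentation IPs).
SAMPLE_LOG = """\
3be1c4f2examplecanonicalid fraudguard-data [29/Apr/2021:10:00:00 +0000] 203.0.113.10 3be1c4f2examplecanonicalid A1 REST.PUT.OBJECT data/US/users.csv "PUT /data/US/users.csv HTTP/1.1" 200 - - 524288 30 20 "-" "aws-cli/2.4.0" -
3be1c4f2examplecanonicalid fraudguard-data [29/Apr/2021:10:00:05 +0000] 203.0.113.10 3be1c4f2examplecanonicalid A2 REST.PUT.OBJECT data/CN/users.csv "PUT /data/CN/users.csv HTTP/1.1" 200 - - 262144 28 19 "-" "aws-cli/2.4.0" -
3be1c4f2examplecanonicalid fraudguard-data [29/Apr/2021:10:00:10 +0000] 203.0.113.10 3be1c4f2examplecanonicalid A3 REST.PUT.OBJECT data/DE/users.csv "PUT /data/DE/users.csv HTTP/1.1" 200 - - 131072 27 18 "-" "aws-cli/2.4.0" -
3be1c4f2examplecanonicalid fraudguard-data [24/Jun/2021:03:12:45 +0000] 198.51.100.7 - B2 REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200 - 2048 - 12 11 "-" "python-requests/2.25.1" -
3be1c4f2examplecanonicalid fraudguard-data [24/Jun/2021:03:13:02 +0000] 198.51.100.7 - B3 REST.GET.OBJECT data/US/users.csv "GET /data/US/users.csv HTTP/1.1" 200 - 524288 524288 45 40 "-" "python-requests/2.25.1" -
3be1c4f2examplecanonicalid fraudguard-data [25/Jun/2021:14:20:10 +0000] 192.0.2.55 - C4 REST.GET.OBJECT data/DE/users.csv "GET /data/DE/users.csv HTTP/1.1" 200 - 131072 131072 33 30 "https://fraudguard.example/about" "Mozilla/5.0" -
3be1c4f2examplecanonicalid fraudguard-data [26/Jun/2021:01:02:03 +0000] 192.0.2.55 - D5 REST.GET.OBJECT data/US/users.csv "GET /data/US/users.csv HTTP/1.1" 200 - 524288 524288 41 38 "-" "curl/7.68.0" -
3be1c4f2examplecanonicalid fraudguard-data [26/Jun/2021:01:02:30 +0000] 192.0.2.55 - E6 REST.GET.OBJECT backup.sql "GET /backup.sql HTTP/1.1" 404 NoSuchKey 289 - 9 - "-" "curl/7.68.0" -
"""

# A token is a "quoted string", a [bracketed timestamp], or a run of non-spaces.
TOKEN_RE = re.compile(r'"[^"]*"|\[[^\]]*\]|\S+')

# Leading fields of the S3 server access log format; newer trailing fields are ignored.
FIELDS = ("bucket_owner", "bucket", "time", "remote_ip", "requester", "request_id",
          "operation", "key", "request_uri", "http_status", "error_code", "bytes_sent",
          "object_size", "total_time", "turnaround_time", "referer", "user_agent",
          "version_id")


def parse_line(line):
    """Parse one access-log line into a dict with a timezone-aware timestamp."""
    tokens = TOKEN_RE.findall(line)
    if len(tokens) < len(FIELDS):
        raise ValueError(f"short log line: {line!r}")
    rec = dict(zip(FIELDS, tokens))
    rec["time"] = datetime.strptime(rec["time"].strip("[]"), "%d/%b/%Y:%H:%M:%S %z")
    for field in ("request_uri", "referer", "user_agent"):
        rec[field] = rec[field].strip('"')
    rec["http_status"] = int(rec["http_status"])
    return rec


def parse_log(text):
    """Parse every non-empty line of a log dump."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def country_of(key):
    """Return the country folder for keys shaped data/<CC>/..., else None."""
    parts = key.split("/")
    return parts[1] if len(parts) >= 3 and parts[0] == "data" else None


def summarize(records, owner_id=OWNER_ID):
    """Aggregate the honeypot signals: who came first, what was taken, and from where."""
    foreign = [r for r in records if r["requester"] != owner_id]
    # Country folders the operator seeded, so untouched ones still show up as zero.
    seeded = {country_of(r["key"]) for r in records
              if r["requester"] == owner_id and r["operation"] == "REST.PUT.OBJECT"}
    seeded.discard(None)
    downloads = Counter()
    for r in foreign:
        if (r["operation"] == "REST.GET.OBJECT" and r["http_status"] == 200
                and r["key"].endswith(".csv") and country_of(r["key"])):
            downloads[country_of(r["key"])] += 1
    first = min(foreign, key=lambda r: r["time"], default=None)
    return {
        "total_requests": len(records),
        "foreign_requests": len(foreign),
        "foreign_pct": round(100 * len(foreign) / len(records), 1) if records else 0.0,
        "first_foreign": (first["time"].isoformat(), first["remote_ip"]) if first else None,
        "csv_downloads_by_country": {c: downloads.get(c, 0) for c in seeded | set(downloads)},
        # Non-empty Referer values show which pages led visitors to the bucket.
        "referers": Counter(r["referer"] for r in foreign if r["referer"] != "-"),
        # 404s from outsiders are requests for object names that were guessed, not linked.
        "probe_misses": sum(1 for r in foreign if r["http_status"] == 404),
    }


if __name__ == "__main__":
    for name, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{name}: {value}")
```

On the constructed sample the script reports that five of eight requests came from outsiders, that the first outside access was the anonymous bucket listing on 24 June, that the US folder was downloaded twice and the CN folder never, and that one request was a miss for a guessed object name. The same summary can be run over real server access logs delivered to a logging bucket, with `OWNER_ID` set to the account's canonical user ID.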
A further insight from the experiment is that the Google Cloud Storage and Azure Blob Storage servers remained undetected by cybercriminals for its entire duration. This could be attributed to those servers not being hotlinked and having the company name, which prevented them from being detected through brute-force attacks.
The findings from this honeypot experiment shed light on the behaviors of cybercriminals and their strategies for accessing data. This information can be invaluable for organizations and governments looking to enhance their data security and storage protocols. By understanding how hackers operate and what they look for, IT teams can better protect their sensitive data and prevent unauthorized access.
Overall, this experiment highlights the importance of data security and the need for constant vigilance in the face of evolving cybersecurity threats. It also serves as a reminder that organizations and individuals must stay one step ahead of cybercriminals by implementing robust security measures and staying informed about the latest threats and vulnerabilities in the digital landscape.