Monitor your digital footprint to reduce digital risk and fraud

We enable financial institutions to continuously monitor threats caused by human error and malicious actors to protect their data, financial resources, and reputation.

WEBINAR | July 9, 2020 @ 11:00 AM EDT

Autopsy of a ransomware attack Webinar by Flare Systems and In Fidem

The number and impact of ransomware attacks are constantly increasing. Between 2018 and 2019, the number of attacks has increased by nearly 60% and the cost of attacks could exceed US$20 billion by 2021. For reference, the impact of ransomware attacks was only US$5 billion just three years ago.

WHAT WE DO

Digital Risk

Identify digital assets made publicly available due to human error or malicious actors to minimize business risks and prevent breaches.

Threat Intelligence

Receive prioritized intelligence from illicit networks to get greater insight into threat credibility and mitigation effectiveness.

Fraud prevention

Identify and block high-risk transactions based on identity theft data originating from your peers and from the criminal underground to improve fraud prevention.

Leaked Credentials

Monitor third-party breaches for employee and client credentials to prevent unauthorized access to your resources and protect your assets.

Darknet

Continuously and automatically monitor illicit networks on the darknet and clear web for faster reaction times, higher productivity and better understanding.

WHY FLARE SYSTEMS

Confidence

Be confident that you know what is happening at all times

Coverage

Understand the most likely and most damaging threats

Easy To Use

No training required thanks to our user-friendly interface


TESTIMONIALS

Firework enables us to react quickly when threats are publicized, protecting our brand and our financial resources.

Principal Director,
Security & Innovation

Major Canadian financial institution

OUR ARTICLES


Dorking: Preventing Leaks From Hurting Your Firm

While readily available, malware is far from being the only tool that malicious actors use to steal data and illegally access computer networks. Malicious actors indeed threaten firms’ security using far more mundane and everyday techniques.

Case in point: taking advantage of Google, the world’s most popular search engine, to find confidential information and vulnerabilities in your firms’ systems. In this blog post, we explain how malicious actors conduct reconnaissance on your systems without ever touching them. We also cover what their main reconnaissance targets are and why reproducing the same reconnaissance on your own systems is both a complement to your security solutions and a precious safeguard against exploitation.

What is Google Dorking

Google’s goal is to index the world’s information. While doing so, its indexing robots collect vast amounts of confidential data that were never meant to be public in the first place. With the right search operators, anyone can target that confidential data specifically and find information that was meant to remain private.

Examples of operators

intitle:XXX searches for content in the title of a webpage
filetype:XXX searches for a specific file type

A search for intitle:password AND filetype:xlsx would, for example, find all Excel spreadsheets that have the word password in their title.

This technique, known as “Google dorking” or “Google hacking”, is not new. In fact, malicious actors used to be able to search for the first several digits of a credit card number and find dozens of results for leaked credit card numbers. With the right keywords, also known as “dorks”, a malicious actor can find insecurely stored sensitive information with ease.

The reason for Google Dorking

The first step of a successful attack against a company is reconnaissance. The MITRE framework calls this step PRE-ATT&CK, and it consists of gathering information on a target, both actively and passively.

Active reconnaissance refers to actions that security teams are likely to detect such as probing a network. This gives the target an early warning sign that an attack may be coming.

Passive reconnaissance refers to actions that security teams cannot detect. Google dorking is only known to Google, which neither detects the dorks nor warns the companies that are targeted using this technique.

Google dorking therefore provides a method for malicious actors to conduct reconnaissance without warning their target they are coming. This increases their odds of success and limits the ability of companies to prepare for an attack.

What do Google Dorks look like

Export files of databases follow a known, specific pattern. In the example below, we found files that contain both the data structure of databases and all their data. This type of file is used to export data and make backups and should never be published online. These databases are likely to contain thousands of records of individuals with their sensitive personal information.


API keys are passwords that grant access to servers and data to anyone who has a copy of them. With access to these keys, a malicious actor can steal, alter or inject data into cloud-based systems. Each online service has its own API key format that can be searched for. In the example below, we found the API keys that control a Google Drive account. Using these keys, it would be possible to access and modify the content located in that Google Drive account.


Finally, malicious actors can find administrative panels to website backends using Google Dorks. These panels may not be protected against password guessing and other types of attacks that lead to website takeover.

Malicious actors share and exchange Google Dorks with each other on numerous online forums. The example below presents how actors share dorks including what the dork itself is as well as what it does. In this case, it lists vulnerabilities for a specific WordPress plugin.


Adopting the malicious actors’ point of view

Malicious actors should not be the only ones running Google dorks to conduct reconnaissance on your computer network. Indeed, if you are to prevent attacks, using the same methods and techniques that malicious actors use allows you to know where you are vulnerable and to gain insights into what malicious actors see and know.

Updating and assessing the vulnerabilities of your computer systems is an important part of your security team’s daily activities. Many companies also conduct penetration tests regularly to identify systems that are vulnerable and in need of patching. Using Google Dorks fills a similar role in your security processes: it serves as insurance for the cases where your security systems have not detected a publicly exposed vulnerability.


Building and updating a list of Google Dorks requires specific expertise that solution providers such as Flare Systems offer. We constantly update the list of Google Dorks that we run using our customers’ names and key resources. Our infrastructure runs a scan every hour against all the dorks we have implemented and alerts our customers in real time, providing industry-leading automation. This enables us to detect any information leakage before malicious actors can, and to help our customers take down the information. To request your demo of our Firework product that integrates Google Dorks, contact us today at [email protected].
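The workflow described in the last two sections (scope the dorks to your own assets, run them on a schedule, alert only on what is new) is small enough to show in code. The block below is an added example written for this article; it is not Flare’s or Firework’s code. It assumes a hypothetical template set keyed by exposure class, a hypothetical `{dork_name: set_of_urls}` shape for search results, and constructed sample results in place of a live search engine. The templates are restricted to `site:` your own domain, which is the self-reconnaissance use the section above argues for.

```python
import re

# Dork templates scoped to the monitored organisation with the site: operator.
# They mirror the exposure classes discussed above (database exports, spreadsheets
# whose title mentions passwords, administrative panels); the template set itself
# is constructed for this example, not a vendor's list.
DORK_TEMPLATES = {
    "db_export": "site:{domain} filetype:sql",
    "password_sheet": "site:{domain} intitle:password filetype:xlsx",
    "admin_panel": "site:{domain} inurl:admin intitle:login",
}

# operator:value, where the value may be a quoted phrase
OPERATOR_RE = re.compile(r'(?P<op>site|intitle|filetype|inurl|intext):(?P<val>"[^"]*"|\S+)')
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def build_dorks(domain, templates=DORK_TEMPLATES):
    """Instantiate every template for one monitored domain: {name: query}."""
    return {name: tpl.format(domain=domain) for name, tpl in templates.items()}


def parse_dork(query):
    """Split a dork into (operator, value) pairs and the remaining free-text terms."""
    operators = [(m.group("op"), m.group("val").strip('"'))
                 for m in OPERATOR_RE.finditer(query)]
    remainder = OPERATOR_RE.sub(" ", query)
    terms = [t.strip('"') for t in TOKEN_RE.findall(remainder)
             if t.upper() not in ("AND", "OR")]
    return {"operators": operators, "terms": terms}


def new_exposures(previous, current):
    """Diff two runs ({dork_name: set_of_urls}) and keep only URLs not seen last time.

    Alerting on the delta rather than the full result set is what stops an hourly
    scan from re-paging the team about exposures that are already being taken down.
    """
    alerts = {}
    for name, urls in current.items():
        fresh = set(urls) - set(previous.get(name, ()))
        if fresh:
            alerts[name] = sorted(fresh)
    return alerts


# Constructed sample results standing in for two consecutive hourly runs.
PREVIOUS_RUN = {"db_export": {"https://files.example.com/backup/site.sql"}}
CURRENT_RUN = {
    "db_export": {"https://files.example.com/backup/site.sql",
                  "https://files.example.com/old/customers.sql"},
    "password_sheet": {"https://docs.example.com/shared/passwords.xlsx"},
}

if __name__ == "__main__":
    for name, query in build_dorks("example.com").items():
        print(f"{name}: {query} -> {parse_dork(query)}")
    print("new exposures:", new_exposures(PREVIOUS_RUN, CURRENT_RUN))
```

In practice the `site:` operator is the important part: it keeps the scan on assets you own, and the hourly diff turns a noisy search result page into a short list of items that need a takedown request.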

Featured Post

How Loyalty Program Fraud Happens

Loyalty programs have grown tremendously in the last decade. Memberships rose from 2.6 billion to 3.8 billion from 2012 to 2016, and are projected to increase to 5.5 billion by the end of the year. The total value of all loyalty program points was estimated at USD$48 billion in 2017 (Wise Marketer, 2017). This rapid growth has made loyalty programs an attractive target for a new criminal underground, specializing in loyalty program fraud. We explain below how malicious actors use phishing attacks and leaked credentials to target loyalty programs, and explain how domain monitoring and leak detection mitigate many of the risks associated with loyalty programs fraud.

Phishing Attacks

Any attempt at loyalty program fraud begins with the hijacking of members’ accounts. To obtain these credentials, malicious actors often send spam emails that invite members to log in to their accounts with a link provided in the message. Instead of going to the real loyalty program website, however, victims are directed to phishing sites that steal their usernames, passwords and security question answers. Members are even asked to submit personal information, such as date of birth, social insurance number (SIN) and driver’s license number.

Darknet markets sell both spam services and phishing site templates to lure members to phishing sites. Seen in the figure below is a listing for a scam page kit. 

These methods are constantly evolving, as malicious actors learn to navigate your security systems. It is important to stay vigilant and to understand new threats as they develop.

Database Thefts

Malicious actors also target loyalty programs directly to steal their members’ personal and financial information. They take advantage of unpatched software or social engineer their way into loyalty program databases to extract data about their members. This technique requires more advanced technical skills and is not as common as phishing attacks. 

A large hotel chain announced in March 2020 that it had once again been hit, with up to 5.2 million guests at risk. Someone used the credentials of two franchise property employees to access […] contact details like names, email and home addresses, and phone numbers, as well as gender, birthday, frequent flier numbers, loyalty account info, and hotel preferences. [The company] indicated that [the intrusion] persisted for several weeks before getting flagged.

Wired (2020)

Leaked Credentials

Finally, malicious actors download from the internet and the dark web databases that contain usernames and passwords. Since over half of people reuse the same passwords on different websites, the passwords leaked from one service can be tested on another service to see if they are valid. This type of attack is known as credential stuffing.

In March 2020, a U.K. supermarket giant issued a warning of account takeover attacks. Using credentials leaked in data breaches, a potential 600,000 members of its loyalty program were affected. Swift action prevented the attacks from successfully taking over all 12 million of its loyalty program accounts but still left many potential cases of stolen personal information and fraud.

Credential stuffing can be automated through account checker software that can also be purchased on illicit markets. The software uses a list of usernames and passwords and outputs a list of the credentials that have allowed valid logins. Since each login portal is different, customized modules are needed to test the validity of credentials for each specific website. Some software even comes with the ability to route traffic through proxies to make detection even more difficult.

Account checker programs are becoming more advanced. In the example below, a malicious actor is selling software that is preconfigured to target 22 different web portals and is able to hide behind proxies.
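The account checkers described above leave a recognisable trace in a login log, and the proxy feature explains why a single rule is not enough. The following is an added detection example written for this article, not code from Flare Systems or from any checker tool. It assumes a constructed one-line-per-attempt log format (`timestamp ip=… user=… result=ok|fail`) and uses constructed sample lines. It flags the classic signature (one source trying many accounts and mostly failing) and, separately, the proxy-rotated variant, where every source IP stays quiet but many distinct accounts fail within the same few minutes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login-log format for this example (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return an event dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_single_source(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct accounts and mostly fail within one window.

    This is the plain account-checker signature: one source working through a list.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "fail" for e in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[ip] = {"distinct_users": len(users), "attempts": len(win), "failures": fails}
                break
    return flagged


def detect_distributed(events, window=timedelta(minutes=5), min_failed_users=8, max_users_per_ip=2):
    """Catch the proxy-rotated variant that the per-IP rule misses.

    Behind rotating proxies each IP touches one or two accounts, so no single IP looks
    busy. Instead, count how many distinct accounts saw a failure from such "quiet"
    IPs inside one window; a burst of them is stuffing regardless of the source IPs.
    """
    fails = sorted((e for e in events if e["result"] == "fail"), key=lambda e: e["ts"])
    users_per_ip = defaultdict(set)
    for e in fails:
        users_per_ip[e["ip"]].add(e["user"])
    quiet = [e for e in fails if len(users_per_ip[e["ip"]]) <= max_users_per_ip]
    start, best = 0, 0
    for end in range(len(quiet)):
        while quiet[end]["ts"] - quiet[start]["ts"] > window:
            start += 1
        best = max(best, len({e["user"] for e in quiet[start:end + 1]}))
    return {"failed_users_from_quiet_ips": best, "alert": best >= min_failed_users}


def analyse(lines):
    events = [e for e in map(parse_line, lines) if e]
    return {"single_source": detect_single_source(events), "distributed": detect_distributed(events)}


# Constructed sample: one noisy checker, one legitimate login, and a proxy-spread run.
SAMPLE_LOG = [
    "2020-06-01T10:00:01Z ip=203.0.113.5 user=alice result=fail",
    "2020-06-01T10:00:02Z ip=203.0.113.5 user=bob result=fail",
    "2020-06-01T10:00:03Z ip=203.0.113.5 user=carol result=fail",
    "2020-06-01T10:00:04Z ip=203.0.113.5 user=dave result=fail",
    "2020-06-01T10:00:05Z ip=203.0.113.5 user=erin result=ok",
    "2020-06-01T10:00:06Z ip=203.0.113.5 user=frank result=fail",
    "2020-06-01T10:01:00Z ip=198.51.100.7 user=alice result=ok",
] + [
    f"2020-06-01T10:02:{i:02d}Z ip=192.0.2.{i} user=member{i} result=fail" for i in range(1, 11)
]

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The thresholds are illustrative; tune them against your own baseline of failed logins per window, and note that the distributed rule only tells you that stuffing is happening, not which accounts to protect, so it pairs naturally with the per-account step-up described later in this article.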

Impacts of Loyalty Program Fraud

The consequences of these account takeovers are numerous. Beyond simply stealing points, loyalty program fraud can impact you financially and damage your brand and reputation.

An organized and scaled loyalty program fraud can generate substantial financial losses. For example, malicious actors use the loyalty points to obtain free services from a company that must, in turn, refund the points to their customers. Replacing the fraudulently redeemed points effectively doubles the financial losses of companies by forcing them to provide twice the number of free goods and services. If the objective of loyalty programs is to retain customers and maintain brand loyalty, breaking that trust has a direct impact on the success of the program and the business.

Preventing Loyalty Program Fraud

To reduce the costs of loyalty programs fraud, companies can target the source of stolen credentials. Firms can monitor for phishing-related services and proactively detect logins that use leaked credentials. 

Malicious actors register websites with names that closely resemble those of legitimate loyalty program websites. They may for example register the website company-x.com to phish the customers who believe they are visiting the official companyx.com website. Many products compile this registration data into feeds that your company can subscribe to and find phishing sites. Most website registrars have processes in place for companies to report phishing sites and are willing to take down phishing websites rapidly. With real time detection in place, it is possible to take down phishing sites well before a phishing campaign reaches your customers.
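The company-x.com versus companyx.com case above generalises into a small set of registration patterns that a feed subscriber can match automatically. The block below is an added example for this article, not the code of any of the products mentioned; it assumes a hypothetical brand label `companyx`, a constructed list of newly registered domains standing in for a registration feed, and a set of domains the company already owns so that those are never flagged. Besides the fixed patterns (hyphen insertion, omitted, swapped or doubled characters, digit-for-letter substitutions, brand plus a login-style keyword), it falls back to an edit distance of one and to the brand string being embedded in a longer label.

```python
# Digit-for-letter substitutions commonly seen in lookalike labels (constructed list).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
# Keywords that get attached to a brand to make a phishing label look official.
AFFIXES = ("login", "rewards", "account", "secure")


def label_variants(brand):
    """Generate lookalike labels (no TLD) for a brand label."""
    v = set()
    for i in range(1, len(brand)):                 # hyphen insertion: companyx -> company-x
        v.add(brand[:i] + "-" + brand[i:])
    for i in range(len(brand)):                    # omission: companyx -> compnyx
        v.add(brand[:i] + brand[i + 1:])
    for i in range(len(brand) - 1):                # adjacent transposition: companyx -> compnayx
        v.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    for i in range(len(brand)):                    # doubled character: companyx -> companyxx
        v.add(brand[:i + 1] + brand[i] + brand[i + 1:])
    for i, ch in enumerate(brand):                 # homoglyph substitution: companyx -> c0mpanyx
        if ch in HOMOGLYPHS:
            v.add(brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:])
    for a in AFFIXES:                              # brand + keyword: companyx-login
        v.update({f"{brand}-{a}", f"{brand}{a}", f"{a}-{brand}"})
    v.discard(brand)
    return v


def edit_distance(a, b):
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand, owned):
    """Return the reason a newly registered domain resembles the brand, or None."""
    d = domain.lower().rstrip(".")
    if d in owned:
        return None
    label = d.split(".")[0]
    if label == brand:
        return "brand label on foreign TLD"
    if label in label_variants(brand):
        return "known lookalike pattern"
    if edit_distance(label, brand) <= 1:
        return "edit distance 1"
    if brand in label:
        return "brand embedded in label"
    return None


def scan_feed(feed, brand, owned):
    """Map each suspicious domain in a registration feed to the matching reason."""
    hits = {}
    for domain in feed:
        reason = classify(domain, brand, owned)
        if reason:
            hits[domain] = reason
    return hits


# Constructed registration feed for the hypothetical brand companyx.
FEED = ["company-x.com", "companyx.net", "c0mpanyx.com", "companyx-login.com",
        "compamyx.com", "mycompanyx-deals.org", "example.com", "companyx.com"]

if __name__ == "__main__":
    for domain, reason in scan_feed(FEED, "companyx", {"companyx.com"}).items():
        print(f"{domain}: {reason}")
```

Each hit is a candidate for the registrar takedown process described above, and the reason string tells the analyst which pattern fired, which helps when deciding how urgently to act on it.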

Many products also offer the ability to query, in real time, whether a particular combination of username and password has been leaked online. This allows your company to check every login attempt and require additional identification for the accounts that are at risk of compromise. This vastly limits the ability of malicious actors to take advantage of leaked credentials. Flare Systems, for example, carries an extensive database of 2.5 billion publicly available leaked credentials that companies can use to secure their employee and customer accounts.
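The login-time check just described amounts to a lookup of the submitted username and password against the leaked set, with the outcome deciding whether the session proceeds, is stepped up, or is denied. The block below is an added example written for this article rather than Flare’s API; it assumes a constructed breach dump, a hypothetical pepper value, and a caller that has already verified the password. It stores peppered HMAC fingerprints instead of plaintext pairs so that the lookup store is not itself a second copy of the leak, and it normalises usernames so that case or whitespace differences in the dump do not hide a match.

```python
import hashlib
import hmac


def credential_fingerprint(username, password, pepper):
    """HMAC-SHA256 over a normalised username and the password.

    The store then holds fingerprints rather than leaked plaintext pairs, and the
    pepper (kept outside the store) makes the fingerprints useless on their own.
    """
    material = f"{username.strip().lower()}\x00{password}".encode("utf-8")
    return hmac.new(pepper, material, hashlib.sha256).hexdigest()


class LeakedCredentialStore:
    def __init__(self, pepper):
        self._pepper = pepper
        self._fingerprints = set()

    def ingest(self, pairs):
        """Load (username, password) pairs from a breach dump; return the store size."""
        for username, password in pairs:
            self._fingerprints.add(credential_fingerprint(username, password, self._pepper))
        return len(self._fingerprints)

    def is_leaked(self, username, password):
        return credential_fingerprint(username, password, self._pepper) in self._fingerprints


def login_decision(store, username, password, password_is_correct):
    """Decide what to do with a login attempt once the password has been verified.

    A correct password that also appears in a breach dump is exactly the credential
    stuffing case: hold the session until a second factor (or a reset) is completed.
    """
    if not password_is_correct:
        return "deny"
    if store.is_leaked(username, password):
        return "step_up"
    return "allow"


# Constructed breach dump; in practice the pepper would come from a secrets manager.
PEPPER = b"example-pepper-do-not-reuse"
BREACH_DUMP = [("Alice@Example.com", "Winter2020!"), ("bob@example.org", "hunter2")]
STORE = LeakedCredentialStore(PEPPER)
STORE.ingest(BREACH_DUMP)

if __name__ == "__main__":
    print(login_decision(STORE, "alice@example.com", "Winter2020!", True))  # step_up
```

The decision is deliberately made after password verification: a leaked pair that does not match the account’s current password is just a failed login, while a leaked pair that does match is the case the article warns about, and the response is step-up authentication followed by a forced password change.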

When implemented together, these solutions greatly limit the ability of malicious actors to gain access to your customers’ accounts and ensure that your company is perceived as a difficult target.

Conclusion

Fraudsters are constantly finding new ways to steal the financial and personal data of customers. By applying these steps, a loyalty program can significantly reduce fraud committed through account takeovers and prevent fraud before it occurs. If you would like to hear more about how Flare Systems’ solutions can help you prevent account takeover and loyalty program fraud, request a demo at [email protected].

Featured Post

What Does The “Free” in Free Food Really Mean?

Hijacked accounts are one of the most common items available for purchase on online illicit markets. On our blog, we’ve discussed in the past the issue of bank credentials being put up for sale. We now want to highlight how fraudsters also target other industries, namely the food delivery industry. This has been a growing concern with the confinement orders and the need to find alternatives to restaurants shutting down and long lines at grocery stores. We provide solutions on how to stay safe and to help improve the security of food delivery applications by using two-factor authentication as well as reporting any fraudulent charges.

Who the players are in Canada

The food delivery market is a fast-growing industry with sales expected to grow to USD$3 billion in 2023. And this was before the coronavirus. A lot of money is at stake in this industry. Most large food delivery companies such as Just Eat, Skip The Dishes, Uber Eats and Door Dash are active in Canada. Skip The Dishes and Uber Eats are respectively the two most popular companies according to a survey of Canadians.

Revenues from food delivery companies in Canada

Exploiting food delivery applications

Financial fraudsters appear to target food delivery applications in one of four ways.

In the first method, fraudsters use phishing or credential stuffing (reusing passwords stolen on other websites) to gain access to accounts. They can then sell the credentials to actors who will order food using the account’s credit card on file. In the advertisement below, a fraudster is offering an account at a steep discount compared to the funds available in it.


In the second method, fraudsters open new accounts and associate them with stolen credit cards. These new accounts are then sold to actors just as above. The discussion below between fraudsters suggests that at least one company is a soft target because of how easily it can be taken advantage of.


In the third method, fraudsters sell methods to order free food on food delivery applications. In a leaked Pastebin post, one of these fraudsters reveals an easy technique to earn free food by using coupon codes together.


In the fourth method, fraudsters offer to order the food for their customers. All a buyer needs to do is to supply an order and an address.

How to stay safe as a user

The examples above present advertisements targeting certain specific companies. Many advertisements target other applications, suggesting that all food delivery applications are vulnerable to fraudsters.

To protect themselves, users should make sure that they use long and complex passwords. They should also use unique passwords for each website and application. Fraudsters who use leaked credentials are unlikely to crack long and complex passwords, reducing the exposure of victims of leaked information.

Users should also enable two-factor authentication whenever possible. This will force applications to contact them to confirm orders, a small burden that could save them from authorizing a fraudulent transaction.

Finally, users should notify the applications of all the fraudulent charges on their account and stop using the applications. Applications that lose customers due to fraud will implement more rigorous checks of activity.


With the growing size of the food delivery market and the current pandemic, we expect fraudsters to focus more and more on this industry, increasing the losses due to fraud. Flare Systems offers protection against credential stuffing using leaked credentials. This is a simple solution that applications can easily integrate into their systems. With billions of records leaked every year, this is quickly becoming an essential first step in protection against fraud. Request a demo to see it in action.
