Compromised At-Risk Record Analysis

Case Study - Law Firm


DATE OF ANALYSIS: 8/30/2018
# of RECORDS: 1,094


244 Exposed Records Found = 22% Overall Match Rate
[Chart: Match vs. Clear of Compromise]

Vulnerability Type                       Potential Count
Account Takeover/Phishing                236
Phishing Only                            5
Account Takeover/Synthetic Identity      3

Vulnerability Type

  1. Account Takeover (ATO) - These compromised accounts have the potential to be hijacked. A hijacked account exposes the organization by allowing access to sensitive electronic files, records and correspondence, and/or by providing a foothold into corporate systems and networks.
  2. Phishing - These compromises contain an email address that may be targeted with a phishing scheme to get an unsuspecting employee to install malware or keyloggers on their hardware, which then harvest passwords or other sensitive information. Alternatively, phishing emails may be used to trick employees into sending fraudsters sensitive information or funds through checks or wire transfers.
  3. Synthetic Identity Deception - These compromises contain elements of Personally Identifiable Information (PII) that can be combined with fabricated details to create a new identity. The new identity is typically used to open new accounts, resulting in losses and damages to victims and organizations.


What is Business Email Compromise?
Business Email Compromise (BEC) is an exploit in which the attacker gains use of a corporate email account and then impersonates the account owner to defraud the company, or its employees, customers or partners, targeting the people responsible for releasing money or granting system or network access.

How do compromises happen?
The primary cause of compromised credentials is the vast number of breaches that have occurred over time. The breached records are sold and traded on underground marketplaces and used to steal from unsuspecting individuals and organizations. The problem is compounded by individuals' use of weak, easily cracked passwords and by the reuse of the same passwords across multiple personal and professional sites. Fraudsters are very sophisticated in their approach and will use social engineering to gather additional personal information, including an individual's employment history, to extend their access.

Where are compromised credentials used?
Theft using compromised credentials occurs worldwide in every industry imaginable. Healthcare, technology, financial institutions and retail are only the short list of a growing group of affected industries. Fraudsters are very sophisticated in their approach and will use the same credentials across multiple industries to maximize their financial gain.

Business Email Compromise Trends:
BEC has expanded tremendously over the past few years into one of fraudsters' most popular and profitable attacks. They prey on victims who lack the knowledge or specialized tools to avoid phishing and ransomware strikes, using employees' email addresses, and sometimes their passwords, as the method of delivery. The threat is heightened because employees' password reuse allows a compromise in their personal life to spill into their professional life. Fraudsters bank on users' poor password hygiene and use social engineering tactics to tie email addresses and passwords together in order to monetize the vulnerability. According to the FBI, global losses from BEC fraud are reported at $12.5 billion as of mid-year 2018.

The two most popular methods are:


The Benefits of working with Compromised, LLC
Your security professionals can easily manage Alerts by uploading a list of current employees' email addresses and setting periodic times to re-run their records. Once the email records are processed and matching compromised results are returned, the details may be viewed in our dashboard. To notify employees affected by a compromise, a prepared template email can be sent manually or automatically through our dashboard. Automatic email distribution and delivery are tracked for your records. It remains the responsibility of the employee to follow through and update any accounts that use the compromised credentials and passwords.
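The matching and classification workflow described above, as an added illustration that is not Compromised, LLC's own code: an employee roster is matched against compromised records, each exposed employee is labelled with the most severe vulnerability type defined earlier in this report (a password enables account takeover, PII elements enable synthetic identity fraud, an email address alone enables phishing), and a re-run only reports employees who have not been alerted before. The record layout (dicts with "email", "password", "ssn", "dob", "address" keys) and all sample data are constructed assumptions.

```python
"""Match an employee email roster against compromised-credential records.

Added example, not the vendor's code. Assumed record layout: dicts with an
"email" key and optional "password", "ssn", "dob" and "address" keys.
"""
from collections import Counter

# Severity order used to pick one label per exposed employee when several
# compromised records match the same address (highest index wins).
SEVERITY = [
    "Phishing Only",
    "Account Takeover/Phishing",
    "Account Takeover/Synthetic Identity",
]
PII_FIELDS = ("ssn", "dob", "address")


def normalize(email):
    """Lowercase and strip so roster and breach data compare consistently."""
    return email.strip().lower()


def classify(record):
    """Map one compromised record to a vulnerability type from the report."""
    has_password = bool(record.get("password"))
    has_pii = any(record.get(f) for f in PII_FIELDS)
    if has_password and has_pii:
        return "Account Takeover/Synthetic Identity"
    if has_password:
        return "Account Takeover/Phishing"
    return "Phishing Only"  # an email address alone is still a phishing target


def analyze(roster, compromised):
    """Return (dict of exposed email -> worst vulnerability type, match rate %)."""
    roster_set = {normalize(e) for e in roster}
    exposed = {}
    for rec in compromised:
        email = normalize(rec.get("email", ""))
        if email not in roster_set:
            continue  # records for addresses outside the organization are ignored
        label = classify(rec)
        current = exposed.get(email)
        if current is None or SEVERITY.index(label) > SEVERITY.index(current):
            exposed[email] = label
    rate = round(100 * len(exposed) / len(roster_set)) if roster_set else 0
    return exposed, rate


def new_since_last_run(exposed, previously_alerted):
    """On a periodic re-run, only employees not alerted before need a new notification."""
    return {e: t for e, t in exposed.items() if e not in previously_alerted}


# Constructed sample data (not taken from the report).
ROSTER = [
    "alice@example-law.test",
    "Bob@Example-Law.test",      # mixed case on purpose; normalized before matching
    "carol@example-law.test",
    "dave@example-law.test",
    "erin@example-law.test",
]
COMPROMISED = [
    {"email": "alice@example-law.test", "password": "Summer2017!"},
    {"email": "alice@example-law.test"},  # second, email-only dump; ATO label still wins
    {"email": "bob@example-law.test"},
    {"email": "carol@example-law.test", "password": "carol123",
     "ssn": "000-00-0000", "dob": "1980-01-01"},
    {"email": "someone@other.test", "password": "x"},  # not on the roster, ignored
]

if __name__ == "__main__":
    exposed, rate = analyze(ROSTER, COMPROMISED)
    print(f"{len(exposed)} exposed of {len(set(map(normalize, ROSTER)))} = {rate}% match rate")
    for label, n in Counter(exposed.values()).most_common():
        print(f"  {label}: {n}")
    print("new alerts:", new_since_last_run(exposed, {"alice@example-law.test"}))
```

In a production workflow the comparison would be done on hashed email addresses and the breach data would never need to hold plaintext passwords for the match to work; only the presence of a password field matters for classification.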

Risk Analysis Conclusion:
According to sampled research across multiple industries, an average of 10% to 23% of email addresses at large Fortune 500 firms will match one or more compromised credentials. That is a compelling figure when you consider that just one successful phishing or ransomware attack could produce catastrophic financial losses through wire fraud and reputational damage, and in some industries, such as healthcare, could cost lives. Proactive prevention is the name of the game. Let the Compromised Alert product help bring compromised credential risk intelligence into your organization's fraud tool arsenal.

Examples of law firm BEC exploits:

Fraudsters find law firms a tempting treasure trove of confidential and sensitive material, from mergers and acquisitions to patents and punitive lawsuits. The aggressive nature of cyber attackers is compounded by the reality that these intrusions are difficult to detect and to remediate. Law firms with limited budgets and expertise are an even greater target.

In May 2016 a fraudster released a ransomware virus in an email attachment opened by an employee of a Rhode Island law firm, resulting in a three-month outage of the firm's computer network. Employees within the firm were rendered "essentially unproductive," according to a lawsuit filed against their insurance provider claiming $700,000 in lost billings. The hacker's extortion demanded the firm pay $25,000 to release the documents.

Between April 2014 and late 2015 a Macau-based cyber gang gained access to insider information, networks and servers of two law firms. The attack led to the group acquiring a total of $4 million in shares based on stolen insider information from five publicly traded companies.

In 2017, the SEC won a judgment for nearly $9 million against the cyber gang for breaching the two prominent New York-based law firms. The theft of intellectual property represents a growing risk to law firms and underscores the need for greater cybersecurity protection of client information.