
I know that criminals can readily find on the black market large dumps of password databases from hacked sites. These may contain the username, password, and email address for millions of users.

But what about IP addresses? Is it easy to find similar data sets that also contain, for each user, the last IP address that user used to log into the site? Or, to put it another way, is it easy for criminals to get their hands on a large database that lists, for many IP addresses, an email address for someone who might have recently used that IP address? By recent, I mean "in the past few years".

Suppose a criminal wants a large database that, for millions of users, has their email address and an IP address that user has recently used. (This would allow the criminal to do a lookup by IP address and retrieve an email address for a user who has used that IP address.) Is this readily available for sale on the criminal underground market? Or is this tough/expensive for criminals to come by?


Context: I'm trying to assess the plausibility of a hypothesis about how some people might be getting phished by a specific attack campaign. For these purposes, it would help to know whether it's easy for criminals to get their hands on large data sets that tell them not only usernames and passwords but also IP address information, or whether this information is not readily available to most garden-variety criminals. In other words, this is effectively a question about the economics of cybercrime: what is the cost to a criminal of obtaining a database of (emailaddr,ip_addr) records, compared to the cost of obtaining a database of (username,password,emailaddr) records?

I do know about NAT and dynamic IP address assignment and their implications for this situation.

D.W.
  • What's the point of knowing the user's IP address? Especially since you can't easily spoof it. Usually fraud detection algorithms take into account the general location of the IP (country, region) and that info can be obtained elsewhere, so you don't actually need the user's IP address to fool those algorithms. – André Borie Jul 11 '16 at 22:04
  • @AndréBorie, I'm evaluating an alleged attack that supposedly works along the following lines: when the criminal sees that a user visits some web site, find their IP address, look it up in the database, get their email address and full name, and now craft a targeted phishing email to them based on their web browsing activity and the knowledge you got from that database. That's only plausible if criminals can obtain information that helps them link ip_addr<->email_addr; my question is basically asking about whether that information is readily available on the black market. – D.W. Jul 11 '16 at 22:08
  • ... And that's different from spear phishing how? – Robert Mennell Jul 11 '16 at 22:09
  • @D.W. dynamic IPs and users switching between different devices (phone, home computer, work computer, etc.) make that impractical. And if you have access to a site's DB you'd usually go after the email/password hashes right away, as they are more lucrative. I doubt anyone would pay money for an IP->email database considering how unreliable that is. – André Borie Jul 11 '16 at 22:10
  • @RobertMennell, It's not different. It is a special type of spear phishing -- but that's not what I'm asking. I'm not sure I understand what point your comment is trying to get at. I'm asking what information is readily available in the black market, for a reasonable price, as that will help me assess whether this proposed attack is indeed plausible or not. Can I do anything to make my question clearer? – D.W. Jul 11 '16 at 22:10
  • @AndréBorie, I know about dynamic IP addresses and switching between devices, as I wrote at the bottom of my question. I do understand their implications and I have already taken that into account. That's not what I'm asking. Should I remove the bottom part of my question? I feel like it's causing people to be distracted from my real question. What do you think? – D.W. Jul 11 '16 at 22:12
  • @D.W. I think your question is clear. What I'm trying to say in my comments is that considering how impractical it is to compile such a database, there won't be anyone wasting his time doing that. – André Borie Jul 11 '16 at 22:15
  • @AndréBorie, if such a database is not readily available on the black market because it is impractical to compile, then that's an answer to my question. Do you know that to be true, or have you found it to be true in your experience? If so, I encourage you to write an answer! (But that's not how I read your comments. I read your comments as debating whether or not it would be profitable to make use of such a database, if it did exist -- which is a different matter from what I'm asking.) – D.W. Jul 11 '16 at 22:18
  • @D.W. that's the issue - I have no sources for this other than my personal experience and opinion, so I'd like to leave it as a comment. Maybe someone else will suggest a practical use case for such a database that will make it seem worthwhile to make one, but so far I can't think of any. – André Borie Jul 11 '16 at 22:20
  • IP addresses could be useful even if they are dynamic. Anything revealing location on the net is useful. Two IPs on the same broadband are basically the same useful information. For example, it may help in concealing a breach. – Aria Jul 11 '16 at 22:59
  • Some of the password database leaks include the IP of the user. – schroeder Jul 12 '16 at 06:57

3 Answers


Is it feasible to find a list of user IPs used by an account? The answer to that is a "It depends on the user" answer.

The Effort Required

In a simple DB dump (those most common lists you mentioned with email, password), that list was often generated by an insecure page with an injection vulnerability. Often at that point the attacker doesn't have any console, file system, or other access. They merely obtained a copy of the table itself, and that table more than likely doesn't store that information, since it could be a many-to-many relationship and usually exists on a separate intranet server, if they do have that regional fraud detection in place at all.

A much more in depth, risky, and difficult attack would then be needed just to LOCATE the data. Then you need to attack to try and get the data. Often it isn't worth the risk unless you're expecting a huge payoff or have found horrible security practices in the first place. If the security is that horrible though it probably wouldn't be a system that even stores that information or has regional fraud detection systems in place.

The Alternative

A much simpler way to do it is to email each user a spear phishing email with something to make them make a request to your server to collect this information. This is a much simpler attack with a smaller payoff, but still a payoff nonetheless. It's easy enough to do on your own with just a simple email/password list and a well-designed enough phishing server with convincing enough pages/links.

At this point since it's so simple it's kind of a "If we have it we got lucky" situation, or a "DIY" situation. These systems are often complex, and sometimes offloaded entirely making the attacks to find that information hard to near impossible.

Robert Mennell

No. Such a database is not available.

  1. IP addresses mean nothing to most users, so you can't confront them with this fact. A statement like "I know the IP address you had on 2015-11-09" is as scary as "I know how many steps you walked on 2015-11-09": even if that's a fact, the user themselves would not know how to prove that statement true.
  2. Even if someone is aware what an IP address is, publishing an IP address is not a security threat in the given format Email-Address + IP Address (it may be a risk when publishing other information, e.g. OS and OS patch level).
  3. The information is short-lived: many ISPs give new IPs every 24 hours, so an IP address "in the past few years" is quite useless.
  4. The information is uncertain: due to NAT, proxies etc. an IP address may be in use by many people.
  5. People with a legitimate interest in names for IP addresses, e.g. a lawyer pursuing copyright violations for music, can request the name behind an IP anyway. No need to rely on a doubtful list.

Conclusion: such a database is not available since it has no value and therefore you can't sell it.

Thomas Weller
  • @D.W. I say "it has no value and therefore you can't sell it." The items before are just reasons why it has no value – Thomas Weller Jul 12 '16 at 06:52
  • While the value of knowing an IP address is overstated, #2 is incorrect. Public IPs are harmless (it IS public) but suppose you know I work for company X and ask a question with associated code for a public-facing app referencing IP addresses/hosts on our internal network. I just partially enumerated company X's corporate network and made it public information; god help us if there is a vulnerability in my code. Now everyone knows something about our infrastructure and has a potential vector to get into it. Without this, they'd have to break in and do scanning, which hopefully trips NIPS/IDS. – Ivan Jul 12 '16 at 15:48
  • @Ivan: the format of the data as defined by the OP was emailaddr, ip_addr, and not ip_addr, host_type, host_os. Given my email and my IP address 10.10.15.59, I doubt you can do something with it. – Thomas Weller Jul 13 '16 at 06:00
  • Correct, but I take issue with your assertion that "publishing an IP address is not a security threat." It gives the wrong impression because there are contexts in which publishing private IP information in conjunction with another data point is very much a security threat. Same goes for my SSN: by itself meaningless, with my favorite color meaningless, but with my name? Now it's PII. For a board about information security, it's just bad form to make such broad oversimplifications. – Ivan Jul 13 '16 at 13:22
  • @Ivan: agreed, I updated the answer and refer to that data format of the OP. Thanks – Thomas Weller Jul 14 '16 at 07:05


Yes, such information is available on the black market and is ISP-based. Usually, such data packets contain the ISP-assigned IP and at least the MAC address of regional or even national clients of that specific ISP, sometimes along with some other client data.

Considering the average number of ISPs in the average European Union country, I cannot exclude the possibility of such information also existing as complete at a specific date. For example, in many EU countries there are no more than 3 ISPs that cover over 90% of the country (sometimes as high as 98%). Note that such information can be extracted at regional level (city, county) or national ISP level (more expensive).

Note that I can hands down confirm that such information exists on the black market (confirmed from at least 1 ISP in my country, just like a big Excel file with all phone numbers and client names from a very big mobile phone service provider exists), although from my point of view it would have limited use compared to an e-mail or phone number database.

Overmind