
"India at the centre of a major global data breach" | The Probe Exclusive

A recent study by NordVPN of Lithuania's Nord Security puts India at the heart of a massive data breach. Stolen data of lakhs of Indians was found in the Russian bot markets. The Probe's Vikas Mavi speaks to Marijus Briedis, Chief Technology Officer of NordVPN, on the implications of the Indian data leak.

By Vikas Mavi

Representational Image | Photo courtesy: Storyblocks

A recent study by NordVPN of Lithuania's Nord Security found that the data of over 50 lakh people was stolen globally and sold in bot markets for 490 Indian rupees. The study put India at the heart of the data breach, as the data of a whopping 6 lakh Indians was found to have been stolen by hackers and sold in bot markets.

The study found that hackers had stolen webcam snaps, screenshots, up-to-date logins, cookies and digital fingerprints of users. The research found 26.6 million stolen logins. Among them were around 720,000 Google logins, 654,000 Microsoft logins, 647,000 Facebook logins and 223,000 Netflix logins; user data from several other major companies was also found to be compromised.

After the recent AIIMS ransomware attack, the latest study by NordVPN once again puts the spotlight on digital theft markets that harvest Indian data. The study revealed the stark realities of bot markets, which are different from other dark web markets. After the data is sold in bot markets, the hackers guarantee the buyer that the victim's information will be updated as long as their device is infected by the bot.

In this interview, The Probe's Vikas Mavi speaks to Marijus Briedis, Chief Technology Officer of NordVPN, on the study and the implications of the Indian data leak.

Vikas: How long did your team take to complete the study? Who were the critical team members, and what was the methodology used?

Marijus: The study took approximately three months to complete. It took one month for third-party researchers to gather the statistical data and one more month to analyse the data and create a research page.

The data about bot markets was compiled in partnership with independent third-party researchers specialising in cybersecurity incident research. No information that relates to an identified or identifiable individual was collected, reviewed, or otherwise involved when performing the research and preparing the study. Moreover, the researchers did not access the dark web. Data was received on September 29, 2022.

Vikas: Your study has revealed very crucial details. You have said that the data of 50 lakh people that was stolen globally was sold in bot markets for 490 INR. When you say that India is most affected by this threat in the world, can you give us more details regarding the India angle? Who were the victims of this attack? Were they government employees, private individuals, students, or business houses?

Marijus: The victims of the attack were the usual internet users who got their devices infected by bot malware. We have not looked into their personal information as this would mean a violation of their privacy. But generally, hackers do not target any special group by this attack.

India could be so heavily targeted because it has a lot of residents with low cybersecurity awareness. Users like these tend to get their devices infected with malware more easily.

Vikas: As this is a grave issue, have you also kept the Indian cyber authorities in the loop over the findings of your study?

Marijus: We have not informed any agency or Indian government about the issue because there is very little they can do. People need to be educated in order to keep their information private. We decided to start by communicating the issue to a general audience as we believe that educating society is important.

Vikas: Since a maximum number of Indian data were stolen, we would like to know what, according to you, are some of the reasons that make Indians particularly susceptible to such attacks.

Marijus: First of all, the number of internet users in India is very large. So that is why the number of affected users is also pretty huge. Also, India still lacks cyber security awareness. Many people don't know they should not download random files or click on suspicious links, and that is why they are easily tricked by hackers.

Vikas: Please elaborate on the role of these bot markets: the Genesis Market, the Russian Market and 2Easy. Which of these markets were used to sell the data of Indians? Have you been able to identify the key hackers?

Marijus: The data on Indians could be mostly found on the Russian Market and 2easy. We do not know anything about the identities of the criminals who own those markets.

Vikas: Do the 600,000 Indian citizens whose data was compromised know that their data was stolen? Have you informed the victims about such a bot attack?

Marijus: We have no information about the identities of affected people because we have not bought any of the information from the bot markets. Buying information like that is illegal, so we only used statistical data for the research.

Vikas: You have revealed that "after the bot is sold, the victim's information can be updated as long as their device is infected by the bot". Since this is an issue that requires immediate action by law enforcement agencies of the countries involved, we would like to know if you are planning to coordinate with the government agencies to bust the racket.

Marijus: There is not much that government agencies can do regarding this issue. What every person can do, however, is download an antivirus program and clean their device. That would ensure bot malware is gone in case it was there in the first place, and the bot will not be updated further.

Vikas: You have mentioned several companies like Google, Amazon, Facebook, Paypal and others. Have you informed these companies about how such bot attacks compromised their user data?

Marijus: We have not informed any of the companies you mentioned, as we believe informing society and possible victims (Indians) is the most effective thing to do.

Vikas: Were Indian Netflix users' data compromised? If yes, how many people have been victims of the bot attacks?

Marijus: There were at least 223,173 Netflix logins stolen. However, we do not know how many of them are Indian. All of these logins were stolen by bot malware.

Vikas: Who are the buyers of this data?

Marijus: The buyers are mostly cybercriminals who want to use the data for their own sake.

Vikas: How does one find out if their data has been compromised? What precautionary measures do you suggest the users take to ensure that their data and privacy are not hampered?

Marijus: There is no way to know that bot malware has or has not stolen your data without experiencing the consequences (like phishing attempts, identity theft, and the like). The best thing any user can do is install antivirus software and scan their device for malware. It is also essential to clean cookies regularly, change passwords every six months and store them in a password manager, not a browser. This way, even if a user was affected by bot malware in the past, they will protect themselves from the possible consequences of their data being stolen.