Constella Intelligence

Harnessing Generative AI for Building the Human Firewall Against AI-Driven Identity Scams

In response to the growing concerns surrounding AI-driven identity scams, Constella is not only taking steps to understand and reproduce these harmful tools but is also leveraging the potential of our trained Language Models (LLMs) and Generative AI to prepare our users against potential scams.

One of our strategic initiatives is to simulate customized scams using the specific exposed data of our users in a safe and secure environment. The aim is to alert and educate users about how their information could potentially be used in scams and provide them with an experiential learning opportunity to respond appropriately. This will help users understand the potential risks they face, the form that these attacks may take, and the possible tactics scammers could employ.

Training Users through Personalized Simulations

As an Identity Theft protection company, we possess a unique advantage in our battle against AI-driven identity scams: a spectrum of exposed attributes, including Personally Identifiable Information (PII), related parties, and online activity that we collect to alert exposed users. Rather than letting this information lie dormant, we leverage it to construct a vulnerability profile – a Surface of Attack. By compiling a user’s exposed data, we gain insights that enable us to create a detailed profile – a digital identity mosaic that delves into their life, both personal and professional. This comprehensive understanding goes beyond the surface level, allowing us to craft an intricate picture of their attributes, behaviors, job roles, hobbies, and even relationships. With this web of information, we can anticipate the strategies malicious actors might employ. Generating AI-driven narratives that simulate scams based on this gathered information enables us to provide users with a virtual battleground where they can master the art of defense.

Building Human Defenses

Imagine a scenario where a user is presented with a simulated scam tailored to their unique attributes. This simulated scam mirrors real-world tactics that attackers might employ. The user is then guided through the intricacies of identifying red flags, evaluating risks, and making informed decisions. It’s not merely theoretical education; it’s a hands-on experience that cultivates practical skills. Users learn to discern fraudulent schemes from genuine interactions, ultimately arming themselves with the ability to outsmart even the most sophisticated AI-generated threats.

The beauty of this approach lies in its dynamic nature. Just as the threat landscape is in constant flux, our strategy evolves in tandem. The Surface of Attack adapts, incorporating newly exposed information that becomes an attack vector. This adaptability ensures that users are continuously trained, making the “Human Firewall” an ever-vigilant shield against the onslaught of AI-driven scams.

In this age of unprecedented digital connectivity, arming ourselves against AI-driven identity scams requires a multi-faceted approach. Constella’s fusion of user data analysis, AI-generated simulations, and personalized training is poised to rewrite the rules of engagement. Through this holistic strategy, we don’t just fend off threats – we empower our users to become sentinels of their own digital realms.

Conclusion: The Unyielding Power of the Informed User

In a digital landscape fraught with ever-evolving threats, relying solely on automated defenses or conventional protective mechanisms is no longer sufficient. The stark reality is that the most technologically advanced defense systems can still be compromised if the end user remains uninformed or unprepared.

At Constella, we firmly believe that the most robust line of defense is the user themselves. By providing them with the tools, experiences, and knowledge to recognize and combat AI-driven scams, we’re empowering individuals to stand as sentinels of their digital domains. It’s akin to equipping a city not just with walls and watchtowers, but with vigilant, well-trained guards at every possible point of entry.

Every simulation we create, every potential scam we expose, and every experiential lesson we offer is a step towards molding our users into the ultimate deterrent against cyber threats. It’s not just about identifying the dangers out there; it’s about understanding one’s own vulnerabilities and turning them into strengths.

In our journey towards a safer digital future, technology will undoubtedly play an instrumental role. However, the human element – informed, alert, and proactive – remains irreplaceable. At the heart of Constella’s strategy lies this belief: that in the battle against AI-driven identity scams, a well-prepared human mind is, and will always be, the most formidable asset we possess.




Julio Casal

CIO & Founder

The Stealthy Threat: Unveiling the Dangers of Cookie Capture

In the vast realm of cyber threats, where hackers and cybercriminals are constantly honing their skills, one danger that often flies under the radar is cookie capture. Cookies, those innocuous-looking bits of data stored on your computer, play a crucial role in modern web browsing. However, they have also become a prime target for cyber attackers looking to gain unauthorized access to sensitive information. In this blog post, we will delve into the dangers posed by cookie capture in the realm of cyber security and explore how you can safeguard yourself against this stealthy threat.

Understanding Cookies

Cookies are small pieces of data that websites store on your computer to remember information about your interactions. They can store user preferences, login credentials, and even items in your shopping cart. These files are meant to enhance your browsing experience by saving you from having to re-enter information every time you visit a site.

The Dangers of Cookie Capture

  1. Session Hijacking: One of the most significant dangers associated with cookie capture is session hijacking, also known as session replay or session theft. If a hacker manages to intercept your cookie data, they can impersonate you and gain access to your online accounts without needing your login credentials. This can lead to unauthorized access to your email, social media, or even financial accounts.
  2. Cross-Site Scripting (XSS): Cyber attackers can exploit vulnerabilities in websites to inject malicious scripts that capture cookies from unsuspecting visitors. This can allow the attacker to steal user cookies and potentially gain unauthorized access to the victim’s accounts.
  3. Eavesdropping: If you’re using a public Wi-Fi network without proper encryption, attackers can intercept your data traffic and capture cookies as they are transmitted between your device and the websites you’re visiting. This is especially dangerous when browsing sensitive websites such as online banking platforms.
  4. Personalized Attacks: With access to your cookies, attackers can gather personal information about your browsing habits, interests, and online behavior. This data can be used to launch more convincing and personalized phishing attacks.

Mitigation and Prevention

  1. HTTPS Encryption: Always ensure you’re browsing websites that use HTTPS, especially when entering sensitive information. HTTPS encrypts the data transmitted between your device and the website, making it significantly harder for attackers to intercept and capture cookies.
  2. Public Wi-Fi Caution: Avoid using public Wi-Fi networks for sensitive activities, as they are more susceptible to eavesdropping. If necessary, consider using a Virtual Private Network (VPN) to encrypt your internet connection.
  3. Regular Logouts: After using online services, make sure to log out, especially if you’re on a shared or public computer. Logging out invalidates the session cookie, reducing the risk of session hijacking.
  4. Cookie Settings: Review and adjust your browser’s cookie settings to minimize the amount of information stored and shared. Consider blocking third-party cookies, which are often used for tracking.
  5. Security Updates and Antivirus Software: Keep your browsers and operating systems up to date to ensure you’re protected against known vulnerabilities that attackers could exploit. Furthermore, consider running reputable antivirus software, which can be instrumental in detecting known malware and malicious files that can capture your sensitive data, including your session cookies, from your computer without your knowledge.
  6. Subscribe to Identity Monitoring: Unfortunately, despite our best efforts, sometimes our sensitive data can be exposed, even when we take every reasonable step to prevent it. Our data may be exposed unintentionally by a third party, or our personal devices may become infected with malware that captures our credentials and session cookies. Since these exposures often happen without our knowledge, a reputable identity monitoring service can alert you to an exposure as soon as it happens, allowing you to work to resolve the issue as quickly as possible.
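The server side of the HTTPS, cookie-attribute and logout advice above, as an added Python example that is not part of the original post: the session store, cookie name, token format and timeout values are all assumptions made for illustration. It shows why a captured session cookie stops being useful once the user logs out or the session idles past its timeout.

```python
"""Added example: server-side session store whose cookies resist capture and replay.

Assumptions (not from the original post): the cookie name, token format, idle
timeout and the SessionStore / parse_cookie_header names are constructed here.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional

SESSION_COOKIE = "sid"      # cookie name, constructed for this example
DEFAULT_TTL = 15 * 60       # idle timeout in seconds, constructed value


@dataclass
class Session:
    user: str
    last_seen: float


def parse_cookie_header(header: str) -> dict:
    """Split a raw Cookie request header into a name -> value dict."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


class SessionStore:
    """Keeps session state on the server; the cookie carries only a random token."""

    def __init__(self, ttl: int = DEFAULT_TTL, clock: Callable[[], float] = time.time):
        self._sessions: dict = {}
        self._ttl = ttl
        self._clock = clock   # injectable clock so expiry can be demonstrated

    def login(self, user: str) -> str:
        # 256 bits from the OS CSPRNG: the token cannot be guessed, only captured.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user=user, last_seen=self._clock())
        return token

    def set_cookie_header(self, token: str) -> str:
        """Set-Cookie value with the attributes that limit cookie capture.

        Secure    -> never sent over plain HTTP, so a Wi-Fi eavesdropper sees nothing
        HttpOnly  -> invisible to page scripts, so an XSS payload cannot read it
        SameSite  -> not attached to requests initiated by other sites
        Max-Age   -> the browser drops it after the idle timeout
        """
        return (f"{SESSION_COOKIE}={token}; Secure; HttpOnly; SameSite=Strict; "
                f"Path=/; Max-Age={self._ttl}")

    def authenticate(self, cookie_header: str) -> Optional[str]:
        """Return the user for a valid, unexpired session, otherwise None."""
        token = parse_cookie_header(cookie_header).get(SESSION_COOKIE)
        session = self._sessions.get(token) if token else None
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > self._ttl:
            # Idle too long: a cookie captured earlier is worthless now.
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user

    def logout(self, token: str) -> bool:
        """Invalidate server-side; any replayed copy of the cookie stops working."""
        return self._sessions.pop(token, None) is not None


def replay_scenario() -> dict:
    """Show what a captured cookie is worth before and after logout or timeout."""
    clock = [1_000.0]                       # fake clock so expiry is deterministic
    store = SessionStore(ttl=600, clock=lambda: clock[0])

    token = store.login("alice")
    set_cookie = store.set_cookie_header(token)
    # Constructed: the Cookie header an attacker would replay after capturing it.
    captured = f"{SESSION_COOKIE}={token}"

    while_live = store.authenticate(captured)      # "alice": replay succeeds
    store.logout(token)
    after_logout = store.authenticate(captured)    # None: session is gone

    token2 = store.login("alice")
    captured2 = f"{SESSION_COOKIE}={token2}"
    clock[0] += 601                                # user walks away without logging out
    after_timeout = store.authenticate(captured2)  # None: idle timeout expired it

    return {
        "flags_present": all(f in set_cookie for f in ("Secure", "HttpOnly", "SameSite=Strict")),
        "while_live": while_live,
        "after_logout": after_logout,
        "after_timeout": after_timeout,
    }


if __name__ == "__main__":
    print(replay_scenario())
```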


In an increasingly interconnected world, the threats to our digital security are constantly evolving. Cookie capture might not be as well-known as some other cyber threats, but its potential for harm is significant. By understanding the risks and implementing preventive measures, you can better protect your online identity, data, and sensitive information from falling into the wrong hands. Stay vigilant, stay informed, and stay secure.



Keon Ramezani

Sr. Sales Engineer

The Achilles Heel of Large Language Models: FraudGPT, WormGPT and Constella’s Proactive Response to AI-Powered Cyber Threats

The capabilities of large language models (LLMs) have come into sharp focus recently, with applications ranging from generating complex and creative texts to mimicking human-like conversation. However, this power isn’t without its shortcomings. The Achilles heel of these advanced AI models appears to be their potential misuse for scam creation, underlining the necessity of robust cybersecurity measures.

Emerging AI-driven threats, such as WormGPT and FraudGPT, have leveraged the capabilities of LLMs to aid in phishing and malware creation, posing new challenges to cybersecurity efforts. While these models usher in a new age of technological marvels, their potential exploitation by threat actors highlights the criticality of countering the threats they pose and protecting users from their misuse.

New Threat Landscape

Recent reports from cybersecurity forums and platforms, including the Security Boulevard, have detailed the use of models like WormGPT and FraudGPT. These LLMs are utilized to generate phishing emails and potentially malicious code, indicating a worrying trend towards the weaponization of AI for harmful purposes. The WormGPT model, purportedly based on the GPT-J architecture by EleutherAI, is believed to be trained on a wide array of data sources, with a focus on malware-related data.

Another threat, FraudGPT, is described as a tool capable of creating “undetectable malware” and uncovering websites vulnerable to credit card fraud. However, experts believe that the actual capabilities of these models may not be as high as advertised, and they may indeed be used more as tools to deceive less tech-savvy individuals.

Constella’s Response

In response to this concerning development, Constella is taking proactive steps to safeguard its user base. We are currently testing various LLMs, aiming to reproduce these potentially harmful tools in a controlled and secure environment. This approach enables us to gain deep insights into the mechanics of these AI models and understand how they may be employed for malicious purposes.

By replicating the potential threats, Constella aims to improve our security systems’ responsiveness and effectiveness. This initiative aligns with our commitment to staying one step ahead of cybercriminals, continually innovating, and reinforcing our users’ security.

The Way Forward

Understanding the dynamics of these new AI threats allows Constella to devise advanced protective strategies and reinforce our existing cybersecurity infrastructure. As a part of our continuous effort to ensure the safety of our users, we are investing in research and development to advance our AI-powered security measures.

While the current threat level from AI-powered tools like WormGPT and FraudGPT may not be as severe as some believe, it’s critical to anticipate and prepare for the potential advancements in this field. As such, Constella is committed to developing cutting-edge solutions to combat the evolving threats in the cyber landscape, upholding our promise to offer secure and reliable services to our users.

In conclusion, the potential misuse of LLMs for scam creation underscores the need for vigilance in the face of evolving cybersecurity threats. As AI continues to play a dual role as a cybersecurity tool and potential cyber threat, Constella remains committed to protecting our users, staying vigilant and prepared for whatever the future may hold.


Julio Casal

CIO & Founder

Identity Theft Botnet Infostealer Exposures Vs. Breach Exposures: A Comparative Analysis

In the realm of identity theft, a deep understanding of the types of threats and their unique implications is critical. Among these threats, two types of exposures frequently rise to prominence because of their capacity to cause substantial harm – Botnet Infostealer exposures and Identity data compromised following a Breach.

While both pose a considerable risk, there are key differences between them. This article delves into a comparative analysis based on four main distinguishing aspects: the target of the exposure, the inclusion of cookie theft, the scope of compromised credentials, and the distinction between risk and incident in device control.

1. Risk of Exposure: Essential Services Vs. Specific Platforms

Firstly, the nature of services compromised during an exposure significantly influences the risk and potential consequences.

In the case of Botnet Infostealer exposures, the targets often include essential services. These encompass institutions like Banks, payment platforms such as PayPal, and important authentication services like Google and Microsoft. The compromise of these services can lead to severe outcomes as they handle highly sensitive data and provide critical functions. For example, an attacker gaining access to a Google account could control a user’s email, cloud storage, location history, and linked devices.

On the contrary, Breach exposures usually pertain to services of lesser criticality. In recent years, we have not witnessed major leaks involving banking or payment systems such as Wells Fargo or PayPal being trafficked in the Dark Web. The same holds true for credentials from industry giants such as Google, Apple, or Facebook. Despite their immense user base and potential for misuse, substantial breaches involving these services have, thankfully, remained absent from darknet trading circles.

When inspecting the compromised data within a Botnet Infostealer package, one is struck by the prevalence of crucial services that are central to our financial wellbeing and digital lives. Such a package will typically include a number of credentials pertaining to various banking institutions and payment systems, alongside almost invariably present credentials from major platforms like Google, Facebook, or Apple. These constitute key components of our digital identities, underlining further the severity of Botnet Infostealer exposures.

2. Inclusion of Cookie Theft: Circumventing Two-Factor Authentication

The second distinguishing feature lies in the method of access. Botnet Infostealers often incorporate cookie theft as part of their operations. Cookies can hold session tokens or other data that authenticate the user’s identity. If these cookies are stolen, an attacker can impersonate the user and bypass two-factor authentication systems. This opens up a potent avenue for unauthorized access to accounts, even those secured with extra precautions.

In contrast, conventional data breaches almost never involve cookie theft. The information exposed in these cases often includes usernames, passwords, and other personal details but does not usually provide a method to bypass two-factor authentication.

3. Volume of Compromised Credentials: Multiple Vs. Single

The number of credentials exposed in an attack is another key factor in assessing the potential impact. Botnet Infostealer exposures are more expansive, often compromising dozens of credentials from the same computer and, likely, the same person. This means that the attacker could gain access to multiple accounts across a range of services, significantly expanding the potential for damage.

In contrast, Breach exposures are more likely to result in the compromise of a single set of credentials for each user. Although this can still have serious implications, particularly if the exposed credentials are used across multiple services, the immediate impact is typically limited to the specific breached service.

4. Infostealer: A Manifested Incident vs. Breach Exposure: A Latent Risk

An Infostealer exposure is an infection that signifies an incident – a system has been actively compromised. In contrast, a breach exposure represents a risk, posing a potential threat of compromise but not inherently indicating an already occurred intrusion.

In a Botnet Infostealer scenario, the malware often provides the attacker with remote control over the compromised computer. This means that the criminal has the ability to not only steal sensitive data but also manipulate the infected device in various ways, potentially launching further attacks, installing more malware, or even using the infected device as a launchpad for attacks on other systems. Importantly, a Botnet Infostealer infection is not just a risk but an actual incident.

Risk, in this context, refers to the probability of a particular adverse event occurring and its potential impact. An incident, however, is the realization of that risk – the adverse event actually happening. Therefore, when a Botnet Infostealer compromises a system, it’s not a mere possibility of adverse impact; the adverse event has already occurred.

In contrast, conventional data breach scenarios do not typically result in the attacker gaining remote control over affected systems. Instead, these exposures often involve unauthorized access to data stored on a system, but without the ability to directly control or manipulate that system. Here, the risk primarily lies in the potential misuse of exposed data rather than active control of the system.

Conclusion: A Comparative Perspective

While both Botnet Infostealer exposures and Breach exposures pose considerable threats, the potential implications of the former are more profound. The compromise of essential services, cookie theft enabling the circumvention of two-factor authentication, exposure of multiple credentials, and the remote control of the device make Botnet Infostealer exposures an alarming cybersecurity concern.

Nonetheless, the comparison does not diminish the significance of breach exposures. Each type of exposure carries its own unique risks and requires a distinct approach to mitigation and prevention. Therefore, recognizing the differences and understanding the unique dynamics of each threat type is crucial for crafting effective cybersecurity strategies.

Julio Casal

CEO & Founder

The Business Impact of Infostealers

In the last several years, consumer identity protection offers have become nearly ubiquitous. Service providers ranging from credit cards and credit monitoring services to insurance companies have started offering some form of identity protection service to their consumers. But let’s not forget that there are identities to be protected behind businesses, small and large, too, and leaving them unprotected can cause a lot of havoc.

We see time and time again that the human element tends to be the weak link in the security chain, as it is human nature to reuse passwords, fall victim to a well-crafted phishing email or accidentally download a malicious file. Both small businesses that haven’t yet planned for IT security and big businesses that have a very mature IT security practice are equally vulnerable to identity-based attacks, phishing attacks and Infostealer malware infections, as it tends to be a person that must “gatekeep” these attacks that are often not stopped by security software and firewalls. It is extremely important to take an outside-in look at your organization’s vulnerabilities, centered around identity data exposures, to better understand how your business may be at risk and out of reach of traditional security solutions.

Malware and Infostealers can have significant and damaging impacts on small businesses. Small businesses are often more vulnerable to cyberattacks due to limited resources, less sophisticated security measures, and a lack of dedicated IT staff. Here are some ways in which malware and Infostealers can affect small businesses:

  1. Data Breaches: Infostealers are designed to steal sensitive information, such as customer data, financial records, intellectual property, and login credentials. A data breach can expose a company’s sensitive information, leading to legal liabilities, loss of customer trust, and reputational damage.
  2. Financial Loss: Malware can disrupt business operations, leading to downtime and productivity losses. Ransomware attacks, for example, can encrypt essential files and demand a ransom to decrypt them, forcing businesses to pay up or face permanent data loss.
  3. Identity Theft and Fraud: Infostealers can harvest personal information from employees or customers, leading to identity theft and fraudulent activities. This not only affects the individuals involved but can also result in financial losses for the business.
  4. Disruption of Business Operations: Malware can cause system crashes, slow down network performance, and interfere with software and hardware functionality. Small businesses may struggle to recover from such disruptions, impacting their ability to serve customers and conduct day-to-day operations.
  5. Loss of Intellectual Property: Small businesses may rely heavily on proprietary technology or innovative ideas. Malware and infostealers can compromise intellectual property, leading to loss of competitive advantage and potential revenue streams.
  6. Regulatory Compliance Issues: If customer data is compromised, small businesses may face legal consequences and regulatory fines for failing to protect sensitive information adequately.
  7. Damage to Customer Trust: Small businesses often rely on trust and word-of-mouth referrals to grow their customer base. A data breach or security incident can erode customer trust, leading to decreased sales and customer retention.
  8. Cost of Remediation: Recovering from a malware attack can be expensive, requiring investments in cybersecurity solutions, forensic analysis, and potential legal fees.
  9. Business Continuity Challenges: Small businesses may lack the resources to implement comprehensive backup and disaster recovery plans, making it difficult to resume operations after a cyberattack.
  10. Reputational Damage: If a small business becomes known for being vulnerable to cyberattacks, potential customers may be hesitant to engage with them, causing lasting damage to the company’s reputation.

To mitigate the impact of malware and Infostealers, small businesses should invest in robust cybersecurity measures, such as using reputable antivirus software, regularly updating software and operating systems, implementing strong password policies, providing employee training on cybersecurity best practices, and backing up critical data regularly. Additionally, having a response plan in place for potential security incidents can help reduce the damage caused by malware attacks. Even with these security practices in place, rounding off your security posture with a business-centric identity protection solution is the best way to rest assured you’ve protected your employees, intellectual property and business finances from all angles.

Constella Intelligence offers just that—an extensive suite of business protection products, including our Business Monitoring APIs, now also available with botnet protection. Monitor the identity exposures of every member of your organization, checking for sensitive password exposures, PII exposures and even Infostealer malware infections by simply monitoring your company’s email domain. Even when your office IT security posture is strong enough to ward off malware, we find that the leading source of business credential exposure is an infected personal device, which doesn’t benefit from corporate security measures. Businesses are also vulnerable when their vendors and other businesses within their supply chain are compromised. And most importantly, Constella can identify when your customers have become infected with Infostealer malware.

Contact us today to learn more about our Business Monitoring solutions and how to protect your business in ways that traditional IT security cannot.



Keon Ramezani

Sr. Sales Engineer

The Alarming Reality: The Extent of Credentials Stolen by Botnets

In today’s digital age, where our lives are increasingly intertwined with technology, ensuring the security of our online accounts is of utmost importance. However, a growing concern looms over us: the ever-evolving threat posed by botnets. These malicious networks of compromised computers have the ability to infiltrate systems, steal sensitive data, and wreak havoc on individuals, businesses, and even nations. One of the most valuable assets these botnets pursue is our credentials – usernames, passwords, and other personal information that grant access to our online identities. In this blog post, we delve into the alarming reality of how many credentials a botnet can steal and the implications it holds for our digital security.

Botnet infostealers are malicious software programs designed to infect and compromise computers and cell phones, allowing cybercriminals to remotely access and extract valuable data, particularly login credentials. These stealthy programs often lurk undetected within compromised systems, silently harvesting usernames, passwords, credit card details, and other personal information without the victim’s knowledge. This stolen data is then sold on the dark web, fueling illicit activities such as identity theft, financial fraud, and unauthorized access to sensitive accounts.

Infostealer malware sneaks its way onto your computer in a number of ways: often the malicious code is embedded in software that promises to be a free security tool, in pirated music, movies and software, in what is meant to be a simple PDF, or through any number of other unsuspected methods. Often, since this malware is embedded in software, during the installation process the infostealer will prompt you to disable your anti-virus software so it can “properly install,” and unsuspecting users unfortunately fall victim to this ruse. Once on your computer, this malware can do quite a bit of harm:

Keylogging: Infostealers capture keystrokes made by the user, recording entered passwords and other sensitive information as the victim types.

Form Grabbing: These infostealers intercept data entered into web forms, extracting valuable details such as usernames, passwords, and credit card information.

Screen Capturing: Some infostealers take screenshots of the victim’s screen, capturing sensitive information displayed during online sessions.

Credential Theft: Infostealers target stored credentials, including login information saved in web browsers or password management tools, as well as your browser’s cookies. These cookies track your login sessions (so you don’t have to log in every time you visit your favorite sites), and when stolen, they can be used to trick the website’s server into loading the previously authenticated session for the hacker, bypassing any need to log in and even bypassing multifactor authentication.

The data infostealers capture is highly pervasive, as it can reach beyond the directly infected computer. Consider modern web browsers like Google Chrome that sync your data across all your devices. While this is convenient, it can mean that your saved login credentials from all of your devices could be captured by an infostealer. This is especially problematic if you’re logged in to Chrome on your work and home computer. Most business devices are secured with industry leading security software, and are locked down with corporate policies, making it less likely that the user can accidentally download an infected file. However, most users do not have as sophisticated security on their home machines, where they’re more likely to get infected, but since their browser is syncing their work credentials to their home computer, the possibility remains that your highly valuable work credentials can get snagged by botnet malware too.

The most staggering reality is that because these credentials are stolen directly from your machine, where you store your current passwords for convenience, a site does not need to be breached for a hacker to access your account if you’ve been infected by infostealer malware. While credentials and sensitive personal data are frequently breached from various sites, many customers of large, “high value” sites take comfort in knowing these companies put tremendous effort into protecting their user data. For example, large tech companies like Microsoft, Apple, and Amazon haven’t suffered any large-scale breaches; the same goes for large banks such as Bank of America, Chase, and Wells Fargo and highly popular streaming services such as Netflix, Spotify and Hulu. However, if you’ve been infected by an infostealer, your credentials to these sites can be in the hands of Russian cyber criminals. Look at the example below of a real infostealer infection and the types of credentials exposed.

Botnet infostealers represent a hidden threat that can compromise the security of our most valuable credentials and personal information. Understanding their mechanisms and implementing robust security measures is crucial to safeguarding ourselves and our organizations from the devastating consequences of infostealer attacks. By staying vigilant, keeping software updated, and adopting best security practices, we can fortify our defenses and minimize the risk of falling victim to these stealthy adversaries.

Keon Ramezani

Sr. Sales Engineer

Breadth of Data: Why it Matters

The last decade has seen tremendous growth in the availability of identity theft protection and identity monitoring services. This has been driven by the even faster growing online presence of the world’s population. While the internet has been around for decades, how we use it changes every day. Fifteen years ago, most people did most of their shopping in-store, whereas today, e-commerce platforms such as Amazon dominate how we shop. Ten years ago, you might have found yourself in the back of a dimly lit bar hoping to meet your significant other; but today, we can stay at home on our couch, swipe right and left on our online dating platform of choice, drink a beer we ordered online and find our soulmate. In the last couple of years alone, we’ve seen tremendous transformations: traditionally face-to-face business is conducted via online teleconferencing, classroom education has moved to the digital realm, we consult our doctors online, and many of us make money on digital entertainment platforms doing jobs that didn’t even exist a few years ago.

Okay, so we’re doing more things over the internet. So what?

The more we do online, the more of our personal data leaves our control. This isn’t a bad thing, as the potential downsides are easily outweighed by the convenience and technological advancements afforded by our digitized world. We simply need to be mindful of what’s out there. If you haven’t already, take a moment to read our blog about your digital exhaust, where we discuss how you leave behind digital breadcrumbs, and what to do about it in part 2 of the publication. In short, the bits of your personal data you may not realize are floating in the digital ether are highly valuable to threat actors and if exploited, can cost you money and your privacy. Thankfully, there are remedies for this problem, the most prominent of which is to enroll in an identity theft protection or identity monitoring service.

But not all identity theft protection services are created equal. You can read about what makes a great identity monitoring service here, which includes key factors such as data quality, volume, accuracy and global coverage, but today, we’ll discuss the importance of breadth of data.

What exactly is “breadth of data”?

Let’s begin by looking at a more traditional metric, “depth” or “volume” of data—this refers to “coverage”, or “does this data set include the data exposures that matter to me?” This is typically the first thing an identity data provider will implement—which is good, but unfortunately is no longer “good enough” on its own. Many identity exposure data providers are still focused on what mattered most at the inception of ID protection—email addresses and passwords. Yes, these are important attributes to track, and they’re among the most prevalent, but they don’t paint a complete picture. A focus on just emails and passwords leads down a narrow avenue—what we need today is something broader, and so we arrive at breadth of coverage.

We’ve established how much of our data gets exposed, but is your identity theft protection service capturing it all? Breadth of coverage refers to not only identifying that your email address and password appear in a data breach, but looking further and understanding that your telephone number, name, address, etc. have also been exposed and that they’re linked to your email. While this seems trivial on the surface, there are a lot of complexities and intricacies that must be considered when capturing a broad swath of data. Constella has spent the last decade mastering this art.

Adequately Capturing Broad Data

Think back to the last several times you’ve signed up for a new website or filled out a digital form. You almost certainly provided an email address and made up a password, you probably gave your name and mobile phone number, and you likely even revealed additional data about something more obscure, like your license plate number and the make, model and year of your car for a parking service, for instance. When a website captures such obscure data, it needs to designate a spot in its database for it—think of it as adding another column to a spreadsheet. In turn, when an identity monitoring data provider captures breached data, it needs to recognize these obscure data types and identify them. Without this identification, this additional data would be useless—consider a 9-digit number captured from a breach without additional context; is it an international phone number, a social security number, a passport number, or something completely different? To generate value through breadth of data, we need to not only capture the broader data points, but also identify the type of data we’re dealing with.

Constella recognizes over 250 data types and is constantly growing that list. We dedicate part of our data analysis and quality checks towards field identification, and so, we’re able to identify less common identity attributes such as gender, weight, height, sexual orientation, hair color, eye color and more; we can classify attributes such as license plate numbers and vehicle identification numbers; we recognize the name of the company you work for, job titles, the university you attended, your graduation year and salary information. As we grow the data types we can support, we’ve recently added coverage for a variety of online profile IDs from over a dozen different platforms, coverage for gaming IDs (a “gamertag”) and even business-centric attributes like VAT number and company registration numbers. Most prominently, Constella has worked hard to maintain international coverage by recognizing the tax ID and national ID number formats of over 50 countries.
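The field-identification problem described above, as an added example that is not Constella’s code: each value is checked against the formats it could be (email, phone, US SSN, VIN with its check digit), and a bare 9-digit string comes back with more than one candidate unless the source column name settles it. The validators, the column-name hints and the hint table are simplified assumptions for this illustration.

```python
"""Field-type identification for raw values pulled from breach records.

Added example, not Constella's code: shows why a value needs format checks
before it can be labelled, and why a bare 9-digit string stays ambiguous
without column context. Validators are simplified and cover only a few of
the attribute types the post lists (email, phone, US SSN, VIN).
"""
import re
from typing import List, Optional

# ISO 3779 VIN check-digit tables (letters I, O and Q are never used in a VIN)
_VIN_VALUES = {c: v for c, v in zip("ABCDEFGH", range(1, 9))}
_VIN_VALUES.update({"J": 1, "K": 2, "L": 3, "M": 4, "N": 5, "P": 7, "R": 9})
_VIN_VALUES.update({c: v for c, v in zip("STUVWXYZ", range(2, 10))})
_VIN_VALUES.update({str(d): d for d in range(10)})
_VIN_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def is_vin(value: str) -> bool:
    """True for a 17-character VIN whose check digit (position 9) verifies."""
    v = value.upper()
    if len(v) != 17 or any(c not in _VIN_VALUES for c in v):
        return False
    total = sum(_VIN_VALUES[c] * w for c, w in zip(v, _VIN_WEIGHTS))
    check = total % 11
    return v[8] == ("X" if check == 10 else str(check))


def looks_like_ssn(value: str) -> bool:
    """US SSN structure: 9 digits, area not 000/666/900-999, group != 00, serial != 0000."""
    digits = re.sub(r"[-\s]", "", value)
    if not re.fullmatch(r"\d{9}", digits):
        return False
    area, group, serial = int(digits[:3]), int(digits[3:5]), int(digits[5:])
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0


def looks_like_phone(value: str) -> bool:
    """Loose E.164-style check: optional '+', 7 to 15 digits after stripping separators."""
    return re.fullmatch(r"\+?\d{7,15}", re.sub(r"[-\s().]", "", value)) is not None


# words in a source column name that support each candidate type (assumed hints)
_HINTS = {
    "email": ("email", "mail"),
    "vin": ("vin",),
    "ssn": ("ssn", "social"),
    "phone": ("phone", "tel", "mobile"),
}


def classify(value: str, column_name: Optional[str] = None) -> List[str]:
    """Return every type the value's format is consistent with.

    More than one candidate means the value is ambiguous on its own; the
    source column name, when known, is used to narrow the result.
    """
    value = value.strip()
    candidates: List[str] = []
    if re.fullmatch(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}", value):
        candidates.append("email")
    if is_vin(value):
        candidates.append("vin")
    if looks_like_ssn(value):
        candidates.append("ssn")
    if looks_like_phone(value):
        candidates.append("phone")
    if column_name:
        hint = column_name.lower()
        narrowed = [t for t in candidates if any(k in hint for k in _HINTS[t])]
        if narrowed:
            return narrowed
    return candidates
```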

How does broad data help us?

In short, capturing data exposures at full breadth means we can see the complete picture. The totality of an individual or business’s exposures gives in-depth perspective of the risk profile that person or business carries. Understanding the extent of your digital footprint allows you to anticipate where you may be vulnerable. It is these details that cyber criminals are certainly capturing and using to their advantage—for instance, a data breach that exposes users’ automobile information allows a malicious actor to carry out targeted phishing attacks in bulk. Consider a generic phishing email that reads, “Dear sir or madam, this is your auto insurance company, your policy is about to be cancelled for non-payment; click here to fix this problem.” It doesn’t sound very credible and will be dismissed as a phishing email by many. On the other hand, imagine the same email but with personal details, “Dear Joe, this is your auto insurance company, Geico, letting you know that your policy ending in 1234 for your 2019 Toyota Camry is about to expire for non-payment…”, now that is bound to trick quite a few people into giving up payment info to a fraudster. Having a complete picture can help you remain cognizant of the attack vectors a malicious actor may use against you.

Get Breadth, Volume and Quality Data from Constella

Constella not only captures and curates the full breadth of data exposed in a breach, but we meticulously verify and validate the data we publish, ensuring you’ll receive high-quality, high-confidence alerts that you can count on. Contact us today to see how Constella’s industry-leading data can power your solution.

Keon Ramezani

Sr. Sales Engineer

The Hidden Dangers of Data Brokers: Protecting Your Personal Information

In today’s digital age, personal information has become an incredibly valuable commodity. Data brokers, companies that collect, analyze, and sell personal information, have become a thriving industry. These companies collect vast amounts of data on individuals from various sources, such as social media platforms, public records, and online purchases. However, the dangers of having your personal information with data brokers are immense, and it is essential to understand them to protect yourself.

The first danger of personal information being with data brokers is the risk of identity theft. Cybercriminals can use your personal information to open fraudulent accounts or obtain credit in your name. With access to your personal information, data brokers can provide these criminals with the necessary information, making identity theft much easier for them.

Another danger of having your personal information with data brokers is the potential for targeted advertising. Data brokers collect information about your browsing and purchasing habits, and then sell this information to advertisers. This can result in a bombardment of targeted ads that can be both annoying and intrusive. Furthermore, this can lead to the manipulation of your purchasing decisions, as advertisers can use your personal information to tailor their ads specifically to you.

Data brokers can also sell your personal information to other third-party companies. This means that your personal information can end up in the hands of companies you have no relationship with, and who may use it for purposes that you do not approve of. This can include everything from spam emails to unwanted telemarketing calls, and even more serious privacy violations.

Perhaps the most concerning danger of having your personal information with data brokers is the potential for it to be used against you by law enforcement or other government agencies. With access to your personal information, these agencies can create a profile of you that can be used to monitor your activities or investigate you. Even if you have done nothing wrong, having your personal information with data brokers can put you at risk of being wrongly targeted.

There is, however, a shred of good news: due to data privacy laws, data brokers are legally obligated to remove, or take down, your personal data from their databases upon a formal request. But a data broker is in the business of selling your data, so they deliberately make it difficult to navigate the data removal request process. There are hundreds of data brokers out there, and they each have a different data takedown request process, both deliberately cumbersome and time consuming. On average, it takes 47 minutes of work to remove your data from these sites, including verifying the removal and re-submitting requests if not initially removed. And to make things a bit more cumbersome, the data that you request to be removed may later re-appear on the very same data broker site, as the brokers can remain compliant with data privacy laws if they re-obtain and re-publish your data. This last fact simply means you’ll need a powerful identity protection solution that can not only manage takedowns on your behalf, but also continuously monitor for your personal information re-surfacing on data broker sites.  

Constella is proud to announce the upcoming launch of our data broker privacy solution. Available through both the Constella Unified Monitoring API and the Dome platform, Constella’s data broker privacy solution will monitor hundreds of data broker sites for the presence of your personal information and, upon your request, carry out the takedown process on your behalf, not only protecting your privacy, but saving you countless hours of chasing down data removal requests, and informing you as soon as your information re-surfaces.

Contact us today to learn how you can integrate Constella’s API into your product or license the Dome platform to protect your customers and your own organization.

Botnet Protection

For more than a decade, Constella Intelligence–formerly 4iQ–has been hunting, collecting, and curating breach data, which powers 6 of the top 10 identity theft protection providers, and provides identity intelligence to several partners across a number of use-cases and industries. Our fine-tuned expertise in this space allows us to deliver high-quality and actionable alerts that you can depend on. And while alerts for data exposed in a breach drive tremendous value for several applications, it is well-known that even an industry-leading provider like Constella cannot always alert on data exposed in a breach right after it happens. Freshly breached data usually remains in the hands of the responsible hacker for monetary gain, then is eventually passed around on the dark web and underground marketplaces—this often translates into weeks or even months of delay between initial exposure and the end-user being alerted to it.

As a part of our continuous pursuit of maximizing value for our partners, Constella has begun capturing data stolen by botnet malware, specifically Infostealers. This type of malware is making a big comeback and, most notably, can steal any credential used on a victim’s machine, which has a far deeper reach than breached credentials. Not only can this be costly for the average user, but it can be devastating for an infected corporate-use machine. And so, a timely resolution is of paramount importance.

Constella can alert you to your data being exposed by botnet malware as quickly as a few hours after exposure, with an average response time from exposure to alert of one to seven days. This rapid exposure alerting is critical for all botnet malware victims, as it gives the data owner a fighting chance at changing their exposed passwords before the botnet operator can make malicious use of them. Constella can deliver these timely alerts by ingesting data exposed by over 1 million infected machines per month (and growing), each of which contains on average 38 credential pairs spanning 6 unique email addresses.

Getting Started with Constella Botnet Protection

Begin protecting your users immediately with Constella’s Botnet Protection data feed: if you’re already integrated with our Unified Monitoring service, our botnet feed can be enabled without any additional development work. Simply indicate which of your users you’d like to subscribe to this feed (or ask us to enable it for all your users) and immediately begin receiving alerts the same way you already have been.

Our initial rollout of our botnet protection feed is focused on the critical elements: exposed credentials. These will benefit your users in two important ways, one—inform them they’ve been infected by botnet malware, and two—protect them from account takeover attacks by suggesting a password reset on every exposed account. Alerts from this feed will include information about the exposed credentials, the URL for which those credentials were stored, and an informative description of how this data was exposed and a recommendation on how to proceed. These alerts will be triggered by matching an exposed email address or username with an email/username enrolled by the user for continuous monitoring.

In the Near Future

In the near future, we will see some extraordinary enhancements to Constella’s botnet protection data feed, including a higher volume of alerts and additional information about the botnet infection. As we mentioned above, the average Infostealer-infected machine contains 38 different credential pairs across 6 different email addresses. We typically see one to two different email addresses monitored by users protected on our platform, which means the typical user would not be alerted to all of their exposures should they get infected by Infostealer malware. That’s exactly why the upcoming release of our botnet protection feed will provide all exposed credentials found on one infected machine, so long as one of your user’s provisioned email addresses or usernames matches the data exposed by a botnet. This has a profound significance, as it greatly increases your user’s awareness of their exposures, reminding them of email addresses they may have forgotten about, and protecting them from unseen threats.

Once we’ve rolled out the expanded set of credentials, we will begin enriching the botnet data feed with additional metadata captured by the Infostealer malware. This additional data will include information about the infected machine’s operating system, computer name, computer username, IP address, the file path to the malware on the infected machine, any exposed credit card numbers and files stolen by the malware.
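The two matching modes described in the preceding paragraphs (alert only on the credential pairs whose login is enrolled, versus report every credential on an infected machine once one login matches, enriched with machine metadata), as an added example that is not Constella’s feed code. The record layout, field names and the sample stealer log below are constructed for this illustration.

```python
"""Alert generation from infostealer logs, keyed by infected machine.

Added example, not Constella's feed code: illustrates the two matching modes
the post describes. The record layout, field names and sample data below are
constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional


@dataclass
class Credential:
    machine_id: str   # one stealer log = one infected machine
    url: str          # site the browser had the login saved for
    login: str        # email address or username
    password: str     # kept out of alerts; only its presence is reported


@dataclass
class Alert:
    machine_id: str
    matched: List[str]          # enrolled identifiers that triggered the alert
    exposed: List[dict]         # url / login pairs, passwords withheld
    machine: dict = field(default_factory=dict)  # OS, host name, IP, etc.


def _norm(s: str) -> str:
    return s.strip().lower()


def build_alerts(creds: Iterable[Credential], enrolled: Iterable[str],
                 machine_meta: Optional[Dict[str, dict]] = None,
                 expand: bool = True) -> List[Alert]:
    """expand=False: report only the credential pairs whose login is enrolled
    (initial rollout). expand=True: one enrolled match on a machine reports
    every credential found on that machine (expanded rollout), enriched
    with whatever machine metadata is available."""
    enrolled_set = {_norm(e) for e in enrolled}
    by_machine: Dict[str, List[Credential]] = {}
    for c in creds:
        by_machine.setdefault(c.machine_id, []).append(c)

    alerts: List[Alert] = []
    for machine_id, recs in by_machine.items():
        hits = [c for c in recs if _norm(c.login) in enrolled_set]
        if not hits:
            continue
        report = recs if expand else hits
        alerts.append(Alert(
            machine_id=machine_id,
            matched=sorted({_norm(c.login) for c in hits}),
            exposed=[{"url": c.url, "login": c.login,
                      "password_exposed": bool(c.password)} for c in report],
            machine=(machine_meta or {}).get(machine_id, {}),
        ))
    return alerts


# constructed sample: two infections, one of which holds an enrolled address
SAMPLE_CREDS = [
    Credential("m-001", "https://mail.example.com", "joe@example.com", "hunter2"),
    Credential("m-001", "https://shop.example.net", "joe.old@example.net", "pw1"),
    Credential("m-001", "https://game.example.org", "joe_gamer", "pw2"),
    Credential("m-002", "https://bank.example.com", "alice@example.com", "pw3"),
]
SAMPLE_META = {"m-001": {"os": "Windows 10", "computer_name": "DESKTOP-SAMPLE",
                         "ip": "203.0.113.7"}}

if __name__ == "__main__":
    for a in build_alerts(SAMPLE_CREDS, ["Joe@Example.com"], SAMPLE_META):
        print(a.machine_id, a.matched, [e["url"] for e in a.exposed], a.machine)
```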

Enhance the protection you provide your users by enrolling in Constella’s botnet protection feed. Deliver timely alerts in near real time following a botnet exposure and protect your users from threats they may not have otherwise detected. Contact us for a demo!

Keon Ramezani

Sr. Sales Engineer

The Resurgence of Infostealers

When you hear of 1990s technology making a comeback in a big way, you might wonder why you haven’t seen anyone reprising their Discman portable CD player or Tamagotchi digital pet, but tragically, it’s not the fun ’90s tech that has emerged again. Born in the 1990s, a botnet malware variant known as an “Infostealer” has returned with a vengeance. Since the original discovery of botnet malware, both technology and threat actor skills have drastically improved, allowing botnets to scale in size and capability. According to NETSCOUT’s 2022 threat report, in the first half of 2022 alone, their “global honeypot network observed more than 67 million connections from 608,000 unique IP addresses, spanning … 30,000 organizations, and 165 countries.” NETSCOUT observed a staggering 2,300% increase in botnet-infected devices from Q1 to Q2 of 2022.

As our lives and personal data go increasingly digital, there’s more to be gained by hackers who successfully steal your private data. The US Department of Justice reported the takedown of the Raccoon Infostealer MaaS (malware as a service) and the arrest of key players in its operation in March of 2022. The FBI identified over 50 million unique credentials captured by the dismantled botnet, and PII including email addresses, bank accounts, cryptocurrency addresses, and credit card numbers. A few months later, in July 2022, version two of the Raccoon Infostealer was released, and went viral under its new name, RecordBreaker. There’s no question that botnet Infostealers are making a big comeback and they’re coming after your data.

What is an Infostealer?

As the name suggests, an Infostealer steals your info—and it takes it right from where you feel the safest keeping it: your own computer and mobile device. Much like a computer virus, an Infostealer is a form of malware that infects your computer or mobile phone. But unlike most viruses, an Infostealer’s purpose is to capture whatever data it can from your computer and relay it back to the botnet’s command and control servers. Furthermore, certain varieties of botnet malware can take control of your computer, take screenshots at any point, log your keystrokes, and much more. The worst part is this all happens without the machine’s user even knowing anything is wrong. While many viruses have very noticeable symptoms (poor computer performance, frequent crashing, etc), an Infostealer is more fruitful for the threat actor when it operates undetected.

What will an Infostealer steal, exactly?

In short, everything that matters to you on your device. The most lucrative is all your stored credentials and Autofill data your web browser captures. Every time you log in to a site and your browser offers to save your password, those saved credentials are what get snagged. On average, we see 38 different pairs of credentials captured from an infected device, which includes 6 unique email addresses. Your browser’s Autofill feature also saves things like your name, address and credit card numbers for easy access the next time you need to fill out this information. Unfortunately, however, since an Infostealer is software that runs on your computer, it can quite easily extract the data saved in your Autofill database, and capture all your stored credentials, which sites those credentials work for, and any other personal detail you thought would stay private unless you decided otherwise.

Among the data an Infostealer can grab from your browser are your cookies. Cookies contain snippets of data stored locally in your web browser’s cache for convenient use later. This might be a website’s way of storing your preference for something, or it could be used for login purposes. Every time you log in to a website, a “session” is created, and the session is said to be authenticated; depending on your preferences and how the website you’ve accessed is designed, sessions can be valid for extended periods of time. Notice that you’re still logged in when you close your browser and return to certain sites? That’s thanks to sessions—and cookies are partly responsible for keeping track of your session. The website you’ve authenticated with stores a token, or a code of some kind, in your browser’s cookies. When this cookie is present and you re-visit a site, the site checks the cookie, sees that the stored token is still valid and cross-checks a few other parameters (like your browser version, operating system type and the geolocation of your IP), and if everything checks out, your session is still considered valid and you’re not required to re-authenticate. When an Infostealer captures your cookies, and some other relevant data from your computer, it is entirely possible for the threat actor to leverage this to “hijack” your session and bypass the need to authenticate. This is particularly scary considering this often defeats multi-factor authentication too.
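The server-side cross-check described above, written out as an added example that is not from the post or any particular site: the session store keeps only a hash of the cookie value, binds each session to a few coarse client attributes at login, and refuses a token presented with a different fingerprint so that a replayed cookie triggers re-authentication (and a log entry) instead of silently passing. The store, the attribute names and the sample clients are constructed assumptions for this illustration.

```python
"""Session validation that binds a session token to client attributes.

Added example, not from the post or any particular site: shows the kind of
cross-check the post describes, so that a cookie replayed from a client with
a different fingerprint is refused and flagged instead of silently accepted.
The store, attribute names and sample clients are constructed.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BOUND_ATTRS = ("ua_family", "os_family", "ip_geo")  # coarse, stable per login


@dataclass
class Session:
    user: str
    expires_at: float
    bound: Dict[str, str]   # attribute values captured when the session was created


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}   # keyed by hash of the cookie value

    @staticmethod
    def _key(token: str) -> str:
        # store only a hash so a dump of the store does not yield usable cookies
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, client: Dict[str, str], ttl_seconds: int = 86400) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(
            user=user,
            expires_at=time.time() + ttl_seconds,
            bound={k: client.get(k, "") for k in BOUND_ATTRS},
        )
        return token   # this is the value that goes into the cookie

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def validate(self, token: str, client: Dict[str, str]) -> Tuple[str, Optional[str]]:
        """Return (status, user). Status is one of:
        accepted, invalid, expired, fingerprint_mismatch."""
        s = self._sessions.get(self._key(token))
        if s is None:
            return "invalid", None
        if time.time() > s.expires_at:
            return "expired", None
        mismatched = [k for k in BOUND_ATTRS if client.get(k, "") != s.bound[k]]
        if mismatched:
            # A stolen cookie presented from another machine usually differs in
            # at least one bound attribute. Stealers also collect the victim's
            # browser and OS details, so a matching fingerprint is not proof of
            # legitimacy either; treat a mismatch as a re-authentication and
            # logging signal rather than as a complete defence.
            return "fingerprint_mismatch", None
        return "accepted", s.user


if __name__ == "__main__":
    store = SessionStore()
    home = {"ua_family": "Firefox 115", "os_family": "Windows", "ip_geo": "US"}
    cookie = store.create("joe", home)
    print(store.validate(cookie, home))                     # accepted
    print(store.validate(cookie, dict(home, ip_geo="DE")))  # fingerprint_mismatch
```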

Infostealers also capture information about your computer. This includes your machine name, IP address, operating system and version, which software you run and the type of anti-virus you use (if any). They often grab a screenshot of your desktop in addition to geolocating your machine as well.

Why the recent boom in Infostealers’ success?

Infostealers are no new concept, so why are they gaining success now? In short, the underground community has matured and evolved rapidly. As technology has advanced, so have threat actor capabilities. And with these advancements, underground marketplaces, hacker communities and their respective exploits have increased in power and efficacy. It’s important to remember there is a thriving economy supporting all of these digital nefarious activities. As noted by Tidal Cyber, here are some notable reasons for recent Infostealer growth and success:

– Underground marketplaces are robust and cater to threat actor demand. The underground hacking communities have benefitted from economic growth (of underground communities) the same way legitimate economies grow: demand for certain products and services increases the overall quality and creates competition. In short, demand for stolen credentials and PII creates demand for better tools to capture this data. Malware as a Service has emerged, allowing anyone with a nominal fee to gain access to these tools for their own malicious work.

– The cost and other barriers to entry are low, which builds upon the growing community and concept of MaaS (malware as a service). Simply put, it’s becoming easier to deploy botnet malware attacks, for very little up-front cost.

– Established “big game” threat actors are seeking Infostealer capabilities. As the underground community scales up, well-known and established cybercriminals are looking to expand their game using Infostealers.

– Infostealers are successfully impersonating legitimate software, which seeds infections. Simply put, botnet malware creators are doing a better job at disguising their Infostealer as legitimate software, making it both harder for antivirus software to detect and more likely a user will download and install the software.

How can Constella help?

Constella Intelligence leads the industry in the volume and quality of breach exposure data and is rapidly approaching the industry-leading spot for phishing and botnet data. We have the unique ability to capture data stolen by a phishing site or an Infostealer (botnet malware). And unlike the relatively slow lifecycle of breach data (where cyber criminals have plenty of headway to exploit your breached data before you’re aware), we capture and deliver alerts from captured botnet data in one to seven days. Since malicious actors are stealing data via botnets at such high volumes, being alerted to an exposure even a few days later gives the would-be victim a fighting chance to reset passwords and take other preventative measures before the hacker can make use of the captured data.

While antivirus software and other network security measures are a first line of defense against malware and Infostealers, they are not 100% effective. This is not a failure of your AV software and network security, as there are many reasons why botnet malware slips through; and in general, it’s a game of cat and mouse where malicious actors fight hard to stay one step ahead of security software. As a last line of defense against botnet malware attacks, let Constella monitor your clients’ data for exposure and alert you of incidents quickly, so you can begin remediation before it’s too late. Contact us for a demo!

Keon Ramezani

Sr. Sales Engineer