Skip to main content

Here’s what happens when you lay a trap for cybercriminals

(Image credit: Shutterstock / GoodStudio)

To leave a database exposed online for even a brief period of time carries a significant risk for businesses, according to the findings of a recent experiment.

Cybersecurity firm Comparitech set up a honeypot, in the form of a deliberately exposed database hosted on an Elasticsearch instance, which was attacked by unauthorized parties for the first time only 8.5 hours after it was made public.

During the 11-day period in which the fake database remained exposed, hackers attempted to gain access on 175 separate occasions, averaging 18 attacks per day.

Unsecured databases

According to the Comparitech report, many hackers rely on IoT search engines such as Shodan.io or BinaryEdge to identify vulnerable databases worthy of attack.

Five days after the honeypot was first deployed, the database was indexed on Shodan, leading to the largest number of attacks in a single day (22). Within just one minute of the honeypot appearing in search listings, two distinct attacks took place.

The report was noted that a significant volume of attacks took place before the database was listed by any search engine, which Comparitech says demonstrates “how many hackers rely on their own proactive scanning tools rather than waiting on passive IoT search engines to crawl vulnerable databases.”

Of the 175 attacks incurred by the honeypot, almost all originated in the United States (89), Romania (38) and China (15). The majority of attacks attempted to gain information about the database and its settings, with hackers using the GET request method in 147 instances and the POST method in 24.

While the company's initial intention was to challenge the assumption that exposing data for a short period is unlikely to result in an attack, the experiment also served to highlight the wide range of cyberthreats businesses face.

After the research had already concluded, a ransomware bot discovered the still public honeypot and deleted the few files that remained - an attack that lasted only five seconds.

“If you want to recover your data send 0.06 TBC to [redacted address] and you must send email to [redacted address] with your IP. If you need a proof about your data just send email (sic). If you don’t do a payment all your data may be used for our purposes and/or will be leaked/sold,” read a note left behind by the malicious bot.

The security firm noted that a portion of the attackers identified as part of the study could well have been fellow security researchers (benign attackers), which are often indistinguishable from malicious actors.