One of the most active sellers of Social Security numbers, backgrounds and credit reports in the cybercrime underground has been extracting data from hacked accounts of U.S. consumer data brokers US information searchKrebsOnSecurity has been informed.
Since at least February 2023, a service advertised on Telegram is called USiS query An automated bot was run that allowed anyone to look up the SSN or background report of almost any American. For prices between $8 and $40 paid via virtual currency, the bot will automatically return a detailed consumer background report within minutes.
USiSLookups is a project of cybercriminals using nicknames Jackie Chan/USInfoSearchand the service’s Telegram channel provides a small number of sample background reports, including President Joe Bidenand podcasts Joe Rogan. Data in these reports include the subject’s date of birth, address, previous addresses, previous phone numbers and employers, known relatives and co-workers, and driver’s license information.
Jackie’s Services misused the Columbus, Ohio profile broker’s name and trademark US information searchIts website says it provides “identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more.”
“We focus on non-FCRA data from numerous proprietary sources to provide you with the information you need, when you need it,” the company’s website explains. “Our services include API-based access to integrate data into their products or applications, as well as batch and lot logging to meet each customer’s needs.”
Fortunately, my report was also listed on the identity fraud service’s Telegram channel, presumably as a teaser to potential customers. On October 19, 2023, KrebsOnSecurity shared a copy of the document with the real USinfoSearch and requested information about the source of the material.
USinfoSearch said it will investigate the report, which appears to have been obtained on or before June 30, 2023. November 9, 2023 Scott HostlerGeneral Manager of USinfoSearch parent company Martin Data LLC shared a written statement about their investigation indicating that the identity theft service attempted to pass off other people’s consumer profiles as coming from USinfoSearch:
Regarding the Telegram incident, we understand the importance of protecting sensitive information and maintaining user trust is our top priority. Any allegation that we provide data to criminals is directly contrary to our fundamental principles and the safeguards we have in place and continuously monitor to prevent any unauthorized disclosure. Because Martin Data has a reputation for high-quality data, thieves may steal data from other sources and then disguise it as our data. Although we implement appropriate safeguards to ensure that our data is only accessible by those permitted by law, unauthorized parties will continue to attempt to access our data. Thankfully, the requirements required to pass our certification process are stringent, even for established and honest companies.
USinfoSearch’s statement did not address any of the questions raised with the company, such as whether multi-factor authentication is required for customer accounts or whether my reports actually came from USinfoSearch’s systems.
After some wrangling, Hostettler admitted on November 21 that the USinfoSearch identity fraud service on Telegram actually pulled data from accounts belonging to censored USinfoSearch clients.
“I do know 100% that my company did not grant access to the organization that created the bot, but they did gain access to the customer,” Hostettler said of the Telegram-based identity fraud service. “For the consequences of this, I apologize for any inconvenience.”
Hostettler said any new potential customers will be rigorously vetted by USinfoSearch, and all users must undergo a background check and provide certain documentation. Even so, he said, several fraudsters each month present themselves as trusted business owners or C-level executives during the certification process, completing applications and providing the documents needed to open new accounts.
“The level of skill and craftsmanship that went into creating these support documents is incredible,” Hostetler said. “The large number of licenses provided appear to be exact replicas of the original files. Fortunately, I discovered several verification methods that rely solely on more than just these files to catch fraudsters.”
“These people showed no mercy and acted without regard to the consequences,” Hostetler continued. “After I denied them access, they would contact us again within a week using the same credentials. In the past, I have notified the individual whose identity was used and the local police. Both were hesitant to take action because If you don’t arrest the criminals, nothing can be done. That’s where the most attention needs to be.”
SIM swapper’s delight
Jackie Chan is the most active on the Telegram channel, mainly focusing on “SIM card exchange“, which involves bribing or tricking mobile phone company employees into redirecting a target’s phone number to a device controlled by the attacker. SIM swapping allows scammers to temporarily intercept a target’s text messages and phone calls, including any authentication information sent via text message. link or one-time code.
Jackie Chan said on Telegram that most of his clients are from the criminal field of SIM swapping and that most of his clients use his services through an application programming interface (API), which allows customers to combine the search service with other web-based services. Integration, database or application.
“The Sim channel is where I get most of my clients,” Jackie told KrebsOnSecurity. “I average about 100 searches a day on the site [Telegram] Bots, there are about 400 on the API every day. “
JackieChan claims that his USinfoSearch bot on Telegram abused stolen credentials needed to access APIs used by the real USinfoSearch, and that his service was powered by USinfoSearch account credentials that were run by a botnet he claimed had been running for some time Road-related malware theft. .
This isn’t the first time USinfoSearch has run into trouble with identity thieves masquerading as legitimate customers. In 2013, KrebsOnSecurity broke the news that there was an underground species called “Super Get[.]information“The personal and financial data of more than 200 million Americans obtained through the three major credit bureaus is being resold. Experian.
The consumer data Superget resells is not obtained directly from Experian, but through USinfoSearch.At the time, USinfoSearch was working with a company called Court VenturesCourt Ventures customers can access USinfoSearch data and vice versa.
In 2012, when Court Ventures was acquired by Experian, SuperGet’s owner—a man named Wu Xiaoming Someone who had posed as an American private investigator – considered a client.this United States Secret Service The special agent who oversaw Ngo’s arrest, extradition, prosecution, and recovery told KrebsOnSecurity that he is not aware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo.
Real police, fake EDRS
Jackie also sold access to hacked email accounts of U.S. and foreign law enforcement officials. Hacked police department emails could come in handy for identity thieves trying to impersonate law enforcement officers in hopes of purchasing consumer profiles from platforms like USinfoSearch. As a result, Mr. Hostetler has been battling fraudsters seeking to use his company’s services.
These police credentials are primarily sold to criminals seeking fraudulent “urgent information requests” in which scammers use compromised government and police department email accounts to quickly obtain customer account information from mobile providers, ISPs and social media companies .
Often, these companies will request a subpoena from law enforcement before turning over customer or user records. But EDR allows police to get around that process by proving that the information sought is relevant to an urgent matter of life or death, such as an imminent suicide or terrorist attack.
In response to the alarming increase in the number of fraudulent EDRs, many service providers have chosen to require all EDRs to be processed through a service called Kodex, which is designed to filter EDRs based on the reputation and other information of the law enforcement entity requesting the information. Properties of the requester.
For example, if you want to send an EDR to Coin Library or twillio, you first need to have valid law enforcement credentials and establish an account on these companies’ Kodex online portals. However, Kodex may still limit or block any requests from any account if it raises certain red flags.
In their own separate Kodex portal, Twilio cannot see requests submitted to Coinbase and vice versa. But everyone can see if the law enforcement entity or individual associated with one of their requests has previously submitted a request to a different Kodex client, and then drill down further to learn additional data about the submitter, such as the internet address used, and who made the request The age of the email address.
In August, Jackie advertised a working Kodex account for sale on a cybercriminal channel, including an edited screenshot of the Kodex account dashboard as proof of access.
Co-Founder of Codex Matt Donahue told KrebsOnSecurity that his company immediately discovered that the law enforcement email address used to create the Kodex account featured in Jackie Chan’s ad was likely stolen from a police officer in India. Donahue said a big clue was that the person who created the account was operating from a Brazilian Internet address.
“We can create a lot of friction for illegal actors,” Donahue said. “We don’t allow people to use VPNs. In this case, we let them into the honeypot and that’s how they get the screenshots. But the account is not allowed to transmit anything.”
USinfoSearch and dozens of other data brokers that obtain and sell “non-FCRA” data (consumer data that cannot be used to determine an individual’s credit or insurance eligibility) provide a wealth of information about you and your personal history. , or employment.
Anyone who works in or adjacent to law enforcement is eligible to apply to use these data brokers, who often market themselves to police departments and are “skip tracers,” essentially being hired to find people in real-life situations. Bounty hunter for other people – usually for debt collectors, process servers or bail bondsmen.
There are tens of thousands of police jurisdictions around the world, including about 18,000 in the United States alone. The harsh reality is that all it takes for a hacker to gain access to a data proxy (and abuse the EDR process) is to gain illegal access to a single police email account.
The problem is that leaked credentials for law enforcement email accounts are showing up for sale with alarming frequency on the Telegram channel where Jackie Chan and many of her clients are. In fact, Donahue said Kodex has discovered fake EDR attempts so far this year from compromised email accounts of police departments in India, Italy, Thailand and Turkey.
1 Comment
Very interesting info!Perfect just what I was looking for!Expand blog