One of the cybercrime underground's more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned. Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. The data in those reports includes the subject's date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver's license information. JackieChan's service abuses the name and trademarks of Columbus, OH based data broker USinfoSearch, whose website says it provides "Identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more." "We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it," the company's website explains. "Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client." On October 19, 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data. USinfoSearch said it would investigate the report, which appears to have been obtained on or before June 30, 2023. Any allegation that we have provided data to criminals is in direct opposition to our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure. Because Martin Data has a reputation for high-quality data, thieves may steal data from other sources and then disguise it as ours. While we implement appropriate safeguards to guarantee that our data is only accessible by those who are legally permitted, unauthorized parties will continue to try to access our data. USinfoSearch's statement did not address any questions put to the company, such as whether it requires multi-factor authentication for customer accounts, or whether my report had actually come from USinfoSearch's systems. On Nov. 21 Hostettler acknowledged that the USinfoSearch identity fraud service on Telegram was in fact pulling data from an account belonging to a vetted USinfoSearch client. "I do know 100% that my company did not give access to the group who created the bots, but they did gain access to a client," Hostettler said of the Telegram-based identity fraud service. Hostettler said USinfoSearch heavily vets any new potential clients, and that all users are required to undergo a background check and provide certain documents. SIM swapping allows crooks to temporarily intercept the target's text messages and phone calls, including any links or one-time codes for authentication that are delivered via SMS. Reached on Telegram, JackieChan said most of his clients hail from the criminal SIM swapping world, and that the bulk of his customers use his service via an application programming interface that allows customers to integrate the lookup service with other web-based services, databases, or applications. JackieChan claims his USinfoSearch bot on Telegram abuses stolen credentials needed to access an API used by the real USinfoSearch, and that his service was powered by USinfoSearch account credentials that were stolen by malicious software tied to a botnet that he claims to have operated for some time. In 2013, KrebsOnSecurity broke the news that an identity fraud service in the underground called "SuperGet[.]info" was reselling access to personal and financial data on more than 200 million Americans that was obtained via the big-three credit bureau Experian. The consumer data resold by Superget was not obtained directly from Experian, but rather via USinfoSearch. At the time, USinfoSearch had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the USinfoSearch data, and vice versa. The U.S. Secret Service agent who oversaw Ngo's capture, extradition, prosecution and rehabilitation told KrebsOnSecurity he's unaware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo. REAL POLICE, FAKE EDRS. JackieChan also sells access to hacked email accounts belonging to law enforcement personnel in the United States and abroad. Hacked police department emails can come in handy for ID thieves trying to pose as law enforcement officials who wish to purchase consumer data from platforms like USinfoSearch. Mr. Hostettler's ongoing battle with fraudsters seeking access to his company's service. These police credentials are mainly marketed to criminals seeking fraudulent "Emergency Data Requests," wherein crooks use compromised government and police department email accounts to rapidly obtain customer account data from mobile providers, ISPs and social media companies. In response to an alarming increase in the volume of fraudulent EDRs, many service providers have chosen to require all EDRs be processed through a service called Kodex, which seeks to filter EDRs based on the reputation of the law enforcement entity requesting the information, and other attributes of the requestor. Each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor's email address. In August, JackieChan was advertising a working Kodex account for sale on the cybercrime channels, including redacted screenshots of the Kodex account dashboard as proof of access. Massive amounts of data about you and your personal history are available from USinfoSearch and dozens of other data brokers that acquire and sell "Non-FCRA" data - i.e., consumer data that cannot be used for the purposes of determining one's eligibility for credit, insurance, or employment. Anyone who works in or adjacent to law enforcement is eligible to apply for access to these data brokers, which often market themselves to police departments and to "Skip tracers," essentially bounty hunters hired to locate others in real life - often on behalf of debt collectors, process servers or a bail bondsman. The harsh reality is that all it takes for hackers to apply for access to data brokers is illicit access to a single police email account.
This Cyber News was published on krebsonsecurity.com. Publication date: Thu, 30 Nov 2023 20:25:06 +0000