ID Theft Service Resold Access to USInfoSearch Data

One of the cybercrime underground's more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned.

Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. The data in those reports includes the subject's date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver's license information.

JackieChan's service abuses the name and trademarks of Columbus, OH based data broker USinfoSearch, whose website says it provides "Identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more." "We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it," the company's website explains. "Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client."

On October 19, 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data. USinfoSearch said it would investigate the report, which appears to have been obtained on or before June 30, 2023.

Any allegation that we have provided data to criminals is in direct opposition to our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure. Because Martin Data has a reputation for high-quality data, thieves may steal data from other sources and then disguise it as ours. While we implement appropriate safeguards to guarantee that our data is only accessible by those who are legally permitted, unauthorized parties will continue to try to access our data.

USinfoSearch's statement did not address any questions put to the company, such as whether it requires multi-factor authentication for customer accounts, or whether my report had actually come from USinfoSearch's systems.

On Nov. 21 Hostettler acknowledged that the USinfoSearch identity fraud service on Telegram was in fact pulling data from an account belonging to a vetted USinfoSearch client. "I do know 100% that my company did not give access to the group who created the bots, but they did gain access to a client," Hostettler said of the Telegram-based identity fraud service. Hostettler said USinfoSearch heavily vets any new potential clients, and that all users are required to undergo a background check and provide certain documents.

SIM swapping allows crooks to temporarily intercept the target's text messages and phone calls, including any links or one-time codes for authentication that are delivered via SMS. Reached on Telegram, JackieChan said most of his clients hail from the criminal SIM swapping world, and that the bulk of his customers use his service via an application programming interface that allows customers to integrate the lookup service with other web-based services, databases, or applications.

JackieChan claims his USinfoSearch bot on Telegram abuses stolen credentials needed to access an API used by the real USinfoSearch, and that his service was powered by USinfoSearch account credentials that were stolen by malicious software tied to a botnet that he claims to have operated for some time.

In 2013, KrebsOnSecurity broke the news that an identity fraud service in the underground called "SuperGet[.]info" was reselling access to personal and financial data on more than 200 million Americans that was obtained via the big-three credit bureau Experian. The consumer data resold by Superget was not obtained directly from Experian, but rather via USinfoSearch. At the time, USinfoSearch had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the USinfoSearch data, and vice versa.

The U.S. Secret Service agent who oversaw Ngo's capture, extradition, prosecution and rehabilitation told KrebsOnSecurity he's unaware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo.

REAL POLICE, FAKE EDRS

JackieChan also sells access to hacked email accounts belonging to law enforcement personnel in the United States and abroad. Hacked police department emails can come in handy for ID thieves trying to pose as law enforcement officials who wish to purchase consumer data from platforms like USinfoSearch. Mr. Hostettler's ongoing battle with fraudsters seeking access to his company's service.

These police credentials are mainly marketed to criminals seeking fraudulent "Emergency Data Requests," wherein crooks use compromised government and police department email accounts to rapidly obtain customer account data from mobile providers, ISPs and social media companies. In response to an alarming increase in the volume of fraudulent EDRs, many service providers have chosen to require all EDRs be processed through a service called Kodex, which seeks to filter EDRs based on the reputation of the law enforcement entity requesting the information, and other attributes of the requestor. Each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor's email address.

In August, JackieChan was advertising a working Kodex account for sale on the cybercrime channels, including redacted screenshots of the Kodex account dashboard as proof of access.

Massive amounts of data about you and your personal history are available from USinfoSearch and dozens of other data brokers that acquire and sell "Non-FCRA" data - i.e., consumer data that cannot be used for the purposes of determining one's eligibility for credit, insurance, or employment. Anyone who works in or adjacent to law enforcement is eligible to apply for access to these data brokers, which often market themselves to police departments and to "Skip tracers," essentially bounty hunters hired to locate others in real life - often on behalf of debt collectors, process servers or a bail bondsman. The harsh reality is that all it takes for hackers to apply for access to data brokers is illicit access to a single police email account.

This Cyber News was published on krebsonsecurity.com. Publication date: Thu, 30 Nov 2023 20:25:06 +0000

