ID Theft Service Resold Access to USInfoSearch Data - Krebs on Security
One of the cybercrime underground's more active sellers of Social Security numbers, background and credit reports has been pulling data from hacked accounts at the U.S. consumer data broker USinfoSearch, KrebsOnSecurity has learned.

Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. For prices ranging from $8 to $40 and payable via virtual currency, the bot will return detailed consumer background reports automatically in just a few moments.

USiSLookups is the project of a cybercriminal who uses the nicknames JackieChan/USInfoSearch, and the Telegram channel for this service features a small number of sample background reports, including that of President Joe Biden and podcaster Joe Rogan. The data in those reports includes the subject's date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver's license information.

JackieChan's service abuses the name and trademarks of Columbus, OH based data broker USinfoSearch, whose website says it provides "identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more."

"We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it," the company's website explains. "Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client."

As luck would have it, my report was also listed in the Telegram channel for this identity fraud service, presumably as a teaser for would-be customers. On October 19, 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data.

USinfoSearch said it would investigate the report, which appears to have been obtained on or before June 30, 2023. On Nov. 9, 2023, Scott Hostettler, general manager of USinfoSearch parent Martin Data LLC, shared a written statement about their investigation that suggested the ID theft service was trying to pass off someone else's consumer data as coming from USinfoSearch:

"Regarding the Telegram incident, we understand the importance of protecting sensitive information and upholding the trust of our users is our top priority. Any allegation that we have provided data to criminals is in direct opposition to our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure. Because Martin Data has a reputation for high-quality data, thieves may steal data from other sources and then disguise it as ours. While we implement appropriate safeguards to guarantee that our data is only accessible by those who are legally permitted, unauthorized parties will continue to try to access our data. Thankfully, the requirements needed to pass our credentialing process is tough even for established honest companies."

USinfoSearch's statement did not address any questions put to the company, such as whether it requires multi-factor authentication for customer accounts, or whether my report had actually come from USinfoSearch's systems.

After much badgering, on Nov. 21 Hostettler acknowledged that the USinfoSearch identity fraud service on Telegram was in fact pulling data from an account belonging to a vetted USinfoSearch client.

"I do know 100% that my company did not give access to the group who created the bots, but they did gain access to a client," Hostettler said of the Telegram-based identity fraud service. "I apologize for any inconvenience this has caused."

Hostettler said USinfoSearch heavily vets any new potential clients, and that all users are required to undergo a background check and provide certain documents. Even so, he said, several fraudsters each month present themselves as credible business owners or C-level executives during the credentialing process, completing the application and providing the necessary documentation to open a new account.

"The level of skill and craftsmanship demonstrated in the creation of these supporting documents is incredible," Hostettler said. "The numerous licenses provided appear to be exact replicas of the original document. Fortunately, I've discovered several methods of verification that do not rely solely on those documents to catch the fraudsters."

"These people are unrelenting, and they act without regard for the consequences," Hostettler continued. "After I deny their access, they will contact us again within the week using the same credentials. In the past, I've notified both the individual whose identity is being used fraudulently and the local police. Both are hesitant to act because nothing can be done to the offender if they are not apprehended. That is where most attention is needed."

JackieChan is most active on Telegram channels focused on "SIM swapping," which involves bribing or tricking mobile phone company employees into redirecting a target's phone number to a device the attackers control. SIM swapping allows crooks to temporarily intercept the target's text messages and phone calls, including any links or one-time codes for authentication that are delivered via SMS.

Reached on Telegram, JackieChan said most of his clients hail from the criminal SIM swapping world, and that the bulk of his customers use his service via an application programming interface (API) that allows customers to integrate the lookup service with other web-based services, databases, or applications.

"Sim channels is where I get most of my customers," JackieChan told KrebsOnSecurity. "I'm averaging around 100 lookups per day on the Telegram bot, and around 400 per day on the API."

JackieChan claims his USinfoSearch bot on Telegram abuses stolen credentials needed to access an API used by the real USinfoSearch, and that his service was powered by USinfoSearch account credentials that were stolen by malicious software tied to a botnet that he claims to have operated for some time.

This is not the first time USinfoSearch has had trouble with identity thieves masquerading as legitimate customers. In 2013, KrebsOnSecurity broke the news that an identity fraud service in the underground called "SuperGet[.]info" was reselling access to personal and financial data on more than 200 million Americans that was obtained via the big-three credit bureau Experian.

The consumer data resold by Superget was not obtained directly from Experian, but rather via USinfoSearch. At the time, USinfoSearch had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the USinfoSearch data, and vice versa.

When Court Ventures was purchased by Experian in 2012, the proprietor of SuperGet, a Vietnamese hacker named Hieu Minh Ngo who had impersonated an American private investigator, was grandfathered in as a client. The U.S. Secret Service agent who oversaw Ngo's capture, extradition, prosecution and rehabilitation told KrebsOnSecurity he's unaware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo.

JackieChan also sells access to hacked email accounts belonging to law enforcement personnel in the United States and abroad. Hacked police department emails can come in handy for ID thieves trying to pose as law enforcement officials who wish to purchase consumer data from platforms like USinfoSearch. Hence, Mr. Hostettler's ongoing battle with fraudsters seeking access to his company's service.

These police credentials are mainly marketed to criminals seeking fraudulent "Emergency Data Requests," wherein crooks use compromised government and police department email accounts to rapidly obtain customer account data from mobile providers, ISPs and social media companies.

Normally, these companies will require law enforcement officials to supply a subpoena before turning over customer or user records. But EDRs allow police to bypass that process by attesting that the information sought is related to an urgent matter of life and death, such as an impending suicide or terrorist attack.

In response to an alarming increase in the volume of fraudulent EDRs, many service providers have chosen to require all EDRs be processed through a service called Kodex, which seeks to filter EDRs based on the reputation of the law enforcement entity requesting the information, and other attributes of the requestor.

For example, if you want to send an EDR to Coinbase or Twilio, you'll first need to have valid law enforcement credentials and create an account at the Kodex online portal at these companies. However, Kodex may still throttle or block any requests from any accounts if they set off certain red flags.

Within their own separate Kodex portals, Twilio can't see requests submitted to Coinbase, or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client, and then drill down further into other data about the submitter, such as Internet addresses used, and the age of the requestor's email address.

In August, JackieChan was advertising a working Kodex account for sale on the cybercrime channels, including redacted screenshots of the Kodex account dashboard as proof of access.

Kodex co-founder Matt Donahue told KrebsOnSecurity his company immediately detected that the law enforcement email address used to create the Kodex account pictured in JackieChan's ad was likely stolen from a police officer in India. One big tipoff, Donahue said, was that the person creating the account did so using an Internet address in Brazil.

"There's a lot of friction we can put in the way for illegitimate actors," Donahue said. "We don't let people use VPNs. In this case we let them in to honeypot them, and that's how they got that screenshot. But nothing was allowed to be transmitted out from that account."

Massive amounts of data about you and your personal history are available from USinfoSearch and dozens of other data brokers that acquire and sell "non-FCRA" data, i.e., consumer data that cannot be used for the purposes of determining one's eligibility for credit, insurance, or employment.

Anyone who works in or adjacent to law enforcement is eligible to apply for access to these data brokers, which often market themselves to police departments and to "skip tracers," essentially bounty hunters hired to locate others in real life, often on behalf of debt collectors, process servers or a bail bondsman.

There are tens of thousands of police jurisdictions around the world, including roughly 18,000 in the United States alone. And the harsh reality is that all it takes for hackers to apply for access to data brokers (and abuse the EDR process) is illicit access to a single police email account.

The trouble is, compromised credentials to law enforcement email accounts show up for sale with alarming frequency on the Telegram channels where JackieChan and their many clients reside. Indeed, Donahue said Kodex so far this year has identified attempted fake EDRs coming from compromised email accounts for police departments in India, Italy, Thailand and Turkey.
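The sign-up signals described above for the Kodex portal (location of the Internet address versus the agency's country, VPN use, age of the requestor's email address, history with other portal clients) can be combined into a simple triage rule. This is an added example, not Kodex's code and not part of the original article; the field names, thresholds, decision labels and sample records are assumptions constructed for illustration.

```python
"""Triage of new law-enforcement portal sign-ups using the signals the article names.
Field names, thresholds and sample records are assumptions made for this example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signup:
    email: str
    agency_country: str      # country of the agency that owns the email domain
    ip_country: str          # geolocation of the address that created the account
    via_vpn: bool            # address falls in a known VPN/proxy range
    email_age_days: int      # age of the requestor's email address
    other_clients_seen: int  # other portal clients this submitter has filed with


def triage(s: Signup, min_email_age_days: int = 90):
    """Return (decision, reasons); decision is allow, throttle, quarantine or block."""
    if s.via_vpn:
        return "block", ["vpn"]
    reasons = []
    if s.ip_country != s.agency_country:
        reasons.append("ip_country_mismatch")
    if s.email_age_days < min_email_age_days:
        reasons.append("young_email")
    if s.other_clients_seen == 0:
        reasons.append("no_cross_client_history")
    if "ip_country_mismatch" in reasons:
        # The "big tipoff" case: the account may log in, but nothing leaves it.
        return "quarantine", reasons
    if len(reasons) >= 2:
        return "throttle", reasons
    return "allow", reasons


def may_release_data(decision: str) -> bool:
    """Quarantined and blocked accounts never receive request results."""
    return decision in ("allow", "throttle")


# Constructed sample records; the example.* domains are placeholders.
SAMPLES = [
    Signup("officer@police.example.in", "IN", "BR", False, 2000, 0),
    Signup("det@pd.example.us", "US", "US", False, 1500, 3),
    Signup("new@pd.example.it", "IT", "IT", False, 10, 0),
    Signup("x@pd.example.tr", "TR", "TR", True, 900, 1),
]


def run(samples=SAMPLES):
    """Triage every sample and return (email, decision, reasons) tuples."""
    return [(s.email, *triage(s)) for s in samples]


if __name__ == "__main__":
    for email, decision, reasons in run():
        print(f"{email:28} {decision:10} release={may_release_data(decision)} {reasons}")
```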

This entry was posted on Tuesday 28th of November 2023 10:57 AM

Since not everyone is as well versed in these acronyms:
FCRA: Fair Credit Reporting Act
https://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act

Appreciate that, thanks.

Thanks, Rip.
A couple of months ago, T-Mobile began to retain my payment information. I've had the account since 2011. I complained to the FCC, as I had twice before over the years. The response this time was my request was out of process. There was simply no way they would purge that information, although they claimed, in error, that their payment bot would ask. In addition, they have gone paperless, and so billing documentation will take special steps to obtain and complaints harder to document. Lying in FCC filings is apparently no longer a concern.

I bet that scammy site provided a better service than Equifax and Experian.

It's hilarious that this article presents the crooks at USInfoSearch as somehow legitimate, with an actual right to carry on their dodgy business, while some dude on Telegram who bears no responsibility for the violations of privacy that they exist to perpetrate is somehow bad.

So you can recognize the fact that collecting data of this nature is damaging, and yet cannot seem to grasp how making that data available to criminals who want to use it to do harm is also damaging? That's some interesting think-fu.

It's better that it's available to criminals than corporations and the American regime.

It's hilarious that this article presents the crooks at USInfoSearch as somehow legitimate, with an actual right to carry on their dodgy business, while some dude on Telegram who bears no responsibility for the violations of privacy that they exist to perpetrate is somehow bad.

There are three issues converging to create this mess: 1) the use of SMS for authentication by financial and email providers, 2) the unfettered existence of databrokers, and 3) the ability to pay for something anonymously.

There are three issues converging to create this mess: 1) the use of SMS for authentication by financial and email providers, 2) the unfettered existence of databrokers, and 3) the ability to pay for something anonymously.

How is it that the comments from Alexandra and Ali S are identical, word for word? As are the comments from JNimmo and Paul Rain. Is it a bug or a feature?

The site can take some time to present comments after they have been submitted. People use fake names. People are impatient. And there you have it.

Hi Krebz jackie Chan is a fed free USIS i done more lookups then all deez silly goosez
btw mr kreb ur info is my template text for users on my bot

Zyncirely
Lookupsgg

This is very disturbing.

While you mention that the hacked service is used for Age Verification, we did want to make clear that it is not itself what we would consider an age verification provider. Our industry code of conduct, up to which all our Members must sign, includes the following provision:

"Data privacy should be paramount. Members should follow privacy and security by design principles and make all reasonable endeavours to minimise the use and retention of personal data and to maintain the security of processed or stored personal data."

We start with the premise that the only non-hackable database is no database at all, so even if PII is used during the age proofing process, it is not retained centrally by an AV provider thereafter, except for the date of birth itself.

The sources of that PII are banks, credit reference agencies, electoral rolls/registers etc., all of which face their own challenges in keeping their data secure. Age verification itself does not create new honeypots of PII. The essence of online age assurance is proving your age without disclosing your identity; we intend to keep it that way.

You are a criminal. You should be hunted down and tried for your crimes.

nice

And now Kodex is a prime target for crooks:
httpswww404mediacohackerstargetkodexaccountsedrsref404medianewsletter