A report released after a seven-month investigation by well-known cybersecurity researcher Brian Krebs has revealed that some of the United States’ largest consumer and business data aggregators have been hacked by an identity theft service that sells Social Security Numbers (SSNs), birth records, and credit and background reports on millions of Americans. For the past two years, the website ssndob[dot]ms (SSNDOB) has offered social security numbers (SSNs), birth records, and other personal data of US residents for between 50 cents and $2.50 per record, and credit reports and background checks for between $5 and $15. Subscribers to the site generally pay using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney. SSNDOB first gained public attention in March 2013, when hackers allegedly connected to the hacktivist group UGNazi posted information from SSNDOB on exposed.su, a website that listed the SSNs, dates of birth, phone numbers, and current and previous addresses of dozens of celebrities, including First Lady Michelle Obama, Microsoft founder Bill Gates, and singers Beyonce and Kanye West. During the summer of 2013, multiple hackers attacked SSNDOB, and Krebs was able to review and analyze a copy of the site’s database. The review revealed that since the site’s launch in early 2012, 1300 customers have purchased data on over four million Americans, including over 1.02 million unique SSNs and nearly 3.1 million date of birth records. In addition, SSNDOB appears to have licensed its system for use by at least a dozen high-volume users. There is evidence indicating that these users operate third-party identity theft services. 
While the SSNDOB database did not indicate the sources of the stolen information, an analysis of the networks and credentials used by SSNDOB administrators indicated that they had also operated a small but very potent botnet, which appears to have been in direct communication with internal systems at a number of large American data brokers since the spring of 2013. An analysis of the botnet malware revealed that it was so sophisticated that none of the 46 top anti-malware tools on the market detected it as malicious. Two of the hacked servers were located inside the networks of LexisNexis Inc, which maintains one of the world’s largest electronic databases of legal and public records-related information. Two other hacked servers were located inside the networks of Dun & Bradstreet, a New Jersey data aggregator that licenses information about businesses for use in credit decisions, business-to-business marketing and supply chain management. The fifth and final hacked server was located at Internet addresses assigned to Kroll Background America, Inc, which offers employment background, drug and health screening. The companies have confirmed that their systems were compromised, but have not yet conclusively determined whether the hackers reached or obtained any customer or consumer data. All three are working with federal authorities and third-party forensics firms to determine how far the breaches extended, and whether the hackers appropriated any sensitive information from their networks. Fraud experts say that, contrary to the prevailing wisdom, hackers are not generally interested in individuals’ personal data, such as their SSN and date of birth; what is most valuable to them is the data that companies hold about consumer and business habits and practices. 
For example, the main factor most credit-granting organizations use in assessing whether an application for credit is fraudulent is the accuracy of an applicant’s answers to a set of questions about their financial and consumer history, a process referred to as “knowledge-based authentication” (KBA). Thus, an identity thief equipped with this type of information about a person, as opposed to only their SSN and date of birth, is more likely to successfully obtain a line of credit in that person’s name. Analysts warn that in light of attacks such as those of SSNDOB on the computer systems of large, well-respected data brokers, credit-granting organizations will need to develop alternatives to either replace or supplement KBA.

A follow-up report released by Krebs on October 1, 2013 indicated that the SSNDOB hackers had also infiltrated and stolen data from the networks of the National White Collar Crime Center (NW3C), a congressionally-funded non-profit organization that provides training, investigative support and research to agencies and entities involved in the prevention, investigation and prosecution of cybercrime. Krebs’s initial report on SSNDOB can be found at: http://tinyurl.com/knc795c, and the follow-up report on the NW3C hacking can be found at: http://tinyurl.com/kh3cfg5.

Summary by: Kathryn May

E-TIPS® ISSUE

13 10 09

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.