How much does it cost for thieves to discover the data that unlocks identity for creditors, such as your Social Security number, birthday, or mother’s maiden name? Would it surprise you to learn that crooks are selling this data to any and all comers for pennies on the dollar?
At least, that’s the going price at superget.info. This fraudster-friendly site has been operating since July 2010, and markets the ability to look up SSNs, birthdays and other sensitive information on millions of Americans. Registration is free, and accounts are funded via WebMoney and Liberty Reserve, virtual currencies that are popular in the cybercriminal underground.
Superget lets users search for specific individuals by name, city, and state. Each “credit” costs USD$1, and a successful hit on a Social Security number or date of birth costs 3 credits each. The more credits you buy, the cheaper the searches are per credit: Six credits cost $4.99; 35 credits cost $20.99, and $100.99 buys you 230 credits. Customers with special needs can avail themselves of the “reseller plan,” which promises 1,500 credits for $500.99, and 3,500 credits for $1000.99.
“Our Databases are updated EVERY DAY,” the site’s owner enthuses. “About 99% nearly 100% US people could be found, more than any sites on the internet now.”
Customers who aren’t choosy about the identities they’re stealing can get a real bargain. Among the most trafficked commodities in the hacker underground are packages called “fullz infos,” which include the full identity information on dozens or hundreds of individuals.
The table at the right shows the bulk lookup price-per-identity in this class. In the “Fullz Info USA Type A” package, each record includes the subject’s first name, last name, middle name, email address, email password, physical address, phone number, date of birth, Social Security number, drivers license number, bank name, bank account number, bank routing number, the victim employer’s name, and the number of years that individual has been at his or her current job. The proprietor of this shop says he has more than 330,000 records of this type, and is adding 300-400 new records each day.
If you want the mother’s maiden name included in each of the bulk records, you’ll need to select “Fullz Info USA Type B”; the site’s owner says this package includes data from an older database, and perhaps that explains why the prices for these identities (pictured at left) are so much lower than those in the Type A category. The price in Type B starts at 16 cents per identity, and falls as low as nine cents per record for those requesting more than 20,000 fullz from this category.
It’s not clear how many records Superget has got, but even lookups for uncommon names produce numerous “hits.” Interestingly, each purchasable record contains a two- to three-letter “sourceid,” which may provide clues as to the source of this identity information. In the screen shot below, there are three different sourceids shown: “TH,” “MV,” and “NCO”. I found two other sourceids, including “EX” and “CM,” but there may be others I haven’t yet encountered. If anyone has a clue what these abbreviations stand for, please drop me a line in the comments or via email. My money is on the credit reporting bureaus and/or state motor vehicle departments, or real estate firms that have access to such information.
I scoured the interwebs for this domain to see who might be promoting it. I found a scammer-friendly forum called talkgold.com where a user named “hieupc” is promoting superget.info as his site. It’s unclear whether this same individual is related, but there is a fairly active Vietnamese hacker who uses the nickname “hieupc;” That user appears to have gotten started defacing Web sites, even attacking the Web site of his former university in New Zealand after the school kicked him out for alleged credit card fraud. As it happens, the Web server address history for superget.info shows that it was hosted last year in Vietnam.
This hieupc character struck me as a bit too amateurish to have come up with this service on his own, so I had another look around the underground for some more clues. I can’t be certain, but it appears that Superget is little more than a reseller of this service, which offers the same products but at a slightly cheaper price point.
Have you seen:
How Much is That Phished PayPal Account?…Compromised PayPal accounts are a valuable commodity in the criminal underground, and crooks frequently trade them in shadowy online forums. But it wasn’t until recently that I finally encountered a proper Web site dedicated to selling hacked PayPal accounts.