September 17, 2012

A Web site that sells Social Security numbers, bank account information and other sensitive data on millions of Americans appears to be obtaining at least some of its records from a network of hacked or complicit payday loan sites.

Usearching.info sells sensitive data taken from payday loan networks.

Usearching.info boasts the “most updated database about USA,” and offers the ability to purchase personal information on countless Americans, including SSN, mother’s maiden name, date of birth, email address, and physical address, as well as and driver license data for approximately 75 million citizens in Florida, Idaho, Iowa, Minnesota, Mississippi, Ohio, Texas and Wisconsin.

Users can search for an individual’s information by name, city and state (for .3 credits per search), and from there it costs 2.7 credits per SSN or DOB record (between $1.61 to $2.24 per record, depending on the volume of credits purchased). This portion of the service is remarkably similar to an underground site I profiled last year which sold the same type of information, even offering a reseller plan.

What sets this service apart is the addition of more than 330,000 records (plus more being added each day) that appear to be connected to a satellite of Web sites that negotiate with a variety of lenders to offer payday loans.

I first began to suspect the information was coming from loan sites when I had a look at the data fields available in each record. A trusted source opened and funded an account at Usearching.info, and purchased 80 of these records, at a total cost of about $20. Each includes the following data: A record number, date of record acquisition, status of application (rejected/appproved/pending), applicant’s name, email address, physical address, phone number, Social Security number, date of birth, bank name, account and routing number, employer name, and the length of time at the current job. These records are sold in bulk, with per-record prices ranging from 16 to 25 cents depending on volume.

But it wasn’t until I started calling the people listed in the records that a clearer picture began to emerge. I spoke with more than a dozen individuals whose data was being sold, and found that all had applied for payday loans on or around the date in their respective records. The trouble was, the records my source obtained were all dated October 2011, and almost nobody I spoke with could recall the name of the site they’d used to apply for the loan. All said, however, that they’d initially provided their information to one site, and then were redirected to a number of different payday loan options.

SSN and DOB prices range from to $1.61 to $2.24 per record.

Then I heard from Samantha, a Virginia resident who requested that I not use her full name in this piece. Samantha acknowledged “foolishly entering her information at one of these payday loan sites about a year ago” because she’d had major surgery at the time and needed some extra funds.

“Not long after that I started getting calls from a so-called collection agency for payday loans that I never took,” Samantha explained in an email. “The people calling had heavy Indian accents and were posing as processor servers for the state of Virginia, police officers, or just straight out threatening me. Luckily, I never verified my information with these people and filed complaints with the Federal Trade Commission and the state of Virginia. The FTC has since busted some of these ‘companies’ for these fake collection calls.”

Samantha said she provided her data at a site called 1min-payday-loan.com, which directed her to a number of lenders. I reached out to that Web site early last week but have not yet received a reply.

She never did get approved for a payday loan. It’s probably just as well: such loans are illegal in Virginia and several other states. Many online payday loan companies don’t seem to care which state you live in or whether it’s illegal there. The site Samantha said she sent her personal information to offers payday loans to residents of all 50 states.

“If they operate illegally, then they probably don’t care how they treat you as a customer,” Samantha said.

I asked a number of legal experts about the legality of selling someone else’s Social Security number. There are a number of state and federal laws that apply here, but the consensus seems to be that the determining factor is intent. Two federal law enforcement officials who asked not to be quoted said roughly the same thing: That the possession and trafficking of SSNs should fall under 18 USC 1029(a)(2) and (a)(3), with SSNs defined (albeit not obviously) as “unauthorized access devices”.  In addition, contempt and conspiracy language in that statute should allow the charge to extend to parties knowingly hosting and profiting from the activity.

This service deftly illustrates the ease with which miscreants can obtain your most personal data. The next time you call your bank or interact with a company that asks you to authenticate yourself by reciting some or all of your Social Security number, birth date, mother’s maiden name — or any other personal information that you may assume is private — remember that services like this exist. Whenever possible, I think it’s an excellent idea to insist that these entities authenticate you using alternative questions and answers that are truly private to you and to you alone.


8 thoughts on “ID Theft Service Tied to Payday Loan Sites

  1. UndergroundMember

    9 out of 10 sites that offer payday loans and take your information redirect you to yet another site which takes your information which if your lucky will finally take you to a legitimate site which could have easily been found in a google search. They will have you input your information yet again which leads to the question, Where did the information go that you filled out with the previous sites?

    These sites can operate “legally” because they are supposedly providing you with a lead to a legitimate lender. The problem is none of your information is passed on to the lender, nor are they in any way affiliated.

    Buy a couple fullz and give it a shot one day, you’d be surprised at how corrupt the online payday loan scene is.

  2. Jim Bob

    I still cannot wrap my mind around how a site which traffics SSNs can legally exist. Are all of these domains hosted off-shore or in foreign countries which do not cooperate with US law enforcement agencies? The mind reels…

  3. d

    As a newly minted Virginian, Pay Day loan companies are always in the news, especially with all the military in my area. However, enforcement seems to fall to the level of the Do-Not-Call list. Government as a whole (state and federal) seems to be wholly unprepared for, and way behind, the crooks who run scams on the Internet.

    Good job, Brian. You should definitely pitch your findings to the wider media.

  4. really?

    echoing Jim Bob, can someone, maybe Brian, talk about how these sites are able to operate so openly.

    1. BrianKrebs Post author

      Most of these sites aren’t exactly advertised in a traditional sense. They rely on word-of-mouth in the underground, and on some pretty targeted ads on sites that generally do not get indexed by search engines.

      It’s important to keep in mind that all these guys will do if they get shut down is move their domain to another place. It cost next to nothing to set the site up in a new place.

  5. george

    The problem are banks and other institutions who issue creditcards (conveniently) using telephone, mail or Internet applications and use, as Brian pointed out security questions with answers which can easily researched over the internet or found out the way those bad guys do. If it would not be possible to obtain a creditcard or something else of value without physically coming into a bank office and be identified, I would not care if someone “stole” my identity.

  6. Sonja

    What I don’t understand is how people can be so dumb as to actually think entering their SSN into these sites is a good idea…

Comments are closed.