06
Aug 20

Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims

A group of thieves thought to be responsible for collecting millions in fraudulent small business loans and unemployment insurance benefits from COVID-19 economic relief efforts gathered personal data on people and businesses they were impersonating by leveraging several compromised accounts at a little-known U.S. consumer data broker, KrebsOnSecurity has learned.

In June, KrebsOnSecurity was contacted by a cybersecurity researcher who discovered that a group of scammers was sharing highly detailed personal and financial records on Americans via a free web-based email service that allows anyone who knows an account’s username to view all email sent to that account — without the need of a password.

The source, who asked not to be identified in this story, said he’s been monitoring the group’s communications for several weeks and sharing the information with state and federal authorities in a bid to disrupt their fraudulent activity.

The source said the group appears to consist of several hundred individuals who collectively have stolen tens of millions of dollars from U.S. state and federal treasuries via phony loan applications with the U.S. Small Business Administration (SBA) and through fraudulent unemployment insurance claims made against several states.

KrebsOnSecurity reviewed dozens of emails the fraud group exchanged, and noticed that a great many consumer records they shared carried a notation indicating they were cut and pasted from the output of queries made at Interactive Data LLC, a Florida-based data analytics company.

Interactive Data, also known as IDIdata.com, markets access to a “massive data repository” on U.S. consumers to a range of clients, including law enforcement officials, debt recovery professionals, and anti-fraud and compliance personnel at a variety of organizations.

The consumer dossiers obtained from IDI and shared by the fraudsters include a staggering amount of sensitive data, including:

-full Social Security number and date of birth;
-current and all known previous physical addresses;
-all known current and past mobile and home phone numbers;
-the names of any relatives and known associates;
-all known associated email addresses
-IP addresses and dates tied to the consumer’s online activities;
-vehicle registration, and property ownership information
-available lines of credit and amounts, and dates they were opened
-bankruptcies, liens, judgments, foreclosures and business affiliations

Reached via phone, IDI Holdings CEO Derek Dubner acknowledged that a review of the consumer records sampled from the fraud group’s shared communications indicates “a handful” of authorized IDI customer accounts had been compromised.

“We identified a handful of legitimate businesses who are customers that may have experienced a breach,” Dubner said.

Dubner said all customers are required to use multi-factor authentication, and that everyone applying for access to its services undergoes a rigorous vetting process.

“We absolutely credential businesses and have several ways do that and exceed the gold standard, which is following some of the credit bureau guidelines,” he said. “We validate the identity of those applying [for access], check with the applicant’s state licensor and individual licenses.”

Citing an ongoing law enforcement investigation into the matter, Dubner declined to say if the company knew for how long the handful of customer accounts were compromised, or how many consumer records were looked up via those stolen accounts.

“We are communicating with law enforcement about it,” he said. “There isn’t much more I can share because we don’t want to impede the investigation.”

The source told KrebsOnSecurity he’s identified more than 2,000 people whose SSNs, DoBs and other data were used by the fraud gang to file for unemployment insurance benefits and SBA loans, and that a single payday can land the thieves $20,000 or more. In addition, he said, it seems clear that the fraudsters are recycling stolen identities to file phony unemployment insurance claims in multiple states.

ANALYSIS

Hacked or ill-gotten accounts at consumer data brokers have fueled ID theft and identity theft services of various sorts for years. In 2013, KrebsOnSecurity broke the news that the U.S. Secret Service had arrested a 24-year-old man named Hieu Minh Ngo for running an identity theft service out of his home in Vietnam.

Ngo’s service, variously named superget[.]info and findget[.]me, gave customers access to personal and financial data on more than 200 million Americans. He gained that access by posing as a private investigator to a data broker subsidiary acquired by Experian, one of the three major credit bureaus in the United States.

Ngo’s ID theft service superget.info

Experian was hauled before Congress to account for the lapse, and assured lawmakers there was no evidence that consumers had been harmed by Ngo’s access. But as follow-up reporting showed, Ngo’s service was frequented by ID thieves who specialized in filing fraudulent tax refund requests with the Internal Revenue Service, and was relied upon heavily by an identity theft ring operating in the New York-New Jersey region.

Also in 2013, KrebsOnSecurity broke the news that ssndob[.]ms, then a major identity theft service in the cybercrime underground, had infiltrated computers at some of America’s large consumer and business data aggregators, including LexisNexis Inc., Dun & Bradstreet, and Kroll Background America Inc.

The now defunct SSNDOB identity theft service.

In 2006, The Washington Post reported that a group of five men used stolen or illegally created accounts at LexisNexis subsidiaries to lookup SSNs and other personal information more than 310,000 individuals. And in 2004, it emerged that identity thieves masquerading as customers of data broker Choicepoint had stolen the personal and financial records of more than 145,000 Americans.

Those compromises were noteworthy because the consumer information warehoused by these data brokers can be used to find the answers to so-called knowledge-based authentication (KBA) questions used by companies seeking to validate the financial history of people applying for new lines of credit.

In that sense, thieves involved in ID theft may be better off targeting data brokers like IDI and their customers than the major credit bureaus, said Nicholas Weaver, a researcher at the International Computer Science Institute and lecturer at UC Berkeley.

“This means you have access not only to the consumer’s SSN and other static information, but everything you need for knowledge-based authentication because these are the types of companies that are providing KBA data.”

The fraud group communications reviewed by this author suggest they are cashing out primarily through financial instruments like prepaid cards and a small number of online-only banks that allow consumers to establish accounts and move money just by providing a name and associated date of birth and SSN.

While most of these instruments place daily or monthly limits on the amount of money users can deposit into and withdraw from the accounts, some of the more popular instruments for ID thieves appear to be those that allow spending, sending or withdrawal of between $5,000 to $7,000 per transaction, with high limits on the overall number or dollar value of transactions allowed in a given time period.

KrebsOnSecurity is investigating the extent to which a small number of these financial instruments may be massively over-represented in the incidence of unemployment insurance benefit fraud at the state level, and in SBA loan fraud at the federal level. Anyone in the financial sector or state agencies with information about these apparent trends may confidentially contact this author at krebsonsecurity @ gmail dot com, or via the encrypted message service Wickr at “krebswickr“.

The looting of state unemployment insurance programs by identity thieves has been well documented of late, but far less public attention has centered on fraud targeting Economic Injury Disaster Loan (EIDL) and advance grant programs run by the U.S. Small Business Administration in response to the COVID-19 crisis.

Late last month, the SBA Office of Inspector General (OIG) released a scathing report (PDF) saying it has been inundated with complaints from financial institutions reporting suspected fraudulent EIDL transactions, and that it has so far identified $250 million in loans given to “potentially ineligible recipients.” The OIG said many of the complaints were about credit inquiries for individuals who had never applied for an economic injury loan or grant.

The figures released by the SBA OIG suggest the financial impact of the fraud may be severely under-reported at the moment. For example, the OIG said nearly 3,800 of the 5,000 complaints it received came from just six financial institutions (out of several thousand across the United States). One credit union reportedly told the U.S. Justice Department that 59 out of 60 SBA deposits it received appeared to be fraudulent.

Tags: , , , , , , ,

42 comments

  1. Crazy Super Genius

    And their opt-out document is questionable, at best…

    IDI Opt-Out Policy
    IDI affords certain individuals the opportunity to request that their personal information be made unavailable to subscribers of IDI’s product, idiCORETM. IDI will consider your request if you meet one of the following requirements and you provide the required documentation in support of your request:
     You are a public official or law enforcement officer under threat of death or serious bodily harm; or
     You must provide a letter from your supervisor on the agency’s letterhead substantiating the threat.
    *Note: Your position as a public official or law enforcement officer, in and of itself, does not satisfy these requirements – there must be exceptional circumstances, such as a special assignment, that gives rise to the threat.
     You are a private individual subject to a substantial risk of physical harm.
     You must provide a copy of a police report, a copy of a court protective order, or
    similar documentation.
    All requests, with the required supporting documentation, are to be submitted to the following address:
    IDI Opt-Out Request
    P.O. Box 812680
    Boca Raton, Florida 33481
    IDI reserves the right, in its sole discretion, to grant or deny your request. Information provided by you in support of your request will be used by IDI solely in considering your request. This policy applies to information made available through idiCORE only. Granting your request will not prevent third parties from displaying your personal information.
    IDI will respond to your request within 90 days of receipt of all required documentation.
    ©2020 Interactive Data

    • How (or can) I obtain a copy of the data they have on me?

    • A lot of bogus entities hail from Boca Raton ( which translates as the Rat’s Mouth). That being said, a good way to get a federal civil action handed to you is to be a purveyor of information that this consumer has not given you the right to possess or use. I think a certified letter to this organization is in order…

    • James joseph silva sandoval

      ANN Artificial neural network- used in my case to harvest genius from an oppressed individual , otherwised mamed useless.

      Hackers, tnanysec are using my mental power to mine btc, time travel teleport, and play saints and sinnera in real life. Teamexecuter has provided the microprocessors for evm chips on all Tennessee’s debit cards, to divide unclaimed money from unclaimed money. I cant even have A job or do A google. Name is james Joseph silva sandoval. Tndl108300698. Clones being used by shadow brokers to cash out money. Opression near 3rd world country. Twitter jjsandoval20 majiztec other sm as well. Deprecated internet used in place of real internet, selective use based on participation, i cant even get A job , nati wants me to be ouch my balls #idiocracy plus my daughter is missing.

  2. the inspector’s name is really “hannibal war”?

    you can’t make this stuff up.

  3. Now may be a good time to send Interactive Data LLC a GDPR / CCPA deletion request to get all your data deleted: https://yourdigitalrights.org/d/ididata.com/

  4. The Sunshine State

    Another great informative article !

  5. This is what scares me: free web-based email service that allows anyone who knows an account’s username to view all email sent to that account — without the need of a password.

    Can you let us.know which email service is this? Thank you

    • If you don’t recognize it by description, you probably never heard of it.

      • This doesn’t sound correct to me. How can a 3rd party service access mailboxes it doesn’t have the password to?

        Further how can a 3rd party service bypass all the TLS encryption used everywhere?

        Robert

        • First, as a previous commentor already stated, it functions much like the free Mailinator used to: There’s no ownership of email addresses on the service. You can get email sent to any username you choose on the service, but since there is no password needed to view the inbox for a given username, it’s not wise to send stuff there that you don’t want others to see. The fraudsters tried to lessen the chance others would see their emails by using very long usernames.

          Second, the service actually still doesn’t use any kind of encryption, TLS or otherwise. It’s http://

          • Ahh Ok. I misunderstood. I thought you were saying you could use the service to scan other messaging systems such as gmail.com, hotmail.com, private messaging environments etc and access those messages without needing any kind of Auth.

            Robert

    • I don’t know the name of the service in this article, but websites like the “mailinator” provided something like that. You assumed they were not secure.

      https://www.slant.co/options/6559/alternatives/~mailinator-alternatives

    • Do a Google search on “disposable email address”

      mailinator dot com is one of the first, I believe.

  6. It’s interesting that Mnuchin didn’t/doesn’t want scrutiny or investigations or depth-digging into who got what under his massive money giveaway authorized by Donald Trump, the focus of hundreds of fraud investigations. Assets, seize thyselves.

  7. Hey Brian awesome article as always can you maybe look into the other lawsuit Micheal terpin filed on another sim swapper

  8. Well like all Around the World USA started quantive easing year 2008 it ended 2020
    The bubble has popped the Old money is out of the circlelation… Now the Federal reserve printing new money and new credit but in Order to Give out new money someone must borrow this money with Security collateral wich is ssn and dob.
    That’s Why they made the loans to get it Easy
    2020 is economy Restarting time Every restart to get loan its Easy… By the End When bubble will pop there is difficult to get loan Even with solid collateral.
    Let’s look at Back to 2008 now the 2008 is all here.

    • Pls refresh and explain clearly and slowly.

      Are you saying my EIDL loan will be be comprised!

  9. Nice Article as Always Brian!

  10. Others have probably said this in comments to other posts, but any time you are asked to fill out knowledge based answers for security create a set of nonsense answers, a unique set for each site, and store those securely. Essentially, I create a secure password for each question for each site. I use random strings of characters as answers and store those in a Keychain item.

  11. I got a hard pull on my credit information from the SBA. Luckily, I immediately got an alert from Equifax. I called the SBA and they flagged whatever activity was going on in my name and said I didn’t need to worry about a loan being taken out in my name.

    I have now froze my information with all 3 credit bureaus. I know I should have done this along time ago as suggested several times on this site.

  12. These massive data lakes of personal info needs to be placed into a specialized data locker and secured with CIA level encryption along with approved access rights for the companies that use this info.

    Brian, is this a good idea?

  13. To my knowledge, there is no way to check if a fraudster has applied for UI in my name. The only way to know is wait until it happens and hope I get a notice in the mail telling me my UI claim has been approved.

    It would be great it I could preemptively “block” my state from enrolling me in UI, similar to a credit freeze.

    Any thoughts on this?

  14. uifraudrecipient

    At least within the state you reside, establish a UI account–even if you do not need to file right now.

    The online UI account seems like it would at least be an indication–as you would loose access when a fraudster gets the UIA to reassign your SSN.

  15. KoSReader600000

    “And their opt-out document is questionable, at best…”- Crazy Super Genius

    1+

    This organization sounds like a “front company” for something much different than it appears.

    and

    “How do I prove to them that I am in California?”-Gary

    You have to give them a California Drivers license and much more information. This company is very sketchy.

  16. KoSReader600000

    “And their opt-out document is questionable, at best…”- Crazy Super Genius

    1+

    This organization sounds like a front for something much different than it appears (criminal organization or what ever).

    and

    “How do I prove to them that I am in California?”-Gary

    You have to give them a California Drivers license and much more information. This company is very sketchy.

    Please delete dups

    • I agree, if this isn’t owned by criminals it’s perfect for them to buy or break into.
      Likely worth while to buy into with a shell company, like criminals paying to host a server in a cloud service, just to start on an inner layer.

  17. Hi Brian,

    Did this guy actually say it like this when you contacted him?

    “…exceed the gold standard, which is following some of the credit bureau guidelines.”

    Credit bureaus? Gold Standard??

    Am I in the twilight zone? This can’t be real.

  18. Brings this back to mind:

    SSN that should not be used used as identity, used as identity, and if stolen the consequences are bad. The system is inherently insecure.

    https://www.youtube.com/watch?v=Erp8IAUouus

  19. > IDIdata.com, markets access to a “massive data repository” on U.S. consumers [list of data]

    So… other than including some IP addresses, it’s any generic credit reporting agency? [not that I’d put IP harvesting beyond what the famous ones do]

  20. RE: CVE-2020-1472. Microsoft’s documentation is vary vague regarding Windows 7. Is Windows 7 included or excluded by the solution to the CVE?

  21. Maybe that is why when I applied for unemployment insurance benefits, I could not get past the login process with an error that my login info was not what they had on file. I tried resetting my password but was presented with security questions I didn’t know the answer to. I have NEVER applied for EDD benefits in my life.

  22. Hello, of course this paragraph is truly nice and I have learned lot of things from it about blogging.
    thanks.