Krebs on Security

Feds Charge Calif. Brothers in Cyberheists

November 14, 2013

Federal authorities have arrested two young brothers in Fresno, Calif. and charged the pair with masterminding a series of cyberheists that siphoned millions of dollars from personal and commercial bank accounts at U.S. banks and brokerages.

Adrian, left, and Gheorghe Baltaga (right). Photo: Fresnorotary.org

Taken into custody on Oct. 29 were Adrian and Gheorghe Baltaga, 25 and 26-year-old men from Moldova. Documents unsealed by the U.S. District Court for the Northern District of California laid out a conspiracy in which the brothers allegedly stole login credentials for brokerage accounts of Fidelity Investments customers, and then set up fraudulent automated clearing house (ACH) links between victim accounts and prepaid debit card accounts they controlled.

From there, according to the government, the men then used the debit cards to purchase money orders from MoneyGram and the U.S. Postal Service, which were deposited into different accounts that they could pull cash from using ATM cards. An attorney for the Baltaga brothers did not respond to multiple requests for comment.

According to interviews with investigators, the Baltaga indictments (PDF) reveal surprisingly little about the extent of the cybercrimes that investigators believe these men committed. For example, sources familiar with the investigation say the Baltaga brothers were involved in a 2012 cyberheist against a Maryland title company that was robbed of $1.7 million.

In April 2012, I was tracking a money mule recruitment gang that had hired dozens of people through bogus work-at-home jobs that were set up to help cybercrooks launder funds stolen from hacked small businesses and retail bank accounts. One of the mules I contacted said she’d just received notification that she was to expect a nearly $10,000 transfer to her bank account, and that she should pull the money out in cash and wire the funds (minus her 8 percent commission) to three different individuals in Ukraine and Russia.

The mule said she’d been hired by a software company in Australia, and that her job was to help the firm process payments from the company’s international clients. This mule told me the name of her employer’s “client” that had sent the transfer, and a Google search turned up a Washington, D.C.-area title firm which asked not to be named in this story out of concern that company’s competitors would use it against them.

Baltaga residence in a Fresno gated community.

That title firm was unaware of it at the time, but fraudsters had recently installed the ZeuS Trojan on an employee’s computer and were using it to send wire transfers and ACH payments to money mules and to bank accounts controlled by the bad guys. In many cases, victim companies will react with hostility when alerted to such crimes by a reporter, but in this case the company quickly contacted their bank and discovered that the thieves had already pushed through more than $700,000 in fraudulent wires and ACH payments. Just minutes before I contacted the title firm, the crooks had initiated a fraudulent wire transfer of $1 million.

The company and its bank were ultimately able to block the $1 million wire and claw back about half of the $700,000 in wires and fraudulent ACH transfers. The firm and its bank seemed doomed to battle it out in court over the remaining amount, but earlier this year the two sides reached a confidential settlement.

Continue reading →

Zero-Days Rule November’s Patch Tuesday

November 12, 2013

46 Comments

Microsoft today issued security updates to fix at least 19 vulnerabilities in its software, including a zero-day flaw in Internet Explorer browser that is already being actively exploited. Separately, Adobe has released a critical update that plugs at least two security holes in its Flash Player software.

Three of the eight patches that Microsoft released earned its most dire “critical” label, meaning the vulnerabilities fixed in them can be exploited by malware or miscreants remotely without any help from Windows users. Among the critical patches is an update for Internet Explorer (MS13-088) that mends at least two holes in the default Windows browser (including IE 11). MS13-089 is a critical file handling flaw present in virtually every supported version of Windows.

The final critical patch — MS13-090 — fixes essentially another IE flaw (ActiveX) that showed up in targeted attacks late last week. Microsoft says attackers used a second, “information disclosure” vulnerability in tandem with the ActiveX flaw, but that the company is still investigating that one. It noted that its Enhanced Mitigation Experience Toolkit (EMET) tool successfully blocked the ActiveX exploit.

Nevertheless, it’s important for IE users to apply these updates as quickly as possible. According to Rapid7, exploit code for the ActiveX vulnerability appeared on Pastebin this morning.

“It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public,” said Ross Barrett, senior manager of security engineering at Rapid7. “I would call patching this issue priority #1.” For what it’s worth, Microsoft agrees, at least according to this suggested patch deployment chart.

Today’s patch batch from Redmond did not include an official patch for yet another zero-day vulnerability that has been under active exploitation, although Microsoft did release a stopgap Fix-It tool last week to help blunt the threat. The company also is once again advising Windows users to take another look at EMET.

Check out Microsoft’s Technet blog for more information on these and other updates that the company released today.

In a separate patch release, Adobe issued a fix for its Flash Player software for Windows, Mac, Linux and Android devices. The Flash update brings the ubiquitous player to v. 11.9.900.152 on Mac and Windows systems. Users browsing the Web with IE10 or IE11 on Windows 8.x should get the new version of Flash (11.9.900.152) automatically; IE users not on Windows 8 will need to update manually if Flash is not set to auto-update.

To check which version of Flash you have installed, visit this page. Direct links to the various Flash installers are available here. Be aware that downloading Flash Player from Adobe’s recommended spot — this page — often includes add-ons, security scanners or other crud you probably don’t want. Strangely enough, when I visited that page today with IE10 , the download included a pre-checked box to install Google Toolbar and to switch my default browser to Google Chrome.

Continue reading →

Facebook Warns Users After Adobe Breach

November 11, 2013

60 Comments

Facebook is mining data leaked from the recent breach at Adobe in an effort to help its users better secure their accounts. Facebook users who used the same email and password combinations at both Facebook and Adobe’s site are being asked to change their password and to answer some additional security questions.

Message that Facebook has been sending to certain users whose information was found in the stolen Adobe user data.

Message that Facebook has been sending to certain users whose information was found in the stolen Adobe data.

Facebook spokesman Jay Nancarrow said Facebook is constantly on the lookout for data leaked from other breach incidents that may endanger accounts of its own users. Nancarrow said that the social networking service has similarly acted in the wake of other high profile breaches to determine if any of its own users’ credentials may have been affected.

“We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said Nancarrow, who declined to say exactly how many Facebook users were seeing the above message. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.”

In a breach first announced on this blog Oct. 3, 2013, Adobe said hackers had stolen nearly 3 million encrypted customer credit card records, as well as login data for an undetermined number of Adobe user accounts. Earlier this month, Adobe said it had actually notified more than 38 million users that their encrypted account data may have been compromised. But as first reported here on Oct. 29, the breach may have impacted closer to 150 million Adobe users.

What’s more, experts say Adobe appears to have used a single encryption key to scramble all of the leaked user credentials, meaning that anyone who computes, guesses or acquires the decryption key immediately gets access to all the passwords in the database. In a detailed analysis of the enormity of Adobe’s blunder, Paul Ducklin of Sophos describes how researchers managed to work out a decent chunk of the encrypted user passwords just by comparing the leaked data to other large password breaches and to password hint information included in the Adobe account cache.

Update, 2:07 p.m. ET: Looks like Diapers.com and Soap.com sent similar notices to their customers on Sunday. A hit tip to readers Arthur and Dave for sharing copies of the emails from those two sites.

Update, Nov. 12, 4:07 p.m. ET: The initial story seems to have confused a number of readers, perhaps because I left out an explanation of what exactly Facebook did. As a result, many readers seem to have hastily and erroneously concluded that Facebook doesn’t properly secure its users passwords if it can simply compare them in plain text to the Adobe passwords that have already been worked out.

As I proffered in a follow-up comment on this story, Facebook and any other company can take any of the Adobe passwords that have already been guessed or figured out and simply hash those passwords with whatever one-way hashing mechanism(s) they use internally. After that, it’s just a matter of finding any overlapping email addresses that use the same password. Facebook’s Chris Long confirmed that this is more less what the company did.

CryptoLocker Crew Ratchets Up the Ransom

November 6, 2013

141 Comments

Last week’s article about how to prevent CryptoLocker ransomware attacks generated quite a bit of feedback and lots of questions from readers. For some answers — and since the malware itself has morphed significantly in just a few day’s time — I turned to Lawrence Abrams and his online help forum BleepingComputer.com, which have been following and warning about this scourge for several months.

This message is left by CryptoLocker for victims whose antivirus software removed the file needed to pay the ransom.

This message is left by CryptoLocker for victims whose antivirus software removes the file needed to pay the ransom.

To recap, CryptoLocker is a diabolical new twist on an old scam. The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment via Bitcoin or MoneyPak and installs a countdown clock on the victim’s desktop that ticks backwards from 72 hours. Victims who pay the ransom receive a key that unlocks their encrypted files; those who let the timer expire before paying risk losing access to their files forever.

Or, at least, that’s how it worked up until a few days ago, when the crooks behind this scam began easing their own rules a bit to accommodate victims who were apparently willing to pay up but simply couldn’t jump through all the hoops necessary in the time allotted.

“They realized they’ve been leaving money on the table,” Abrams said. “They decided there’s little sense in not accepting the ransom money a week later if the victim is still willing to pay to get their files back.”

Part of the problem, according to Abrams, is that few victims even know about Bitcoins or MoneyPak, let alone how to obtain or use these payment mechanisms.

“We put up survey and asked how many [victims] had paid the ransom with Bitcoins, and almost no one said they did, Abrams said. “Most paid with MoneyPak. The people who did pay with Bitcoins said they found the process for getting them was so cumbersome that it took them a week to figure it out.”

Another major stumbling block that prevents many otherwise willing victims from paying the ransom is, ironically, antivirus software that detects CryptoLocker — but only after the malware has locked the victim’s most prized files with virtually uncrackable encryption.

“Originally, when antivirus software would clean a computer, it would remove the CryptoLocker infection, which made it so the user could not pay the ransom,” Abrams said. “Newer versions change the desktop background to include a URL where the user can download the infection again and pay the ransom.”

The idea of purposefully re-infecting a machine by downloading and executing highly destructive malware may be antithetical and even heresy to some security pros. But victims who are facing the annihilation of their most precious files probably have a different view of the situation. Abrams that said his testing has shown that as long as the registry key “HKCU\Software\Cryptolocker_0388″ remains in the Windows registry, re-downloading the malware would not try to re-encrypt the already encrypted data — although it would encrypt any new files added since the initial infection.

“Some antivirus companies have been telling victims not to pay the ransom,” Abrams said. “On the one hand, I get it, because you don’t want to encourage these malware writers. But on the other hand, there are some companies that are facing going out of business if they don’t, and can’t afford to take the holier-that-thou route.”

CRYPTOLOCKER DECRYPTION SERVICE

On Friday, Nov. 1, the crooks behind this malware campaign launched a “customer service” feature that they have been promising to debut for weeks: a CryptoLocker Decryption Service. “This service allow [sic] you to purchase private key and decrypter for files encrypted by CryptoLocker,” the site reads. “Customers” of the service can search for their “order number” simply by uploading any of the encrypted files.

“They’re calling it an ‘order,’ as if victims posted an order at Amazon.com,” Abrams said.

The “Cryptolocker Decryption Service.”

“If you already purchased private key using CryptoLocker, then you can download private key and decrypter for free,” explains the service, which is currently hosted at one of several addresses on the Tor anonymity network. The decryption service site is not reachable from the regular Internet; rather, victims must first download and install special software to access the site — yet another potential hurdle for victims to jump through.

According to Abrams, victims who are still within the initial 72-hour countdown clock can pay the ransom by coughing up two Bitcoins — or roughly $200 using a MoneyPak order. Victims who cannot pay within 72 hours can still get their files back, but for that unfortunate lot the ransom rises fivefold to 10 bitcoins — or roughly USD $2,232 at current exchange rates. And those victims will no longer have the option to pay the ransom via MoneyPak.

Abrams said the service exposes two lies that the attackers have been perpetuating about their scheme. For starters, the bad guys have tried to dissuade victims from rolling back their system clocks to buy themselves more time to get the money together and pay the ransom. According to Abrams, this actually works in many cases to delay the countdown timer. Secondly, the launch of the Cryptolocker Decryption Service belies the claim that private keys needed to unlock files encrypted by CryptoLocker are deleted forever from the attacker’s servers after 72 hours.

Continue reading →

Microsoft Warns of Zero-Day Attack on Office

November 5, 2013

12 Comments

Microsoft warned today that attackers are targeting a previously unknown security vulnerability in some versions of Microsoft Office and Windows. The company also has shipped an interim “Fix-It” tool to blunt attacks on the flaw until it has time to develop and release a more comprehensive patch.

In a post on its Technet blog, Microsoft said the attacks observed so far against the vulnerability have been “carefully carried out against selected computers, largely in the Middle East and South Asia.” It added that the exploit needs some user interaction because it arrives disguised as an email that entices potential victims to open a specially crafted Microsoft Word attachment.

The exploit attacks an unpatched security flaw in the way some older versions of Office and Windows process graphical images. According to Microsoft, the exploit combines multiple techniques to bypass exploit mitigation techniques such as data execution prevention (DEP) and address space layout randomization (ASLR). The company says this exploit will not affect Office 2013, but will affect older versions such as Office 2003 and Office 2007.

“Due to the way Office 2010 uses the vulnerable graphic library, it is only affected only when running on older platforms such as Windows XP or Windows Server 2003, but it is not affected when running on newer Windows families (7, 8 and 8.1),” Microsoft wrote.

Microsoft’s latest Fix-It tool should help blunt attacks on this vulnerability. Also, while this particular exploit does try to evade DEP and ASLR protections, it’s probably as good a time as any to remind readers about Microsoft EMET, a free tool that can increase the security of third party applications that run on top of Windows.

Interestingly, news of the exploit surfaced less than 48 hours after Microsoft announced it would expand its $100,000 bug bounty program for researchers who can find and report novel exploitation techniques for evading Windows’ built-in defenses.

Hackers Take Limo Service Firm for a Ride

November 4, 2013

60 Comments

A hacker break in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information on more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.

CorporateCarOnline says: “Trust Us: Your Data is Secure”

The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc. — suggesting that the same attacker(s) may have been involved in all three compromises.

In this case, the name on the file archive reads “CorporateCarOnline.” That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”

I reached out several times over almost two weeks seeking comment from CorporateCarOnline.com. At length, I reached owner Dan Leonard, who seemed to know what I was calling about, but declined to discuss the matter, saying only that “I’d prefer not to talk to anybody about that.”

It’s understandable why the company would decline to comment: Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses. More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts, card numbers that have very high resale value in the cybercrime underground.

Alex Holden, chief information security officer at Hold Security LLC and a key collaborator on the research in this post, said CorporateCarOnline confirmed to him that the data was stolen from its systems.

“While the target is not a household name, it is, arguably, the highest socially impacting target yet,” Holden said. “By its nature, limo and corporate transportation caters to affluent individuals and VIPs.”

Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion, a Web application platform that has become a favorite target of the attackers thought to be responsible for this and other aforementioned breaches of late.

Below are some of the rich and famous whose pick up and drop-off information — and in some cases credit card data — was in the stolen archive. Nearly all of these individual records were marked with “VIP” or “SuperVIP!” notations. Included in quotes are notes left for the chauffeur.

CELEBRITIES

Photo: Keith Allison

LeBron James – Thomas & Mack Center sports arena, athlete entrance, July 22, 2007; “Call Lynn upon arrival.”

Tom Hanks – Chicago Midway, June 19, 2013; “VVIP. No cell/radio use with passenger/prepaid. 1500 W. Taylor Street Chicago, Rosebud, Dinner Reser @8pm”

Aaron Rodgers – Duncan Aviation, Kalamazoo, Mich., June 26, 2010; “Kregg Lumpkin and wife. 3 Bottle Waters. Greg Jennings Foundation.”

LAWMAKERS

-House Judiciary Committee Chairman Rep. John Conyers, (D-Mich.), July 4, 2011, Indianapolis International Airport; “Meet and Greet Baggage Claim. US Congressman. A DFTU situation” [not quite sure what this stands for, but my guess is “Don’t F*** This Up”]

–Sen. Mark Udall (D-Colo.), chair of the Senate Armed Services Committee’s Subcommittee on Strategic Forces. Boston Logan Intl. Airport, Sept. 14, 2009; “Contact if need be Yolanda Magallanes [link added]. Client will have golf clubs with him.”

Other current members of Congress whose information appears in this database include Rep. Joe Garcia (D-Fla.); Rep. Gus Bilirakis (R-Fla.); Rep. Jim Matheson (D-Utah); Rep. Lynn Westmoreland, Rep. Joe Baca (D-Calif.), Rep. Mario Diaz-Balart (R-Fla.).

A number of former lawmakers were passengers with limo companies that gave their customer data to CorporateCarOneline, including:

–Sen. Tom Daschle (D-SD), Des Moines, Iowa, July 21, 2010; “Ag Innovation Committee. Passengers plus luggage. Passengers: Lori Captain, Mary Langowski, Jonathan Sallet, Tom West, Jim Collins, Senator Tom Daschle, JB Penn, Anthony Farina.”

–Sen. John Breaux (D-La.), Aug. 27, 2010; “Ambassador Steven Green & Senator Breaux. ***VIP***DO NOT COLLECT”

–Rep. James Saxton (R-NJ), Rep. William Delahunt (D-Mass.), Rep. Billy Tauzin (R-La.),

Continue reading →

How To Avoid CryptoLocker Ransomware

November 1, 2013

82 Comments

Over the past several weeks, a handful of frantic Microsoft Windows users have written in to ask what they might do to recover from PC infections from “CryptoLocker,” the generic name for an increasingly prevalent and nasty strain of malicious software that encrypts your files until you pay a ransom. Unfortunately, the answer for these folks is usually either to pay up or suck it up. This post offers a few pointers to help readers avoid becoming the next victim.

A Cryptolocker prompt and countdown clock. Photo: Malwarebytes.org

A CryptoLocker prompt and countdown clock. Image: Malwarebytes.org

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

The trouble with CryptoLocker is not so much in removing the malware — that process appears to be surprisingly trivial in most cases. The real bummer is that all of your important files — pictures, documents, movies, MP3s — will remain scrambled with virtually unbreakable encryption unless and until you pay the ransom demand, which can range from $100 to $300 (and payable only in Bitcoins).

File-encrypting malware is hardly new. This sort of diabolical threat has been around in various incarnations for years, but it seems to have intensified in recent months. For years, security experts have emphasized the importance of backing up one’s files as a hedge against disaster in the wake of a malware infestation. Unfortunately, if your backup drives are connected physically or via the local network to the PC that gets infected with CryptoLocker, your backups may also be encrypted as well.

Computers infected with CryptoLocker may initially show no outward signs of infection; this is because it often takes many hours for the malware to encrypt all of the files on the victim’s PC and attached or networked drives. When that process is complete, however, the malware will display a pop-up message similar to the one pictured above, complete with a countdown timer that gives victims a short window of time in which to decide whether to pay the ransom or lose access to the files forever.

Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit — a comprehensive set of group policies that can be used to block CryptoLocker infections across a domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.

Continue reading →

Adobe Breach Impacted At Least 38 Million Users

October 29, 2013

73 Comments

The recent data breach at Adobe that exposed user account information and prompted a flurry of password reset emails impacted at least 38 million users, the company now says. It also appears that the already massive source code leak at Adobe is broadening to include the company’s Photoshop family of graphical design products.

A posting on anonnews.org that was later deleted.

At the time, a massive trove of stolen Adobe account data viewed by KrebsOnSecurity indicated that — in addition to the credit card records — tens of millions of user accounts across various Adobe online properties may have been compromised in the break-in. It was difficult to fully examine many of the files on the hackers’ server that housed the stolen source because many of the directories were password protected, and Adobe was reluctant to speculate on the number of users potentially impacted.

But just this past weekend, AnonNews.org posted a huge file called “users.tar.gz” that appears to include more than 150 million username and hashed password pairs taken from Adobe. The 3.8 GB file looks to be the same one Hold Security CISO Alex Holden and I found on the server with the other data stolen from Adobe.

Adobe spokesperson Heather Edell said the company has just completed a campaign to contact active users whose user IDs with valid, encrypted password information was stolen, urging those users to reset their passwords. She said Adobe has no indication that there has been any unauthorized activity on any Adobe ID involved in the incident.

“So far, our investigation has confirmed that the attackers obtained access to Adobe IDs and (what were at the time valid), encrypted passwords for approximately 38 million active users,” Edell said [emphasis added]. “We have completed email notification of these users. We also have reset the passwords for all Adobe IDs with valid, encrypted passwords that we believe were involved in the incident—regardless of whether those users are active or not.”

Edell said Adobe believes that the attackers also obtained access to many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data. “We are still in the process of investigating the number of inactive, invalid and test accounts involved in the incident,” she wrote in an email. “Our notification to inactive users is ongoing.”

Part of the Adobe breach involved the theft of source code for Adobe Acrobat and Reader, as well as its ColdFusion Web application platform. Among the cache was a 2.56 GB-sized file called ph1.tar.gz, but KrebsOnSecurity and Hold Security were unable to crack the password on the archive. Over this past weekend, AnonNews.org posted a file by the same name and size that was not password protected, and appeared to be source code for Adobe Photoshop.

Asked about the AnonNews posting’s similarities to the leaked source code troves discovered by this publication in late September, Adobe’s Edell said indeed that it appears the intruders got at least some of the Photoshop source code. In both cases, Adobe said it contacted the sites hosting the data linked to from the AnonNews postings and had the information taken down.

“Our investigation to date indicates that a portion of Photoshop source code was accessed by the attackers as part of the incident Adobe publicly disclosed on Oct. 3,” Edell wrote.

Continue reading →

Senator Demands More Info From Experian

October 24, 2013

56 Comments

In the wake of revelations that credit bureau Experian sold consumer data to the proprietors of an underground identity theft service, a powerful U.S. senator is calling on the company to divulge more information on the extent of the potential damage to consumers.

West Virginia Senator Jay Rockefeller, a Democrat who chairs the Senate Committee on Commerce, Science and Transportation, on Wednesday sent a letter (PDF) to Experian demanding additional details about the security breach. Specifically, Rockefeller asked for responses to questions about Experian’s vetting process for its customers and current practices for sharing consumer data. The senator also urged Experian to fully respond to his related previous inquiries regarding Experian’s customers, its oversight of its disclosure to third parties, and Experian’s data sources.

“The committee’s investigation has focused to date on how companies including Experian collect and sell consumer information for marketing purposes, while the information Experian reportedly sold to identity thieves – such as Social Security numbers and banking information – appears to be data Experian collects and sells for risk assessment activities,” Sen. Rockefeller wrote in the letter to Experian President Donald Robert. “However, if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data with them, regardless of the particular line of business.”

The letter is a follow-up to an investigation that Sen. Rockefeller launched in October 2012 regarding several data brokers — including Experian — to understand how the companies collect, store, and share personal consumer data. According to the committee, Experian is one of several companies that has refused to fully respond to Rockefeller’s request for information – which Rockefeller discussed publicly in this letter.

That 2012 letter was sent to the three major credit bureaus, including Experian, Equifax, TransUnion. Rockefeller also queried Reed Elsevier, the parent company of data aggregator LexisNexis. Last month, KrebsOnSecurity broke a story showing that LexisNexis was among three other data brokers that had been hacked by a cybercriminal gang which operated a competing underground identity theft service — ssndob[dot]ms.

In a statement provided to The New York Times, Experian spokesman Gerry Tschopp said: “We have responded — and will continue to respond – in a very transparent manner to Senator Rockefeller.”

According to The Times, Sen. Rockefeller last month widened his probe, asking a dozen popular Web sites to provide information on their information-sharing practices with data brokers. The sites included in that inquiry were About.com, Babycenter.com, Bankrate.com, Health.com, Investopedia.com, Mensfitness.com and Self.com.

“While some consumers may not object to having their information categorized and used for marketing,” the senator wrote, “before they share personal information, it is important that they know it may be used for purposes beyond those for which they originally provided it.”

Experian Sold Consumer Data to ID Theft Service

October 20, 2013

119 Comments

An identity theft service that sold Social Security and drivers license numbers — as well as bank account and credit card data on millions of Americans — purchased much of its data from Experian, one of the three major credit bureaus, according to a lengthy investigation by KrebsOnSecurity.

superget.info home page

In November 2011, this publication ran a story about an underground service called Superget.info, a fraudster-friendly site that marketed the ability to look up full Social Security numbers, birthdays, drivers license records and financial information on millions of Americans. Registration was free, and accounts were funded via WebMoney and other virtual currencies that are popular in the cybercriminal underground.

Each SSN search on Superget.info returned consumer records that were marked with a set of varying and mysterious two- and three-letter “sourceid:” identifiers, including “TH,” “MV,” and “NCO,” among others. I asked readers who may have a clue about the meaning or source of those abbreviations to contact me. In the weeks following that post, I heard from many readers who had guesses and ideas, but none who seemed to have conclusive information.

That changed in the past week. An individual who read a story about the operators of a similar ID theft service online having broken into the networks of LexisNexis and other major data brokers wrote to say that he’d gone back and reviewed my previous stories on this topic, and that he’d identified the source of the data being resold by Superget.info. The reader said the abbreviations matched data sets produced by Columbus, Ohio-based USInfoSearch.com.

Contacted about the reader’s claim, U.S. Info Search CEO Marc Martin said the data sold by the ID theft service was not obtained directly through his company, but rather via Court Ventures, a third-party company with which US Info Search had previously struck an information sharing agreement. Martin said that several years ago US Info Search and CourtVentures each agreed to grant the other company complete access to its stores of information on US consumers.

Founded in 2001, Court Ventures described itself as a firm that “aggregates, repackages and distributes public record data, obtained from over 1,400 state and county sources.” Cached, historic copies of courtventures.com are available through archive.org.

THE ROLE OF EXPERIAN

In March 2012, Court Ventures was purchased by Costa Mesa, Calif.-based Experian, one of the three major consumer credit bureaus. According to Martin, the proprietors of Superget.info had gained access to Experian’s databases by posing as a U.S.-based private investigator. In reality, Martin said, the individuals apparently responsible for running Superget.info were based in Vietnam.

Martin said he first learned of the ID theft service after hearing from a U.S. Secret Service agent who called and said the law enforcement agency was investigating Experian and had obtained a grand jury subpoena against the company.

The “sourceid” abbreviations pointed toward Court Ventures.

While the private investigator ruse may have gotten the fraudsters past Experian and/or CourtVentures’ screening process, according to Martin there were other signs that should have alerted Experian to potential fraud associated with the account. For example, Martin said the Secret Service told him that the alleged proprietor of Superget.info had paid Experian for his monthly data access charges using wire transfers sent from Singapore.

“The issue in my mind was the fact that this went on for almost a year after Experian did their due diligence and purchased” Court Ventures, Martin said. “Why didn’t they question cash wires coming in every month? Experian portrays themselves as the databreach experts, and they sell identity theft protection services. How this could go on without them detecting it I don’t know. Our agreement with them was that our information was to be used for fraud prevention and ID verification, and was only to be sold to licensed and credentialed U.S. businesses, not to someone overseas.”

Experian declined multiple requests for an interview. But in a written statement provided to KrebsOnSecurity, Experian acknowledged the broad outlines of Martin’s story and said it had worked with the Secret Service to bring a Vietnamese national to justice in connection with the online ID theft service. Their statement is as follows:

“Experian acquired Court Ventures in March, 2012 because of its national public records database. After the acquisition, the US Secret Service notified Experian that Court Ventures had been and was continuing to resell data from US Info Search to a third party possibly engaged in illegal activity. Following notice by the US Secret Service, Experian discontinued reselling US Info Search data and worked closely and in full cooperation with law enforcement to bring Vietnamese national Hieu Minh Ngo, the alleged perpetrator, to justice. Experian’s credit files were not accessed. Because of the ongoing federal investigation, we are not free to say anything further at this time.”

Continue reading →

Last »