Data broker databases breached, stolen info used by ID theft service

Stolen users information is regularly sold and bought online by cyber crooks and attackers, and many services have sprung up to meet the demand for information that can be used to compromise online accounts and facilitate identity theft.

Among them is SSNDOB (located at ssndob[dot]ms), which has been around for at least two years and has been used by some 1,300 customers to look up personal data and financial data – including Social Service numbers and date of birth – of millions of US citizens.

We know this because of journalist Brian Krebs, who has been following the workings of the service for the last seven months and has reviewed a copy of the SSNDOB database that was compromised several months ago by a number of attackers.

“Frustratingly, the SSNDOB database did not list the sources of that stolen information; it merely indicated that the data was being drawn from a number of different places designated only as ‘DB1,’ ‘DB2,’ and so on,” he writes.

“But late last month, an analysis of the networks, network activity and credentials used by SSNDOB administrators indicate that these individuals also were responsible for operating a small but very potent botnet — a collection of hacked computers that are controlled remotely by attackers.”

Among these computers were five that have been traced to the internal systems at several of the largest US data brokers and aggregators:

  • LexisNexis – a company that apparently has the world’s largest electronic database for legal and public-records related information,
  • Dun & Bradstreet – a company that, according to Wikipedia, licenses information on businesses and corporations for use in credit decisions, business-to-business marketing and supply chain management, and
  • Kroll Background America – a company that, among other things, provides employment, health and mortgage screening.

When contacted, all three companies said that they were working with the authorities and forensic firms to investigate how the compromises came about. There’s evidence that some of the compromises go back to April 2013.

What Krebs discovered is that the malware used to rope those computer into the botnet and to allow the intruders to continually access the internal systems of the companies was specifically created to fool all the most used AV solutions (and it did for months).

“SSNDOB also appears to have licensed its system for use by at least a dozen high-volume users. There is some evidence which indicates that these users are operating third-party identity theft services,” says Krebs.

“A review of the leaked site records show that several bulk buyers were given application programming interfaces (APIs) — customized communications channels that allow disparate systems to exchange data — that could permit third-party or competing online ID theft sites to conduct lookups directly and transparently through the SSNDOB Web site. Indeed, the records from SSNDOB show that the re-sellers of its service reliably brought in more money than manual look-ups conducted by all of the site’s 1,300 individual customers combined.”

Don't miss