On Sept. 25 Brian Krebs published information about a serious database leak that allowed a cyber crime group to access and sell millions of Social Security numbers, background checks, birth dates and other sets of personal identifying information stolen from some of the most powerful data collectors in the United States.
The group ran their store through an underground website selling information that is as credible as the information guarded by your ID theft protection service. That is because they had tapped into the very same data pools. Earlier this year a group of hacktivists called UGNazi showed where the data was coming from: the very same data sources used by the identity protection services. It makes perfect sense: if I want your data, I go to the companies you shared it with.
The cyber crime group sold Social Security numbers, birth records, credit and background reports on millions of Americans, according to a seven-month investigation by KrebsOnSecurity. Prices ranged from 50 cents to $2.50 per record, and from $5 to $15 for credit and background checks. Customers paid for their subscriptions using largely unregulated and anonymous virtual currencies, such as Bitcoin and WebMoney.
The underground source (name suppressed) was using botnets attached to software systems at Dun & Bradstreet, LexisNexis, and Kroll. The interesting thing is that the source of the data sold by the group remained a mystery for quite some time. In March 2014 some teen hackers allegedly associated with the hacktivist group UGNazi opened the door to investigating where the service was getting its access. It is definitely something to think about while you are considering renewing your identity theft protection service.
As of Brian Krebs's article, only 6 out of 46 antivirus products could recognize the rogue program. The good news is that the companies whose data was tapped are working closely with the FBI to track down the author of the malware.
The botnet’s online dashboard for the LexisNexis systems shows that a tiny unauthorized program called “nbc.exe” was placed on the servers as far back as April 10, 2013. Others were placed around the same time. An initial analysis of the malicious bot program installed on the hacked servers reveals that it was carefully engineered to avoid detection by antivirus tools. In fact, scanning by VirusTotal.com, a widely used multi-engine malware scanning service, gave the servers clean bills of health.
All three victim companies said they are working with federal authorities and third-party forensics firms in the early stages of determining how far the breaches extend, and whether indeed any sensitive information was accessed and exfiltrated (taken) from their networks. The thieves have since changed websites but probably remain in business.