News and commentaries were everywhere in 2015 about a site that made Brazilians’ personal data public—everything from addresses to personal tax identification numbers (CPFs), full names and more. At the time there wasn’t much talk about data protection, but it’s become very clear now that exposed personal information can cause deep concerns and severe damage. Unfortunately, the situation doesn’t look any better today than it did in 2015: there are all sorts and sizes of very real schemes for stealing and selling this type of data.
The value of a series of letters and numbers
Not so long ago, giving out your Social Security number (SSN) and your address was an everyday occurrence. But together, this information is extremely valuable to cybercriminals. To get an idea of how targeted it is, just do a Google search for “SSN generator”; the results will demonstrate the level of interest in this topic:
If such data is so sought after and even “artificially produced,” it’s because the real thing is very valuable. In some cases we’ve encountered, an individual’s complete information could be sold for up to $15. The conclusion is obvious: If there are crooks willing to pay that much, the data is being used in some very lucrative schemes.
It must be noted, however, that the “correct hands” that legitimately deal with this data must be the most attentive: Europe’s General Data Protection Regulation (GDPR), and a host of similar legislation emerging worldwide, make it crystal clear that companies that deal with their clients’ personal data are responsible for the care of that information.
Criminal sales schemes
The process of selling stolen data can be divided into three steps: First, the wrongful acquisition of the information; second, selling it to specific groups or marketplaces; and finally, using the data for fraudulent purposes. Each “step” has some very interesting peculiarities:
Acquiring the data
A cybercriminal can take several paths to gain access to personal information. That’s why we need to stress the importance of monitoring your company’s data exposure, which must be one of the pillars of a good compliance and risk management program. Among the attack vectors used to obtain this data are:
- Fake pages that capture data from people who are shopping for low-cost loans, offering them fees that are well below the going market rate (digital scams);
- Chatbots that simulate the customer services of companies with well-known brands;
- Fake job openings offering high salaries, using prominent corporate brands;
- Faulty systems that allow access to client or citizen databases (such as Brazil’s CadSUS public health care system).
Selling the data
Once collected, the data can be sold in closed groups or in specialized marketplaces in the deep and dark web. Sometimes data is preordered, so it is not directly exposed in those marketplaces.
There are organized groups that buy such data, which will subsequently be used in fake documents or to open financial services accounts (new accounts, credit requests, etc.).
Here’s an example of an “order” (with preferences indicated) from Brazil:
WHO HAS FULL DATA?
CPF NUMBER (SSN)
PEOPLE BETWEEN 18 AND 30 YEARS OLD
MEN AND WOMEN
PREFERABLY SÃO PAULO
CALL PV WILL BUY OR EXCHANGE FOR INFO
These problems also show up in the form of central offices and advisory panels. Such websites function as a professional service to supplement the personal data needed to pull off a digital scam. An example:
The statement, Abaixo as consultas contratadas em seu plano (“Below are the queries contracted in your plan”), shows how the same seller molds one product into different formats. In the center of this image (redacted due to the information’s sensitive nature), page access options include CPFs, business tax identification numbers (CNPJ), national ID cards, father’s name, zip code (CEP) and even credit scores.
Fraudulent use of the data
Once the data is collected, the criminals’ primary activity is creating dummy accounts. After they’ve been validated, these accounts are sold on the deep and dark web. In some cases, fraudsters open a credit card account and make purchases using an identity other than their own.
The data can even serve as a basis for creating fake documents. Editable templates for making national identity cards, driver’s licenses and other documents are also sold on the deep and dark web.
Monitoring to protect the consumer
All three steps in this criminal process for using personal data online leave tracks and must be constantly monitored. The greatest responsibility is borne by the companies attacked, who have the duty of correctly caring for their clients’ data, in accordance with the GDPR and similar laws.
At Axur, our robots protect your brand online. Threat Intelligence scans the deep and dark webs daily, issuing automated alerts. If corporate credentials are leaked, Hashcast can instantly issue an alert. In this way, you can avoid unauthorized access and maintain control over the data that leaves your company.