A group of thieves suspected of collecting millions in fraudulent small business loans and unemployment insurance benefits as part of COVID-19 economic relief efforts has gathered personal data on the people and companies it impersonates by exploiting multiple compromised accounts at a little-known US consumer data broker, KrebsOnSecurity has learned.
In June, KrebsOnSecurity was contacted by a cybersecurity researcher who discovered that a group of crooks was sharing very detailed personal and financial files on Americans through a free webmail service that allows anyone who knows an account’s username to view all e-mails sent to that account, without needing a password.
The source, who asked not to be identified in this story, said he has been monitoring the group’s communications for several weeks and sharing the information with state and federal authorities in an attempt to disrupt their fraudulent activity.
The source said the group appears to be made up of several hundred individuals who have collectively stolen tens of millions of dollars from US public and federal treasuries via bogus loan applications with the U.S. Small Business Administration (SBA) and through fraudulent unemployment insurance claims filed against multiple states.
KrebsOnSecurity reviewed dozens of emails the fraud group had exchanged and noticed that a large number of the consumer records they shared carried a note saying they had been cut and pasted from the output of requests made to Interactive Data LLC, a Florida-based data analytics company.
Interactive Data, also known as IDIdata.com, markets access to a “big data repository” on US consumers to a range of clients, including law enforcement officials, debt collection professionals, and anti-fraud and compliance personnel in various organizations.
Consumer records obtained from IDI and shared by the fraudsters contain an overwhelming amount of sensitive data, including:
– full Social Security number and date of birth;
– current and all known previous physical addresses;
– all known current and past mobile and residential telephone numbers;
– the names of all known parents and associates;
– all known associated email addresses;
– IP addresses and dates related to the consumer’s online activities;
– vehicle registration and ownership information;
– available lines of credit and amounts, and their opening dates;
– bankruptcies, liens, judgments, foreclosures and commercial affiliations.
Contacted by phone, Derek Dubner, CEO of IDI Holdings, acknowledged that a review of consumer records sampled from the fraud group’s shared communications indicates that “a handful” of authorized IDI customer accounts had been compromised.
“We have identified a handful of legitimate businesses that are customers who may have suffered a breach,” Dubner said.
Dubner said all customers are required to use multi-factor authentication and anyone requesting access to its services goes through a rigorous verification process.
“We absolutely do accredit businesses and have a number of ways to do that and get past the gold standard, which follows some of the credit bureau guidelines,” he said. “We validate the identity of the candidates [for access], check with the state licensor and the applicant’s individual licenses.”
Citing an ongoing police investigation into the case, Dubner declined to say whether the company knew how long the handful of customer accounts had been compromised, or how many consumer records were accessed through those stolen accounts.
“We are communicating with the police on this subject,” he said. “I can’t share much more because we don’t want to obstruct the investigation.”
The source told KrebsOnSecurity that he had identified more than 2,000 people whose SSNs, DoBs and other data were used by the fraud gang to apply for UI benefits and SBA loans, and that a thief alone can earn $20,000 or more in salary. Additionally, he said, it seems clear that the fraudsters are recycling stolen identities to file bogus unemployment insurance claims in several states.
Hacked or ill-gotten accounts at consumer data brokers have fueled identity theft and identity theft services of all kinds for years. In 2013, KrebsOnSecurity announced that the US Secret Service had arrested a 24-year-old man named Hieu Minh Ngo for running an identity theft service at his home in Vietnam.
Ngo’s service, variously called superget[.]info and finds[.]me, gave customers access to the personal and financial data of over 200 million Americans. He obtained this access by posing as a private investigator to a data broker affiliate acquired by Experian, one of the three major credit bureaus in the United States.
Experian was dragged to Congress to explain the failure and assured lawmakers there was no evidence that consumers had been harmed by Ngo’s access. But as follow-up reports have shown, Ngo’s service was frequented by identity thieves who specialized in filing fraudulent tax refund claims with the Internal Revenue Service, and was in high demand by an identity theft network operating in the New York-New Jersey area.
Also in 2013, KrebsOnSecurity announced that ssndob[.]Mrs, then a major identity theft service in the cybercrime underground, had infiltrated the computers of some of the largest consumer and corporate data aggregators in the United States, including LexisNexis Inc., Dun & Bradstreet, and Kroll Background America Inc.
In 2006, The Washington Post reported that a group of five men used stolen or illegally created accounts at LexisNexis subsidiaries to search for SSNs and other personal information on more than 310,000 people. And in 2004, it emerged that identity thieves posing as clients of the data broker Point of choice had stolen the personal and financial records of more than 145,000 Americans.
These compromises were notable because the consumer information stored by these data brokers can be used to find the answers to so-called knowledge-based authentication (KBA) questions used by companies seeking to validate the financial backgrounds of people requesting new lines of credit.
In that sense, thieves involved in identity theft might be better off targeting data brokers like IDI and their clients than the major credit bureaus, said Nicolas Tisserand, researcher at International Institute of Informatics and speaker at UC Berkeley.
“This means that you have access not only to the consumer’s SSN and other static information, but also everything you need for knowledge-based authentication, because these are the types of companies that provide KBA data.”
The fraud group’s communications reviewed by this author suggest that they mainly cash out through financial instruments such as prepaid cards and a small number of online-only banks that allow consumers to open accounts and transfer money simply by providing a name, date of birth and associated SSN.
While most of these instruments place daily or monthly limits on the amount of money users can deposit and withdraw from accounts, some of the most popular instruments for identity thieves seem to be those that allow spending, sending or withdrawing between $5,000 and $7,000 per transaction, with high limits on the total number or dollar value of transactions allowed in a given time period.
KrebsOnSecurity is investigating the extent to which a small number of these financial instruments may be massively overrepresented in the incidence of unemployment insurance benefit fraud at the state level and in SBA loan fraud at the federal level. Anyone in the financial industry or government agencies with information on these apparent trends can confidentially contact this author at krebsonsecurity @ gmail dot com, or via the encrypted messaging service Wickr at “krebswickr”.
The looting of state unemployment insurance programs by identity thieves has been well documented in recent times, but public attention has focused much less on fraud targeting the Economic Injury Disaster Loan (EIDL) and advance grant programs run by the US Small Business Administration in response to the COVID-19 crisis.
At the end of last month, the Office of the Inspector General of the SBA (OIG) published a scathing report (PDF) saying it has been inundated with complaints from financial institutions reporting suspected fraudulent EIDL transactions, and has so far identified $250 million in loans made to “potentially ineligible recipients.” The OIG said many of the complaints involved credit applications for people who had never applied for a loan or grant for economic harm.
Figures released by the SBA OIG suggest that the financial impact of fraud may be seriously underestimated at this time. For example, the OIG said nearly 3,800 of the 5,000 complaints it received came from just six financial institutions (out of several thousand in the United States). A credit union reportedly told the US Department of Justice that 59 of the 60 SBA deposits it received appeared to be fraudulent.