Identity Seller Uses Botnet to Steal from Data Brokers

An identity theft service selling Social Security numbers, credit reports and background check reports used a botnet to infect data brokers such as LexisNexis, Dun & Bradstreet and Kroll Background America and steal data from their systems.

An online peddler of Social Security numbers, credit and background check reports, and other information valuable to identity thieves appears to have ascertained this data by compromising the systems of a number of prominent data brokerage firms, according to an investigative report published by security reporter Brian Krebs.

The website is SSNDOB[dot]MS, and Krebs characterizes it as an “identity theft service.” Whoever is responsible for the service, the report claims, compromised and installed botnet malware on the systems of a number of prominent data firms, including two servers at the legal database company LexisNexis, another two servers at Dun & Bradstreet, a New Jersey-based collector of corporate licensure information, and a fifth server belonging to an employment background screening company called Kroll Background America Inc.

The malware-infected servers transmitted data from these systems to a command and control server under the control of SSNDOB’s operators, supplying some amount of the information sold on that site. In early September, Krebs ran the malware samples through VirusTotal, a website that scans malicious files to see which antivirus products will detect them. None of the 46 tools used by VirusTotal detected the threat. At publication, Krebs said that the total had risen to six of 46 tools.

Over the summer, the site was compromised, giving Krebs and others access to the entire database. An examination of that database revealed that the site had some 1,300 customers who spent hundreds of thousands of dollars collecting the SSNs, birth dates, driver’s license records, and the credit and background check information of more than four million U.S. citizens.

The source of all this data remained unknown until a group of hackers apparently associated with the UGNazi hacktivist collective used SSNDOB to accrue data for another website, exposed[dot]su, which publishes various information about celebrities and prominent public figures. Beyonce, Jay Z, First Lady Michelle Obama, CIA Director John Brennan, and former FBI Director Robert Mueller are among the individuals whose information could be found on the site, according to Krebs. The information on this second site highlighted the thoroughness of SSNDOB’s access to sensitive information, but it wasn’t until the site was later compromised that Krebs was able to examine the entire database.

Beyond statistical information, the compromise of SSNDOB gave Krebs the ability to analyze the network activity there, which in turn led him to the botnet fueling the service.

SSNDOB has been running for two years, offering personal information such as SSNs and birth records for between 50 cents and $2.50 and credit background check information for between $5 and $15, according to the report.

Krebs writes that LexisNexis confirmed the compromise, Dun & Bradstreet told Krebs the information he provided was “very helpful,” and Kroll Background America’s parent company, Altegrity, neither confirmed nor denied the compromise. All three companies are coordinating with law enforcement, and the FBI is “aware of and investigating the case.”