One of the cybercrime underground’s more active sellers of Social Security numbers, background, and credit reports has been pulling data from hacked accounts at the US consumer data broker USinfoSearch.
Since at least February 2023, a service advertised on Telegram called USiSLookups has operated an automated bot that allows anyone to look up the SSN or background report on virtually any American. For prices ranging from $8 to $40 and payable via virtual currency, the bot will automatically return detailed consumer background reports in just a few moments.
USiSLookups is the project of a cybercriminal who uses the nicknames JackieChan/USInfoSearch, and the Telegram channel for this service features a small number of sample background reports, including that of President Joe Biden and podcaster Joe Rogan. The data in those reports includes the subject’s date of birth, address, previous addresses, previous phone numbers and employers, known relatives and associates, and driver’s license information.[1]
JackieChan’s service abuses the name and trademarks of Columbus, OH-based data broker USinfoSearch, whose website says it provides “identity and background information to assist with risk management, fraud prevention, identity and age verification, skip tracing, and more.”
“We specialize in non-FCRA data from numerous proprietary sources to deliver the information you need, when you need it,” the company’s website explains. “Our services include API-based access for those integrating data into their product or application, as well as bulk and batch processing of records to suit every client.”
As luck would have it, it was also listed on the Telegram channel for this identity fraud service, presumably as a teaser for would-be customers. On 19 October 2023, KrebsOnSecurity shared a copy of this file with the real USinfoSearch, along with a request for information about the provenance of the data.
USinfoSearch said it would investigate the report, which appears to have been obtained on or before 30 June 2023. On 9 November 2023, the general manager of USinfoSearch shared a written statement about their investigation that suggested the ID theft service was trying to pass off someone else’s consumer data as coming from USinfoSearch:
Regarding the Telegram incident, we understand the importance of protecting sensitive information and upholding the trust of our users is our top priority. Any allegation that we have provided data to criminals directly opposes our fundamental principles and the protective measures we have established and continually monitor to prevent any unauthorized disclosure. Because Martin Data is known for high-quality data, thieves may steal data from other sources and disguise it as ours. While we implement appropriate safeguards to guarantee that our data is only accessible by those legally permitted, unauthorized parties will continue to try to access our data. Thankfully, the requirements to pass our credentialing process are challenging, even for established, honest companies.
USinfoSearch’s statement did not address any questions put to the company, such as whether it requires multi-factor authentication for customer accounts or whether my report had come from USinfoSearch’s systems.
After much badgering, on 21 November, USinfoSearch acknowledged that their identity fraud service on Telegram was pulling data from an account belonging to a vetted USinfoSearch client. “I do know 100% that my company did not give access to the group who created the bots, but they did gain access to a client,” it said of the Telegram-based identity fraud service. “I apologize for any inconvenience this has caused.”
USinfoSearch heavily vets any new potential clients, and all users must undergo a background check and provide certain documents. Even so, he said, several fraudsters present themselves as credible business owners or C-level executives each month during the credentialing process, completing the application and providing the necessary documentation to open a new account. “The level of skill and craftsmanship demonstrated in creating these supporting documents is incredible,” the company said. “The numerous licenses provided appear to be replicas of the original document. Fortunately, I’ve discovered several methods of verification that do not rely solely on those documents to catch the fraudsters.”
“These people are unrelenting, and they act without regard for the consequences,” it continued. “After I deny their access, they will contact us again within the week using the same credentials. In the past, I’ve notified the individual whose identity is being used fraudulently and the local police. Both are hesitant to act because nothing can be done to the offender if they are not apprehended. That is where most attention is needed.”
SIM SWAPPER’S DELIGHT - JackieChan is most active on Telegram channels focused on “SIM swapping,” which involves bribing or tricking mobile phone company employees into redirecting a target’s phone number to a device the attackers control. SIM swapping allows crooks to temporarily intercept the target’s text messages and phone calls, including any links or one-time codes for authentication that are delivered via SMS.
Reached on Telegram, JackieChan said most of his clients hail from the criminal SIM swapping world and that the bulk of his customers use his service via an application programming interface (API) that allows customers to integrate the lookup service with other web-based services, databases, or applications. “Sim channels is where I get most of my customers,” JackieChan told KrebsOnSecurity. “I’m averaging around 100 lookups per day on the [Telegram] bot and around 400 per day on the API.”
JackieChan claims his USinfoSearch bot on Telegram abuses stolen credentials needed to access an API used by the real USinfoSearch and that his service was powered by USinfoSearch account credentials that were stolen by malicious software tied to a botnet that he claims to have operated for some time.
This is not the first time USinfoSearch has had trouble with identity thieves masquerading as legitimate customers. In 2013, Krebs broke the news that an identity fraud service in the underground called “SuperGet[.]info” was reselling access to personal and financial data on more than 200 million Americans that was obtained via the big three credit bureau Experian.
The consumer data resold by Superget was not obtained directly from Experian but rather via USinfoSearch. At the time, USinfoSearch had a contractual agreement with a California company named Court Ventures, whereby customers of Court Ventures had access to the USinfoSearch data and vice versa.
When Court Ventures was purchased by Experian in 2012, the proprietor of SuperGet, a Vietnamese hacker named Hieu Minh Ngo, who had impersonated an American private investigator, was grandfathered in as a client. The US Secret Service agent who oversaw Ngo’s capture, extradition, prosecution, and rehabilitation said he’s unaware of any other cybercriminal who has caused more material financial harm to more Americans than Ngo.
REAL POLICE, FAKE EDRS - JackieChan also sells access to hacked email accounts belonging to law enforcement personnel in the United States and abroad. Hacked police department emails can be useful for ID thieves trying to pose as law enforcement officials who wish to purchase consumer data from platforms like USinfoSearch. Hence, the info company’s ongoing battle with fraudsters seeking access to his company’s service.
These police credentials are mainly marketed to criminals seeking fraudulent “Emergency Data Requests,” wherein crooks use compromised government and police department email accounts to rapidly obtain customer account data from mobile providers, ISPs, and social media companies.
Typically, these companies require law enforcement officials to supply a subpoena before turning over customer or user records. But EDRs allow police to bypass that process by attesting that the information sought is related to an urgent matter of life and death, such as an impending suicide or terrorist attack.
In response to an alarming increase in the volume of fraudulent EDRs, many service providers have chosen to require all EDRs be processed through a service called Kodex, which seeks to filter EDRs based on the reputation of the law enforcement entity requesting the information and other attributes of the requestor.
For example, if you want to send an EDR to Coinbase or Twilio, you’ll first need to have valid law enforcement credentials and create an account at the Kodex online portal at these companies. However, Kodex may still throttle or block any requests from any accounts if they set off certain red flags.
Within their own separate Kodex portals, Twilio can’t see requests submitted to Coinbase or vice versa. But each can see if a law enforcement entity or individual tied to one of their own requests has ever submitted a request to a different Kodex client and then drill down further into other data about the submitter, such as Internet address(es) used, and the age of the requestor’s email address.
In August, JackieChan was advertising a working Kodex account for sale on the cybercrime channels, including redacted screenshots of the Kodex account dashboard as proof of access.
Kodex told Krebs his company immediately detected that the law enforcement email address used to create the Kodex account pictured in JackieChan’s AD was likely stolen from a police officer in India. They said one big tipoff was that the person creating the account used an Internet address in Brazil. “There’s a lot of friction we can put in the way for illegitimate actors,” Kode said. “We don’t let people use VPNs. In this case, we let them in to honeypot them, and that’s how they got that screenshot. But nothing was allowed to be transmitted out from that account.”
Massive amounts of data about you and your personal history are available from USinfoSearch and dozens of other data brokers that acquire and sell “non-FCRA” data, i.e.: consumer data that cannot be used to determine one’s eligibility for credit, insurance, or employment.
Anyone who works in or adjacent to law enforcement is eligible to apply for access to these data brokers, which often market themselves to police departments and to “skip tracers,” essentially bounty hunters hired to locate others in real life, often on behalf of debt collectors, process servers or a bail bondsman.
There are thousands of police jurisdictions worldwide, including roughly 18,000 in the United States alone. And the harsh reality is that all it takes for hackers to apply for access to data brokers (and abuse the EDR process) is illicit access to a single police email account. The trouble is that compromised credentials to law enforcement email accounts show up for sale with alarming frequency on the Telegram channels where JackieChan and their many clients reside. Indeed, Kodex so far this year has identified attempted fake EDRs coming from compromised email accounts for police departments in India, Italy, Thailand, and Turkey.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5993554863383553632
[1] https://krebsonsecurity.com/2023/11/id-theft-service-resold-access-to-usinfosearch-data/#more-65422
Comments