The dark side of digitalization. How fraudsters can legally receive data to enrich leaked databases
In November, a service for checking data on phone users via the Fast Payment System (SBP) was reported in the Information Leaks (DarkWeb News) Telegram channel. A list of phone numbers is fed to the service, and the checker returns, for each number, the subscriber's first name and patronymic and the list of banks in which that number is registered in the SBP. This makes it possible to enrich the leaked databases that are published and sold on the black market. The SBP is not the only system through which attackers seek to enrich leaked information, and as more state and business processes are digitalized, there will be more such systems.
Phone as a passport
Today the phone number is very often used as an identifier of a person, since the operator can give law enforcement agencies full information about the number's owner. The numbering system, however, was never designed for that use. There are not that many numbers: a single numbering zone holds at most 10 million of them (seven digits after the zone code), which makes enumerating almost all of them feasible with today's technology.
In fact, no personal data leak is even needed: it is enough to call each number and see whether anyone answers; if someone does, the number is in use. The "live" numbers are then run through the checker described above, and the scammers have a database of phone numbers with first names and patronymics, bank names and other details useful for building a legend for social engineering. No additional leak is required.
"A lot depends on the implementation, but in any case such services are a gift to hackers and information hunters," Andrei Masalovich, president of Inforus, explained to TAdviser. "If such requests can also be made without authentication and without a limit on their number, this will inevitably lead to the appearance of script 'vacuum cleaners' that steal user data in whole arrays, thousands and tens of thousands at a time."
Moreover, the phone number is already effectively established as one of the possible identifiers of a person. Law No. 406-FZ, adopted at the end of June this year, amends law No. 149-FZ "On Information, Information Technologies and Information Protection" so that the owner's phone number becomes one of the permitted ways of authorizing users on services. A one-time code sent by SMS is assumed to prove that the user controls the number, but for an attacker to impersonate someone else it is enough to gain access to the victim's phone for a while.
Cost optimization
Personal data fraud has already become a full-fledged industry in which attackers divide roles, automate the extraction of money from the population and even optimize costs. In particular, data obtained from various leaks is first checked for validity so that no resources are wasted on fraud schemes that are doomed from the start. Verifying phone numbers, passport details and addresses is therefore an important part of how fraudsters work with information.
Having obtained passport details from a leaked database, they must check that the details are valid before using them in a criminal scheme. Services for such checks exist: the Ministry of Digital Development recently announced that the passport details of Russian citizens can be checked via the Public Services (Gosuslugi) portal, which queries the database of the Ministry of Internal Affairs. In principle, the owners of an illegal database can use it to streamline their work, but it is far less dangerous than the SBP checker.
"Nothing new has appeared," said Ashot Hovhannisyan, author of the Information Leaks Telegram channel and founder of the DLBI data leak intelligence service, in a conversation with TAdviser. "Everyone has always used https://service.nalog.ru/inn.do to check passports."
Such services, "useful" to scammers, are not rare. In early November, SberKorus opened a service for checking individuals that is connected to seven official state sources: the Ministry of Internal Affairs, Rosfinmonitoring, the EFRSB (the Unified Federal Register of Bankruptcy Information), the FNP (Federal Notary Chamber), the FTS (Federal Tax Service), the FSSP (Federal Bailiff Service) and the traffic police. To use it, however, you must register a company or work in the HR department of an existing one. In addition, the number of requests is limited: even the most expensive package allows checking up to 30 people per month.
This service therefore meets the Masalovich criterion: it requires authentication and limits the number of requests, unlike the SBP checker, which requires authorization but does not limit the number of requests. Still, access to many official databases can make such a service useful to scammers.
"Naturally, like any other legal tool, such services can be used by cybercriminals for their own purposes, but it should be borne in mind that the services themselves do not disclose any confidential information about the person whose data is being verified," said Alexander Vurasko, an expert at Solar AURA, the Solar Group center for monitoring external digital threats. "Checking the validity of a document does not by itself pose a threat to its owner. Nor is the information that the owner of a phone number has accounts in a particular bank an immediate threat."
Such services have in fact existed for a long time and were intended precisely to improve security in transactions and similar operations. Knowing that a particular person's passport is valid (provided the requester already has the passport details) is not a threat in itself, although it does streamline the "business processes" of cybercriminals. When designing such services, the balance between benefit and harm has to be maintained.
Intelligence from legal services
Obtaining valuable information from legal, publicly available services is now called open-source intelligence (OSINT), and as government and business activity is digitalized, there will only be more material for it. Digital passports, electronic invoices and insurance policies all require real-time verification and can legally yield information useful to fraudsters. When designing such verification services it is important to authenticate users, limit the number of requests per user, and log and monitor suspicious activity so that abuse can be investigated later.
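As an added illustration of the three controls called for here (authentication, a per-client request limit, and logging of suspicious activity), and of the "vacuum cleaner" script that walks a numbering zone described earlier, the following is example code written for this page. It is not code from the SBP, any bank, or TAdviser's sources; the quota, thresholds, client names and phone numbers are assumptions made for illustration.

```python
"""Abuse controls for a phone-number lookup API: authentication, a per-client
quota and a simple enumeration detector, exercised against constructed traffic.

Added example for this page only. It is not code from the SBP, any bank, or
TAdviser's sources; the quota, thresholds, client names and phone numbers
below are assumptions made for illustration."""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass, field

DAILY_QUOTA = 200         # assumed per-client daily request cap
WINDOW = 50               # recent lookups kept per client
MIN_SAMPLE = 20           # judge enumeration only after this many lookups
MAX_ADJACENT_RATIO = 0.6  # share of consecutive lookups that differ by <= 1


@dataclass
class ClientState:
    used_today: int = 0
    recent: deque = field(default_factory=lambda: deque(maxlen=WINDOW))
    flagged: bool = False


def adjacent_ratio(numbers):
    """Fraction of consecutive lookups that hit neighbouring numbers.
    A script walking a numbering zone scores close to 1.0; a call centre
    looking up its own customers scores close to 0."""
    nums = list(numbers)
    if len(nums) < 2:
        return 0.0
    adjacent = sum(1 for a, b in zip(nums, nums[1:]) if abs(b - a) <= 1)
    return adjacent / (len(nums) - 1)


class LookupGateway:
    """Front door for the (not implemented here) name/bank enrichment."""

    def __init__(self, api_keys):
        self.api_keys = set(api_keys)
        self.clients = defaultdict(ClientState)
        self.audit_log = []  # every decision, so abuse can be investigated later

    def _decide(self, api_key, phone, allowed, reason):
        self.audit_log.append((api_key, phone, allowed, reason))
        return allowed, reason

    def lookup(self, api_key, phone):
        """Return (allowed, reason); enrichment would run only when allowed."""
        if api_key not in self.api_keys:
            return self._decide(api_key, phone, False, "unauthenticated")
        st = self.clients[api_key]
        if st.flagged:
            return self._decide(api_key, phone, False, "client_flagged")
        if st.used_today >= DAILY_QUOTA:
            return self._decide(api_key, phone, False, "quota_exceeded")
        st.used_today += 1
        st.recent.append(int("".join(c for c in phone if c.isdigit())))
        if len(st.recent) >= MIN_SAMPLE and adjacent_ratio(st.recent) > MAX_ADJACENT_RATIO:
            st.flagged = True  # stays blocked until a human reviews the client
            return self._decide(api_key, phone, False, "enumeration_suspected")
        return self._decide(api_key, phone, True, "ok")


def run_simulation():
    """Constructed traffic in the hypothetical +7 999 range: a bank checking
    scattered customer numbers, a 'vacuum cleaner' walking the zone one number
    at a time, a heavy but non-sequential client, and an unauthenticated caller.
    Returns (decision counts per client, the gateway with its audit log)."""
    gw = LookupGateway({"bank-a", "scraper", "bulk-client"})
    traffic = [
        ("bank-a", [f"+7999{1234 + i * 7919:07d}" for i in range(30)]),
        ("scraper", [f"+7999{1000000 + i:07d}" for i in range(300)]),
        ("bulk-client", [f"+7999{5000000 + i * 1009:07d}" for i in range(250)]),
        ("nobody", ["+79990000001", "+79990000002", "+79990000003"]),
    ]
    counts = {}
    for api_key, numbers in traffic:
        c = Counter()
        for phone in numbers:
            _, reason = gw.lookup(api_key, phone)
            c[reason] += 1
        counts[api_key] = c
    return counts, gw


if __name__ == "__main__":
    results, gateway = run_simulation()
    for client, c in results.items():
        print(f"{client:12s} {dict(c)}")
    print(f"{len(gateway.audit_log)} decisions logged")
```

In this run the sequential walker gets 19 answers before the twentieth lookup trips the enumeration heuristic and the client is blocked, the heavy but non-sequential client is cut off at its 200-request quota, and the caller without a key gets nothing. The adjacency heuristic is deliberately crude: a scraper that randomizes its order within the zone would evade it, so in production it would be combined with per-client volume baselines and review of the audit log rather than used alone.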
At the same time, the phone number is hard to protect from abuse. Telephony is built on technologies designed without security requirements, which now complicates both the search for telephone "terrorists" (hoax callers) and the investigation of international incidents, since the handling of phone numbers still has to follow international standards. As a result, telephony has become an important component of fraud: users trust it, yet it remains fairly anonymous.
Some people already simply do not answer calls from unknown numbers, and to reach a specific person you first have to warn them through an alternative channel. Trust in the telephone network is gradually being destroyed because it lacks modern security mechanisms.