The War for Information

The front line in the fight against identity theft and fraud is, first and foremost, the fight over information. Today I want to touch on where the information comes from in the first place and how PII is acquired through dark-web markets and their alternatives.

The current threat landscape sees exposure from every direction: insider threats, data leaks, cyberattacks, and more. Most recently we have encountered a significant number of insider threats: people working at banks and stealing customer information (account numbers, passwords, security questions, balances, etc.), people holding counterfeit accounts with data brokers (TransUnion, LexisNexis, etc.), and even people working at government institutions with access to “secure” databases. The one positive to an insider threat is that it leaves a fairly obvious trail, which makes building a case against the insider straightforward, provided you have the cooperation of the company or organization. The big drawback is the legwork required to connect the victims to one another. That is where law enforcement often falls short, both in its ability to commit resources to investigating scammers in depth and in communication between agencies.

Another struggle of the modern world is the sheer number of companies that require personal information just to create a login, the data-collection policies of those companies, and the failure of consumers to recognize that those companies will sell their information on to third parties (data brokers, advertisers, and more).

Given the free flow of information online and the ever-increasing ease with which an online identity can be concealed, we have found that the marketplace for stolen PII and complete identity packages has become a booming industry for those involved.

Telegram has become, as far as we have seen on the ground with scammers, by far the most popular dark-web alternative. EVERY SINGLE SCAMMER we have come across has Telegram and uses it to buy stolen data, buy fake IDs, and communicate and orchestrate fraud. Most scammers refer to it as “Telle” or “Telly.”

For those of you who don’t know Telegram, it is a messaging and social platform. Despite its reputation, it is not end-to-end encrypted by default: only its one-to-one “secret chats” are, and the groups and channels where this trading takes place are encrypted only between the client and Telegram’s servers. What it does offer is scale and pseudonymity. You can join large groups and channels, create a username, and hide your phone number from other users.

There are hundreds, if not thousands, of groups on Telegram offering “services,” some more pernicious than others. For example, many accounts with “grub” in their name sell stolen checks in bundles. Other accounts with “TLO,” “panda,” or “lookup” in their name sell queries against data-broker databases such as TLO (for a price), and those accounts are automated: a script takes the request, runs the lookup, and returns the result.

It should come as no surprise that the primary method of payment in these groups is Bitcoin and other cryptocurrencies. What I have come to learn is that investigating these illicit data brokers is often a fruitless endeavor: an immense amount of time invested, with results that point only to proxy servers, VPNs, and Bitcoin wallets that cannot be attributed to a person.
</gra_replace>
<gr_replace lines="19" cat="clarify" orig="Companies must">
Companies must address the insider-threat problem by auditing their users’ access regularly and checking for anomalous usage and queries. Consumers must recognize that, while their data cannot be scrubbed completely from the internet, they can still be responsible and deliberate about who they hand their information to.

Companies must address the vast insider threat issue, auditing its users regularly to check for anomalous usage/queries. Consumers must recognize that while their data can’t be scrubbed completely from the internet, to be responsible and conscious of who they freely give over their information to.
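One way a bank or data broker could put that audit into practice, offered here as an added example rather than anything from the original post: the script below runs over a constructed customer-lookup audit log and flags employees whose query pattern stands out from their peers, then lists the records a flagged employee touched, which is exactly the victim list that the insider cases above leave behind. The log format, column names, business hours and thresholds are all assumptions made for illustration.

```python
"""
Auditing customer-record lookup logs for insider-threat signals.

Added example, not code from the original post. The log format, field
names, business hours and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample audit log (CSV): timestamp, employee, action,
# customer record queried, and the service ticket justifying the lookup.
# An empty ticket column means the record was pulled with no open case.
SAMPLE_LOG = """\
2024-03-04T09:12:05,emp101,VIEW_ACCOUNT,cust0001,TKT-5501
2024-03-04T09:40:11,emp101,VIEW_ACCOUNT,cust0002,TKT-5502
2024-03-04T13:05:44,emp101,VIEW_ACCOUNT,cust0003,TKT-5503
2024-03-04T10:02:19,emp102,VIEW_ACCOUNT,cust0004,TKT-5504
2024-03-04T11:15:32,emp102,VIEW_ACCOUNT,cust0005,TKT-5505
2024-03-04T14:48:07,emp102,VIEW_ACCOUNT,cust0006,TKT-5506
2024-03-04T15:30:50,emp102,VIEW_ACCOUNT,cust0004,TKT-5504
2024-03-04T22:03:12,emp103,VIEW_ACCOUNT,cust0101,
2024-03-04T22:03:45,emp103,VIEW_ACCOUNT,cust0102,
2024-03-04T22:04:10,emp103,VIEW_ACCOUNT,cust0103,
2024-03-04T22:04:38,emp103,VIEW_ACCOUNT,cust0104,
2024-03-04T22:05:02,emp103,VIEW_ACCOUNT,cust0105,
2024-03-04T22:05:29,emp103,VIEW_ACCOUNT,cust0106,
2024-03-04T22:05:57,emp103,VIEW_ACCOUNT,cust0107,
2024-03-04T22:06:21,emp103,VIEW_ACCOUNT,cust0108,
2024-03-04T22:06:50,emp103,VIEW_ACCOUNT,cust0109,
2024-03-04T22:07:14,emp103,VIEW_ACCOUNT,cust0110,
2024-03-04T22:07:43,emp103,VIEW_ACCOUNT,cust0111,
2024-03-04T22:08:09,emp103,VIEW_ACCOUNT,cust0112,
2024-03-04T22:08:36,emp103,VIEW_ACCOUNT,cust0113,
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 counts as in-hours (assumption)


def parse_log(text):
    """Parse CSV audit lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, action, customer, ticket = line.split(",")
        events.append({
            "time": datetime.fromisoformat(ts),
            "employee": employee,
            "action": action,
            "customer": customer,
            "ticket": ticket,  # "" when no justifying ticket was recorded
        })
    return events


def records_touched(events, employee):
    """Distinct customer records one employee looked up: the potential victim list."""
    return sorted({e["customer"] for e in events if e["employee"] == employee})


def flag_anomalies(events, volume_factor=3.0, min_volume=5):
    """
    Return {employee: [reasons]} for employees whose lookups look anomalous.

    Three signals (each an assumption about what 'anomalous' means here):
      - distinct records queried exceeds volume_factor * the peer median,
        and is at least min_volume so a tiny team does not flag itself;
      - lookups outside BUSINESS_HOURS;
      - lookups with no justifying ticket.
    """
    per_emp = defaultdict(list)
    for e in events:
        per_emp[e["employee"]].append(e)

    distinct = {emp: len({e["customer"] for e in evs}) for emp, evs in per_emp.items()}
    flagged = {}
    for emp, evs in per_emp.items():
        reasons = []
        peers = [n for other, n in distinct.items() if other != emp]
        if peers and distinct[emp] >= min_volume and distinct[emp] > volume_factor * median(peers):
            reasons.append(f"high_volume: {distinct[emp]} distinct records vs peer median {median(peers):g}")
        off_hours = sum(1 for e in evs if e["time"].hour not in BUSINESS_HOURS)
        if off_hours:
            reasons.append(f"off_hours_lookups: {off_hours}")
        no_ticket = sum(1 for e in evs if not e["ticket"])
        if no_ticket:
            reasons.append(f"lookups_without_ticket: {no_ticket}")
        if reasons:
            flagged[emp] = reasons
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for emp, reasons in flag_anomalies(events).items():
        print(emp, reasons)
        print("  records touched:", records_touched(events, emp))
```

On the sample, emp103 is flagged on all three signals (13 distinct records against a peer median of 3, all after hours, none tied to a ticket) while emp101 and emp102 are not. The caveat a practitioner would add: an insider who opens a plausible ticket for each pull and works normal hours defeats the second and third checks, so the volume comparison and a periodic human review of who is looking up whom remain the backbone of the audit, and the thresholds need tuning to the actual workload of each role.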
