A website xxxxx.su (think “simple past tense” here) on Monday published credit report details on several celebrities and public figures. These included Kim Kardashian, US Vice President Joe Biden, Hillary Clinton, Michelle Obama, Ashton Kutcher, Donald Trump, Robert Mueller (FBI Director) and Arnold Schwarzenegger. So how did they do this?
Firstly, if reports are correct, Equifax* (a US credit reference agency) was alerted to the fact that Personally Identifiable Information (PII) had been used to access the credit files of various celebrities and public figures. Collecting the PII would start with credit/debit card data: a card dump of the 16-digit number along with full name, expiry date and CVV code can easily be skimmed, but this has to be done in person.
*AnnualCreditReport.com is a joint facility that lets individuals check their credit files with all three agencies: Equifax, Experian and TransUnion. The attackers used this site to obtain the reports, passing its authentication questions with the PII they had gathered rather than breaking in.
So right now I’d guess the ‘hackers’ have been collecting the data from their network of people working in, say, retail for several months. Collecting Social Security Numbers (SSN), dates of birth, phone numbers and addresses (including previous addresses) isn’t that difficult through online research and dumpster diving. Fraudsters will spend considerable time collecting the data to build a profile of their “marks” (“marks” are identity fraud targets).
The authentication process of the credit reference agencies is seriously flawed, given the ease with which the authentication questions can be guessed: they are knowledge-based, and the knowledge they test is the same PII the fraudster has already collected. In addition, in most instances you don’t need a credit or debit card linked to your name to access your credit report.
So what about the xxxxx.su website?
Well, it uses CloudFlare (which I use on this site), which acts as a reverse proxy (see bootnote), so the IP address a visitor sees belongs to CloudFlare and it is difficult to trace the site back to its origin server. CloudFlare is a US company well known to me, but it would not disclose the origin of this website, and it is well known in security circles that Anonymous use its services, as well as the Tor network. According to whois, the .su domain was registered on 2011-10-28 and updated on 2012-03-02, so it has been around for some time. This might give us an idea of how long they have spent collecting the PII before attempting to access the credit reports.
It’s also worth pointing out that no identity fraud has taken place. Stealing someone else’s personal information is ‘identity theft’; it only becomes ‘identity fraud’ when that information is actually used to commit fraud, in most instances financial fraud.
Update 18 March: The .su website mentioned above is now offline.
Safe surfing folks!
Bootnote: A reverse proxy sits in front of the origin server(s) and terminates the visitor’s connection itself, so DNS lookups and connection logs show the proxy’s address rather than the origin’s. This hides the existence and characteristics of the origin server(s) from anyone who only has the hostname.
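As an added illustration of the bootnote (example code, not part of the original post), the script below shows how a practitioner would check whether the address a hostname resolves to is actually the reverse proxy rather than the origin: it tests resolved IPs against a snapshot of Cloudflare’s published IPv4 ranges, and then looks for records for the same domain (an unproxied subdomain or a mail host, for instance) that point somewhere outside those ranges, which is the usual way a proxied site’s origin leaks. The range list is assumed to be current at the time of writing and should be refreshed from cloudflare.com/ips before use; the hostnames and addresses in the sample are constructed and use documentation prefixes, not real data from the .su site.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 anycast ranges (https://www.cloudflare.com/ips/).
# Assumption: frozen at the time of writing; fetch the live list before relying on it.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(cidr) for cidr in CLOUDFLARE_IPV4]


def is_cloudflare(ip: str) -> bool:
    """True if the address falls inside one of the proxy's published ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def classify(records: dict) -> dict:
    """Map each name -> 'proxy' (address is Cloudflare's, origin hidden) or 'direct'.

    `records` is {dns_name: ipv4_string}, i.e. what a resolver returned.
    """
    return {name: ("proxy" if is_cloudflare(ip) else "direct") for name, ip in records.items()}


def origin_candidates(records: dict) -> list:
    """Names under the same domain that resolve outside the proxy's ranges.

    A reverse proxy only hides hosts that are routed through it; a mail server or a
    forgotten subdomain that points straight at the real server gives the origin away.
    """
    return sorted(name for name, ip in records.items() if not is_cloudflare(ip))


# Constructed sample resolution for a proxied domain (placeholder names, RFC 5737 addresses
# for the non-proxy hosts). This is made-up input, not the real .su site's DNS.
SAMPLE_RECORDS = {
    "example.su": "104.16.10.20",        # apex: answers from a Cloudflare edge
    "www.example.su": "172.64.33.9",     # proxied as well
    "mail.example.su": "198.51.100.5",   # MX host pointing straight at the real server
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_RECORDS).items():
        print(f"{name:20} {SAMPLE_RECORDS[name]:16} {verdict}")
    print("possible origin leaks:", origin_candidates(SAMPLE_RECORDS))
```

The proxy verdict only tells you that the visible address is not the origin; it says nothing about where the origin is. The second function is the constructive half of the check: any record for the domain that does not sit inside the proxy’s ranges is worth a closer look, which is also why a site operator who wants the proxy to hide the origin must route every public hostname, mail included, through it.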