A Wolf in Sheep’s Clothing: Hacker Poses as Private Investigator to Access Credit Bureau Data

One of the top three credit bureaus in the country has been unknowingly providing personal data to an underground cybercriminal group since March 2012. Experian, a company that provides credit reports, credit monitoring, and “identity theft protection” to consumers, was found to have been sharing information with the creator of Superget.info, an underground black market website that sells “fullz”—the “full” package of personally identifiable information (PII) on US citizens.

This is particularly concerning as Experian operates such a large and otherwise trusted database of personal information. Experian released a statement to Krebs saying that customer credit files were not accessed in this ordeal; however, data including Social Security numbers and banking information appears to have been shared. This only represents a small portion of the information for sale on Superget.info. Other pieces of PII are an individual’s name, address, date of birth, place of work, duration of work, state driver’s license number, mother’s maiden name, bank account number(s), bank routing number(s), email account(s) and other account passwords—quite the laundry list of data. Cybercriminals have been purchasing these “fullz” from Superget.info in order to steal victims’ identities, take out fraudulent loans, and file false tax refund requests.

Krebs first discovered the underground Superget.info in November of 2011 but couldn’t determine the source of its data—until now. This week, he unraveled the story—exposing a long and winding road leading back to Experian. After learning about the recent hack of data brokerage LexisNexis, one of Krebs’ readers reviewed earlier stories and discovered that the Superget.info data was being imported from a website called USInfoSearch.com. When questioned by Krebs, U.S. Info Search CEO Marc Martin said that the data sold by Superget.info was not obtained directly through his company, but through a third-party company called Court Ventures, with which they have a data sharing agreement. Court Ventures was purchased by Experian in March 2012.

According to Martin, the proprietor of Superget.info (a Vietnamese hacker named Hieu Minh Ngo) was able to get access to the troves of personal data by posing as a U.S.-based private investigator. He has been paying Experian for the data access by sending monthly wire transfers originating from Singapore—something that Martin asserts should have been a red flag, especially to a company in the business of preventing identity theft. Ngo has since been taken into U.S. custody and faces 15 separate criminal charges, including conspiracy to commit identification fraud, aggravated identity theft, and wire fraud. His operations, which included a site called “Findget.me” in addition to Superget.info, provided full data profiles on more than half a million Americans.

It’s still unclear how the Federal Trade Commission and other federal regulators will respond to Experian’s involvement. Their agreement with U.S. Info Search did state that the “information was to be used for fraud prevention and identity verification, and was only to be sold to licensed and credentialed U.S. businesses,” not to someone overseas. Although Experian ceased selling the data once the Secret Service notified them of Ngo’s operation and worked closely with government agents to shut Ngo down, their actions may not be beyond legal repercussion.

One of the biggest takeaways from this fiasco for larger data brokerage firms will be to bolster security surrounding who has access to consumer information. Consumers should also take note—no matter how good a company claims to be at protecting your personal information, it’s important to take precautions to enhance your own security.

  • Limit the personal information you share online. Whether it’s through social networking, personal blogging, or any other means, it’s important to curb the desire to share. It’s one thing to divulge personal stories to a trusted friend via email, but leave out the credit card numbers, addresses, and so on.
  • Be careful who you share your information with… even at a doctor’s office or school. Use your judgment to determine whether the asking party really needs your mother’s maiden name and Social Security number to process your forms correctly. Companies have gotten in the habit of asking for more personal information than they may need—don’t be afraid to ask questions about how your information will be used and what steps will be taken to protect it.
  • Be extra cautious when connecting in public. Whether using a public computer or your personal computer to connect to public Wi-Fi, be conscious of the data you’re accessing. It’s best to leave secure transactions, such as banking or shopping, for your own private network and device.
  • Browse securely. Most browsers will indicate when you are accessing a secure website. Secure websites are often marked with “HTTPS” at the beginning of the URL. They can also be represented by a lock symbol to the left of the URL or at the bottom of the browser window. When any of these symbols are present, you can rest assured that any information you transmit to the site will be encrypted in transit.
  • Double check your credit report. With so many shady services floating around the Internet black market, it’s important to stay on your toes. Check your credit report at least once a year to make sure that nothing looks out of place.
  • Install comprehensive security software. While many browsers indicate when you’re accessing a secure website (as noted above), many fail to alert you when a website is not secure. McAfee LiveSafe™ service provides comprehensive security for PCs, Macs, smartphones, and tablets that warns you before you click on malicious websites.

Gary Davis


