[BreachExchange] Dark Web markets selling babies' Social Security numbers, personal data and mothers' maiden names

Destry Winant destry at riskbasedsecurity.com
Wed Jan 24 20:54:19 EST 2018


Cybercriminals have been found selling the Social Security numbers and
other personal data of babies for hundreds of dollars on the Dark Web.
According to Dark Web intelligence firm Terbium Labs, one listing
spotted on the Dream Market – one of the largest marketplaces on the
dark web – reads: "Infant fullz get em befor tax seson [sic]".

For $312 (£222) worth of Bitcoin, a buyer can purchase an infant's
name, Social Security number, date of birth and mother's maiden name.
The valuable stolen data offers nefarious actors access to a clean
credit history allowing them to apply for credit cards, receive
government benefits, take out mortgages, claim extra tax credits to
maximize their return and more, CNN reports.

"With a maximum child tax credit of $1,000 per child, that is a
potentially significant return on investment, assuming the buyer
successfully files and claims the return," Terbium Labs wrote in a
blog post. "An enterprising buyer can find the remaining details
through open-source data sets or by harvesting the parents' other
online presences like social media accounts."

This malicious behaviour can potentially go unnoticed for years until
the victim is old enough to open their own credit account. Although
the personal data of children has been previously seen for sale in
these marketplaces, researchers said this was the first time they
found infants' data.

"It's unusual to have information specifically marked as belonging to
children or to infants on these markets," Terbium Labs' director of
analysis Emily Wilson told CNN.

Researchers noted the timing of the posting given that tax season in
the US is coming up in April.

"Unlike other forms of fraud, tax fraud is cyclical; there's little
interest in purchasing a W2 or other tax-specific information in
July," researchers said. "Now that tax season approaches, however,
it's likely the volume of tax fraud-specific listings on the dark web
will grow, with more vendors listing products to match demand.

Throughout the year, troves of personal data harvested from data
breaches and leaks are put up for sale on the dark web as full
identity packs or "fullz". These include full names, Social Security
numbers, driver's license numbers and dates of birth among other
personal details.

Tax fraud guides and tutorials were also spotted on the dark web for
as little as $2 in some cases and detail how to file a fraudulent tax
return without being detected. However, many of them are often out of
date or do not include topical information rendering them useless,
they added. Before tax season hits, W2 forms, Employee Identification
Numbers and pay stubs are also available for as little as $35 for
cybercriminals to file fraudulent tax returns.

"The most useful guides may not be publicly advertised at all; rather
than selling to just any buyer, experienced fraudsters tend to keep
the most valuable tips and tricks to themselves, or circulate it among
a small, trusted group," Terbium Labs notes.

"The recent disruption to the tax code and the shake-ups on the dark
web will not stop the tax fraud machine," researchers said. "As
always, fraud finds a way."

More information about the BreachExchange mailing list