Huge Identity-Theft Ring Exposed by Lone Security Researcher

The pranksters who exposed the credit reports and Social Security numbers of dozens of prominent Americans used a hidden identity-theft service that tapped directly into some of the biggest data aggregators in the country, a new report states.

Independent security researcher Brian Krebs revealed on his Krebs on Security blog yesterday (Sept. 25) that the service, known as SSNDOB (Social Security Number Date of Birth) used malware to obtain secret access to the databases of LexisNexis, Dun & Bradstreet and Kroll Background America.

LexisNexis holds legal, print media and public-records information dating back decades; Dun & Bradstreet aggregates business and credit data on companies; Kroll gives corporations background data about prospective hires, including employment and health histories and drug-test results.

Krebs' analysis shows that over two years, SSNDOB had about 1,300 clients who bought personally identifiable information on at least 4 million U.S. residents.

MORE: 7 Ways to Lock Down Your Online Privacy

One group of clients spilled the beans this past March and April by "doxing" Michelle Obama, Mitt Romney, Beyoncé, Jay Z, Paris Hilton, Kanye West, Bill Gates and two dozen other celebrities and public officials. The exposed credit reports seemed to have been obtained from credit agencies by persons using SSNDOB data to pose as the individuals concerned.

A couple of months after the "doxing" incidents, Krebs said, hackers attacked SSNDOB's website, got into its servers and stole its records. Krebs ended up with a copy of the database records.

The service's main website at ssndob.ms has been taken offline, but similar services can be found at ssndob.cc and ssndob.biz.

Krebs said the data provided by SSNDOB cost between 50 cents and $2.50 per individual record for standard Social Security numbers and dates of birth, and between $5 and $15 for background and credit checks.

Armed with that sort of data, an identity thief could build up a trail of false documentation that would let him or her open a bank account, get a drivers' license, apply for a loan or even buy a car using someone else's name.

The malware used to infect the data-aggregators' servers was so good that it remained undetectable by almost every brand of anti-virus software — until a couple of weeks ago.

An FBI spokeswoman told Krebs the bureau was "aware of and investigating this case."

Krebs promises more results from his investigation in the coming days.

Follow Paul Wagenseil at @snd_wagenseil. Follow Tom's Guide at @tomsguide, on Facebook and on Google+.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.