The pranksters who exposed the credit reports and Social Security numbers of dozens of prominent Americans used a hidden identity-theft service that tapped directly into some of the biggest data aggregators in the country, a new report states.
Independent security researcher Brian Krebs revealed on his Krebs on Security blog yesterday (Sept. 25) that the service, known as SSNDOB (Social Security Number Date of Birth) used malware to obtain secret access to the databases of LexisNexis, Dun & Bradstreet and Kroll Background America.
LexisNexis holds legal, print media and public-records information dating back decades; Dun & Bradstreet aggregates business and credit data on companies; Kroll gives corporations background data about prospective hires, including employment and health histories and drug-test results.
Krebs' analysis shows that over two years, SSNDOB had about 1,300 clients who bought personally identifiable information on at least 4 million U.S. residents.
One group of clients spilled the beans this past March and April by "doxing" Michelle Obama, Mitt Romney, Beyoncé, Jay Z, Paris Hilton, Kanye West, Bill Gates and two dozen other celebrities and public officials. The exposed credit reports seemed to have been obtained from credit agencies by persons using SSNDOB data to pose as the individuals concerned.
A couple of months after the "doxing" incidents, Krebs said, hackers attacked SSNDOB's website, got into its servers and stole its records. Krebs ended up with a copy of the database records.
The service's main website at ssndob.ms has been taken offline, but similar services can be found at ssndob.cc and ssndob.biz.
Krebs said the data provided by SSNDOB cost between 50 cents and $2.50 per individual record for standard Social Security numbers and dates of birth, and between $5 and $15 for background and credit checks.
Armed with that sort of data, an identity thief could build up a trail of false documentation that would let him or her open a bank account, get a drivers' license, apply for a loan or even buy a car using someone else's name.
The malware used to infect the data-aggregators' servers was so good that it remained undetectable by almost every brand of anti-virus software — until a couple of weeks ago.
An FBI spokeswoman told Krebs the bureau was "aware of and investigating this case."
Krebs promises more results from his investigation in the coming days.