Readers! It's been almost a year, so apologies for not being proactive. I will now try to publish at least once a week.
Recently, I came across a marketplace, or store, called A1 FRAUDSTORE offering multiple sets of compromised/stolen data relating to Australian individuals.
- Drivers Licence/Medicare/Passport Scans – Used heavily for identity takeover
- Bank Logins – self explanatory
- Debit / Credit Card + Fullz – slang for data that usually contains an individual's name, Social Security number (USA), birth date, account numbers, phone, address, email etc.
- Fresh Bank Drops
- Physical Debit
- Homemade Methods & Guides
- Various Login Details (Email/Facebook/etc) – Did not find a section for these
- Australia Post Lockers
- NatWest phishing kit by Kr3pto
The stolen identities are used to create accounts for applying for loans and for generic scams, but mostly to act as drop accounts. Drop accounts are where fraudsters send the proceeds of crime, usually collected via malware or phishing. One of the best-known uses of such drop accounts is by money mules working with Business Email Compromise actors.
These are banking credentials that allow an initial login; however, depending on post-authentication controls, actors may or may not be able to transfer the funds out. Once actors log in, they can obtain significant personal information that can be used for further fraud. At times, if a card is linked, they can perform online transactions without the user's knowledge.
In the screenshot, the actor has advertised 86400.com.au, Westpac and NAB accounts, although he mentions in the details that only Commonwealth logs are available, which the drop-down confirms.
Full package Bank drops
According to the actor, these are custom packs that include account access, the associated card, the identities used, the associated SIM card and an email address. In the advertised screenshot the actor shows cards from
- CUA bank
- ANZ bank
This readily available account information is then used to receive fraudulent funds.
Australia Post lockers
Lockers are used to receive unsolicited and illegal parcels; in many cases individuals use these to obtain drugs.
NatWest Phishing Kit by kr3pto
kr3pto is the alias of a threat actor known to create multiple phishing kits; more can be read at https://www.wmcglobal.com/blog/threat-actor-update-kr3pto
Link > meows://aaa111.company.site
; <<>> DiG 9.10.6 <<>> https://aaa111.company.site
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2136
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;https://aaa111.company.site.	IN	A

;; ANSWER SECTION:
https://aaa111.company.site.	59	IN	A	220.127.116.11
https://aaa111.company.site.	59	IN	A	18.104.22.168

;; Query time: 11 msec
;; SERVER: 22.214.171.124#53(126.96.36.199)
;; WHEN: Sat Feb 27 15:43:16 AEDT 2021
;; MSG SIZE  rcvd: 88
Whois suggests the range is assigned to Amazon, on ASN AS14618 (AMAZON-AES).
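The resolve-then-attribute step above (dig for the A records, whois for the owning range and ASN) is the kind of pivot an analyst repeats for every kit URL, so it is worth scripting. The following is an added example, not code from the original post: it parses the ANSWER SECTION of dig-style output and attributes each address to a range-owner table. The sample output, the `suspect-host.example` name, the RFC 5737 documentation addresses and the `RANGE_OWNERS` CIDR-to-ASN mapping are all constructed placeholders, not the real allocations of Amazon or any other provider.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample of dig output (not the lookup from the post). The answer
# section uses RFC 5737 documentation addresses, so nothing here is a live host.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.10.6 <<>> suspect-host.example
;; Got answer:
;; ANSWER SECTION:
suspect-host.example.   59   IN   A   203.0.113.10
suspect-host.example.   59   IN   A   198.51.100.7
suspect-host.example.   59   IN   CNAME   other.example.

;; Query time: 11 msec
"""

# Hypothetical range-to-owner table, as an analyst would keep from whois
# lookups. Placeholder CIDRs and ASNs only; not any provider's real ranges.
RANGE_OWNERS = {
    "203.0.113.0/24": "AS64496 EXAMPLE-CLOUD-A",
    "198.51.100.0/24": "AS64497 EXAMPLE-CLOUD-B",
}

# name, TTL, class, type (A or AAAA only), address
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA)\s+(\S+)\s*$")


def parse_answer_records(dig_text: str) -> List[Tuple[str, str]]:
    """Return (owner name, address) for each A/AAAA record in the ANSWER SECTION.

    Other record types (CNAME, etc.) and the other dig sections are skipped.
    """
    records = []
    in_answer = False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):           # any other ';;' header ends the section
            in_answer = False
        if not in_answer or not line.strip():
            continue
        m = ANSWER_RE.match(line)
        if m:
            records.append((m.group(1).rstrip("."), m.group(4)))
    return records


def attribute_addresses(addresses, range_owners: Dict[str, str]) -> Dict[str, str]:
    """Map each address to the owner of the first CIDR that contains it."""
    networks = [(ipaddress.ip_network(cidr), owner) for cidr, owner in range_owners.items()]
    result = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        result[addr] = next((owner for net, owner in networks if ip in net), "unattributed")
    return result


def triage(dig_text: str, range_owners: Dict[str, str]) -> Dict[str, str]:
    """Parse dig output and attribute every answer address in one call."""
    return attribute_addresses([addr for _, addr in parse_answer_records(dig_text)], range_owners)


if __name__ == "__main__":
    for addr, owner in triage(SAMPLE_DIG_OUTPUT, RANGE_OWNERS).items():
        print(f"{addr:16} {owner}")
```

Feeding the parser a real dig run (`dig <host> | python3 triage.py` style) and a range table pulled from whois gives the hosting attribution that a takedown request or an abuse report to the provider needs; addresses that come back `unattributed` are the ones still requiring a manual whois.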
Selling such data over marketplaces and messengers is very common; however, a dedicated store suggests increasing demand, together with success in getting hold of compromised data. The return on investment of this data is easily calculated, as certain information can be used multiple times and a single success can yield thousands of dollars.
It is advisable for banks, once these drop accounts are identified, to share them with agencies that can relay the information on to other financial institutions. It is also recommended to perform proper KYC checks at the point an account application is being filled in, whether online, in branch or via postal application. A check against a known blacklist is recommended to reduce the number of such drop accounts. Another option is to enforce multi-factor authentication right at the login page, meaning that a phished username and password alone will be of no use. One might debate the feasibility and usability, but that is the bank's call; I do believe that if an actual survey were done, account holders might pick security over convenience. A new change will always see some friction, but if it is towards improvement the positives will eventually be seen.
Banks can use the above screenshots or monitor the store to identify victims, and should also be able to pivot on how the actor got the data (mostly via phishing, possibly malware), as well as login times and usage, which can then be acted upon.
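The two defensive steps above, screening new applications against a shared list of known-drop indicators and watching logins to accounts that have been identified from the store, can be prototyped in a few dozen lines. This is an added example, not code from the original post or from any bank: it normalises the identity attributes an application carries (email, phone) and hashes them so the indicator list can be exchanged between institutions without circulating raw personal data, then flags logins to identified victim accounts that come from an address the customer has not used before. The `SHARED_DROP_INDICATORS`, `SAMPLE_LOGINS`, account numbers and addresses are all constructed placeholders.

```python
import hashlib
import re
from typing import Dict, Iterable, List, Set


def normalize_email(email: str) -> str:
    """Lower-case, trim, and drop a '+tag' from the local part so trivial
    variations of the same mailbox still match the shared list."""
    local, _, domain = email.strip().lower().partition("@")
    local = local.split("+", 1)[0]
    return f"{local}@{domain}"


def normalize_phone(phone: str, country_code: str = "61") -> str:
    """Keep digits only and express an Australian number in international form
    (a leading 0 is replaced by the country code)."""
    digits = re.sub(r"\D", "", phone)
    if digits.startswith("0"):
        digits = country_code + digits[1:]
    return digits


def fingerprint(kind: str, value: str) -> str:
    """Hash a typed indicator; institutions exchange these hashes, not the raw data."""
    return hashlib.sha256(f"{kind}:{value}".encode()).hexdigest()


# Constructed indicator list, as if relayed by a sharing agency: hashes of
# attributes seen on accounts already confirmed as drops. Placeholder values.
SHARED_DROP_INDICATORS: Set[str] = {
    fingerprint("email", normalize_email("Sample.Drop+promo@example.com")),
    fingerprint("phone", normalize_phone("0412 000 111")),
}


def screen_application(app: Dict[str, str], indicators: Set[str]) -> List[str]:
    """Return the application fields whose normalised, hashed value is on the
    shared list. An empty list means no known-drop indicator matched."""
    checks = {
        "email": normalize_email(app.get("email", "")),
        "phone": normalize_phone(app.get("phone", "")),
    }
    return [field for field, value in checks.items()
            if value and fingerprint(field, value) in indicators]


# Constructed login events; ACC-1001 stands for an account seen advertised on the store.
SAMPLE_LOGINS = [
    {"account": "ACC-1001", "ip": "203.0.113.5", "ts": "2021-02-27T03:12:00"},
    {"account": "ACC-1001", "ip": "198.51.100.9", "ts": "2021-02-27T03:15:00"},
    {"account": "ACC-2002", "ip": "203.0.113.5", "ts": "2021-02-27T09:00:00"},
]


def flag_victim_logins(events: Iterable[Dict[str, str]], victim_accounts: Set[str],
                       usual_ips: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Flag logins to identified victim accounts from an address the customer has
    not used before: candidates to hold for step-up verification and contact."""
    return [ev for ev in events
            if ev["account"] in victim_accounts
            and ev["ip"] not in usual_ips.get(ev["account"], set())]


if __name__ == "__main__":
    print(screen_application({"email": "SAMPLE.DROP@example.com", "phone": "+61 412 000 111"},
                             SHARED_DROP_INDICATORS))
    print(flag_victim_logins(SAMPLE_LOGINS, {"ACC-1001"}, {"ACC-1001": {"203.0.113.5"}}))
```

Normalisation before hashing is the part that matters in practice: the same mailbox written with different capitalisation or a `+tag`, or the same mobile number with and without the country code, would otherwise sail past a list of exact-match hashes. The login check is deliberately narrow (known victim account plus a never-before-seen address); the time-of-day and usage signals the post mentions would be added as further predicates in the same filter.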