Stolen Equifax Consumer Data Could Command More Than 32 Million USD on the Black Market

What happened?

On September 7, Equifax, one of the major credit bureaus that provide consumer credit reports in the US, announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. According to the company's statement, the unauthorized access lasted more than two months, from mid-May until late July of this year. The information stolen includes names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers. The attackers also obtained credit card numbers for about 209,000 consumers and dispute documents containing personal information for about 182,000 consumers.

How valuable is this type of data?

IntSights monitors the outlets where attackers often sell information such as that stolen from Equifax. Credit card numbers and personal identifiers are commonly sold on private chats, black markets, underground forums and even on closed social media groups.

A credit card number alone usually sells for around 8-10 USD, whereas a valid card bundled with the holder's full personal information, including SSN and date of birth, typically sells for about 20 USD. A single record of full identification details (SSN, DOB, phone number and address) without a card sells for around 0.2 USD on average. Even without a card, these details are enough for various kinds of fraud: tax refund scams, applying for credit cards in the victim's name, or opening a mule account (an account used to receive fraudulent transfers from a compromised account).

Below are ads from one of the many vendors offering stolen data on the deep web:

[Screenshots: vendor advertisements for stolen card and identity data]

How valuable is the leaked Equifax data?

The leaked data is said to contain 143 million entries, of which 209,000 contain valid credit card numbers.

Therefore:

142,791,000 entries contain only personal identification details, at 0.2 USD each.
209,000 entries contain a valid card number along with full identification details, at 20 USD each.

(142,791,000 x 0.2) + (209,000 x 20) = 28,558,200 + 4,180,000 = 32,738,200

The value of the entire database, based on its market potential, would therefore be approximately 32.7 million USD. This is an upper bound at current list prices: a dump of this size reaching the market at once would depress prices, and the figure does not count the 182,000 dispute documents, for which no market price is given above.

Who’s behind the leak?

Although its veracity has yet to be confirmed, a hacking duo calling itself 'PastHole Hacking Team' claimed responsibility for the breach and, on a dedicated Tor website, demanded a payment of 600 BTC (around 2.5 million USD at current rates) to the address 17vkHnkXwYaSRiLipEWNWvNqPvC51ZBswy. As of this writing, the address has received only about 45 USD.

[Screenshot: the PastHole Hacking Team ransom page]

The two claim to have obtained far more data than they expected when they chose to target the firm, and they threatened to publish it if the ransom is not paid by September 15. Luke, a blogger at https://rehmann.co/, reports that he emailed the attackers and received the following response:

[Screenshot: the email reply from PastHole]

“We are processing information; it is not a single file, and we must still unite which data correspond to which people.

We are not going to give interviews.

We do not have expectations to collect anything, so on the 15th everything will be published except the credit cards.

09/15 at 4pm UTC

PastHole

Оборудование для взлома” [Russian: "hacking equipment"]

The Russian-language signature suggests that the attackers might be from Russia, although a signature line is weak evidence of origin and is trivial to fake.

How did it happen?

Based on the company's own statement, "Criminals exploited a U.S. website application vulnerability to gain access to certain files." Later reports pointed at Apache Struts, a popular open-source framework for building Java web applications. Several Struts vulnerabilities were disclosed in 2017; the one initially linked to the breach, CVE-2017-9805, was announced on September 5. It is a deserialization flaw in the Struts REST plugin, which used XStream to turn untrusted XML request bodies into Java objects, and it allows an unauthenticated attacker to execute code remotely on an affected server; the vulnerable code had been present since 2008. Equifax subsequently confirmed that the flaw actually exploited was a different Struts vulnerability, CVE-2017-5638, an OGNL injection through the Content-Type header handled by the Jakarta multipart parser. That issue was disclosed and patched in March 2017, roughly two months before the intrusion began, so a current Struts release would have closed it.
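The two checks a defender would run for the Struts issues above are a version check against the fixed releases in the Apache advisories and a scan of request logs for the public exploit indicators. The script below is an added example written for this page, not IntSights code and not taken from the Equifax investigation. The affected version ranges come from the Apache advisories S2-045 (CVE-2017-5638, fixed in 2.3.32 and 2.5.10.1) and S2-052 (CVE-2017-9805, fixed in 2.3.34 and 2.5.13); the request indicators are heuristics for the known payload shapes (an OGNL expression in the Content-Type header, or XStream XML naming a gadget class posted to a REST endpoint); and the sample requests are constructed, with payload bodies truncated to "...".

```python
import re

# Affected version ranges from the Apache Struts advisories S2-045 (CVE-2017-5638)
# and S2-052 (CVE-2017-9805). A version is affected if first_affected <= v < first_fixed.
AFFECTED_RANGES = [
    ("CVE-2017-5638", (2, 3, 5), (2, 3, 32)),
    ("CVE-2017-5638", (2, 5, 0), (2, 5, 10, 1)),
    ("CVE-2017-9805", (2, 1, 2), (2, 3, 34)),
    ("CVE-2017-9805", (2, 5, 0), (2, 5, 13)),
]


def parse_version(version: str) -> tuple:
    """'2.5.10.1' -> (2, 5, 10, 1); tuples compare component-wise, so
    (2, 5, 10) < (2, 5, 10, 1) < (2, 5, 11) as the advisories intend."""
    return tuple(int(part) for part in version.strip().split("."))


def affected_cves(version: str) -> list:
    """Return the CVEs from the table above that affect a struts2-core version."""
    v = parse_version(version)
    return sorted({cve for cve, lo, hi in AFFECTED_RANGES if lo <= v < hi})


# Request-level indicators (heuristics, not a full parser, and an assumption of this
# example): S2-045 exploits place an OGNL expression in the Content-Type header;
# S2-052 exploits post XStream XML to a REST-plugin endpoint that names a gadget class.
OGNL_IN_HEADER = re.compile(r"%\{|\$\{|#_memberAccess|#context", re.IGNORECASE)
XSTREAM_GADGET = re.compile(
    r"ProcessBuilder|NativeString|jdk\.nashorn|java\.lang\.Runtime", re.IGNORECASE
)


def classify_request(req: dict) -> list:
    """Return the CVE indicators matched by one request. The request is a dict with
    method, path, content_type and body, the shape a proxy or WAF log might yield."""
    hits = []
    ctype = req.get("content_type", "")
    if OGNL_IN_HEADER.search(ctype):
        hits.append("CVE-2017-5638")
    if "xml" in ctype.lower() and XSTREAM_GADGET.search(req.get("body", "")):
        hits.append("CVE-2017-9805")
    return hits


def scan(requests) -> list:
    """Return (path, [cves]) for every request that matched at least one indicator."""
    findings = []
    for req in requests:
        hits = classify_request(req)
        if hits:
            findings.append((req["path"], hits))
    return findings


# Constructed sample requests (not real traffic); payloads are truncated to "...".
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/account/login.action",
     "content_type": "", "body": ""},
    {"method": "POST", "path": "/dispute/upload.action",
     "content_type": "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)...}",
     "body": ""},
    {"method": "POST", "path": "/rest/orders/3",
     "content_type": "application/xml",
     "body": "<map><entry><jdk.nashorn.internal.objects.NativeString>...</jdk.nashorn.internal.objects.NativeString></entry></map>"},
    {"method": "POST", "path": "/rest/orders/3",
     "content_type": "application/xml",
     "body": "<order><id>3</id><qty>2</qty></order>"},
]


if __name__ == "__main__":
    for ver in ("2.3.31", "2.5.10.1", "2.5.12", "2.5.13"):
        print(ver, affected_cves(ver) or "not affected by S2-045/S2-052")
    for path, cves in scan(SAMPLE_REQUESTS):
        print(path, "->", ", ".join(cves))
```

Note that 2.5.10.1 closes S2-045 but not S2-052, so a deployment patched in March still needed the September update; the version check reports exactly that. The header regex will also fire on benign requests that happen to contain `${`, so treat a hit as a lead to triage against the server's own access and error logs rather than as proof of compromise.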

What should I do if I think my details have been breached?

Equifax asks that consumers check whether their personal details were compromised by using resources they've made available on their website. The company also offers a free year of credit monitoring by TrustedID.

Another option is to freeze your credit report, which prevents it from being released to lenders with whom you do not already have a relationship, so new accounts cannot be opened in your name without unfreezing it first. Note that freezing or temporarily unfreezing your credit report might require paying a fee.
