Wolves of the Internet: Where do fraudsters hunt for data online?

Wolves of the Internet: Where do fraudsters hunt for data online? 19 June 2018

Collaborative research that provides insight into what personal information is available on the Internet and explores some of the methods used to obtain it.

The report aims to:
- Explore what personal information is available online
- Show the methods that can be used to obtain personal information
- Demonstrate how the collation of personal information can be used in impersonation

What did we do?

Sampling:
- 81,470 records sent to Forensic Pathways
- Bulk search was carried out using API
- 30,000 selected from records with a ‘hit’ which provided a 90% confidence level
- 8,646 individuals identified (29% match rate)
- Sample of 240 emails selected from both those found on surface web and those not found to check for data breach

Overall, there was a 35% match rate to individuals where we had name, date of birth and both telephone and email. There was a 22% match rate to individuals with a name, date of birth and only a telephone number. Both these results had a 90% confidence match with them as to identification of the individual, therefore a sample of 30,000 individuals was selected from these two sets of individuals. FP also had a 15% match rate with name, date of birth and neither telephone nor email, but this only had a 30% confidence level.

FP then identified 8,646 individuals from the two sets of individuals – a 29% match. These individuals were also searched on the dark web, using a web crawler FP had designed, to identify whether any victims of impersonation appear on the dark web. It was agreed that we would not fund criminal activity by purchasing any data sets, therefore the findings were limited.

A random sample was then taken from those who were identified on social media and those who were not, to identify whether their email account had been released via any breaches, using the haveibeenpwned site.

Findings

Where is personal data sold?
- On the dark web, 10,000 posts were found in relation to ‘Fullz’.
- FP identified 21,000 live sites on the Tor network in May 2018.
- Various online shops and forums on the surface web also sell personal data.
- For one forum designed for telecom advice, 454 of the 465 posts made in April 2018 were in relation to selling personal data.
- Personal data sold on the surface web is cheaper than that sold on the dark web.
- From 80 ‘Fullz’ profiles found, 13% related to victims of impersonation.
- 90% were posted prior to the victim being filed onto the Cifas database.
- 80% of profiles had mother’s maiden name, 60% had passwords to emails.
- Mostly used for personal credit card applications and personal current accounts.
- One individual had their details used 22 times.

How data from a ‘Fullz’ profile has been used

This chart shows how an individual’s details from a Fullz profile can be used. Victim 1 had his details filed on a forum and his details were used in 22 fraudulent applications over a span of two years. The details had been posted 41 times on forums since 2016 and there were at least 271 URLs that linked back to the data held within that profile. What this chart demonstrates is that there are potentially two different individuals using the details for fraudulent applications, as well as targeting the details of other innocent parties to obtain services or products that they would not otherwise have been entitled to.

Impersonation and social media
- Females under 21 were more likely to be found than males. From the age of 31, more men could be commonly identified.
- 69% of individuals were found on Facebook and 38% were found on both Facebook and LinkedIn.
- Younger victims had a higher presence on social media, including recruitment sites.
- Older victims were more likely to be found on phone directory sites or contact information directory sites for individuals and businesses.
- Victims aged under 21 were more likely to have their details used for mobile phone contracts, mail order, store cards and pay day loans.
- Victims aged over 61 were more likely to have their details used for credit cards and personal current accounts.
- Some of the websites are old social media sites.

Company directors
- 13% of those with an occupation listed were company directors.
- 96% of these were found on Companies House.
- 76% had their home address listed as their correspondence address – a large number listed for dissolved directorships.
- The majority had a Facebook footprint (61%); 31% had a presence on LinkedIn. Of note, a number also had a company page on Facebook.

Facebook offers an API to harvest public data posted on Facebook. LinkedIn also produces a wealth of information about an individual, from their employment history and educational history, to their interests and skills.

The Companies (Disclosure of Address)(Amendments) Regulation 2018 states that you can apply to have your home address removed, providing you can supply an alternative correspondence address, for £55. However, you cannot remove your home address if it is your company’s registered address.

The dilemma comes where an individual needs to promote themselves for commercial reasons – their digital footprint may be higher than that of a lot of other victims of impersonation. The issue is how information can be pieced together, not only from social media sites in terms of what the individual has released about themselves, but also from what is publicly available. Is this a risk worth taking in the name of self-promotion?

Data Breaches
- 68% of those found on social media could be found within a data breach, compared to 54% of those who could not be found on social media.
- Those aged over 61 years old were more likely to be part of multiple data breaches compared to their younger counterparts.

Over recent years, there have been a number of high profile data breaches where organisations have lost large amounts of personal data. For instance, the most recent Carphone Warehouse breach, the LinkedIn data breach in 2016 and, in August 2017, one breach which exposed 711 unique email addresses and passwords.

Conclusions

- 65% of individuals could be found on social media or through a data breach.
- For the 35% that could not be found, their details may have been breached through a phishing attack.
- Personal data is also sold on the surface web, not just the dark web. Forums play a pivotal role in this.
- Personal data can be obtained not only through social media platforms, but also pieced together with publicly available data.
- APIs are an accessible way to obtain personal information in bulk.

Recommendations

Recommendation for consumers
Old profiles on social network sites that are no longer used should be deactivated and deleted.

Recommendation for consumers AND organisations
The monitoring and administration of forums should be enforced to ensure old forums are removed and there are sufficient channels to report abuse.

Recommendation for discussion
Consideration to be given to the balance between transparency and proportionality of publicly available data.

Questions?