Here at The AntiSocial Engineer Limited we are always keen to identify the things that enable social engineers. The name is more than a play on words: our business is all about throwing spanners into serious organised crime and making it hard for the criminals.
So last week we were simply delighted to be notified of a very useful stash of data. A chap on Twitter, Paul Barton (check him here), was tweeting about a file that was being passed around.
It grabbed our focus because fraudsters love this type of data. They ring you up and address you by name. A few seconds into the call they will use your address to build trust. Phishing emails and SMShing messages are also dependent on these simple datasets.
First of all, our consultant was in there. That made it easy to see that the data could indeed be genuine. The file totalled 1.5 million rows, and we searched it for other UK residents by phone number. The details were scarily accurate.
The data was set out as: Row, Mobile Number, First Name, Last Name, Address Line 1, Address Line 2
We started to search by address and there were several entries of questionable legitimacy: 1348204, 44XXXXXXXXX, Elizabeth Winsor, Buckingham Palace, The Mall, London
Where is it From?
This took about 15 minutes. The data was a scrape of the Locate Family website. It’s common for such data sets to be scraped and then sold off in batches to the relevant markets to be used for social engineering scams. The website is beyond help and no attempt was made to rectify the situation directly with the owners. We informed the ICO, who have stated they have started an initial investigation.
What’s the data used for?
The data is used to make simple scams more believable. We think we tracked down some people using the data and we placed a call to them. In the vishing call we play a victim who has just received a threatening call from HMRC informing them of an urgent criminal matter!
During the call you can hear them searching the data. He is likely checking the last batch of calls they have placed for a Frank. Notice how he doesn’t ask for Frank’s last name? But he knows there was no Frank in the records. Without identifying the caller (the phone was on withheld too) he couldn’t progress with the call. It’s phone calls just like this that use your address and full name to instil fear into victims.
So What About The Victims?
If laws were different, we’d like to send a text message to every one of the potential victims informing them of the likelihood of frauds and warning them in advance – asking them to watch out for communications that use their details to make things more believable. The reality, though, is that this is a minor event in a charging economy of crime. The reports to the ICO, Action Fraud and NCA will go unheard.
The importance isn’t so much in this data set. The importance is in staying secure amongst the hundreds of scams that rely on these data sets every single day.
Learn about SMShing – Introducing SMShing Assessments
Read about a Vishing Scam – Technology Makes Us Safer… Sometimes…
Understand SIM Swap Frauds – Sim Swap Fraud – A Victim’s Perspective
Discover complex phishing – CEO Fraud: Cutting Everything Out