Information Leak: Posted, Discovered & Misused! How easy for Criminals to get your data?

Rakesh Krishnan
Published in InfoSec Write-ups
9 min read · Jun 23, 2022

NOTE: This article explains how easy it is to accumulate Personal Data, which is then allegedly used for offensive purposes by Cybercriminals via the Surface/Deep/Dark Web. This article is intended for EDUCATIONAL PURPOSES only.

Getting hold of Personal Data (which is meant to be kept strictly private) in this Digitized world is a walk in the park nowadays, as much of it gets exposed (un)intentionally in various instances.

As plenty of data is exposed in various instances, misusing it is a doddle for anyone who holds it.

Criminals use OSINT for Data Collection | Source: peakpx.com

Often, the exposed information (which includes Shopping Habits, Diet Plans, Travel Interests, Dating Preferences, Health Information, Financial Status, Password Choices, etc.) helps bad actors tailor their cyber attacks against the victims more efficiently.

Snippet from Business Insider Report
Snippet from TheHinduBusinessLine

Such leaks are the anchor points for cyber criminals to kick-start their next Hack Series against the same victims and newer ones.

A few reasons behind such leaks are:-

1. Careless Data Sharing on Social Media Platforms
2. Data Breaches from various Hacks
3. 3rd Party Leaks
4. Data Trading on Dark Web Marketplaces
5. Deep/Dark Web Crawling

In this article, I will showcase a case study about “How can Data be collected effortlessly?”

NOTE: This article focuses on INDIA

Most leaks target a specific country. To make use of a data breach, one needs to understand how things function in that targeted country.

Here are some of the sensitive data items that should be kept private in INDIA:-

Aadhaar
PAN Card
Driving License
Passport
Bank Card
Voters ID

Mobile Number
Email Address
DOB
Home Address
Vehicle Number
CVV Numbers

But for everyday needs like registering for a service, one has to submit one or more of the above-mentioned documents on various occasions in life.

Let’s dive into 5 major Internet Identities which are easy targets for anyone to tail:-

TARGET — 1: AADHAAR

Aadhaar is a 12-digit number assigned to the citizens of India. This is similar to SSN in the US. Aadhaar also encompasses biometric data such as Iris Scan and Thumb Impression. Random Aadhaar Cards are being uploaded to various image-sharing sites.

One can collect such data effortlessly; it is just a click away!

Individual’s Aadhaar Card
Aadhaar Data is freely available

Minute details such as Ward Number, District, and Sub-district, which are not visible on the card at first glance, can also be extracted by scanning the QR Code printed on the AADHAAR card.

Anyone can even use your AADHAAR data to register for services (which you may never have heard of), committing financial/identity fraud. Apart from this, the collected data can be mapped to other connected services to obtain their statuses.

Anyone can figure out whether their AADHAAR is linked to their PAN

NOTE: In this case, anyone who holds AADHAAR info could map it to a PAN Number by submitting the holder’s data online, as no direct inquiry is involved in this process.

Access to this Personal Information (which includes Physical Location) is highly dangerous. The same information could be used for various other nefarious activities including SIM Registration (in the same name, to receive OTPs), Applying for Loans, and much more. This is a clear case of Identity Fraud.

NOTE: In the worst-case scenario, this could even cause Physical Harm to the target.

As AADHAAR is linked to every service (except Voter’s ID), a person who holds the necessary data has a clear blueprint of your digital life.

NOTE: Wikileaks uncovered a CIA Project titled “ExpressLane” in 2017 that was intended to collect biometric information of global citizens. “Crossmatch” is said to be the official partner that supplies Biometric Recording Hardware devices to their clients (including Government and private organizations).

TARGET — 2: PAN

PAN stands for Permanent Account Number, a unique 10-character Alphanumeric identifier used to identify Tax Payers in India. Hence, consider it a financial tracker for a person.

Genuine PAN obtained from Internet Search

From the PAN leak obtained above, anyone can use the holder’s personal information, including the digital signature, for malicious purposes.

This case is no different from the AADHAAR data mentioned above, as numerous services can be registered with this ID card as well.

Various PAN Cards are available for free

TARGET — 3: BANK STATEMENTS

Exposure of an individual’s bank statements is a treasure trove for cyber criminals to plan a detailed targeted attack against the victim.

Unprotected Bank Statement found via Search

Any sensitive information can be obtained by criminals using various techniques like Social Engineering, Dumpster Diving, Phishing, Vishing, etc.

NOTE: Some people genuinely use image-sharing sites to save their sensitive documents in case of physical loss. But this is harmful and can have catastrophic effects if exploited. One of the popular platforms is Pinterest, where a bunch of AADHAAR/PAN/Driving Licences are available for free.

TARGET — 4: VEHICLE NUMBER PLATES

Vehicle Number Plates cannot be masked while you are driving, but the chances of your vehicle’s number getting out (on Social Media) can be minimized, as anyone can look up your information with a single click. This would reveal a large amount of information including:-

Registration Details
Tax Info
Fitness insurance
NOC
History
Lease
Permanent and Current address of the Owner

Next time, when you post your fancy car on Social Media; don’t forget to blur your number plates (if visible) ;-)

TARGET — 5: FLIGHT BOARDING PASS

Most netizens directly post their Flight Boarding Pass on Social Media or on Blogs either to boast about their Travel Destination or to register complaints directly via Twitter for quicker response.

Unconsciously, they are becoming Internet Prey by publicizing their data.

A Passenger showing her Boarding Pass on a Blog

From the above-uploaded image, the following information can be extracted:-

Using apps like “Read my Boarding Pass”, anyone could extract more information for better reconnaissance of their targets.

NOTE: Here, I haven't mentioned Social Media OSINT as that is a common method to map a profile.

NOTE: As the OTP is the most challenging hurdle for attackers to gain control, methods such as SIM Cloning, SMS Redirect Services, SS7 Signalling Flaws, etc. would help hackers gain access to the victim’s phone.

— — — — — — — — — — I SEEK WHAT YOU LEAK!!! — — — — — — — — —

DARK/DEEP WEB DATA EXPOSURES

Now, let’s peek into the offensive Deep Web, where cyber criminals express their data hunger and get their interests fulfilled over Dark/Deep Web forums and marketplaces.

INCIDENT — 1: Dark Web Forums

Indian ID Data found on Dark Web Forum

This is a Data leak that appeared on a Dark Web forum where people trade their leaks in return for Karma Points to gain popularity in the Hacking Community.

INCIDENT — 2: Private Data Repository

Indian Military Database Breach

This is another leak found on a file-sharing site. The dump consists of 100+ GB of Indian Data.

INCIDENT — 3: Pasties

Data scraped from various sources is posted anonymously on various paste sites, where anyone can view it and collect it for future crime cycles.

INCIDENT — 4: Ransomware Data Breach

Data listed on the offered package

This is a Data Breach of an Indian Payment System. From this, it can be assumed that most of the sensitive information (Passwords, Users, BitLocker Keys, etc.) is stored in Excel sheets. Anyone with this information could infiltrate the corporate network and stealthily conduct financial/identity fraud, leading to crimes such as Ransomware Deployment, Data Breach, Backdoor Implants, Hidden Shell Access, Data Crawling, Initial Access Brokering, Selling data on the Dark Web, etc.

Corporate Information could be leaked by Ransomware Operators on their Leak Site after the attack (if the victims deny ransom payments).

INCIDENT — 5: Dark Web Leak Market

Data Leak Offering from Dark Web Market

Indiabulls, a popular Financial Service, was hit by Clop Ransomware in June 2020, and its financial files were leaked online to the public. All those leaks have now been collected by Cyber Criminals and put up for sale on the Dark Web (which is only accessible via TOR).

There are dedicated marketplaces on Dark Web where anyone can offer their breached data and get paid in cryptocurrencies such as Bitcoin, Ether, or Monero.

INCIDENT — 6: Telegram Shops

Data Trading via Telegram

Recently, cyber criminals have begun offering their services (like Leaks, Exploits, and Ransomware) via Telegram Channels instead of setting up a brand-new website, which would require an extra layer of protection to obscure the Registrant’s name and conceal their real identity.

Telegram also allows criminals to provide their service directly to their followers rather than selling their products on a Marketplace, which takes a cut as per the general marketplace rule of thumb.

INCIDENT — 7: Cyber Attack Campaigns

Many Cyber Attack Campaigns take place due to political disagreements between countries. As an outcome, Cyber Attacks such as “#OpIsrael” happen, where many Israeli websites get hacked and the data gets dumped via Twitter or other Social Media Platforms.

Following is the result of an operation carried out by a Hack Group, targeting India:-

Indian Female Data dumped by Hackers

CONCLUSION

As more and more new services mushroom each day, the personal information demanded at sign-up has been minimized to speed up the prolonged traditional approaches. This is the loophole used by attackers/scammers to defraud ordinary people.

The more data is fed into the Internet, the easier it becomes to discover similar data, as most of it is algorithm-driven.

NOTE: Although this article focused purely on India, the same methodology can be adopted by anyone to target any country’s sensitive documents to defraud innocents, because INFORMATION LEAK poses a serious digital danger! Notified CERT-IN, awaiting response.

KEY-TAKEAWAYS

Never upload your sensitive documents to any online file/image sharing sites. If you must, check whether they are in protected/private mode.

Never upload your digital signatures on any platform.

Always use the masked version of AADHAAR in order to conceal your AADHAAR number.

Never showcase your Flight Boarding Pass or Vehicle Number (in the case of Social Media Posts).

If your private information is exposed in a Google Search (or any other Search Engine Result), you can remove the information by submitting your details to the hosting party.

Do not use the same password on different platforms, in case of accidental Email Compromise.

Never reveal your AADHAAR Number or any other sensitive details on any public complaint forum, where anyone can use the same to tail you.

You may never know whether your data got breached at some point. But you can check by visiting HaveIBeenPwned (for email addresses and Phone Numbers).

It’s not always your fault to get your sensitive data leaked, as there are chances of 3rd party leaks where the company accidentally leaks it due to bad security practices. Hence, the blame is not always on you, but you can minimize the risk.

Always Remember: An Easy Digital Life comes with a Huge Hidden Price!

Next time, stay away from the well-crafted Emails/Requests/Phone Calls cast by criminals to deceive you!!!

Follow me on Twitter for interesting DarkWeb/InfoSec Short findings! ;-)

NOTE:- The article is purely an Individual Research and is not subjected to be used/published anywhere without the Author’s consent.


Independent Security Researcher and Threat Analyst. Often sheds light on Dark Web. Regular contributor to Infosec Community.