Investigators: Cory Kujawski, Vikas Parthasarathy, Dina Haines, Rosemary Cipriano
When was the last time you updated your WiFi router? You know the one. Hiding in plain sight somewhere in your home, collecting dust from the moment it was installed. Let’s back up: did you know that you needed to update your router? It’s ok, most people don’t.
The White Ops Threat Intelligence team received a tip, via the honeypot system of Twitter user @Bad_Packet, about mass scanning for vulnerability CVE-2018-18287. Following that tip, we found evidence of at least 50K, and possibly as many as 120K, hacked routers worldwide. To add insult to injury, we found a MySQL database filled with the personally identifiable information (PII) of more than 500K US victims. Our team proactively monitors for router exploitation and frequently shares those results with law enforcement.
This vulnerability affects an Asus router model typically used in home networks and allows an unauthenticated attacker to discover hostnames and IP addresses by reading data embedded in the HTML source of the router's login page. The mitigation is to make sure affected Asus routers are running the latest firmware, available here.
Our research tells us the operation began around August 2019 and is still ramping up. Residential IP addresses combined with PII make for the perfect crime: anyone holding both can convincingly impersonate someone else on the internet. And if the wrong person gets hold of credit card or bank information, credit card fraud is just the beginning.
The Technical Details
The crux of this operation rests on an old and long-patched Asus router vulnerability. The fraudster scanned the internet for vulnerable RT-AC58U routers running firmware version 3.0.0.4.380_6516. The vulnerability was disclosed online on October 14, 2018 (yup, 2018), complete with an exploit script and step-by-step directions on how to use it. It allows an unauthenticated attacker to discover hostnames and IP addresses by reading the dhcpLeaseInfo data (the router's DHCP lease table, i.e. the names and LAN addresses of the devices on the home network) embedded in the HTML source of the Main_Login.asp page.
Once the fraudster finds a vulnerable router, they attack the device and configure it for their malicious intent. By using Dynamic DNS (aka DDNS), the fraudster doesn't even have to worry about the residential IP address changing without notice. DDNS maps a hostname of the fraudster's choosing to the router's current public IP address and updates that record whenever the ISP assigns a new one, so the hostname keeps resolving to the same home connection.
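As an added example (not the exploit script the post refers to, and not White Ops code), here is the check a router owner can run to see whether a login page hands out the lease table to an anonymous client. The page fragments are constructed, and the exact markup is an assumption: a JavaScript array of [ip, hostname] pairs assigned to dhcpLeaseInfo, ended by an empty entry.

```python
"""Self-check for the CVE-2018-18287 lease leak on a router's login page.

Added example, not the exploit script the post refers to. The page
fragments are constructed, and the markup is an assumption: a JavaScript
array of [ip, hostname] pairs assigned to dhcpLeaseInfo and ended by an
empty ["", ""] entry.
"""
import json
import re
import sys
from urllib.request import urlopen

# The leaked table sits in a script block; capture everything between the
# opening bracket and the ';' that ends the assignment (lease rows never
# contain a ';').
LEAK_PATTERN = re.compile(r"dhcpLeaseInfo\s*=\s*(\[[^;]*\])\s*;")

# Constructed: what an unauthenticated GET of Main_Login.asp is assumed to
# return on vulnerable firmware (LAN-side hostnames and addresses).
VULNERABLE_PAGE = """<html><head><title>ASUS Login</title>
<script>
var dhcpLeaseInfo = [["192.168.1.10", "Dads-iPhone"],
["192.168.1.23", "SmartTV"],
["192.168.1.42", "work-laptop"],
["", ""]];
</script></head><body>...</body></html>
"""

# Constructed: the same page once the lease table is no longer embedded.
PATCHED_PAGE = """<html><head><title>ASUS Login</title>
<script>var dhcpLeaseInfo = [];</script></head><body>...</body></html>
"""


def extract_leases(html):
    """Return the (ip, hostname) pairs a page leaks; [] when it leaks nothing."""
    match = LEAK_PATTERN.search(html)
    if not match:
        return []
    try:
        rows = json.loads(match.group(1))   # the JS literal is valid JSON
    except ValueError:
        return []
    return [(row[0], row[1]) for row in rows
            if isinstance(row, list) and len(row) == 2 and row[0]]


def is_vulnerable(html):
    """A login page that hands lease data to an anonymous client is the bug."""
    return bool(extract_leases(html))


def check_router(base_url, timeout=5):
    """Fetch Main_Login.asp from base_url (e.g. http://192.168.1.1) and test it."""
    with urlopen(base_url.rstrip("/") + "/Main_Login.asp", timeout=timeout) as resp:
        return extract_leases(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        leaked = check_router(sys.argv[1])        # live check against your own router
    else:
        leaked = extract_leases(VULNERABLE_PAGE)  # offline demo on the constructed page
    print("VULNERABLE" if leaked else "no lease data exposed")
    for ip, name in leaked:
        print(f"  {ip:<16} {name}")
```

Run it against the router's WAN address from outside the home network: the mass scanning described above only reaches units whose login page is exposed to the internet, so that is the side on which the leak matters.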
Knowing this, let’s take a step back. There are some important characteristics of an IP address that make it a lucrative piece of information for fraudsters:
- The IP address should be in the residential IP space. Most anti-fraud systems, including those of banks and credit card companies, automatically block or flag transactions originating from data center IP space. Humans are typically seen online from a residential location, with an IP address assigned by their Internet Service Provider (ISP), not from a known data center.
- The IP address needs to be clean. If the residential IP address has previously been involved in fraudulent transactions, it may be flagged or blacklisted by credit card issuers, banks or large e-commerce sites. Fraudsters do not want to spend time and money identifying and selling an IP address that doesn't work; it is "bad" for your fraud business "reputation."
- Geolocation can make or break an operation. If the victim lives in the NYC area but a lot of charges come from California, that is a signal of malicious activity to a bank or merchant.
The Cherry On Top: Data Enrichment
In this case, the fraudster enriched the IP address data to make it even more lucrative. This is the cherry on top of the cybercrime ice cream sundae. They ran each newly identified IP address through numerous third-party "quality" checks and generated their own risk and fraud score: in this case, an estimate of how likely fraudulent activity from that IP address is to succeed.
Figure 1 - Screenshot of IP Risk and Fraud Scores
Source: White Ops Threat Intelligence
This quality checking process is similar to what e-commerce shops do as quality control to prevent bots and fraudsters from transacting business with them. The same tools were simply repurposed for deception.
Some of the quality checks were:
- Risk Score: when given an IP address, the system will return a probabilistic value of how likely the IP address is a “bad” IP address.
- Fraud Score: this is the overall fraud score of the user based on the IP address, user agent, language, and any other optionally passed variables.
- Blacklists: whether the IP address has appeared on any known blacklist before.
- Geolocation: where is this IP address located?
White Ops Threat Intelligence discovered a database with more than 500K U.S. victims' PII including name, full address, social security number, and date of birth. The fraudster likely obtained this either by stealing it directly or by acquiring it from a previous data breach.
Figure 2 - Screenshot of Victim Data (redacted pending investigative actions)
Source: White Ops Threat Intelligence
By enriching the stolen PII with geolocated, quality-checked IP data, the fraudster maximizes their return on investment. Financial institutions run fraud monitoring for their account holders: if they notice many transactions from an unfamiliar or non-local IP address, the account is flagged for potential fraudulent activity. But if the PII is paired with IP addresses that are located near the victim, do not appear on known blacklists, sit in residential IP space, and score low for risk and fraud, the data suddenly becomes much more valuable to fraudsters.
A Packaged Deal
White Ops Threat Intelligence believes the fraudster packages a vetted IP address with a victim's PII (from the same geographical region) and sells the two as a bundle. The buyer can then attempt to deceive financial entities by not only knowing the victim's personal data but also appearing to connect from an IP address in the same general location as the victim.
The team also discovered three separate databases containing credit card numbers and bank identification numbers (BINs). A BIN is the leading digits of a card number and identifies the financial institution that issued the card.
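The three IP characteristics listed earlier (residential space, clean history, geolocation), the quality checks in the enrichment step, and the bundling described here all reduce to one scoring routine, whether a bank runs it to reject a transaction or a seller runs it to vet an IP before pairing it with a victim. The following is an added example written for this page, not White Ops code and not the fraudster's scoring system. Every piece of reference data in it is constructed: the networks are RFC 5737 documentation ranges, and the data-center list, blacklist, state labels and coordinates are stand-ins for the real feeds such a system would query. It goes slightly beyond the post in one respect: it resolves overlapping geolocation prefixes by longest match, the way real feeds are keyed, so a same-state but far-away address is still caught.

```python
"""Vetting an IP address against a victim record.

Added example, not White Ops code or the fraudster's scoring system. The
reference data is constructed: the networks are RFC 5737 documentation
ranges and the coordinates and state labels are illustrative stand-ins for
a real geolocation feed, a data-center range list and a blacklist.
"""
import ipaddress
import math
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed: ranges an anti-fraud system treats as data-center space.
DATACENTER_RANGES = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed: an address previously tied to fraud.
BLACKLISTED_IPS = {ipaddress.ip_address("192.0.2.33")}

# Constructed geolocation table, sorted so that overlapping prefixes are
# resolved by longest match, the way a real feed is keyed.
GEO_TABLE = sorted([
    (ipaddress.ip_network("192.0.2.0/25"),   "NY", 40.71, -74.01),   # New York City
    (ipaddress.ip_network("192.0.2.64/26"),  "NY", 42.89, -78.88),   # Buffalo: same state, about 470 km away
    (ipaddress.ip_network("192.0.2.128/25"), "CA", 34.05, -118.24),  # Los Angeles
], key=lambda row: row[0].prefixlen, reverse=True)


@dataclass(frozen=True)
class Victim:
    """The PII half of the bundle, reduced to what the geo check needs."""
    state: str
    lat: float
    lon: float


@dataclass
class Assessment:
    ip: str
    residential: bool = True
    blacklisted: bool = False
    state: Optional[str] = None
    distance_km: Optional[float] = None
    risk: int = 0                    # 0 = passes every check, 100 = certain to be flagged
    reasons: List[str] = field(default_factory=list)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(math.radians(lat1)) * math.cos(math.radians(lat2)) * math.sin(dlam / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def lookup_geo(ip):
    """Longest-prefix match into GEO_TABLE; None for an address the feed lacks."""
    for net, state, lat, lon in GEO_TABLE:
        if ip in net:
            return state, lat, lon
    return None


def assess_ip(ip_str, victim, max_km=150.0):
    """Run the post's checks on one IP relative to one victim and add up the risk."""
    ip = ipaddress.ip_address(ip_str)
    a = Assessment(ip=ip_str)

    if any(ip in net for net in DATACENTER_RANGES):        # residential space?
        a.residential = False
        a.risk += 60
        a.reasons.append("data-center IP space")

    if ip in BLACKLISTED_IPS:                                # clean?
        a.blacklisted = True
        a.risk += 30
        a.reasons.append("previously blacklisted")

    geo = lookup_geo(ip)                                     # geolocation
    if geo is None:
        a.risk += 25
        a.reasons.append("geolocation unknown")
    else:
        a.state, lat, lon = geo
        a.distance_km = haversine_km(lat, lon, victim.lat, victim.lon)
        if a.state != victim.state:
            a.risk += 25
            a.reasons.append(f"IP in {a.state}, victim in {victim.state}")
        if a.distance_km > max_km:
            a.risk += 20
            a.reasons.append(f"{a.distance_km:.0f} km from victim (limit {max_km:.0f})")

    a.risk = min(a.risk, 100)
    return a


def bundle_matches(ip_str, victim, max_km=150.0):
    """True only when the IP clears every check, i.e. what the seller wants to ship."""
    return assess_ip(ip_str, victim, max_km).risk == 0


if __name__ == "__main__":
    nyc_victim = Victim(state="NY", lat=40.71, lon=-74.01)
    for ip in ("192.0.2.10", "192.0.2.33", "192.0.2.70", "192.0.2.200", "203.0.113.5"):
        a = assess_ip(ip, nyc_victim)
        print(f"{ip:<14} risk={a.risk:3d} bundle={bundle_matches(ip, nyc_victim)!s:<5} "
              + ("; ".join(a.reasons) or "clean"))
```

The weights are illustrative; the point is which signals are combined. Note that a state match alone is not enough: the Buffalo address shares the victim's state but fails the distance limit, which is why a seller who only matches on state would still ship bundles that trip a bank's monitor.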
Figure 3 - Screenshot of BIN Codes
Source: White Ops Threat Intelligence
Given this evidence, we believe this fraudster is a middleman, selling the bundle for others to perform the fraud. The fraudster's customers likely use the bundle to open credit card accounts, establish bank accounts, or apply for loans in the victim's name. With this information, they can even transfer money. The possibilities are endless when you have this level of detail on a person's life.
Figure 4 - Screenshot of Fraudster’s Customer Table (redacted pending investigative actions)
Source: White Ops Threat Intelligence
This operation is a clear example of how fraudsters are upping their game. Account takeover is, and always has been, a widespread problem across the internet and across industries. It can happen on banking sites, ticketing sites, social media, and the list goes on. Packaging and enriching the data in this way lowers the barrier to entry. As account takeovers, credential stuffing, and credential cracking become increasingly sophisticated and more fraudsters get into the game, enterprises need to have measures in place to find and stop even the most elusive of cybercriminals. White Ops Application Integrity helps protect against account takeover attacks such as these. But, until there's more robust security across the entire internet, now may be a good time to change your passwords and update your router.
White Ops has been monitoring this threat actor throughout this investigation and will continue to do so. We have notified the FBI and shared this data specifically with them. Finally, we will be sharing it with the U.S. Department of Homeland Security (DHS) once the dataset has been updated, so they can work with additional corporate partners on further dismantlement actions.