Most people who have frozen their credit files with Equifax have been issued a numeric Personal Identification Number (PIN) which is supposed to be required before a freeze can be lifted or thawed. Unfortunately, if you don’t already have an account at the credit bureau’s new myEquifax portal, it may be simple for identity thieves to lift an existing credit freeze at Equifax and bypass the PIN armed with little more than your, name, Social Security number and birthday.

Consumers in every U.S. state can now freeze their credit files for free with Equifax and two other major bureaus (Trans Union and Experian). A freeze makes it much harder for identity thieves to open new lines of credit in your name.

In the wake of Equifax’s epic 2017 data breach impacting some 148 million Americans, many people did freeze their credit files at the big three in response. But Equifax has changed a few things since then.

Seeking to manage my own credit freeze at equifax.com as I’d done in years past, I was steered toward creating an account at myequifax.com, which I was shocked to find I did previously possess.

Getting an account at myequifax.com was easy. In fact, it was too easy. The portal asked me for an email address and suggested a longish, randomized password, which I accepted. I chose an old email address that I knew wasn’t directly tied to my real-life identity.

The next page asked me enter my SSN and date of birth, and to share a phone number (sharing was optional, so I didn’t). SSN and DOB data is widely available for sale in the cybercrime underground on almost all U.S. citizens. This has been the reality for years, and was so well before Equifax announced its big 2017 breach.

myEquifax said it couldn’t verify that my email address belonged to the Brian Krebs at that SSN and DOB. It then asked a series of four security questions — so-called “knowledge-based authentication” or KBA questions designed to see if I can about my recent financial history.

In general, the data being asked about in these KBA quizzes is culled from public records, meaning that this information likely is publicly available in some form — either digitally or in-person. Indeed, I have long assailed the KBA industry as creating a false sense of security that is easily bypassed by fraudsters.

One potential problem with relying on KBA questions to authenticate consumers online is that so much of the information needed to successfully guess the answers to those multiple-choice questions is now indexed or exposed by search engines, social networks and third-party services online — both criminal and commercial.

The first three multiple-guess questions myEquifax asked were about loans or debts that I have never owed. Thus, the answer to the first three KBA questions asked was, “none of the above.” The final question asked for the name of our last mortgage company. Again, information that is not hard to find.

Satisfied with my answers, Equifax informed me that yes indeed I was Brian Krebs and that I could now manage my existing freeze with the company. After requesting a thaw, I was brought to a vintage Equifax page that looked nothing like myEquifax’s sunnier new online plumage.

This page informed me that if I previously secured a freeze of my credit file with Equifax and been given a PIN needed to undo that status in any way, that I should be ready to provide said information if I was requesting changes via phone or email. 

In other words, credit freezes and thaws requested via myExquifax don’t require users to supply any pre-existing PIN.

Fine, I said. Let’s do this.

myEquifax then asked for the date range requested to thaw my credit freeze. Submit.

“We’ve successfully processed your security freeze request!,” the site declared.

This also was exclaimed in an email to the random old address I’d used at myEquifax, although the site never once made any attempt to validate that I had access to this inbox, something that could be done by simply sending a confirmation link that needs to be clicked to activate the account.

In addition, I noticed Equifax added my old mobile number to my account, even though I never supplied this information and was not using this phone when I created the myEquifax account.

myEquifax.com does not currently seek to verify the account by requesting confirmation via a phone call or text to the phone number associated with the account (also, recall that even providing a phone number was optional).

Happily, I did discover then when I used a different computer and Internet address to try to open up another account under my name, date of birth and SSN, it informed me that a profile already existed for this information. This suggests that signing up at myEquifax is probably a good idea, given that the alternative is more risky.

It was way too easy to create my account, but I’m not saying everyone will be able to create one online. In testing with several readers over the past 24 hours, myEquifax seems to be returning a lot more error pages at the KBA stage of the process now, prompting people to try again later or make a request via email or phone.

Equifax spokesperson Nancy Bistritz-Balkan said not requiring a PIN for people with existing freezes was by design.

“With myEquifax, we created an online experience that enables consumers to securely and conveniently manage security freezes and fraud alerts,” Bistritz-Balkan said..

“We deployed an experience that embraces both security standards (using a multi-factor and layered approach to verify the consumer’s identity) and reflects specific consumer feedback on managing security freezes and fraud alerts online without the use of a PIN,” she continued. “The account set-up process, which involves the creation of a username and password, relies on both user inputs and other factors to securely establish, verify, and authenticate that the consumer’s identity is connected to the consumer every time.”

I asked Bistritz-Balkan what else besides a username and a password the company may have meant by “multi-factor;” I’m still waiting for clarification. But I did not experience anything like multi-factor in setting up or logging into my myEquifax account.

This may by closer to Equifax’s idea of multi-factor: The company told me that if I still really wanted to use my freeze PIN, I could always call their 800 number (800-349-9960) or make the request via mail. Nevermind that if I’m a bad guy looking to hack others, I’m definitely going to be using the myEquifax Web site — not the options that make me have to supply a PIN.

Virtually the entire United States population in 2017 became eligible for free credit monitoring from Equifax following its 2017 breach. Credit monitoring can be useful for recovering from identity theft, but consumers should not expect these services to block new account fraud; the most they will likely do in this case is alert you after ID thieves have already opened new accounts in your name.

A credit freeze does not impact your ability to use any existing financial accounts you may have, including bank and credit/debit accounts. Nor will it protect you from fraud on those existing accounts. It is mainly a way to minimize the risk that someone may be able to create new accounts in your name.

If you haven’t done so lately, it might a good time to order a free copy of your credit report from annualcreditreport.com. This service entitles each consumer one free copy of their credit report annual from each of the three credit bureaus — either all at once or spread out over the year.

Additional reading:

Credit Freezes are Free: Let the Ice Age Begin

Plant Your Flag, Mark Your Territory

Experian Site Can Give Anyone Your Freeze PIN

Survey: Americans Spent $1.4B on Credit Freeze Fees in Wake of Equifax Breach

Equifax Breach Fallout: Your Salary History

Data Broker Giants Hacked by ID Theft Service

Experian Sold Access to ID Theft Service

Cybercriminals are auctioning off access to customer information stolen from an online data broker behind a dizzying array of bait-and-switch Web sites that sell access to a vast range of data on U.S. consumers, including DMV and arrest records, genealogy reports, phone number lookups and people searches. In an ironic twist, the marketing empire that owns the hacked online properties appears to be run by a Canadian man who’s been sued for fraud by the U.S. Federal Trade Commission, Microsoft and Oprah Winfrey, to name a few.

Earlier this week, a cybercriminal on a Dark Web forum posted an auction notice for access to a Web-based administrative panel for an unidentified “US Search center” that he claimed holds some four million customer records, including names, email addresses, passwords and phone numbers. The starting bid price for that auction was $800.

Several screen shots shared by the seller suggested the customers in question had all purchased subscriptions to a variety of sites that aggregate and sell public records, such as dmv.us.org, carhistory.us.org, police.us.org, and criminalrecords.us.org.

A few hours of online sleuthing showed that these sites and dozens of others with similar names all at one time shared several toll-free phone numbers for customer support. The results returned by searching on those numbers suggests a singular reason this network of data-search Web sites changed their support numbers so frequently: They quickly became associated with online reports of fraud by angry customers.

That’s because countless people who were enticed to pay for reports generated by these services later complained that although the sites advertised access for just $1, they were soon hit with a series of much larger charges on their credit cards.

Using historic Web site registration records obtained from Domaintools.com (a former advertiser on this site), KrebsOnSecurity discovered that all of the sites linked back to two related companies — Las Vegas, Nev.-based Penguin Marketing, and Terra Marketing Group out of Alberta, Canada.

Both of these entities are owned by Jesse Willms, a man The Atlantic magazine described in an unflattering January 2014 profile as “The Dark Lord of the Internet” [not to be confused with The Dark Overlord].

The Atlantic pointed to a sprawling lawsuit filed by the Federal Trade Commission, which alleged that between 2007 and 2011, Willms defrauded consumers of some $467 million by enticing them to sign up for “risk free” product trials and then billing their cards recurring fees for a litany of automatically enrolled services they hadn’t noticed in the fine print.

“In just a few months, Willms’ companies could charge a consumer hundreds of dollars like this, and making the flurry of debits stop was such a convoluted process for those ensnared by one of his schemes that some customers just canceled their credit cards and opened new ones,” wrote The Atlantic’s Taylor Clark.

Willms’ various previous ventures reportedly extended far beyond selling access to public records. In fact, it’s likely everyone reading this story has at one time encountered an ad for one of his dodgy, bait-and-switch business schemes, The Atlantic noted:

“If you’ve used the Internet at all in the past six years, your cursor has probably lingered over ads for Willms’s Web sites more times than you’d suspect. His pitches generally fit in nicely with what have become the classics of the dubious-ad genre: tropes like photos of comely newscasters alongside fake headlines such as “Shocking Diet Secrets Exposed!”; too-good-to-be-true stories of a “local mom” who “earns $629/day working from home”; clusters of text links for miracle teeth whiteners and “loopholes” entitling you to government grants; and most notorious of all, eye-grabbing animations of disappearing “belly fat” coupled with a tagline promising the same results if you follow “1 weird old trick.” (A clue: the “trick” involves typing in 16 digits and an expiration date.)”

In a separate lawsuit, Microsoft accused Willms’ businesses of trafficking in massive quantities of counterfeit copies of its software. Oprah Winfrey also sued a Willms-affiliated site (oprahsdietscecrets.com) for linking her to products and services she claimed she had never endorsed.

KrebsOnSecurity reached out to multiple customers whose name, email address and cleartext passwords were exposed in the screenshot shared by the Dark Web auctioneer who apparently hacked Willms’ Web sites. All three of those who responded shared roughly the same experience: They said they’d ordered reports for specific criminal background checks from the sites on the promise of a $1 risk-free fee, never found what they were looking for, and were subsequently hit by the same merchant for credit card charges ranging from $20 to $38.

I also pinged several customer support email addresses tied to the data-broker Web sites that were hacked. I received a response from a “Mike Stef,” who described himself as a Web developer for Terra Marketing Group.

Stef said the screenshots appeared to be legitimate, and that the company would investigate the matter and alert affected customers if warranted. Stef told me he doubts the company has four million customers, and that the true number was probably closer to a half million. He also insisted that the panel in question did not have access to customer credit card data.

Nevertheless, it appears from the evidence above that Willms and several others who were named in the FTC’s 2012 stipulated final judgment (PDF) are still up to their old tricks. The FTC has not yet responded to requests for comment. Nor has Mr. Willms.

I can’t help express feeling a certain amount of schadenfreude (schadenfraud?) at the victim in this hacking case. But that amusement is tempered by the reality that the hundreds of thousands or possibly millions of people who got suckered into paying money to this company are quite likely to find themselves on the receiving end of additional phishing and fraud attacks (particularly credential stuffing) as a result of their data being auctioned off to the highest bidder.

Terra Marketing Group’s Web developer Mike Stef responded to my inquiries from an email address at the domain “tmgbox.com.” That message was instrumental in identifying the connection to Willms and Terra Marketing/Penguin. In the interests of better informing people who might wish to become future customers of this group, I am publishing the list of the domains associated with tmgbox.com and its parent entities. This list may be updated periodically as new information surfaces.

In case it is useful for others, KrebsOnSecurity is also publishing the results of several reverse WHOIS lookups for historic domains tied to email addresses of several people Mike Stef described as “senior customer support managers” of Terra Marketing, as these also include some interesting and related (albeit mostly dead) domains.

Reverse WHOIS on Peter Graver and Jesse Willms (rickholl2k9@gmail.com)

Reverse WHOIS on mike@tmgbox.com

Reverse WHOIS on Jason Oster (joster2008@gmail.com)

Public records search domains associated with Terra Marketing Group and Penguin Marketing:

memberreportaccess.com
publicrecords.us.org
dmvrecords.co
dmv.us.org
courtrecords.us.org
myfeeplan.com
police.us.org
warrantcheck.com
myinfobill.com
propertysearch.us.org
homevalue.us.org
carinfo2.com
backgroundchecks.us.org
arrestrecords.us.org
propertyrecord.com
criminalrecords.us.org
jailinmates.us.org
vehiclereportusa.com
dmvinfocheck.com
carrecordusa.com
carhistoryindex.com
autohistorychecks.com
mugshots.us.org
trafficticket.us.org
prison.us.org
reversephonelookup.us.org
deathrecords.us.org
deathrecord.com
deathcertificates.us.org
census.us.org
phonelookup.us.org
vehiclehistoryreports.us.org
vinsearchusa.org

KrebsOnSecurity would like to thank cybersecurity firm Intel471 for their assistance in researching this post.

A 20-year-old Illinois man has pleaded guilty to running multiple DDoS-for-hire services that launched millions of attacks over several years. The plea deal comes almost exactly five years after KrebsOnSecurity interviewed both the admitted felon and his father and urged the latter to take a more active interest in his son’s online activities.

Sergiy P. Usatyuk of Orland Park, Ill. pleaded guilty this week to one count of conspiracy to cause damage to Internet-connected computers and for his role in owning, administering and supporting illegal “booter” or “stresser” services designed to knock Web sites offline, including exostress[.]in, quezstresser[.]com, betabooter[.]com, databooter[.]com, instabooter[.]com, polystress[.]com and zstress[.]net.

A U.S. Justice Department press release on the guilty plea says Usatyuk — operating under the hacker aliases “Andrew Quez” and “Brian Martinez” — admitted developing, controlling and operating the aforementioned booter services from around August 2015 through November 2017. But Usatyuk’s involvement in the DDoS-for-hire space very much predates that period.

In February 2014, KrebsOnSecurity reached out to Usatyuk’s father Peter Usatyuk, an assistant professor at the University of Illinois at Chicago. I did so because a brief amount of sleuthing on Hackforums[.]net revealed that his then 15-year-old son Sergiy — who at the time went by the nicknames “Rasbora” and “Mr. Booter Master”  — was heavily involved in helping to launch crippling DDoS attacks.

I phoned Usatyuk the elder because Sergiy’s alter egos had been posting evidence on Hackforums and elsewhere that he’d just hit KrebsOnSecurity.com with a 200 Gbps DDoS attack, which was then considered a fairly impressive DDoS assault.

“I am writing you after our phone conversation just to confirm that you may call evening time/weekend to talk to my son Sergio regarding to your reasons,” Peter Usatyuk wrote in an email to this author on Feb. 13, 2014. “I also have [a] major concern what my 15 yo son [is] doing. If you think that is any kind of illegal work, please, let me know.”

That 2014 story declined to quote Rasbora by name because he was a minor, but his father seemed alarmed enough about my inquiry that he insisted his son speak with me about the matter.

Here’s what I wrote about Sergiy at the time:

Rasbora’s most recent project just happens to be gathering, maintaining huge “top quality” lists of servers that can be used to launch amplification attacks online. Despite his insistence that he’s never launched DDoS attacks, Rasbora did eventually allow that someone reading his posts on Hackforums might conclude that he was actively involved in DDoS attacks for hire.

“I don’t see what a wall of text can really tell you about what someone does in real life though,” said Rasbora, whose real-life identity is being withheld because he’s a minor. This reply came in response to my reading him several posts that he’d made on Hackforums not 24 hours earlier that strongly suggested he was still in the business of knocking Web sites offline: In a Feb. 12 post on a thread called “Hiring a hit on a Web site” that Rasbora has since deleted, he tells a fellow Hackforums user, “If all else fails and you just want it offline, PM me.”

Rasbora has tried to clean up some of his more self-incriminating posts on Hackforums, but he remains defiantly steadfast in his claim that he doesn’t DDoS people. Who knows, maybe his dad will ground him and take away his Internet privileges.

I’m guessing young Sergiy never had his Internet privileges revoked, nor did he heed advice to use his skills for less destructive activities. His dad hung up on me when I called Wednesday evening requesting comment.

Court documents (PDF) related to his case indicate Sergiy Usatyuk and an unnamed co-conspirator earned nearly $550,000 launching some 3.8 million attacks through their various DDoS-for-hire services. The government says he ran the booter services through a Delaware corporation called “OkServers LLC,” which routinely ignored abuse complaints and as such effectively operated as a “bulletproof” hosting company — despite Sergiy’s claims to the contrary.

Here’s Sergiy’s response to multiple abuse complaints about OKServers filed in the summer of 2018 by Troy Mursch, chief research officer at Bad Packets LLC.

Sergiy’s guilty plea comes amid a major crackdown by the FBI and the Justice Department on booter services and their operators. In December 2018, the DOJ brought charges against three men as part of an unprecedented, international takedown targeting 15 different booter sites.

According to the government, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, seizure of computers or other electronics, significant prison sentences, and a penalty or fine.

Roughly one year ago, KrebsOnSecurity published a lengthy investigation into the individuals behind Coinhive[.]com, a cryptocurrency mining service that has been heavily abused to force hacked Web sites to mine virtual currency. On Tuesday, Coinhive announced plans to pull the plug on the project early next month.

In March 2018, Coinhive was listed by many security firms as the top malicious threat to Internet users, thanks to the tendency for Coinhive’s computer code to be surreptitiously deployed on hacked Web sites to steal the computer processing power of its visitors’ devices.

Coinhive took a whopping 30 percent of the cut of all Monero currency mined by its code, and this presented something of a conflict of interest when it came to stopping the rampant abuse of its platform. At the time, Coinhive was only responding to abuse reports when contacted by a hacked site’s owner. Moreover, when it would respond, it did so by invalidating the cryptographic key tied to the abuse.

Trouble was, killing the key did nothing to stop Coinhive’s code from continuing to mine Monero on a hacked site. Once a key was invalidated, Coinhive would simply cut out the middleman and proceed to keep 100 percent of the cryptocurrency mined by sites tied to that account from then on.

In response to that investigation, Coinhive made structural changes to its platform to ensure it was no longer profiting from this shady practice.

Troy Mursch is chief research officer at Bad Packets LLC, a company that has closely chronicled a number of high-profile Web sites that were hacked and seeded with Coinhive mining code over the years. Mursch said that after those changes by Coinhive, the mining service became far less attractive to cybercriminals.

“After that, it was not exactly enticing for miscreants to use their platform,” Mursch said. “Most of those guys just took their business elsewhere to other mining pools that don’t charge anywhere near such high fees.”

As Coinhive noted in the statement about its closure, a severe and widespread drop in the value of most major crytpocurrencies weighed heavily on its decision. At the time of my March 2018 piece on Coinhive, Monero was trading at an all-time high of USD $342 per coin, according to charts maintained by coinmarketcap.com. Today, a single Monero is worth less than $50.

In the announcement about its pending closure, Coinhive said the mining service would cease to operate on March 8, 2019, but that users would still be able to access their earnings dashboards until the end of April. However, Coinhive noted that only those users who had earned above the company’s minimum payout threshold would be able to cash out their earnings.

Mursch said it is likely that a great many people using Coinhive — legitimately on their own sites or otherwise — are going to lose some money as a result. That’s because Coinhive’s minimum payout is .05 Monero, which equals roughly USD $2.35.

“That means Coinhive is going to keep all the virtually currency from user accounts that have mined something below that threshold,” he said. “Maybe that’s just a few dollars or a few pennies here or there, but that’s kind of been their business model all along. They have made a lot of money through their platform.”

KrebsOnSecurity’s March 2018 Coinhive story traced the origins of the mining service back to Dominic Szablewski, a programmer who founded the German-language image board pr0gramm[.]com (not safe for work). The story noted that Coinhive began as a money-making experiment that was first debuted on the pr0gramm Web site.

The Coinhive story prompted an unusual fundraising campaign from the pr0gramm[.]com user community, which expressed alarm over the publication of details related to the service’s founders (even though all of the details included in that piece were drawn from publicly-searchable records). In an expression of solidarity to protest that publication, the pr0gramm board members collectively donated hundreds of thousands of euros to various charities that support curing cancer (Krebs is translated in German to “cancer” or “crab.”)

After that piece ran, Coinhive added to its Web site the contact information for Badges2Go UG, a limited liability company established in 2017 and headed by a Slyvia Klein from Frankfurt who is also head of an entity called Blockchain Future. Klein did not respond to requests for comment.

A Russian court has handed down lengthy prison terms for two men convicted on treason charges for allegedly sharing information about Russian cybercriminals with U.S. law enforcement officials. The men — a former Russian cyber intelligence official and an executive at Russian security firm Kaspersky Lab — were reportedly prosecuted for their part in an investigation into Pavel Vrublevsky, a convicted cybercriminal who ran one of the world’s biggest spam networks and was a major focus of my 2014 book, Spam Nation.

Sergei Mikhailov, formerly deputy chief of Russia’s top anti-cybercrime unit, was sentenced today to 22 years in prison. The court also levied a 14-year sentence against Ruslan Stoyanov, a senior employee at Kaspersky Lab. Both men maintained their innocence throughout the trial.

Following their dramatic arrests in 2016, many news media outlets reported that the men were suspected of having tipped off American intelligence officials about those responsible for Russian hacking activities tied to the 2016 U.S. presidential election.

That’s because two others arrested for treason at the same time — Mikhailov subordinates Georgi Fomchenkov and Dmitry Dokuchaev — were reported by Russian media to have helped the FBI investigate Russian servers linked to the 2016 hacking of the Democratic National Committee. The case against Fomchenkov and Dokuchaev has not yet gone to trial.

What exactly was revealed during the trial of Mikhailov and Stoyanov is not clear, as the details surrounding it were classified. But according to information first reported by KrebsOnSecurity in January 2017, the most likely explanation for their prosecution stemmed from a long-running grudge held by Pavel Vrublevsky, a Russian businessman who ran a payment firm called ChronoPay and for years paid most of the world’s top spammers and virus writers to pump malware and hundreds of billions of junk emails into U.S. inboxes.

In 2013, Vrublevsky was convicted of hiring his most-trusted spammer and malware writer to launch a crippling distributed denial-of-service (DDoS) attack against one of his company’s chief competitors.

Prior to Vrublevsky’s conviction, massive amounts of files and emails were taken from Vrublevsky’s company and shared with this author. Those included spreadsheets chock full of bank account details tied to some of the world’s most active cybercriminals, and to a vast network of shell corporations created by Vrublevsky and his co-workers to help launder the proceeds from their various online pharmacy, spam and fake antivirus operations.

In a telephone interview with this author in 2011, Vrublevsky said he was convinced that Mikhailov was taking information gathered by Russian government cybercrime investigators and feeding it to U.S. law enforcement and intelligence agencies. Vrublevsky told me then that if ever he could prove for certain Mikhailov was involved in leaking incriminating data on ChronoPay, he would have someone “tear him a new asshole.”

An email that Vrublevsky wrote to a ChronoPay employee in 2010 eerily presages the arrests of Mikhailov and Stoyanov, voicing Vrublevsky’s suspicion that the two were closely involved in leaking ChronoPay emails and documents that were seized by Mikhailov’s own division. A copy of that email is shown in Russian in the screen shot below. A translated version of the message text is available here (PDF).

Predictably, Vrublevsky has taken to gloating on Facebook about today’s prison’s sentences, calling them “good news.” He told the Associated Press that Mikhailov had abused his position at the FSB to go after Internet entrepreneurs like him and “turn them into cybercriminals,” thus “whipping up cyber hysteria around the world.”

This is a rather rich quote, as Vrublevsky was already a well-known and established cybercriminal long before Mikhailov came into his life. Also, I would not put it past Vrublevsky to have somehow greased the wheels of this prosecution.

As I noted in Spam Nation, emails leaked from ChronoPay suggest that Vrublevsky funneled as much as $1 million to corrupt Russian political leaders for the purpose of initiating a criminal investigation into Igor Gusev, a former co-founder of ChronoPay who went on to create a pharmacy spam operation that closely rivaled Vrublevsky’s own pharmacy spam operation — Rx Promotion.