Attacks/Breaches
6/22/2012
10:57 AM

Hackers Cite 'Idiot Tax,' Release Loan Records

Rex Mundi hacker group publishes thousands of records containing personal loan application data after payday lender AmeriCash Advance refuses $20,000 hush money request.

Earlier this month, payday loan lending company AmeriCash Advance received a ransom demand: Pay up, or see your loan-lending database get released to the Internet.

"We offered AmeriCash Advance not to publish those records, for the applicants' sake, if they paid us USD $20,000. They didn't. Hence the fact that you are now reading this data," read a statement released by hacking group Rex Mundi (which is Latin for "king of the world"). That statement was included in a 2.4-MB text file uploaded this week to file-sharing websites.

The text file data dump contains about 13,500 records, many of which include full names, email addresses, loan status, the loan amount requested by the applicant, and the amount of money earned by the affiliate company or provider who referred the applicant to AmeriCash Advance. Some records also include loan application notes that sport biographical details.

All of the records also include a field for the applicant's social security number. While all but the last four digits of the social security number are starred out, many companies--such as credit card providers--only use these four digits to help verify a phone caller's identity. Accordingly, this information could be useful to identity thieves.

Despite the warning from Rex Mundi that it would release the customer database, AmeriCash Advance said that it refused to work with extortionists. "We will not cave in to blackmail, and are cooperating fully with the authorities to protect our customers and bring these criminals to justice," according to a statement AmeriCash Advance provided to CNET.


Unusual for a hacker outfit, Rex Mundi sports a Bible verse--"Non nobis, Domine, non nobis, sed nomini tuo da gloriam" (translation: "Not to us, not to us, O Lord, But to your name give glory")--as its tagline, and claims to hail from Belgium. The group first surfaced on Twitter May 1.

In addition, while Rex Mundi labeled its ransom demand an "idiot tax," the group has worked to differentiate itself from hacktivist groups such as Anonymous that are only interested in leaking data in pursuit of a social agenda. "We <3 hacktivists like @AnonymousPress. However, we're in it for the money, which is also pretty awesome," according to a tweet from the group. "How we miss the good old days of LulzSec."

Why target AmeriCash Advance? Perhaps because the company offers payday loans--loans that must be repaid at the borrower's next payday--and cash advances. Under state laws, payday loans are legal in 37 states, which all cap maximum loan limits at either $500 or $1,500. In the case of AmeriCash Advance, its annual percentage rates reportedly range from 353% to 1,368%.

According to AmeriCash Advance, the first ransom demand surfaced not via email or Twitter, but its fax machine. "On June 12, AmeriCash Advance received a fax, telling us that part of our website had been hacked. The letter went on to demand initial payment of $15,000 from us," it said.

The company also explained how attackers had managed to grab its applicant database: "The section of the system that the criminals hacked into was the automatic e-mail responder section, the part of the system that sends an auto-reply to an applicant that their application has been received," the statement said. "We have notified those who have been affected and warned them to be vigilant. We are continuing to work closely with the authorities to identify the criminals."

But Rex Mundi disagreed with AmeriCash Advance's technical explanation of how the information had been obtained. "Tst, tst ... AmeriCash Advance, we didn't 'hack' into your system. The page was open to any1 & listed in your robots.txt," the group said via Twitter, which suggests that whoever designed the AmeriCash Advance website had purposefully left the file unsecured--to make it easier for affiliates to access--while leaving a request to Web crawlers to not index the page. "Oh, and it wasn't an email responder system, it was a page generating reports 4 yr affiliates. Get your facts straight," according to Rex Mundi.
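The point of contention above is that a page listed in robots.txt was reachable without any authentication. As an added example, not taken from the article or from any party it describes, the following Python script lets a site owner audit their own robots.txt: it treats each Disallow path as a candidate for accidental exposure and reports those an anonymous client can still fetch. The base URL, paths and status codes in the sample are constructed so the script runs offline.

```python
"""Audit robots.txt Disallow entries for unauthenticated access.

robots.txt only asks well-behaved crawlers to skip a path; it grants no
access control.  The fetch function is pluggable so the constructed
sample below runs against an in-memory site instead of the network.
"""
from typing import Callable, Dict, List, Tuple
import urllib.error
import urllib.request

def parse_disallow(robots_txt: str) -> List[str]:
    """Return every Disallow path in a robots.txt body, comments stripped."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.lower().startswith("disallow:"):
            path = line.split(":", 1)[1].strip()
            if path:
                paths.append(path)
    return paths

def http_status(url: str) -> int:
    """Fetch url with no credentials and return the HTTP status code."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url: str, robots_txt: str,
          fetch: Callable[[str], int] = http_status) -> List[Tuple[str, int]]:
    """Return (path, status) for Disallow paths served to an anonymous client."""
    exposed = []
    for path in parse_disallow(robots_txt):
        status = fetch(base_url.rstrip("/") + path)
        if status == 200:  # 200 to an unauthenticated request means the path is public
            exposed.append((path, status))
    return exposed

# Constructed sample: a robots.txt and a fake site mapping path -> status code.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/               # login-protected (401)
Disallow: /reports/affiliates   # hypothetical report page, served openly
Disallow: /tmp/                 # no longer exists (404)
"""
SAMPLE_SITE: Dict[str, int] = {"/admin/": 401, "/reports/affiliates": 200, "/tmp/": 404}

def fake_fetch(url: str) -> int:
    """Offline stand-in for http_status using the constructed site map."""
    return SAMPLE_SITE.get(url[len("https://example.com"):], 404)

if __name__ == "__main__":
    for path, status in audit("https://example.com", SAMPLE_ROBOTS, fake_fetch):
        print(f"EXPOSED: {path} returned {status} without credentials")
```

Against a real site, call `audit(base_url, robots_body)` with the default fetcher; any path it reports needs server-side authorization, not a robots.txt entry.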

AmeriCash Advance didn't immediately respond to a request for comment about whether it planned to offer identity theft protection services to the thousands of people affected by the breach. But as a recent report from the Consumer Federation of America noted, such services often do nothing to stop identity theft involving social security numbers.

Given the number of social security numbers that have been exposed in data breaches, some security experts are asking if it isn't time to rethink social security numbers. One approach--practiced in Spain--involves using national identity cards that contain a cryptographic chip. Anyone who wants to use the social security number as part of a transaction must first get the cardholder to digitally authenticate the transaction by correctly entering the chip's PIN code to verify the identity.


Comments
GBARRINGTON196, User Rank: Apprentice
6/24/2012 | 10:55:14 AM
re: Hackers Cite 'Idiot Tax,' Release Loan Records
I wonder how often other businesses have just knuckled under. I don't imagine the typical payday loan customer is very sophisticated, so the commercial backlash to Americash is likely to be small. And the absolute economic value of these people's identity is much smaller than those with fat bank accounts and a stack of credit cards. Though I suspect they may be useful as identities for malfeasance of other sorts.

I like the social security card suggestion, of using some sort of smart card as a companion to the number. But we could make it much more difficult for thieves if we just made it illegal for businesses to use SSN as an identifier.