In-Depth: 1.37 Billion User Identities Leaked, Taking Down One of the Biggest Spam Empires
On Friday, a security researcher sent the digital security industry into a frenzy when he tweeted that he would be sharing a story of nearly 1.4 billion leaked identities on Monday. Chris Vickery, a security researcher at MacKeeper, has now shared the details of what may be the biggest leak ever.
Vickery describes the leak as a “tangible threat to online privacy and security,” as the database included nearly 1.4 billion email accounts, IP addresses and “often” physical addresses. Wondering how it happened? Because one of the biggest spam groups forgot to password-protect their backups…
Today’s data leak is so large that when Vickery initially reported that he had gained access to this leaked database of nearly 1.4 billion records, the Indian government issued a statement denying that it was the source. The country’s federal ID system is one of the few databases in the world containing more than a billion individuals.
1.4 billion identity leak story incoming Monday morning.
Thanks go to @SteveD3 (and someone else) for cooperating on investigation.
— Chris Vickery (@VickerySec) March 3, 2017
RCM, the spam king that was
Vickery spotted a suspicious collection of files back in January that he discovered wasn’t password-protected. “Someone had forgotten to put a password on this repository and, as a result, one of the biggest spam empires is now falling,” Vickery said in a blog post on MacKeeper.
These files accidentally expose the operations of River City Media (RCM), led by known spammers Alvin Slocombe and Matt Ferris. RCM calls itself a legitimate marketing firm, yet it boasts of sending over a billion emails every day. The repository that Vickery stumbled upon exposes the operations of the notorious spamming organization.
While we may like to believe that only a few people fall for the basic social engineering tricks that spammers use on adult entertainment websites or sites that offer pirated products, today’s leak reveals how a mega spam company managed to hoard data on over a billion people.
1.37 billion identities stolen using affiliate programs, free offers
Today’s revelation exposes a spam company that was able to gather data on over 1.4 billion people. This information includes email addresses, full names, IP addresses, and often even physical addresses. RCM wasn’t alone in this data collection spree. “There is evidence that similar organizations have contributed to this collection,” Vickery wrote. “An active market exists for trafficking in these types of lists for illegitimate purposes.”
Teaser screenshot of that DB's summary data: pic.twitter.com/PEnpJbDZRt
— Chris Vickery (@VickerySec) March 4, 2017
The leaked files that the group forgot to protect with a password represent the backbone of RCM operations. But how did they manage to collect such a huge trove of information?
“Well-informed individuals did not choose to sign up for bulk advertisements over a billion times,” Vickery said. The security researcher believes that the “most likely scenario” is that the group used a combination of techniques, including co-registration.
Co-registration is “when you click on the “Submit” or “I agree” box next to all the small text on a website. Without knowing it, you have potentially agreed your personal details can be shared with affiliates of the site.”
RCM also accumulated this huge list via offers for things such as free gifts, credit checks, sweepstakes, and education opportunities.
River City Media is disguised as a marketing firm that does offer some legitimate services, including email and SMS campaigns. Recorded campaigns that today’s RCM data breach exposed include some popular brands like Nike, Gillette, Victoria’s Secret, Covergirl, and AT&T, among others. These clients didn’t use RCM’s services directly. Research revealed that the group sourced many campaigns from a number of marketing firms.
One of the largest marketing firms associated with RCM based on today’s leaks is Amobee. According to leaked documents, the marketing firm paid RCM $72,395 in November and $33,979 in December of last year. We have reached out to Amobee for a comment on today’s exposure and will update this story if we receive any response.
Who else has access to this data?
Since Vickery happened to “stumble upon” this unprotected database, it wouldn’t be surprising if someone else had already spotted and stored the data. When asked, Vickery told Wccftech that he hasn’t “seen any copies” on the dark web, where these data sets are mostly sold by criminals.
Authorities were, however, forwarded copies of this database. The security researcher has also sent details of abusive scripts and techniques that the group was using to Microsoft, Apple, and other companies. “Law enforcement have also been notified and, while we are prohibited from saying too much, they are indeed interested in the matter,” Vickery added.
It is unclear if the database containing details of over 1.4 billion users was sold online, but it wouldn’t be surprising if RCM sold this precious data now that it has already been exposed. RCM and other spammers mostly rely on the fact that we trust popular services, which then forward our data to affiliates. “You are never told who the affiliates are and groups like River City Media capitalize on that aspect,” Vickery wrote.
One line of the leaked chat logs explains it all very succinctly: “The key is sincerity. Once you can fake that…”
The empire of spam is being taken down as we speak. Spamhaus, a world leader in supplying real-time threat intelligence to the Internet’s major networks, is blacklisting RCM’s entire infrastructure. But what happens to that database containing information on nearly 1.4 billion users is what users should really be worried about.
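A Spamhaus listing only bites because receiving mail servers consult the blocklist for every inbound connection. The following is an added example, not code from the article, from Vickery, or from Spamhaus, showing how that DNS-based blocklist (DNSBL) check works: the sender’s IPv4 octets are reversed, the zone name is appended, and the A-record answer in 127.0.0.x is decoded into the reason for the listing. The answer-code table follows Spamhaus’s public documentation for the ZEN zone as I recall it; the IP addresses and the answer table are constructed so the module runs offline, and the resolver is pluggable so the same code can be pointed at the real zone.

```python
"""DNSBL lookup as an MTA performs it (added example, not the article's code)."""
from dataclasses import dataclass, field
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

ZEN_ZONE = "zen.spamhaus.org"

# Answer codes for the ZEN zone per Spamhaus's public documentation (assumption:
# recalled, not taken from the article). 127.0.0.x means listed; 127.255.255.x
# is a query error and must never be treated as a listing.
ZEN_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL (Spamhaus Block List)",
    "127.0.0.3": "SBL CSS (snowshoe / compromised senders)",
    "127.0.0.4": "XBL (exploited host / botnet)",
    "127.0.0.9": "SBL DROP/EDROP (hijacked or criminal netblock)",
    "127.0.0.10": "PBL (ISP-declared end-user address space)",
    "127.0.0.11": "PBL (Spamhaus-maintained end-user address space)",
}

Resolver = Callable[[str], List[str]]  # query name -> list of A-record strings


@dataclass
class DnsblResult:
    ip: str
    query: str
    listed: bool
    reasons: List[str] = field(default_factory=list)
    error: Optional[str] = None


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Reverse the IPv4 octets and append the zone: 192.0.2.10 -> 10.2.0.192.<zone>."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example handles IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Live lookup through the OS resolver; NXDOMAIN means 'not listed'."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def lookup(ip: str, resolver: Resolver = system_resolver, zone: str = ZEN_ZONE) -> DnsblResult:
    """Query the blocklist for one sender IP and decode every answer record."""
    query = dnsbl_query_name(ip, zone)
    result = DnsblResult(ip=ip, query=query, listed=False)
    for answer in resolver(query):
        if answer.startswith("127.255.255."):
            # Spamhaus signals misuse (public resolver, query limit) with these
            # codes; rejecting on them would bounce every sender.
            result.error = f"DNSBL error code {answer} for {query}"
            continue
        if answer.startswith("127.0.0."):
            result.listed = True
            last_octet = int(answer.rsplit(".", 1)[1])
            if 4 <= last_octet <= 7:  # the whole XBL range maps to one reason
                result.reasons.append(ZEN_CODES["127.0.0.4"])
            else:
                result.reasons.append(ZEN_CODES.get(answer, f"unknown ZEN code {answer}"))
    return result


def smtp_policy(result: DnsblResult) -> str:
    """Decision a receiving MTA makes at connection time."""
    if result.error:
        return "tempfail"  # 4xx: retry later rather than reject on a broken lookup
    return "reject" if result.listed else "accept"


# Constructed answer table standing in for DNS so the module runs offline.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.2", "127.0.0.10"],  # listed in SBL and PBL
    "20.2.0.192.zen.spamhaus.org": [],                           # clean: NXDOMAIN
    "30.2.0.192.zen.spamhaus.org": ["127.255.255.254"],          # error: public resolver used
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        r = lookup(sender, resolver=fake_resolver)
        print(sender, smtp_policy(r), r.reasons, r.error)
```

The three constructed cases cover the decisions that matter in practice: a listed host is rejected, a clean host is accepted, and a broken lookup produces a temporary failure instead of a rejection. Passing `system_resolver` instead of `fake_resolver` performs the live query against the real zone.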