In an earlier post, we discussed the different motivations of cyber criminals and how they run the gamut from pure intellectual curiosity to financial gain. One category of hacker is the “Hacktivist.” These hackers breach information systems and collect data to prove a point or shine a light on a social injustice or political agenda. Anonymous is probably one of the largest international networks of activist and hacktivist entities and the most widely known to the public.
When news of the Equifax breach surfaced, those of us following the story assumed the motivation behind harvesting over 143 million personal credit records would certainly be for financial gain, as seen with the subsequent hidden services that appeared shortly thereafter offering the dataset for sale for a mere $2.6 Million USD – not chump change by any means.
Earlier this week (on the 17th and 19th of September), OWL Vision, the OWL Cybersecurity darknet platform, caught two posts supposedly containing the first 9,674 entries of the Equifax dataset (the first paste included only 6,642 entries), both a subset of the “A’s,” with the following at the top of their PGP-signed message:
Hackers appeared to be ransoming the data for revocation of the DACA, Deferred Action for Childhood Arrivals, immigration policy, putting a whole new spin on the possible mindset and motivation behind the Equifax attack. The #MAGA hashtag, associated with Donald Trump’s campaign slogan, “Make America Great Again,” suggests that the hackers are potentially avid supporters of the Trump agenda and favor ending the Obama-era DACA policy, affecting some 750,000 undocumented youths, also known as the “Dreamers,” who now benefit from the program, which allows them to work and go to school without fear of deportation.
Regardless of the motivation, and whether or not the U.S. government will even entertain discussion with the Equihax0r entity, our analysts quickly dug into the list of Social Security Numbers (SSN), full names, and birthdates to determine whether these were legitimate entries or whether the list had been falsified in an attempt to garner attention from U.S. policymakers.
Unfortunately, the social network of our darknet analysts is intimate, as no one in the office had friends with surnames starting with “A” they could validate the list against. Without calling up the Social Security Administration (SSA) for help with validating the numbers, analysis of the Area numbers in the SSN list provided a starting point for determining whether or not the socials were falsified.
For decades, the first three digits of the U.S. SSN correlated to a particular region of the country and were called the Area number; the next two digits, called the Group number, can be used to determine when a particular block of SSNs was issued; and the Series number is a sequential number assigned to ensure all SSNs are unique. Series number 0000 is invalid.
This approach was valid until 2011 when the SSA introduced “randomization” to protect the integrity of the SSN. According to the SSA’s website, SSN randomization affected the SSN assignment process in the following ways:
- It eliminated the geographical significance of the first three digits of the SSN, referred to as the area number, by no longer allocating the area numbers for assignment to individuals in specific states.
- It eliminated the significance of the highest group number and, as a result, the High Group List is frozen in time and can only be used to see the area and group numbers SSA issued prior to the randomization implementation date.
- Previously unassigned area numbers were introduced for assignment excluding area numbers 000, 666 and 900-999.
Interestingly, however, the website usrecordsearch.com states that Area numbers 650-699 and 729-799 are still unassigned and reserved for future use, and that Area numbers greater than 799 (800-999) are not valid SSNs.
We initially used this to validate the numbers in the Equihax0r post and immediately found numerous entries within the “Unassigned” blocks mentioned above. Even allowing for data entry errors, i.e. “the fat finger,” the totals are far higher than human error would explain. For example, 21 out of 9,674 entries had the Area number “686-” alone.
Spot checking some of the entries against Open Source information proved helpful, in that one woman born in 1944, who has never lived anywhere but Indiana, is listed as having the Area number issued to Massachusetts. Indiana’s Area number block is 303-317 and the sample was listed as 017, which can hardly be construed as an entry error on a number pad or regular line layout.
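The structural checks described above, applied to a constructed list of records, as an added example that is not part of the original post or OWL Cybersecurity’s tooling. The unassigned and reserved Area blocks and the Indiana block (303-317) are the values quoted in the post; the Massachusetts block (010-034), the Group 00 rule and the 2011 cutoff year are assumed lookup values for the worked spot check.

```python
import re
from collections import Counter

# Year the SSA introduced randomization (assumed cutoff for the historical rules).
RANDOMIZATION_YEAR = 2011

# Never valid under either scheme, per the SSA note quoted in the post.
NEVER_ASSIGNED_AREAS = {0, 666} | set(range(900, 1000))
# Unassigned or invalid before randomization, per usrecordsearch.com as quoted.
RESERVED_PRE_RANDOMIZATION = set(range(650, 700)) | set(range(729, 900))

# Partial Area-to-state map: Indiana from the post, Massachusetts assumed (010-034).
AREA_TO_STATE = {**{a: "IN" for a in range(303, 318)}, **{a: "MA" for a in range(10, 35)}}

SSN_RE = re.compile(r"^(\d{3})-(\d{2})-(\d{4})$")

def parse_ssn(ssn):
    """Return (area, group, serial) as ints, or None if the string is malformed."""
    m = SSN_RE.match(ssn)
    return None if m is None else tuple(int(x) for x in m.groups())

def structural_issues(ssn, birth_year):
    """List the reasons an SSN is implausible for someone born in birth_year."""
    parts = parse_ssn(ssn)
    if parts is None:
        return ["malformed"]
    area, group, serial = parts
    issues = []
    if area in NEVER_ASSIGNED_AREAS:
        issues.append("area never assigned")
    if group == 0:
        issues.append("group 00 invalid")  # SSA rule, not from the post
    if serial == 0:
        issues.append("serial 0000 invalid")
    # Only pre-randomization SSNs can be judged against the reserved blocks.
    if birth_year < RANDOMIZATION_YEAR and area in RESERVED_PRE_RANDOMIZATION:
        issues.append("area reserved before randomization")
    return issues

def state_mismatch(ssn, birth_year, known_state):
    """True if a historical SSN's Area maps to a state other than the person's."""
    parts = parse_ssn(ssn)
    if parts is None or birth_year >= RANDOMIZATION_YEAR:
        return False
    issued_in = AREA_TO_STATE.get(parts[0])
    return issued_in is not None and issued_in != known_state

def triage(records):
    """Tally flagged entries by Area prefix, like the 21 x '686-' count in the post."""
    flagged = Counter()
    for ssn, year, state in records:
        if structural_issues(ssn, year) or state_mismatch(ssn, year, state):
            flagged[ssn[:3]] += 1
    return flagged

# Constructed sample records (ssn, birth year, state tied to the name); not real data.
SAMPLE_RECORDS = [
    ("686-12-3456", 1960, "IN"),  # reserved Area on a 1960 birth: implausible
    ("017-45-6789", 1944, "IN"),  # Massachusetts Area on a lifelong Indiana resident
    ("305-22-0001", 1950, "IN"),  # consistent: Indiana block, valid serial
    ("303-10-0000", 1950, "IN"),  # serial 0000 is never issued
    ("950-11-2222", 1980, "MA"),  # 900-999 never assigned
    ("686-12-3456", 2015, "IN"),  # post-randomization: 686 can no longer be ruled out
]
```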
With this information, combined with the “unassigned” area numbers, our analysts felt confident that the list had to have been randomly generated and was not the actual data from the Equifax servers. However, further analysis, required because of the potential impact of dismissing 9,000-plus SSNs found on the deep web, cast doubt on the original findings.
A couple of hours later, our analysts managed to verify many of the full names and birthdates from the list through Open Source research, using public information websites such as www.instantcheckmate.com and www.whitepages.com. Several of these had particularly uncommon names that could be verified along with the correct birth year. Further research into locations affiliated with those names showed that the Area numbers of their SSNs matched a state they had been associated with as well. This intelligence significantly increased the likelihood that the Equihax0r list contained real personally identifiable information (PII).
If the Equihax0r hacker is legitimate, the information posted is from the Equifax database, and his motivation is driven by the DACA policy decision, we may very well see several million PII records surface soon on the darknet.
Rest assured these will be found with ease using OWL Cybersecurity’s OWL Vision darknet engine and stored with the other 100,000 unique SSNs already in our darknet database.
*Footnote: Thank you to our readers for asking questions and challenging our work! As we mentioned in the article, in 2011, the SSA adopted a randomization numbering method where the area numbers are no longer really relevant; however, we used the historical reference (such as that on usrecordsearch.com) for historical SSNs. While we recognize the idea that previously reserved area numbers are likely now in circulation, the DOBs for the area numbers in question were decades before the implementation of the new numbering scheme. We will endeavor to clarify this on our post for future readers and will keep an eye out for the data to surface on the darknet in the meantime.