Hotel cybersecurity training - Identity theft, from ENISA, DoJ, FBI

Identity theft, from ENISA

What is identity theft?

Identity theft or identity fraud is the illicit use of a victim’s personally identifiable information (PII) by an impostor to impersonate that person and gain a financial advantage or other benefits.

According to an annual security report, at least 900 international cases of identity theft or identity-related crimes were detected.

The most significant incidents reported were:

- the exposure of nearly 106 million American and Canadian bank customers’ personal information from the Capital One data breach incident in March 2019.

- the exposure of 170 million usernames and passwords used by digital game developer Zynga in September 2019.

- the stealing of 20 million accounts from the British audio streaming service Mixcloud.

- the compromise of 600,000 drivers’ and 57 million users’ personal information in Uber’s data breach incident in November 2019.

- and the theft of 9 million personal records from EasyJet customers including identity cards and credit cards.

The trend in identity theft is reflected largely in data breaches, which, compared with 2018, reached a record number of 3.800 publicly disclosed cases, 4,1 billion records exposed and an increase of 54% in the number of breaches reported.

The identity theft threat.

In 2019, some malicious actors behind major incidents from the past years were brought to justice. In June, the New York Police Department, in collaboration with the FBI, brought to justice the members of the ‘Fraud Ring’, who operated inside and outside the United States and in 2012 managed to steal credentials from iPhones worth US $1 million (ca. €846.000) in a large-scale identity theft operation. By the time the group was stopped, the total amount stolen had reached US $19 million (ca. €16 million).

A month later, the ‘Equifax settlement’ was publicly announced. Equifax was forced to agree to compensate the United States Federal Trade Commission, the Consumer Financial Protection Bureau, 48 states, the District of Columbia and Puerto Rico over its 2017 data breach, at a cost of at least US $575 million (ca. €487 million).

Because of that data breach, which was ruled as ‘entirely preventable’, nearly 148 million American addresses and social security numbers were leaked.

At the end of the year, Brazil fined Facebook US $1,6 million (ca. €1,35 million) on behalf of Brazilian citizens for the Cambridge Analytica data leak.

Brand impersonation attacks.

Consistent with the trend in 2018, certain brands are preferred in impersonation attacks because of their strong reputation. Although these brands - such as Microsoft (44%) and Amazon (17%) - continue to lead in the rankings of 2019 brand impersonation attacks, new additions such as the United States Internal Revenue Service (IRS) are notable.

The sensitive information included in the Wage and Tax Statement (W-2) has always been appealing to impostors, who used an IRS impersonation in 10% of identity deception-based e-mails in this reporting year. As a result, valid W2 forms and standard US Individual Tax Return (1040) forms are available on the dark web at a cost ranging between US $1 and US $52.

This material, combined with the Social Security Numbers (SSN) and birth dates that are also available, allows any inexperienced hacker willing to invest US $1,000 (ca. €846) to access a United States-based bank account, file a false tax return, claim a refund and cash out an investment that has doubled or tripled.

According to the IRS Criminal Investigation, more than 10.000 individual tax returns with claims for refund of more than US $83 million (ca. €70 million) were potentially fraudulent.

SIM-Swapping identities.

This technique has been used since 2016, targeting cryptocurrency holders. However, in 2019 the same technique was used against high-profile individuals or accounts with the intention of stealing the victim’s identity.

A number of victims of SIM-swapping were recorded, such as Jack Dorsey (Twitter’s CEO), Jessica Alba (actor), Shane Dawson (actor), Amanda Cerny (actor, twice a victim), Matthew Smith (actor, four times victim) and King Bach (artist).

SIM-swapping was also used at scale in two cases: at Mozambique’s largest bank, where up to US $50.000 (ca. €42.300) was stolen from high-profile business accounts, and in Brazil, where 5.000 victims, mainly politicians, ministers and governors, had their accounts hacked by an organised gang.

Gift cards used as a business e-mail compromise (BEC) trojan horse.

BEC attacks caused losses of billions of euros in 2019. In such incidents, the attackers impersonate a trusted individual, usually within the company, and the victim is tricked into making a financial transaction or divulging sensitive information, personal or corporate.

In more than half of BEC attacks, the victim was lured into purchasing a gift card. During the purchase process, sensitive information such as bank account credentials was intercepted.

The victim was also forced to send the gift card to the attacker, as an anonymous, irreversible and direct cash-out option. The average amount stolen per gift card reached US $1.500 (ca. €1.269).


- 20% of identity deception attacks used compromised accounts.

- 30% of attacks targeting C-level executives’ accounts used display name deception.

- 65% of BEC attacks lured victims to purchase gift cards.

- €3,32 million average cost of a data breach.

- 95% of the responders to a Eurobarometer survey saw identity theft as a serious crime.

Digital doppelgangers.

The anti-fraud technique ‘digital masks’ was exposed when more than 60.000 stolen digital identities appeared as a trading product on the darknet marketplace Genesis in April 2019. These doppelgangers were readily available to purchase at US $5 - $200 each.

The owner of a doppelganger can more easily mimic a real user in an online shop or payment service, especially if this is combined with stolen logins and passwords.

Apart from purchasing digital doppelgangers, new tools to assist the potential impersonator have appeared, such as the Tenebris browser, which embeds a generator for creating unique fingerprints and digital masks.

In recent years, skimmers, dumpster divers, hackers, administrator impersonators and phishers have been identified as the main groups behind the identity theft attacks.

That list expanded in 2019 with the addition of vishers and smishers. Vishers phish via phone calls. Unlike telephone impersonators, vishers pretend to represent a well-known organisation and offer to assist the victim with a service, for example managing computer software, finances or a tax refund. Smishers send false SMS messages and, if the receiver replies, their device is directly hijacked or redirected to a phishing website.

The figure below shows the top data types lost in 2019, where e-mail data accounts for the highest number of records lost or stolen. These numbers reveal the seriousness of the situation, considering that e-mails may contain sensitive personal, corporate and governmental information.


- THE CLOUD AS AN ATTACK INTERFACE FOR CUSTOMERS’ DATA. In the reporting year, Amazon CloudFront, a content delivery network (CDN), was compromised. The websites hosted or linked to libraries on Amazon’s infrastructure were exposed, revealing externally loaded content, including credit card data.

- PHISHING URL. The common malware URL techniques of domain squatting, domain shadowing and URL shorteners were used once again in 2019. In the last quarter of 2019, it was noted that 26% of the malicious domains used a secure certificate and one in three of those certificates was SSL. This trick interfered with the judgement of visitors who relied on the padlock icon in their browsers as a sign of security.

- W2 SCAM. Another attack that targets companies’ and organisations’ records to access sensitive information is the W2 scam. The scam starts by spoofing an executive member of the finance or human resources department to obtain employees’ records. These records are then used for identity theft. The scam is named after the American W2 tax form used to report employees’ wages. This social engineering scam, although old (first reported in 2016 by the IRS), has been rising consistently by 10% every year in recent years.

- NIMCY. In 2019, a spear-phishing tool, Nimcy, was introduced by the group responsible for the Zebrocy malware family. The tool, written in the Nim (formerly Nimrod) programming language, was created by the same group of hackers. This new downloader and backdoor was used to steal login credentials, keystrokes, communications and files from diplomats, defence officials and ministry staff in the foreign affairs sector. The attackers seemed to focus on Central Asian governments, with a preference for Pakistan and India.

- MOBILE THREATS. A rise in malicious mobile apps was noticed in 2019 and continued in 2020. Even widely used and trusted platforms such as Google Play were hosting apps aiming to steal credentials (e.g. Acesse SantaMobile, Modulo ID). However, the number of downloads was extremely low, showing that the potential victims were not fooled.

- TROJAN-BANKER.ANDROIDOS.SVPENG.AK. The eighth most popular mobile trojan and the most popular mobile banking trojan, responsible for 1,75% and 16,85% of unique attacks respectively, mostly targets victims’ bank credentials and two-factor authentication codes. The majority of this trojan’s victims are located in Russia, making it the top country in terms of share of users attacked by mobile banking trojans.

- FORMJACKING. Formjacking was extremely common in 2018, but the number of attacks seemed to decrease considerably in the first quarter of 2019. However, starting in May with the attack on an American healthcare provider and the theft of login credentials, the number of attacks continued to rise throughout the rest of the year. In that month an all-time high of 1,1 million detections was recorded. The five countries with the most formjacking detections in 2019 were the United States (51,8%), Australia (8,1%), India (5,7%), the United Kingdom (4,1%) and Brazil (3,5%). The Magecart hacker group is strongly associated with most of the development of formjacking tools and with the attacks on British Airways, Newegg, Feedify and Ticketmaster.
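The two e-mail deception techniques named above, display name deception (the "30%" figure) and domain squatting under PHISHING URL, can be screened for at the mail gateway. The following is an added example, not ENISA material: it parses a From: header, undoes common look-alike character swaps, and compares the sending domain and display name against a small constructed allowlist of brand domains (the allowlist, the homoglyph table and the verdict names are assumptions).

```python
import re
from email.utils import parseaddr

# Constructed allowlist of brand domains the organisation expects mail from
# (hypothetical values; a real deployment loads its own list).
TRUSTED_DOMAINS = {"microsoft.com": "microsoft", "amazon.com": "amazon", "irs.gov": "irs"}

# Character sequences commonly swapped for look-alikes in squatted domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(text: str) -> str:
    """Lower-case and undo the homoglyph substitutions listed above."""
    text = text.lower()
    for look_alike, real in HOMOGLYPHS:
        text = text.replace(look_alike, real)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (Wagner-Fischer, one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(domain: str) -> str:
    """'secure-amazon.com' -> 'secure-amazon'. Assumes a two-label domain and
    does no public-suffix handling (so 'amazon.co.uk' would yield 'co')."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, reason) for the value of a From: header."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not domain:
        return ("suspicious", "unparseable address")
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    label = normalise(second_level_label(domain))
    # Domain squatting: the sending domain imitates a trusted one, either by
    # homoglyphs/typos (edit distance <= 1) or by embedding the brand name.
    for trusted, brand in TRUSTED_DOMAINS.items():
        tlabel = normalise(second_level_label(trusted))
        if label == tlabel or edit_distance(label, tlabel) <= 1 or brand in label.split("-"):
            return ("lookalike", f"{domain} resembles {trusted}")
    # Display name deception: the name claims a brand the domain does not belong to.
    name_tokens = set(re.findall(r"[a-z]+", normalise(name)))
    for trusted, brand in TRUSTED_DOMAINS.items():
        if brand in name_tokens:
            return ("display-name-deception", f"name claims {brand}, domain is {domain}")
    return ("unknown", domain)
```

A verdict of "lookalike" or "display-name-deception" is a flag for review, not proof of fraud; legitimate third-party senders (e.g. a brand's marketing provider) will also trip the display name check.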

Proposed actions.

- Avoid using the password manager provided by the browser. If one is needed, use an offline protected password manager.

- Authenticate any sender of a request to transfer money by telephone or in person.

- Do not keep sensitive information such as patient records in handwritten notes, to prevent their loss or misplacement. Digital files are better for data with a short lifetime, and they should be completely destroyed once no longer needed.

- Use ‘threat hunting’ within your company to strengthen security plans. Threat hunting is conducted by skilled members of the security operation centre (SOC) team to proactively identify vulnerabilities and prevent threats exploiting them.

- Use policies such as velocity-based rules to mitigate identity fraud, especially for payment card transactions. The machine data of valid transactions can provide sufficient information for optimal policy definition.

- Use the single sign-on (SSO) authentication method, when available, which allows a user to access several applications with the same set of digital credentials. Its use is highly recommended to minimise the number of user accounts and stored credentials.

- Install end-point protection by means of anti-virus programs but also block execution of files appropriately (e.g. block execution in the temp folder).

- Multi-factor authentication is a security measure to overcome password hacking or loss and to ensure the success of the authentication process with multiple keys. Adaptive multi-factor authentication optimises the authentication process based on the user’s behaviour and the associated context.

- Before taking any further steps, check URLs received by e-mail or visited incidentally: the IP address they resolve to, the ASN associated with that IP, the owner of the domain and the relation between this domain and others.

- Organisations using cloud services should have strong cloud security operations and preferably use an architecture combining on-premises storage, private cloud storage and public cloud storage to protect their customers’ personal information.

- Enforce the use of strong and updated encryption methods such as TLS 1.3 (using ephemeral keys) for sensitive data to prevent hacking.

- Adequately protect all identity documents and copies (physical or digital) against unauthorised access.

- Do not disclose identity information to unsolicited recipients; unsolicited requests by phone, e-mail or in person should not be answered.

- Enforce the use of password protected devices, ensuring good quality of credentials, and secure methods for their storage.

- Ensure good quality of credentials and secure methods for their storage in all used media.

- Pay close attention when using public Wi-Fi networks, as fraudsters hack or mimic them. If one is used, avoid accessing sensitive applications and data. Use a trusted VPN service to connect to public Wi-Fi networks.

- Check transactions documented by bank statements or received receipts regularly for irregularities.

- Install content filtering to filter out unwanted attachments, mails with malicious content, spam and unwanted network traffic.

- Enforce the use of data loss prevention (DLP) solutions.
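The velocity-based rules recommended above for payment card transactions can be implemented as a sliding window per card. The following is an added example, not ENISA material: it streams constructed transactions in time order and raises an alert when a card exceeds a count or amount threshold, or is used from more than one country, within a ten-minute window (the thresholds, the window, the tokenised card names and the three rule names are assumptions; as the text says, real thresholds are derived from the organisation's own history of valid transactions).

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Txn:
    card: str          # tokenised card reference (constructed, not a real PAN)
    ts: datetime
    amount: float
    country: str


# Constructed policy thresholds (assumptions); tune from valid-transaction data.
WINDOW = timedelta(minutes=10)
MAX_COUNT = 3        # more than 3 transactions per card inside the window
MAX_TOTAL = 500.0    # more than 500 currency units per card inside the window


def velocity_alerts(txns):
    """Return a list of (card, timestamp, rule) alerts, evaluated per transaction
    against the card's other transactions inside the trailing WINDOW."""
    history = defaultdict(deque)   # card -> transactions still inside the window
    alerts = []
    for t in sorted(txns, key=lambda x: x.ts):
        recent = history[t.card]
        while recent and t.ts - recent[0].ts > WINDOW:   # expire old entries
            recent.popleft()
        recent.append(t)
        if len(recent) > MAX_COUNT:
            alerts.append((t.card, t.ts, "count"))
        if sum(x.amount for x in recent) > MAX_TOTAL:
            alerts.append((t.card, t.ts, "amount"))
        if len({x.country for x in recent}) > 1:          # same card, two countries
            alerts.append((t.card, t.ts, "geo"))
    return alerts


# Constructed sample stream: one card per rule plus one benign card.
_base = datetime(2019, 11, 5, 9, 0)
SAMPLE = [
    Txn("tok-A", _base, 40.0, "DE"),
    Txn("tok-A", _base + timedelta(minutes=1), 45.0, "DE"),
    Txn("tok-A", _base + timedelta(minutes=2), 50.0, "DE"),
    Txn("tok-A", _base + timedelta(minutes=3), 35.0, "DE"),   # 4th in window -> count
    Txn("tok-B", _base, 300.0, "FR"),
    Txn("tok-B", _base + timedelta(minutes=5), 250.0, "FR"),  # 550 in window -> amount
    Txn("tok-C", _base, 20.0, "ES"),
    Txn("tok-C", _base + timedelta(minutes=4), 25.0, "US"),   # two countries -> geo
    Txn("tok-D", _base, 60.0, "IT"),
    Txn("tok-D", _base + timedelta(minutes=30), 60.0, "IT"),  # outside window, no alert
]

if __name__ == "__main__":
    for card, ts, rule in velocity_alerts(SAMPLE):
        print(f"{ts:%H:%M} {card}: {rule} rule triggered")
```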

Identity theft, from the U.S. Department of Justice (DoJ)

What Are Identity Theft and Identity Fraud?

Identity theft and identity fraud are terms used to refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in some way that involves fraud or deception, typically for economic gain.

What Are The Most Common Ways That Identity Theft or Fraud Can Happen to You?

- In public places, for example, criminals may engage in "shoulder surfing" – watching you from a nearby location as you punch in your telephone calling card number or credit card number – or listen in on your conversation if you give your credit-card number over the telephone.

- If you receive applications for "pre-approved" credit cards in the mail, but discard them without tearing up the enclosed materials, criminals may retrieve them and try to activate the cards for their use without your knowledge. Also, if your mail is delivered to a place where others have ready access to it, criminals may simply intercept and redirect your mail to another location.

- Many people respond to "spam" – unsolicited E-mail – that promises them some benefit but requests identifying data, without realizing that in many cases, the requester has no intention of keeping his promise. In some cases, criminals reportedly have used computer technology to steal large amounts of personal data.

With enough identifying information about an individual, a criminal can take over that individual's identity to conduct a wide range of crimes. For example:

- False applications for loans and credit cards,

- Fraudulent withdrawals from bank accounts,

- Fraudulent use of telephone calling cards or online accounts, or

- Obtaining other goods or privileges which the criminal might be denied if he were to use his real name

What Can You Do If You've Become a Victim of Identity Theft?

- Call the companies where you know the fraud occurred. Call the fraud department. Explain that someone stole your identity. Ask them to close or freeze the accounts. Then, no one can add new charges unless you agree. Change logins, passwords, and PINs for your accounts.

- Place a fraud alert and get your credit reports. To place a fraud alert, contact one of the three credit bureaus. 1-888-397-3742, 1-800-680-7289, 1-888-766-0008. A fraud alert is free. It will make it harder for someone to open new accounts in your name. Get your free credit reports from Equifax, Experian, and TransUnion. Go to or call 1-877-322-8228. Review your reports. Make note of any account or transaction you don’t recognize. This will help you report the theft to the FTC and the police.

- Report identity theft to the FTC. Go to or call 1-877-438-4338. Include as many details as possible. Based on the information you enter, will create your Identity Theft Report and personal recovery plan.

- You may choose to file a report with your local police department. Go to your local police office with a copy of your FTC Identity Theft Report, a government-issued ID with a photo, proof of your address (mortgage statement, rental agreement, or utilities bill). Tell the police someone stole your identity and you need to file a report. Ask for a copy of the police report.

What's The Department of Justice Doing About Identity Theft and Fraud?

The Department of Justice prosecutes cases of identity theft and fraud under a variety of federal statutes. In the fall of 1998, for example, Congress passed the Identity Theft and Assumption Deterrence Act. This legislation created a new offense of identity theft, which prohibits "knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." 18 U.S.C. § 1028(a)(7). This offense, in most circumstances, carries a maximum term of 15 years' imprisonment, a fine, and criminal forfeiture of any personal property used or intended to be used to commit the offense.

Schemes to commit identity theft or fraud may also involve violations of other statutes such as identification fraud (18 U.S.C. § 1028), credit card fraud (18 U.S.C. § 1029), computer fraud (18 U.S.C. § 1030), mail fraud (18 U.S.C. § 1341), wire fraud (18 U.S.C. § 1343), or financial institution fraud (18 U.S.C. § 1344). Each of these federal offenses is a felony that carries substantial penalties – in some cases, as high as 30 years' imprisonment, fines, and criminal forfeiture.

Federal prosecutors work with federal investigative agencies such as the Federal Bureau of Investigation, the United States Secret Service, and the United States Postal Inspection Service to prosecute identity theft and fraud cases.

Identity theft, from the FBI

On the Internet: Be Cautious When Connected

Everyday tasks—opening an email attachment, following a link in a text message, making an online purchase—can open you up to online criminals who want to harm your systems or steal from you. Preventing internet-enabled crimes and cyber intrusions requires each of us to be aware and on guard.

Protect Your Systems and Data

- Keep systems and software up to date and install a strong, reputable anti-virus program.

- Create a strong and unique passphrase for each online account you hold and change them regularly. Using the same passphrase across several accounts makes you more vulnerable if one account is breached.

- Do not open any attachments unless you are expecting the file, document, or invoice and have verified the sender’s email address.

Protect Your Connections

- Be careful when connecting to a public Wi-Fi network and do not conduct any sensitive transactions, including purchases, when on a public network.

- Avoid using free charging stations in airports, hotels, or shopping centers. Bad actors have figured out ways to use public USB ports to introduce malware and monitoring software onto devices that access these ports. Carry your own charger and USB cord and use an electrical outlet instead.

Protect Your Money and Information

- Examine the email address in all correspondence and scrutinize website URLs. Scammers often mimic a legitimate site or email address by using a slight variation in spelling. Or an email may look like it came from a legitimate company, but the actual email address is suspicious.

- Do not click the link in an unsolicited text message or email that asks you to update, check, or verify your account information. If you are concerned about the status of your account, go to the company’s website to log into your account or call the phone number listed on the official website to see if something does in fact need your attention.

- Carefully scrutinize all electronic requests for a payment or transfer of funds.

- Be extra suspicious of any message that urges immediate action.

- Make online purchases with a credit card for an extra layer of protection against fraud.

- Do not send money to any person you meet online or allow a person you don’t know well to access your bank account to transfer money in or out.
