How are data breach victims being hacked again? A new attack vector

A study by ethical hacking experts from security firm Kaspersky details a new way to deceive thousands of Internet users by taking advantage of recent news about data breaches and the million-dollar fines that the companies responsible receive from data protection authorities.

During a recent investigation into data collection policies, the experts found a website called Personal Data Protection Fund, allegedly owned by the US Federal Trade Commission (FTC).

The legitimate-looking website claims the existence of a fund for victims of data breaches worldwide, supposedly created thanks to the fines that companies receive. In addition, visitors are invited to register for compensation for these incidents.

According to the ethical hacking experts, the site offers a feature to verify whether a user's personal information has been compromised in any recent incident. To use it, visitors must enter their full name, phone number and their usernames on several social media platforms into the website.

Unsurprisingly, this is a new variant of scam that tries to take advantage of users concerned about their online data security. To confirm this assumption, Kaspersky researchers entered into the website the data of a citizen named fghfgh fghfgh. After entering this fake data, the website showed a surprising response: the data of the non-existent citizen fghfgh fghfgh had been “leaked”. Not only that, but the website claimed that, because the fake victim’s personal files had been exposed, fghfgh fghfgh was entitled to demand $2.5k USD in compensation.

Unlike other scams in which criminals go directly after the victim’s credit card details, this website states that compensation cannot be sent unless the victim enters their social security number, a nine-digit identifier issued to every American citizen that is used for virtually any administrative procedure.

The operators of this scam considered every possible scenario: they even added to the form a checkbox with the option “I don’t have a social security number”, the ethical hacking experts note. In this case, the website offers visitors the chance to buy a temporary social security number for only $9 USD.

If the victim decides to purchase a temporary social security number, they are redirected to a payment form. If users do this from a Russian IP address, the payment form appears in Russian and the purchase price is specified in rubles. This is ridiculous: why would a US government agency request payment in a foreign currency? The platform is dedicated to data collection, in addition to stealing small amounts of money, which could add up to considerable sums given the potential reach of the website.

Although this scam is obvious to users familiar with the issue, thousands of people with little knowledge are exposed to the fraudsters. As a precautionary measure, International Institute of Cyber Security (IICS) ethical hacking experts recommend ignoring such offers of compensation. Consulting legitimate sites, such as Have I Been Pwned, is also a good security measure for users concerned about their personal data.
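The contrast between the scam site and a legitimate breach checker is worth making concrete. Have I Been Pwned's Pwned Passwords service uses a k-anonymity range query: the client hashes the password locally with SHA-1 and sends only the first five hex characters of the hash, then matches the returned list of suffixes on its own machine. The full password, full hash and any personal data never leave the user's device. The example below is added here to illustrate that flow; it is not code from the original article, from Kaspersky or from Have I Been Pwned. The endpoint URL `https://api.pwnedpasswords.com/range/<prefix>` and the `suffix:count` response format are the published ones; the sample response body and the counts in it are constructed for this example, and the network function is optional and not exercised offline.

```python
import hashlib
import urllib.request
from typing import Optional

# Constructed sample of a range response (NOT real API output). Each line is
# "<35 hex chars of SHA-1 suffix>:<number of times seen in breaches>".
# The first suffix is the real SHA-1 tail of the string "password"
# (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); the count is made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def split_hash(password: str) -> tuple[str, str]:
    """Hash locally and split into the 5-char prefix that is sent and the
    35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; return its breach count, or 0.
    Malformed lines are skipped rather than trusted."""
    suffix = suffix.upper()
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix and count.strip().isdigit():
            return int(count)
    return 0


def breach_count(password: str, range_body: str) -> int:
    """Offline core of the k-anonymity check: only the suffix comparison."""
    _, suffix = split_hash(password)
    return count_in_range(suffix, range_body)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Optional live lookup. Only the 5-char prefix is transmitted.
    Assumption: the service requires a User-Agent header on requests."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, range_body: Optional[str] = None) -> int:
    """Full check: hash locally, send prefix (or use a supplied body), match
    suffix locally. Returns how many times the password appeared in breaches."""
    prefix, suffix = split_hash(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample body.
    print("prefix sent over the wire:", split_hash("password")[0])
    print("seen in breaches:", check_password("password", SAMPLE_RANGE_5BAA6))
```

Note what is absent from this exchange: no name, phone number, social media handle or social security number is ever requested, and the server cannot learn which of the hundreds of suffixes behind a prefix the user actually holds. Any "breach checker" that needs more than this to give an answer, let alone one that asks for payment, is collecting data rather than protecting it.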