DoJ, FBI, IRS Make Empty Boast: SSNDOB ‘Seized’

A collection of law enforcement agencies is gloating over its “seizure” of the notorious SSNDOB marketplace, which traded in stolen personal information. But the action seems too little, too late.

Why has it taken them so long to do something? SSNDOB has been active for at least nine years. But all the feds did was seize the domains—not the actual site. And not the actual perps. So what’s to stop these scrotes reappearing under other domains?

Not a lot. In today’s SB Blogwatch, we count our tax dollars at work.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Did Kurtzman plagiarize (again)?

Just a Speedbump on the Road to Crime

What’s the craic? Lawrence Abrams reports—“US seizes SSNDOB market for selling personal info of 24 million people”:

$22 million in Bitcoin
The operation was conducted by the FBI, the Internal Revenue Service, and the Department of Justice, with significant help from the Cyprus Police. Four domains hosting the SSNDOB marketplace have been seized as part of this operation: “ssndob.ws,” “ssndob.vip,” “ssndob.club,” and “blackjob.biz,” [which were] acting as mirrors of each other.

The marketplace allowed cybercriminals to purchase “Social Security number, date of birth and full info of people” using bitcoin. … While the website also sold the dates of birth for people in the United Kingdom, it was primarily used to sell the personal information of US citizens for as little as $0.50.

Chainalysis explains that they tracked $22 million in Bitcoin being paid to SSNDOB since April 2015. Some of these transactions were quite large, worth $100,000 … indicating that some cybercriminals were buying data in bulk. However, one of the most interesting details … discovered was a connection between SSNDOB and Joker’s Stash, which shut down in January 2021 … facing increased pressure from law enforcement.

What else? Turn to Carly Page—“FBI seizes notorious marketplace”:

Servers in various countries
SSNDOB listed the personal information for approximately 24 million individuals in the United States, including names, dates of birth, SSNs and credit card numbers, and generated more than $19 million in revenue, according to the DOJ. [It] is believed to have been active since at least 2013.

The operators of SSNDOB are said to have employed various techniques to … thwart detection of their activities, including … maintaining servers in various countries. [This] marks the continued ramping up of efforts by law enforcement to disrupt malicious cyber activity. Last week, Europol announced the shutdown of FluBot, an Android trojan that steals online banking information, while the DOJ said it seized three domains used … to trade stolen personal information and facilitate distributed denial-of-service (DDoS) attacks.

All together now: an SSN is an identifier, not an authenticator! Sadly, that genie is out of the bottle, as njvack explains:

The “Security” in “Social Security Number” doesn’t refer to … computer security, but to the financial security provided by the United States’ Social Security program. US taxpayers pay in to this program throughout their working lives, and once they hit retirement age, are guaranteed a monthly payout until death.

If you have one of these numbers, you should keep it more private than your street address, as (for better or worse) it is used by many financial institutions to help validate your identity. Regardless, as the program started in 1935, the designers weren’t thinking about modern information security.

In a similar vein, here’s Yet Another Anonymous coward:

Dear American businesses and bits of government. If you are going to use SSN as a unique identifier (which you are explicitly told not to do) please don’t assume it is somehow a secret private key that proves the holder is that person.

And SoftTalker cheers the seizure, but with a catch:

Great, good to shut it down, but how long until its replacement springs up? It probably already has.

Instead of going through all this effort and expense to track the sellers of this information, it would be better to make “names, dates of birth, SSNs, and credit card numbers” valueless on their own. I’m not sure what the alternative looks like, but possession of this kind of personal information about someone should not be useful or valuable.
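Yet Another Anonymous coward’s point (an SSN is not a private key) and SoftTalker’s wish that a leaked name, DOB and SSN be worthless on their own come down to the same thing: where the SSN sits in an account-recovery check. The Python below is an added example written for this post, not code from any of the quoted sources or from SSNDOB. `weak_verify` is the knowledge-only pattern both commenters object to; `hardened_verify` uses SSN and DOB only to select the record, then demands a possession factor (RFC 6238 TOTP, implemented inline with the standard library). The account store, the leaked record and the names `weak_verify`, `hardened_verify` and `attacker_with_leak_only` are constructed for the illustration; the OTP secret is the RFC 4226 test-vector key so the codes can be checked against the RFC.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    name: str
    ssn: str           # identifier: it indexes the record, it does not prove who is asking
    dob: str           # also on SSNDOB-style listings, so it proves nothing either
    otp_secret: bytes  # per-account secret behind a possession factor (authenticator app)


# Constructed sample store keyed by SSN. Values are made up for this example;
# the OTP secret is the RFC 4226 Appendix D test key so outputs can be checked.
ACCOUNTS = {
    "123-45-6789": Account("A. Example", "123-45-6789", "1980-01-02",
                           b"12345678901234567890"),
}

# What a buyer of an SSNDOB-style record holds: name, DOB, SSN. Nothing else.
LEAKED_RECORD = {"name": "A. Example", "ssn": "123-45-6789", "dob": "1980-01-02"}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    t = int(time.time()) if now is None else now
    return hotp(secret, t // step)


def weak_verify(ssn: str, dob: str) -> Optional[Account]:
    """Knowledge-only check: SSN + DOB 'proves' identity.
    Anyone holding the leaked record passes, which is the pattern the post objects to."""
    acct = ACCOUNTS.get(ssn)
    if acct is not None and hmac.compare_digest(acct.dob, dob):
        return acct
    return None


def hardened_verify(ssn: str, dob: str, code: str,
                    now: Optional[int] = None) -> Optional[Account]:
    """SSN and DOB only select the record; access needs a factor the leak does not contain."""
    acct = ACCOUNTS.get(ssn)
    if acct is None or not hmac.compare_digest(acct.dob, dob):
        return None
    # Constant-time compare of the submitted code against the one the enrolled device would show.
    if not hmac.compare_digest(totp(acct.otp_secret, now), code):
        return None
    return acct


def attacker_with_leak_only(now: int) -> tuple:
    """(passes_weak, passes_hardened) for someone who bought the record but has no device.
    Without otp_secret they cannot compute the TOTP; a fixed guess is the best they can do."""
    weak = weak_verify(LEAKED_RECORD["ssn"], LEAKED_RECORD["dob"]) is not None
    hard = hardened_verify(LEAKED_RECORD["ssn"], LEAKED_RECORD["dob"], "000000", now) is not None
    return weak, hard


if __name__ == "__main__":
    print("leak-only attacker (weak, hardened):", attacker_with_leak_only(0))
    acct = ACCOUNTS["123-45-6789"]
    print("device holder, hardened:",
          hardened_verify(acct.ssn, acct.dob, totp(acct.otp_secret, 0), 0) is not None)
```

At `now=0` the buyer of the leaked record clears `weak_verify` but not `hardened_verify`, while the legitimate holder of the enrolled device does; the SSN did its only legitimate job, which was to find the row. The caveat a practitioner will want: the possession factor has to be enrolled before the recovery flow needs it, and an SMS-delivered code is a weaker possession factor than an app or hardware token.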

Wait. Pause. How does this fix the problem? ricardoRI sees a glorified speedbump:

What does [“seize”] really mean? No mention of the location of the servers, so I don’t believe the cops actually went somewhere and physically seized them. Told some domain registrars to cancel/forward to the FBI?

Did they actually visit the registrars in person to really impress (like handcuffs) no more stupid **** like this? Did the cops actually get the whole data set including automated offsite backups? All the credentials these criminals used?

To me this sounds like a vague PR piece claiming victory despite failure. Will all the sites be back up next week as ssndob1.ws, ssndob1.vip, ssndob1.club, etc.? Why did it take nine years to accomplish apparently nothing?

A fair question. Not answered by str3wer:

It’s not the first time they just put a random seized photo on a domain then do a press release. Take for example Joker’s Stash: After seizing one of their proxies they made a press release saying that after years of hard work they took it down. After two hours it came back online on the same domain.

Unsurprisingly, bill_mcgonigle sounds slightly cynical:

What would make you think this is meant to benefit anybody other than the bureaucrats at these agencies? Because the bureaucrats said so? That’s not how this works.

Meanwhile, settle down, while fidodogbreath tells us a story:

[My SSN] was my student ID number in college. We were encouraged to write it on textbooks and the like to prove positive ownership if an item was lost or stolen. So if someone finds one of my old textbooks, they can take out a mortgage in my name.

And Finally:

To seek out strange new inspiration

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: U.S. federal government (public domain)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
