Brett Gollumfun Johnson: Merry Christmas, Fraudsters! Equifax Plays Santa for Criminals Worldwide

September 9, 2017

This is important, so let’s dispense with the usual chit-chat and start with what you need to do.

Freeze Your Credit.  Don’t place an alert, don’t delay, do it now.  Place a credit freeze on your report with all three credit bureaus.  Info: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs

Freeze Your Children’s Credit.  Children are the number one victims of Identity Theft.  The info obtained from the Equifax leak will lead to more kids being victimized.  Refer to the link above, and freeze your kids’ credit profiles.

Monitor and obtain your credit reports every 3 months.  Address anything questionable (new address, phone number, account, inquiry, etc.) immediately.  Have old phone numbers and addresses removed from your credit report.

Monitor all accounts (bank, credit, loan, UTILITY) and look for suspicious activity.  Not only should you look for a suspicious charge, but also look for changes in address, phone number, or other account information.

Think about a monitoring service.  Do NOT sign on for any free monitoring service offered by Equifax.

OK, now I can bitch a bit about Equifax and tell you SOME of what criminals can do because of what Equifax GAVE them.

Equifax recently announced a breach of member data.  Who is a member?  YOU are.  Equifax is one of the three credit bureaus.  If you have credit, you can damn well bet Equifax has a file on you.

The good folks at Equifax announced they had been a victim of a breach.  What was breached?  Well, they claim a potential 143 MILLION records.  Equifax is very concerned about the information.  So concerned they delayed announcing the breach for well over a month, and gave some of their higher-ups enough time to sell stock before they announced the hack.  Yay!

What type of Information was obtained?  Names, Addresses (past and present), DOB, SSN, DL#.  Also claimed are a potential 209,000 credit card numbers leaked, and 182,000 Dispute Documents.  Oh yeah…it also affected UK and Canadian citizens.  No idea how much, Equifax didn’t care enough about them to detail the damage.  Gotta love the good folks calling the shots at Equifax.

Equifax has been quick to react.  Well, except for delaying the announcement by over a month.  They now have in place a system to tell people if they have been compromised.  I’m happy they are doing that.  Well, I was happy.  Then I found out that anyone and everyone’s information that is entered into the system comes back as being a victim.  Matter of fact, one can even input completely false information and it will show that nonexistent person as being a victim.  Good to see that Equifax is being so thorough.

Equifax is also offering free monitoring services for potential victims.  I like that.  Of course, it is only one year free.  After that it’s only $20 a month.  The nature of the information released means that people will be victims for many years to come.  If I didn’t think so highly of Equifax, I would say they knew this and were trying to make money off the people they allowed to become victims.  Good thing I don’t believe that.  One thing is weird, though.  If potential victims sign up for the free monitoring services, they must agree to give up any legal rights they may have against Equifax.  That doesn’t seem quite fair, but I’m sure a fine company like Equifax has their reasons.

I really don’t like Equifax.  I know they released a seemingly high number and a lot of information.  I’m going to say the number and damage listed is LOW.  I think we are going to see more information coming out which details much more harm than what Equifax initially mentioned.

The Equifax breach is the best Christmas Present fraudsters have had for many years.  Fraudsters involved in any type of credit crime, if they have access to the Equifax data, are going to make a LOT of money.

Here are only SOME of the crimes possible with the data and systems Equifax mentions as compromised:

Dispute Documents:  One of the more common crimes right now involves criminals opening new accounts, or ordering replacement cards under victims’ names.  To do this they often add an alternate address to the credit report.  One way this is done is by exploiting the dispute system of the credit bureaus.  Very easy, non-technical.  Criminal has a fullz (complete identity profile) which Equifax was kind enough to provide, then heads over to the Dispute section.  He uses the Dispute system to add an address or phone number he controls.  Once done, opens new accounts using the recently added address, or orders replacement cards to that address.  Very powerful, very profitable crime.  A mediocre criminal can net an easy $20k-$40k per profile.  If he does 5-10 profiles a month?  If this information is on a criminal forum with several thousand members?  You get the idea.

Credit Cards:  Certainly fraudsters will use the “reported” 209,000 credit card numbers to buy products.  But they can do so much more.  Instead of using the card immediately, the information is there to completely take over the card, do an ATO (account takeover).  A card that has been ATO’d can easily yield 80% of its available credit to the fraudster.  And again, new accounts, replacement cards, requests for increased credit limits on those replacement cards, etc.
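
Both crimes above leave the same trail on the defender's side: a contact detail changes, then a card or account follows it. As an added example (not part of the original post), here is one way an issuer or bureau could flag that sequence; the event names, fields, and 30-day window are assumptions, and the events are constructed sample data.

```python
from datetime import datetime, timedelta

# Assumed event vocabulary; real systems will name these differently.
CONTACT_CHANGES = {"address_added", "phone_changed", "email_changed"}
HIGH_RISK = {"replacement_card", "new_account", "credit_limit_increase"}
WINDOW = timedelta(days=30)  # assumed look-back window, tune per portfolio


def flag_takeover_patterns(events, window=WINDOW):
    """Return alerts for high-risk actions that follow a recent contact change.

    events: iterable of dicts with keys id, ts (ISO 8601), type, and an
    optional address (new address for a change, ship-to for an action).
    """
    alerts = []
    recent = {}  # identity id -> list of (timestamp, type, address)
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        changes = recent.setdefault(ev["id"], [])
        if ev["type"] in CONTACT_CHANGES:
            changes.append((ts, ev["type"], ev.get("address")))
        elif ev["type"] in HIGH_RISK:
            for c_ts, c_type, c_addr in changes:
                if ts - c_ts > window:
                    continue
                # Strongest signal: the action ships to the address just added.
                same = c_addr is not None and c_addr == ev.get("address")
                alerts.append({
                    "id": ev["id"], "action": ev["type"], "after": c_type,
                    "days": (ts - c_ts).days,
                    "severity": "high" if same else "medium",
                })
    return alerts


# Constructed sample events (not real data).
SAMPLE = [
    {"id": "A", "ts": "2017-09-10T09:00:00", "type": "address_added", "address": "12 Elm St"},
    {"id": "A", "ts": "2017-09-13T14:30:00", "type": "replacement_card", "address": "12 Elm St"},
    {"id": "B", "ts": "2017-06-01T08:00:00", "type": "phone_changed"},
    {"id": "B", "ts": "2017-09-12T10:00:00", "type": "credit_limit_increase"},
    {"id": "C", "ts": "2017-09-01T08:00:00", "type": "phone_changed"},
    {"id": "C", "ts": "2017-09-11T10:00:00", "type": "new_account", "address": "5 Oak Ave"},
]

if __name__ == "__main__":
    for alert in flag_takeover_patterns(SAMPLE):
        print(alert)
```

Identity B produces no alert because its phone change falls outside the window; the same check is what a consumer does by hand when reviewing statements for an address or phone number they did not set.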

PII (Personally Identifiable Information):  Oh. My. God.  The only thing not given out to fraudsters was Mother’s Maiden Name.  What does that mean?  It means for the next several years the information from this breach will be used to victimize people.

Some examples:
Commit crimes under those identities
Apply for new credit cards
Take over existing credit cards
Request replacement card
Apply for loans:  Home Mortgage, equity, Student, Business, Personal
Set up bank accounts
Use PII to apply for business credit
If Senior citizen, use info to take over social security benefits
Get lots of phones through providers
Use PII to get tax info, file taxes under victim name
Etc., Etc., Etc.

Literally, the sky is the limit.  The type of crime is only limited to the imagination of the criminal.  The criminals who have persistent access to this data are going to make a LOT of money.

And we didn’t even mention synthetic fraud.  Well, Equifax didn’t really mention it either, just kind of alluded to it.  The breach gives enough data to be able to manipulate information to an extent that is highly favorable for synthetic fraud.  So thanks Equifax, you just made one of the easiest, most profitable frauds even easier.  I would take my hat off to you, but I don’t wear hats.

Usually a conclusion comes here, but I started with the conclusion.  At the start, I listed what you needed to do immediately.  I urge you to take the steps listed.  This really is a serious matter.  I cannot overstate how big this is.  For it to come from a credit bureau?  Wow.  If I were still breaking the law I would be an extremely happy camper.

Former United States Most Wanted, Brett Johnson, referred to by the United States Secret Service as “The Original Internet Godfather,” has been a central figure in the cyber crime world for almost 20 years.  Mr. Johnson was instrumental in developing many areas of online fraud still seen in operation today. Johnson founded and was the leader of Counterfeitlibrary.com and Shadowcrew.com.  Brett designed the forum system, review process, and marketplace structure still in use by today’s online criminals.  Working alongside the top cyber criminals of our time, Brett “Gollumfun” Johnson helped design, implement, and refine modern Identity Theft, ATO fraud, Card Not Present fraud, IRS Tax Fraud, and countless other social engineering attacks, breaches, and hacking operations.

Mr. Johnson, considered one of the best Social Engineers in the world, was promptly hired by the United States Secret Service as a consultant and paid informant upon his capture in February 2005.  Brett trained USSS Agents and other law enforcement agencies on various aspects of cyber crime and identity theft and assisted in the tracking and identification of online cyber criminals.

While working for the Secret Service, Mr. Johnson continued to engage in cyber crimes, often from within the same United States Secret Service offices from which he worked.  After nearly a year of working with the Secret Service, Mr. Johnson went on a cross-country crime spree, was placed on the United States Most Wanted List, and was captured and sent to prison—where he promptly escaped.

Soon captured again, Brett served a sentence of 7 ½ years in federal prison.  During his time incarcerated he took responsibility for his actions and worked to help others.  Upon his release, Brett Johnson has striven to help others avoid the types of crime he used to commit.  Brett Johnson is one of the leading experts in the world on cyber crime, online fraud, and identity theft.  Brett is unique in that he offers a viewpoint and understanding of those crimes which is unavailable anywhere else on the planet.  Today he uses his vast wealth of knowledge assisting others in staying safe online.

Brett started AnglerPhish Security in 2014 with the goal of using his knowledge as a former cybercriminal to combat the very crimes he once committed.  Today, he works hard to raise internet security awareness by speaking to groups across the world.  Besides being a well-respected public speaker, Brett also consults with law enforcement, major financial organizations, tech and security firms, retailers, academic groups, news and media groups, and individuals worldwide.


