Trustwave: Data Comes From Public Sources, Leaks
The reputation report for GreenMoon2019’s account on RaidForums.com (Source: Trustwave)
Voter information on as many as 186 million Americans was being offered for sale in an online forum, according to a Trustwave report. The information apparently came from public sources as well as data leaks, Trustwave’s SpiderLabs unit says.
“We have downloaded a sample set of 1 million records and performed confirmation checks on the data and from what we can tell it is accurate,” says Karl Sigler, senior security research manager at SpiderLabs at Trustwave. “There is no way to verify all purported 186 million records the cybercriminal is offering, but this particular cybercriminal has a high reputation score and is backed by other cybercriminals vouching for the quality of what he sells.”
The list that had been offered for sale on a forum called RaidForums.com is maintained by a threat actor with the moniker GreenMoon2019. It contains names, addresses, ages, genders, political affiliations and in some cases phone numbers. This same actor is also maintaining a list of U.S. consumer data that supposedly has 245 million records, Trustwave says.
Trustwave describes RaidForums.com as a purveyor of leaked and hacked data. Databases are typically offered for free or sold for less than $1,000, payable in bitcoins. But no price was listed for the voter list. Instead, interested parties were requested to send a private message to the account owner.
Trustwave says the thread about this voter database was recently removed from the forum. “Most likely, the forum administrator did that to avoid unnecessary attention from researchers and law enforcement agencies,” the researchers say. “However, we established contact with the seller who said the voter database is still available to purchase.”
GreenMoon2019 is an English speaker who has been a member of RaidForums.com since 2019, Trustwave reports.
The threat actor has been updating this voter database for at least a year, apparently using data leaks as well as publicly available information, the researchers say.
Sigler says someone with basic database management skills could easily correlate data across multiple databases using open-source tools.
Trustwave says it has tracked GreenMoon2019 completing sales of databases.
“We obtained his Bitcoin wallet history, which shows several transactions that match the prices he is soliciting for the databases, so at the very least, other cybercriminals have these databases and are most likely using them,” Sigler says.
James McQuiggan, security awareness advocate at KnowBe4, believes the massive list of voter information would be attractive to fraudsters interested in waging phishing campaigns.
“With this information available to cybercriminals, there could be an immense number of phishing or socially engineered emails sent to the American public,” he says.
Federal agencies have issued a steady stream of alerts warning voters of attempts to spread disinformation and discredit the election results. On Thursday, the FBI said Iran has obtained Americans’ voter registration data and is using it in an attempt to push misinformation before the Nov. 3 presidential election (see: US Alleges Iran Sent Threatening Emails to Democrats).
In late September, warnings about potential disinformation campaigns designed to manipulate public opinion, discredit the electoral process and undermine confidence in U.S. democratic institutions were issued by the FBI and Department of Homeland Security (see: FBI, CISA Again Warn of Election Disinformation Campaigns this month).