Temporary Social Security Number? No Such Thing

Stu Sjouwerman | Jan 22, 2020

Researchers at Kaspersky have come across an interesting phishing site that’s posing as a data leak protection service set up by the US government. The site purports to be compensating victims of data breaches, offering cash “to residents of all countries around the world.” The website is well-designed and looks like an official government site, despite some grammatical irregularities and the mention of a non-existent “US Trading Commission.”

Users are invited to enter their names and phone numbers to see if they’re entitled to receive compensation. The site warns that entering false information is illegal, but the researchers found that the output will be the same regardless of what is entered.

“It turns out that the website accepts any information, even complete gobbledegook,” the researchers write. “For example, we inquired about the personal data of a citizen named fghfgh fghfgh. The site pondered for a while, seemingly connecting to a database of information about leaks…and lo and behold, found that our fictional character with an unpronounceable name had indeed had their data leaked. Moreover, it turned out that someone had already used their photos, videos, and contact information, and so fghfgh was entitled to compensation in excess of $2,500!”

After this, the victim is asked to provide their payment card information and their Social Security number (SSN) in order to receive their money. Non-US citizens can check a box that says “I’am don’t have SSN” and they’ll be taken to a page where they can purchase a temporary SSN for just nine dollars. The scam ends after the victim has either provided their SSN and payment information, or after they’ve forked over the nine dollars.

It’s worth noting that there are some legitimate sites that allow people to test if their data has been breached, notably Troy Hunt’s Have I Been Pwned. However, this incident demonstrates the importance of scrutinizing and researching a site before entering sensitive information. In this case, if such a site were actually set up by the US government, it could easily be verified by a quick Google search. New-school security awareness training can give your employees a sense of skepticism so they can avoid falling for these schemes.

Kaspersky has the story: https://www.kaspersky.com/blog/data-leak-compensation-scam/32057/
