-
A single cyber-criminal has posted an enormous amount of personal information online, purportedly taken from a global real estate directory service.
-
This data breach has affected millions of individuals in three major English-speaking countries and shows how widespread and globalized the current processes of data theft are becoming.
-
Posted sample records indicate that the hacker exfiltrated over 26 million personal data from the real estate directory, posing diverse threats to affected individuals and firms.
The apparent perpetrator, who goes by the name “Nano666,” offers over 26 million records for sale on darknet, sourced from the United States, the United Kingdom, and Australia.
The seller listed the data on a well-known dark web marketplace, a common platform for selling stolen information. To entice buyers, the seller shared sample contents to prove he actually possessed the data.
The Nature of the Compromised Dataset
According to the threat actor’s listing, the compromised database contains extensive personal details, including the following:
- First and last names
- Email addresses
- Phone numbers
- Specific geographic location data
- Phone type and connection status
- Email quality indicators
- Deal and status metadata
More concerning are the included metadata fields, such as “deal and status metadata,” “email quality indicators,” and “phone type and connection status,” which suggest the data originated from a customer relationship management (CRM) or marketing platform within the real estate industry.
The breakdown of the advertised records is vast:
- The United States: Approximately 10 Million Records
- The United Kingdom: Approximately 1.5 Million Records
- Australia: Approximately 1 Million Records
This geographical spread indicates the targeted service or company operated in multiple countries, a common feature of large-scale online directory and listing platforms.
How Cybercriminals Can Use This Data
This type of database is a ‘goldmine’ for cybercriminals. While a contact list alone may be useful, cybercriminals will also use the data to conduct highly-targeted and persuasive attacks on unsuspecting individuals.
According to recommendations from experts in the field of cyber security, the sales of such extensive and detailed personal information will result in an upswing in many types of criminal activity, including:
Advanced Phishing and Smishing Campaigns
Advanced phishing (email) and smishing (text) campaigns target specific individuals using detailed information, such as their name, location, and evidence of home purchases, sales, or rentals.
Cybercriminals typically send victims messages that appear to come from legitimate email addresses or phone numbers of real estate agents and companies. The trick is to make them click on an infected link or give out sensitive information such as credit card numbers or banking information to the criminal.
The detailed personal information in this dataset is precisely what fuels such large-scale, convincing campaigns, as seen in the recent massive phishing attack that targeted Canadian finance and led to the data of 750,000 being sold on the dark web.
Identity Theft and Financial Fraud
The bad actor can use the data in a person’s profile as part of the overall process of creating a new identity based on the other information collected through various means (identity theft). Cybercriminals could also use such personal information to apply for a credit card or loan, commit tax fraud, or hack into other accounts.
Targeted Vishing (Voice Phishing)
The criminals can conduct targeted “vishing” (voice phishing) attacks, using information from the previous bullet to call victims. They impersonate an agent from their bank, the government, or a lawyer associated with the sale of the victim’s home to obtain sensitive information (such as social security numbers, bank accounts, etc.) from victims over the phone.
The Growing Trend of Aggregated Data Breaches
This incident signals a notable trend in cybercrime: the data aggregators are the targets. Companies that compile large directories – be it for real estate, professional networking, social media or consumer services – are high-value targets. This pattern is evident in other major breaches, including a recent global security alert where Instagram phone numbers and user data were advertised on the dark web.
The structured, thorough, and unambiguous nature of this dataset is what makes it so much more valuable to the criminal underground than an unstructured or informal compilation of e-mail addresses.
At the time of this writing, the specific real estate directory organization that is the source of this data is unknown. Victim organizations may take several days or weeks to verify a breach, and law enforcement or cybersecurity researchers may alert them to the attack.
Protective Measures for Affected Persons
People who have used property websites may need to exercise extreme caution now that they are aware of this incident, which possibly could affect them.
- Be on the lookout for unexpected communications, notifying you to act immediately, to make payment, or to supply sensitive/private information about yourself or your finances.
- Ensure that each of your online accounts has a strong password, and has a unique password for each account. You should also enable MFA for as many of your accounts as possible.
- Continuously monitor/track your financial activity and your credit report in order to identify any unauthorized transactions.
- If appropriate, you may wish to consider using a reputable dark web monitoring provider that allows you to assess whether or not your personal email addresses appear within any publicly exposed data dumps.
The advertisement by “Nano666” is a window into the sprawling, industrialized trade in personal data. It demonstrates that in today’s digital ecosystem, our information is only as secure as the weakest link in the chain of companies that collect and store it.
