Flash: New Malicious Tool Advertises Comprehensive Personal Information

Key Findings on New Malicious Tool

  • On June 16, 2024, a positive-reputation actor known as “spam_assistant” announced a new tool called Data Fusion in the dark web forum Exploit. According to the advertisement, Data Fusion is capable of providing buyers with a significant amount of both personally identifiable information (PII) pertaining to individuals and organizational tax data.
  • Unlike similar deep and dark web (DDW) services offering the sale of PII, Data Fusion is allegedly capable of creating bespoke background reports that summarize the requested data.
  • PII such as that advertised by spam_assistant is an integral aspect of many forms of cyberattack. Personal details are used to inform and enhance sophisticated social engineering attacks, such as spear phishing and business email compromise, or to enable fraudulent activity like identity theft and tax-related scams.
  • Given the high and continuous demand for sensitive data such as PII, threat actors are almost certain to continue pursuing innovative, automated tools able to draw from an increasingly expansive repository of both publicly available information and illicit data leaks.

New Malicious Tool Advertises Comprehensive Personal Information

On June 16, 2024, a positive-reputation actor known as spam_assistant announced a new tool called Data Fusion in the dark web forum Exploit. According to the advertisement, Data Fusion is capable of providing buyers with a significant amount of both PII pertaining to individuals and organizational tax data. The service is currently available via spam_assistant’s Telegram channel.

  • PII is easily monetized in DDW marketplaces due to a consistent demand from threat actors with various motivations. It is usually sold either in the form of a complete data breach or via automated tools able to offer the buyer specific information.

Spam_assistant alleged that they are in possession of data entries numbering in the billions pertaining to “all people in the world.” Three hundred fifty million of these records are purported to be U.S.-based, and the actor claims to have various tax data for “more than half” of all U.S. organizations. Data Fusion can allegedly provide buyers with data such as:

  • Social Security numbers (SSNs)
  • Addresses, ZIP codes, and dates of birth (DOBs)
  • Driver’s license numbers
  • Taxpayer Identification Numbers (TINs) and Employer Identification Numbers (EINs)

Unlike similar DDW services offering the sale of PII, Data Fusion is allegedly capable of creating bespoke background reports that summarize the requested data. The price of these reports varies depending upon the type of information requested, and—though discounts are available for bulk sales—no subscription-based model is available. As a result, Data Fusion is almost certainly more expensive than other methods of purchasing PII, many of which offer partial results for free.

  • Data Fusion also allows resellers to access its Application Programming Interface, where they can advertise the platform’s information. This is almost certainly intended to increase the service’s market reach.

The extent of information offered by Data Fusion is almost certainly exaggerated. Spam_assistant very likely leverages a large and diverse number of data sources, including those that are publicly available (such as various government resources and historic data breaches, many of which very likely contain incorrect or extant information) and contemporary data breaches (many of which carry a price tag). It is unlikely that comprehensive and accurate information can be provided at the advertised breadth.

  • While spam_assistant claims that Data Fusion is an automated service, this is likely only partially true. The tool almost certainly requires a human element able to search for, compile, and supply the requested data.

PII such as that advertised by spam_assistant is an integral aspect of many forms of cyberattack. Personal details are used to inform and enhance sophisticated social engineering attacks, such as spear phishing and business email compromise, or to enable fraudulent activity like identity theft and tax-related scams. PII is also regularly resold in other DDW forums, though—given the comparatively high price of Data Fusion—this is less likely.

Given the high and continuous demand for sensitive data such as PII, threat actors are almost certain to continue pursuing innovative, automated tools able to draw from an increasingly expansive repository of both publicly available information and illicit data leaks.

ZeroFox Recommendations

  • Adopt a Zero-Trust cybersecurity architecture based upon a principle of least privilege.
  • Implement network segmentation to separate resources by sensitivity and/or function.
  • Implement secure password policies with phishing-resistant multi-factor authentication (MFA), complex passwords, and unique credentials.
  • Leverage cyber threat intelligence to inform the detection of relevant cyber threats and associated tactics, techniques, and procedures (TTPs).
  • Ensure critical, proprietary, or sensitive data is always backed up to secure, off-site, or cloud servers at least once per year—and ideally more frequently.
  • Develop a comprehensive incident response strategy.
  • Configure email servers to block emails with malicious indicators and deploy authentication protocols to prevent spoofed emails.
  • Deploy a holistic patch management process and ensure all IT assets are updated with the latest software updates as quickly as possible.
  • Proactively monitor for compromised accounts being brokered in DDW forums.
  • Configure ongoing monitoring for Compromised Account Credentials.

Tags: Cybersecurity, Dark Ops, Deep & Dark Web, Threat Intelligence
