The personal information of roughly 533 million Facebook users, phone numbers included, has been scraped from Facebook and published online free of charge.¹ Back in January, a user of a low-level cybercriminal forum was discovered selling access to a database of phone numbers belonging to Facebook users, conveniently letting customers look up those numbers through an automated Telegram bot.² Alon Gal, chief technology officer of the cybercrime intelligence firm Hudson Rock, discovered the trove of leaked data, which has since been published for free, whereas the bot had previously charged for each lookup that tied an account to a phone number.
The leaked data initially functioned as a database that let anyone query a user's Facebook account and the matching telephone number. The information tied to a phone number is exactly what a fraudster needs to begin social-engineering contact center agents and taking over customer accounts.
From a security standpoint, this data lends itself both to smishing campaigns and to bypassing knowledge-based authentication (KBA) questions, and the ease of access to the bot means that even unsophisticated cybercriminals can obtain it. A fraudster can spoof the victim's phone number and have pages of personal data at the ready to withstand whatever scrutiny a call center agent applies to their claimed identity.
To counter the mass of data now available for social engineering, security professionals should push to establish identity with technology rather than with the mere possession of the correct answers. Simple ANI validation and matching can thwart low-level or inexperienced cybercriminals looking to cash in on the free data. Because ANI itself can be spoofed, as noted above, an ANI match should be backed by a possession check, such as a one-time code sent to the number on file, before it is treated as proof of identity.
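The following is an added illustration, not code from the original post or from any vendor's product, of what "establishing identity with technology rather than correct answers" looks like at the contact center: legacy KBA built on name, date of birth and city is shown passing for anyone holding a scraped record, while an ANI check (trusted outright only when the carrier attested the calling number) and an OTP to the number on file give the agent a factor the leaked record cannot supply. The record layout, the `attestation` value (modelled on STIR/SHAKEN levels), the function names and all sample data are assumptions constructed for the example.

```python
"""Risk-based caller verification for a contact center (added example).

KBA answers alone never authenticate a call here; they only admit the caller to
the phone-based checks. Names, record fields and sample data are assumptions.
"""
import hashlib
import hmac
import re
import secrets
from enum import Enum
from typing import Dict, Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # identity established, proceed with the request
    STEP_UP = "step_up"    # send a one-time code to the number on file first
    DENY = "deny"          # answers wrong, or step-up attempted and failed


# Constructed sample of one scraped record (fake values). The real dump carried
# phone number, Facebook ID, name, location, birthdate and similar fields.
LEAKED_RECORD = {
    "phone": "(555) 555-0123",
    "name": "Jane Example",
    "dob": "1985-07-04",
    "city": "Springfield",
}

# The same customer as the contact center's own system holds her.
ACCOUNT_ON_FILE = {
    "phone": "+15555550123",
    "name": "Jane Example",
    "dob": "1985-07-04",
    "city": "Springfield",
}


def normalize_phone(number: str) -> str:
    """Reduce US-style formatting to '+1' plus ten digits. Simplified for the
    example; a real system would use a proper phone-number library."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def kba_passes(account: dict, answers: dict) -> bool:
    """Legacy knowledge-based authentication. Every field it checks is in the
    scraped record, so anyone holding that record passes."""
    return all(account[k] == answers.get(k) for k in ("name", "dob", "city"))


def ani_decision(ani: str, attestation: Optional[str], account: dict) -> Decision:
    """ANI validation. The calling number must match the number on file, and
    because ANI can be spoofed, a match is trusted outright only when the
    carrier attested it (assumed: STIR/SHAKEN level 'A' passed through by the
    telephony platform). Anything weaker gets a step-up instead of a pass."""
    if normalize_phone(ani) != normalize_phone(account["phone"]):
        return Decision.STEP_UP
    return Decision.ALLOW if attestation == "A" else Decision.STEP_UP


# Possession factor: a single-use code delivered to the number on file.
# Stored as a salted hash so a leaked store does not yield usable codes.
_otp_store: Dict[str, Tuple[bytes, bytes]] = {}


def issue_otp(phone: str) -> str:
    """Generate and record a six-digit code. In production the code is sent by
    SMS or voice to the number on file and is never shown to the agent."""
    code = f"{secrets.randbelow(10**6):06d}"
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)
    _otp_store[normalize_phone(phone)] = (salt, digest)
    return code


def verify_otp(phone: str, code: str) -> bool:
    """Constant-time check; the stored entry is removed so a code works once."""
    entry = _otp_store.pop(normalize_phone(phone), None)
    if entry is None:
        return False
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


def authenticate_call(ani: str, attestation: Optional[str], account: dict,
                      kba_answers: dict, otp_code: Optional[str] = None) -> Decision:
    """Full flow: KBA gates entry, ANI plus attestation can allow, and every
    other path requires a valid one-time code sent to the number on file."""
    if not kba_passes(account, kba_answers):
        return Decision.DENY
    decision = ani_decision(ani, attestation, account)
    if decision is Decision.ALLOW:
        return decision
    if otp_code is None:
        return Decision.STEP_UP
    return Decision.ALLOW if verify_otp(account["phone"], otp_code) else Decision.DENY
```

Run through the scenarios from the post: a fraudster reading the leaked record passes `kba_passes`, but calling from a burner number or from a spoofed, unattested ANI only earns a `STEP_UP`, and the OTP lands on the real customer's handset. The legitimate customer calling from her own phone with a carrier-attested ANI is allowed without friction.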
¹ Aaron, Business Insider, April 3, 2021, https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4
² Joseph, Motherboard (Vice), January 25, 2021, https://www.vice.com/en/article/xgz7bd/facebook-phone-numbers-bot-telegram