A KrebsOnSecurity series on how easy big-three credit bureau Equifax makes it to get detailed salary history data on tens of millions of Americans apparently inspired a deeper dive on the subject by Fast Company, which examined how this Equifax division has been one of the company’s best investments. In this post, I’ll show you how to opt out of yet another Equifax service that makes money at the expense of your privacy.

My original report showed how the salary history for tens of millions of employees at some of the world’s largest corporations was available to anyone armed with an employee’s Social Security number and date of birth — information that was stolen on 145.5 million Americans in the recent breach at Equifax.

Equifax took down their salary portal — a service from the company’s Workforce Solutions division known as The Work Number (formerly “TALX“) — just a few hours after my story went live on Oct. 8. The company explained that the site was being disabled for routine maintenance, but Equifax didn’t fully reopen the portal until Nov. 2, following the addition of unspecified “security improvements.”

Fast Company writer Joel Winston’s story examines how some 70,000 companies — including Amazon, AT&T, Facebook, Microsoft, Oracle, Twitter and Wal-Mart — actually pay Equifax to collect, organize, and re-sell their employees’ personal income information and work history.

“A typical employee at Facebook (which also owns Instagram and WhatsApp) may require verification of his employment through TALX when he leases an apartment, updates his immigration status, applies for a loan or public aid, or applies for a new job,” Winston writes. “If his new prospective employer is among the 70,000 approved entities in Equifax’s verifier network with a “permissible purpose,” that company can purchase his employment and income information for about $20.”

While this may sound like a nice and legitimate use of salary data, the point of my original report was that this salary data is also available to anyone who has the Social Security number and date of birth on virtually any person who once worked at a company that uses this Equifax service.

In May 2017, KrebsOnSecurity broke the story of how this same Equifax Workforce portal was abused for an entire year by identity thieves involved in tax refund fraud with the Internal Revenue Service. Fraudsters used SSN and DOB data to reset the 4-digit PINs given to customer employees as a password, and then steal W-2 tax data after successfully answering personal questions about those employees.

Curiously, Equifax claims they have no evidence that anyone was harmed as a result of the year-long pattern of tax fraud related to how easy it was to coax salary and payroll data out of its systems.

“We do not know of any specific fraud incidents linked with the Work Number,” Equifax spokeswoman Marisa Salcines told Fast Company.

This statement sounds suspiciously like what big-three credit bureau Experian told lawmakers in 2014 after they were hauled up to Capitol Hill to explain another breach that was scooped by KrebsOnSecurity: That a Vietnamese man who ran an identity theft service which catered to tax refund fraudsters had access for nine months to more than 200 million consumer records maintained by Experian.

Experian’s suits told lawmakers that no consumers were harmed even as the U.S. Secret Service was busy arresting customers of this identity theft service — nearly all of whom were involved in tax refund fraud and other forms of consumer ID theft.

Loyal readers here will know I have long urged consumers to opt out of letting the big credit bureaus resell your credit file to potential lenders (and, by proxy, to ID thieves), by placing a freeze on their credit files with the Equifax, Experian, Trans Union and Innovis.

In the wake of the Equifax breach, one thing I’ve heard from so many readers that was a big factor in their decision to finally freeze their credit was that the bureaus would no longer be able to profit by selling their credit files.

As it happens, it is possible to opt out of having your salary data sold through Equifax. According to Equifax, this involves placing a free “freeze” on your file with the Work Number. These instructions on how to do that come verbatim from Equifax:

To place a security freeze on your The Work Number employment report, send
your request via mail to:

TALX Corporation
ATTN: Employment Data Report Dept 19-10
11432 Lackland Road
St. Louis, Missouri 63146

Or, you may contact us on the web at http://www.theworknumber.com or call 800-996-7566.

It’s not clear what may be the potential consequences of freezing your file with The Work Number. Fast Company explains the service and its giant database “helps streamline various processes for employers and other agencies, and it helps employees too, Equifax wrote in an emailed statement. The Work Number provides prospective landlords a way to verify an applicant’s income, for instance, or makes it cheaper for human resources departments to examine an applicant’s background.”

Here’s Equifax explaining why consumers might want to leave their files alone:

“Without the Work Number, a lender, property manager or pre-employment screener will call an employer and explain why they need to check on an employee or former employee’s employment or income. That individual has no control over who picks up the phone, whether the right information is actually given out, or if his or her privacy will be respected.”

Neither does the consumer have any control over to whom Equifax gives this data. I for one am taking my chances and freezing my salary data at Equifax. I’ll let you know how it goes.

Before you opt out, you may wish to see which lenders, credit agencies and other entities may have received or attempted to pull your Work Number salary history.

To request a free Employment Data Report, you’ll need to fill out a form at the Work Number website, or make a request by mail, or through a toll-free phone number (1-866-222-5880).

A New Mexico man is facing federal hacking charges for allegedly using the now defunct attack-for-hire service vDOS to launch damaging digital assaults aimed at knocking his former employer’s Web site offline. Prosecutors were able to bring the case in part because vDOS got massively hacked last year, and its customer database of payments and targets leaked to this author and to the FBI.

Prosecutors in Minnesota have charged John Kelsey Gammell, 46, with using vDOS and other online attack services to hurl a year’s worth of attack traffic at the Web sites associated with Washburn Computer Group, a Minnesota-based company where Gammell used to work.

vDOS existed for nearly four years, and was known as one of the most powerful and effective pay-to-play tools for launching distributed denial-of-service (DDoS) attacks. The vDOS owners used a variety of methods to power their service, including at least one massive botnet consisting of tens of thousands of hacking Internet of Things (IoT) devices, such compromised Internet routers and security cameras. vDOS also was used in numerous DDoS attacks against this site.

Investigators allege that although Gammell used various methods to hide his identity, email addresses traced back to him were found in the hacked user and target databases from vDOS.

More importantly, prosecutors say, someone began taunting Washburn via Yahoo and Gmail messages while the attacks were underway, asking how everything was going at the company and whether the IT department needed any help.

“Also attached to this second email was an image of a mouse laughing,” the Justice Department indictment (PDF) alleges. “Grand jury subpoenas for subscriber information were subsequently served on Google…and Yahoo. Analysis of the results showed information connecting both accounts to an individual named John Gammell. Both email addresses were created using the cell phone number 612-205-8609.”

The complaint notes that the government subpoenaed AT&T for subscriber information and traced that back to Gammell as well, but phone number also is currently listed as the recovery number for a Facebook account tied to John K. Gammell.

That Facebook account features numerous references to the hacker collective known as Anonymous. This is notable because according to the government Gammell used two different accounts at vDOS: One named “AnonCunnilingus” and another called “anonrooster.” The email addresses this user supplied when signing up at vDOS (jkgammell@gmail.com and jkgammell@icloud.com) include other addresses quite clearly tied to multiple accounts for John K. Gammell.

Below is a snippet from a customer service ticket that the AnonCunnilingus account filed in Aug. 2015

“Dear Colleagues, this is Mr. Cunnilingus. You underestimate your capabilities. Contrary to your statement of “Notice!” It appears from our review that you are trying to stress test a DDoS protected host, vDOS stresser is not capable of taking DDoS protected hosts down which means you will not be able to drop this hosting using vDOS stresser…As they do not have my consent to use my internet, after their site being down for two days, they changed their IP and used rackspace DDoS mitigation and must now be removed from cyberspace. Verified by downbyeveryone. We will do much business. Thank you for your outstanding product We Are Anonymous USA.”

Gammell has pleaded not guilty to the charges. He has not responded to requests for comment. The indictment states that Gammell allegedly attacked at least a half-dozen other companies over a year-long period between mid-2015 and July 2016, including several banks and two other companies at which he either previously worked or with whom he’d interviewed for a job.

In late July 2016, an anonymous security researcher reached out to KrebsOnSecurity to share a copy of the vDOS databases. The databases showed that vDOS made more than $600,000 in just two of the four years it was in operation, helping to launch more than 150,000 DDoS attacks.

Since then, two alleged co-owners of vDOS — two 19-year-old Israeli men —  have been arrested and charged with operating an attack-for-hire service. Aside from Gammell’s case, I am not aware of any other public cases involving the prosecution of people who allegedly used vDOS to conduct attacks.

But that will hopefully change soon, as there are countless clues about the identities of other high-volume vDOS users and their targets. Identifying the perpetrators in those cases should not be difficult because at some point vDOS stopped allowing users to log in to the service using a VPN, meaning many users likely logged into vDOS using an Internet address that can be traced back to them either via a home Internet or wireless account.

According to a review of the vDOS database, both accounts allegedly tied to Gammell were banned by vDOS administrators — either because he shared his vDOS username and password with another person, or because he logged on to the accounts with a VPN. Here’s a copy of a notice vDOS sent to AnonCunnilingus on July 28, 2015:

“Dear AnonCunnilingus , We have recently reviewed your account activity, and determined that you are in violation of vDos’s Terms of Service, It appears from our review that you have shared your account (or accessed vDos stresser from several locations and platforms) which is against our Terms of Services. Please refer to the following logs and terms:\n- AnonCunnilingus logged in using the following IPs: 64.145.76.110 (US), 85.10.210.199 (XX) date: 06-08-2015 18:05\n\n- 8) You are not allowed to access vDos stresser using a VPN/VPS/Proxy/RDP/Server Tunnelling and such.\n- 3) You may not share your account, if you will, your account will be closed without a warning or a refund!”

What’s most likely limiting prosecutors from pursuing more vDOS users is a lack of DDoS victims coming forward. In an advisory issued last month, the FBI urged DDoS victims to report the attacks.

The FBI requests DDoS victims contact their local FBI field office and/or file a complaint with the Internet Crime Complaint Center (IC3), regardless of dollar loss or timing of incident. Field office contacts can be identified at www.fbi.gov/contact-us/field. IC3 complaints should be filed at www.ic3.govwith the following details (if applicable):

• Traffic protocol used by the DDoS (DNS, NTP, SYN flood, etc)
  • Attempt to preserve netflow and/or packet capture of the attack
• Any extortion/threats pertaining to the DDoS attack
  • Save any such correspondence in its original, unforwarded format
• Victim information
• Overall losses associated with the DDoS attack
• If a ransom associated with the attack was paid, provide transaction details, the subject’s email address, and/or crypto currency wallet address
• Victim impact statement (e.g., impacted services/operations)
• IP addresses used in the DDoS attack

Related reading:

How Not to DDoS Your Former Employer

In May 2013 KrebsOnSecurity wrote about Ragebooter, a service that paying customers can use to launch powerful distributed denial-of-service (DDoS) attacks capable of knocking individuals and Web sites offline. The owner of Ragebooter subsequently was convicted in 2016 of possessing child pornography, but his business somehow lived on while he was in prison. Now just weeks after Poland made probation, a mobile version of the attack-for-hire service has gone up for sale on the Google Play store.

In the story Ragebooter: ‘Legit’ DDoS Service, or Fed Backdoor, I profiled then 19-year-old Justin D. Poland from Memphis — who admitted to installing code on his Ragebooter service that allowed FBI investigators to snoop on his customers.

Last February, Poland was convicted of one felony count of possession of child pornography, after investigators reportedly found 2,600 child pornography images on one of his computers. Before his trial was over, Poland skipped town but his bondsman later located him at his mother’s house. He was sentenced to two years in jail.

Poland did not respond to multiple requests for comment, but on his Facebook account Poland said the images belonged to his former roommate — David Starliper — who’d allegedly used Poland’s computer. Starliper also was convicted of possessing child pornography and sentenced to two years in prison.

In September 2017, Poland began posting on his Facebook account that he had made parole and was getting ready to be released from prison. On Oct. 6, the first version of the Android edition of Ragebooter was put on sale at Google’s Play Store.

Poland’s Facebook page says he is the owner of ragebooter[dot]com, ragebooter[dot]net, and another site called vmdeploy[net]. The advertisement for Ragebooter’s new mobile app on Google Play says the developer’s email address is contact@rageservices[dot]net. The registration details for rageservices[dot]net are hidden, but the Web site lists some useful contact details.

One of them is a phone number registered in Memphis — 901-219-3644 — that is tied to a Facebook account for an Alex Slovak in Memphis. The other domain Poland mentions on his Facebook page — vmdeploy[dot]net — was registered to an Alex Czech from Memphis. It seems likely that Alex has been running Ragebooter while Poland was in prison. Mr. Slovak/Czech did not respond to requests for comment, but it is clear from his Facebook page that he is friends with Poland’s family.

Rageservices[dot]net advertises itself as a store for custom programming and Web site development. Its content is identical to a site called QuantumServices. A small purchase through the rageservices[dot]net site for a simple program generated a response from Quantum Services and an email from quantumservicesweb@gmail.com. The person responding at that email address declined to give his or her name, but said they were not Justin Poland.

Figures posted to the home page of ragebooter[dot]net claim the service has been used to conduct more than 310,000 DDoS attacks. Memberships are sold in packages ranging from $3 per day to $300 a year for an “enterprise” plan. Ragebooter[dot]net includes a notice at the top of the site indicating that rageservices[dot]net is indeed affiliated with Ragebooter.

If Poland still is running Ragebooter, he may well be violating the terms of his parole. According to the FBI, the use of DDoS-for-hire services like Ragebooter is illegal.

In October the FBI released an advisory warning that the use of booter services — also called “stressers” — is punishable under the Computer Fraud and Abuse Act, and may result in arrest and criminal prosecution.

“Booter and stresser services are a form of DDoS-for-hire— advertised in forum communications and available on Dark Web marketplaces— offering malicious actors the ability to anonymously attack any Internet-connected target. These services are obtained through a monetary transaction, usually in the form of online payment services and virtual currency. Criminal actors running booter and stresser services sell access to DDoS botnets, a network of malware-infected computers exploited to make a victim server or network resource unavailable by overloading the device with massive amounts of fake or illegitimate traffic.”

There was a time when I was content to let my bank authenticate me over the phone by asking for some personal identifiers (SSN/DOB) that are broadly for sale in the cybercrime underground. At some point, however, I decided this wasn’t acceptable for institutions that held significant chunks of our money, and I began taking our business away from those that wouldn’t let me add a simple verbal passphrase that needed to be uttered before any account details could be discussed over the phone.

Most financial institutions will let customers add verbal passwords or personal identification numbers (PINs) that are separate from any other PIN or online banking password you might use, although few will advertise this.

Even so, many institutions don’t properly train their customer support staff (or have high turnover in that department). This can allow clever and insistent crooks to coax customer service reps into validating the call with just the SSN and/or date of birth, or requiring the correct answers to so-called knowledge-based authentication (KBA) questions.

As noted in several stories here previously, identity thieves can reliably work around KBA because it involves answering  questions about things like previous loans, addresses and co-residents — information that can often be gleaned from online services or social media.

A few years ago, I began testing financial institutions that held our personal assets. I was pleasantly surprised to discover that most of them were happy to add a PIN or pass phrase to the account. But many of the customer service personnel at those institutions failed in their responses when I called in and said I didn’t remember the phrase and was there any other way they could verify that I was me?

Ultimately, I ended up moving our investments to an institution that consistently adhered to my requirements. Namely, that failing to provide the pass phrase required an in-person visit to a bank branch to continue the transaction, at which time ID would be requested. Their customer service folks consistently asked the right questions, and weren’t interested in being much helpful otherwise (I’m not going to name the institution for obvious reasons).

Not sure whether your financial institution supports verbal passwords? Ask them. If they agree to set one up for you, take a moment or two over the next few days to call in and see if you can get the customer service folks at that institution to talk about your account without hearing that password.

While a great many people are willing to trade security for more convenience, it’s nice when those of us who are paranoid can opt-in for more security. A great, recent example of this is Google‘s optional “advanced protection” feature, which makes it much harder for password thieves to hack into your Gmail, Drive or other Google properties — even if the attackers already know your password.

“The opt-in, ultra-secure mode is intended for truly high-risk users, including those who face the threat of state-sponsored, highly resourced cyberespionage,” writes Andy Greenberg for Wired. “Think politicians and officials, high net-worth individuals, activists, dissidents, and journalists.”

Greenberg continues:

“As such, it’s a strict and unforgiving system, designed to reinforce every possible weak link that hackers could use to hijack your account. Logging in from a desktop will require a special USB key, while accessing your data from a mobile device will similarly require a Bluetooth dongle. All non-Google services and apps will be exiled from reaching into your Gmail or Google Drive. Google’s malware scanners will use a more intensive process to quarantine and analyze incoming documents. And if you forget your password, or lose your hardware login keys, you’ll have to jump through more hoops than ever to regain access, the better to foil any intruders who would abuse that process to circumvent all of Google’s other safeguards.”

Gartner fraud analyst Avivah Litan says she has long relied on verbal passwords for her most important accounts.

“I think a verbal password is a good step and definitely adds more security than does KBA built on top of heavily compromised credit bureau and life history data,” Litan said. Plus it’s free and convenient.  It’s of course not perfect and consumers should try to use verbal passwords that are unique for them and which they don’t use for online passwords —  in case the latter have been compromised by hackers.”

Verbal passwords should not be confused with voice biometrics, a technology some financial institutions are now adopting that can help authenticate customers while profiling and blocking fraudsters who repeatedly call in to customer service representatives. Even if your institution offers voice biometrics, adding a verbal password/passphrase is still a good idea.

Julie Conroy, research director at market research firm Aite Group, said financial institutions are still very concerned about putting up too many hurdles for good customers, so many are treading lightly on verbal passwords.

“Many FIs are moving in the direction of not just asking for the password, but also behind the scenes they are performing analysis of the call characteristics as well as the consumer’s voice print,” Conroy said.

Have you asked your financial institution(s) to add a unique verbal password/passphrase for your most important accounts? If so, sound off about your experience in the comments below.

For the second time in as many years, hackers have compromised Verticalscope.com, a Canadian company that manages hundreds of popular Web discussion forums totaling more than 45 million user accounts. Evidence of the breach was discovered just before someone began using that illicit access as a commercial for a new paid search service that indexes consumer information exposed in corporate data breaches.

Toronto-based Verticalscope runs a network of sites that cater to automotive, pets, sports and technology markets. Verticalscope acknowledged in June 2016 that a hacking incident led to the siphoning of 45 million user accounts. Now, it appears the company may have been hit again, this time in a breach involving at least 2.7 million user accounts.

On Thursday, KrebsOnSecurity was contacted by Alex Holden, a security researcher and founder of Hold Security. Holden saw evidence of hackers selling access to Verticalscope.com and to a host of other sites operated by the company.

Holden said at first he suspected someone was merely trying to resell data stolen in the 2016 breach. But that was before he contacted one of the hackers selling the data and was given screen shots indicating that Verticalscope.com and several other properties were in fact compromised with a backdoor known as a “Web shell.”

With a Web shell installed on a site, anyone can remotely administer the site, upload and delete content at will, or dump entire databases of information — such as usernames, passwords, email addresses and Internet addresses associated with each account.

Holden said the intruders obfuscated certain details in the screenshots that gave away exactly where the Web shells were hidden on Verticalscope.com, but that they forgot to blur out a few critical details — allowing him to locate at least two backdoors on Veriticalscope’s Web site. He also was able to do the same with a second screen shot the hackers shared which showed a similar backdoor shell on Toyotanation.com, one of Verticalscope’s most-visited forums.

Reached for comment about the claims, Verticalscope said the company had detected an intrusion on six of its Web sites, including Toyotanation.com.

“The intrusion granted access to each individual website files,” reads a statement shared Verticalscope. “Out of an abundance of caution, we have removed the file manager, expired all passwords on the 6 websites in question, added the malicious file pattern and attack vector to our detection tools, and taken additional steps to lock down access.”

Verticalscope said the other forums impacted included Jeepforum.com — the company’s second most-popular site; and watchuseek.com, a forum for wristwatch enthusiasts.

Verticalscope admitted a breach in 2016 after their forum users’ data was outed in a blog post on Leakedsource.com, a now-defunct service that sold access to username and password details stolen in some of history’s largest data breaches.

An Internet search on one of the compromised Verticalscope domains leads to a series of now-deleted Pastebin posts suggesting that the individual(s) responsible for this hack may be trying to use it to advertise a legally dicey new online service called LuiDB.

Similar to Leakedsource, LuiDB allows registered users to search for account details associated with any data element compromised in a breach — such as login, password, email, first/last name and Internet address. The first search is free, but viewing results requires purchasing a subscription for between $5 and $400 in Bitcoin.

People who re-use passwords across multiple Web sites tend to be those hardest-hit by these breaches, and by these dodgy password lookup services. It may not seem like a big deal if someone chooses to re-use the same password across a range of sites that don’t ask for or store your personal data, such as discussion forums. The problem is that this encourages poor password habits, and for many folks this eventually results in using that forum password at more important sites that do store sensitive data.

In practice, there’s no reason people should ever re-use the same password. Password managers can help users pick and remember unique, strong passwords for all sites that require a login; all the user needs to do is remember a single “master password” to unlock all the others. Old schoolers like Yours Truly tend to stick to local password managers like Keepass (or even PwdSafe), although many folks I admire in the security industry rely heavily on cloud-based password managers like LastPass and Dashlane.

While few online discussion forums offer two-factor or multi-factor authentication (requiring you to log in using a password and a one-time code, e.g.), a great many services do offer this very effective security measure. Check out twofactorauth.org to see if there are online services you use that could be furthered hardened by turning on two-factor authentication.