SpiderLabs Blog

Massive US Voters and Consumers Databases Circulate Among Hackers

Voting in the U.S. elections started recently and there is a real concern over interference and disinformation campaigns that might impact their outcome. During investigations around the elections, the Trustwave SpiderLabs team discovered massive databases with detailed information about U.S. voters and consumers offered for sale on several hacker forums. Those databases include a shocking level of detail about citizens including their political affiliation. The sellers of the U.S. voter database claim that it includes 186 million records, and if that is correct, that means it includes information about nearly all voters in the U.S. The information found in the voter database can be used to conduct effective social engineering scams and spread disinformation to potentially impact the elections, particularly in swing states.

The U.S. consumer database is claimed to include 245 million records, which is nearly the entire population of the U.S. Over 400 potential data points are provided about each person. Databases with information about citizens in other countries are also offered, such as ones for Canada, U.K., Ireland, and South Africa. Based on Bitcoin transaction information also obtained by Trustwave SpiderLabs during the investigation, the cybercriminal group made a fortune worth $100 million USD in the last five months alone. Interestingly, at least some of the data stems from publicly available government resources and hackers happily mention that in forum discussions. Other parts of the data were likely obtained from various data leaks.

US Voter Database for Sale

Cybercriminals have figured out ways to monetize the upcoming elections using information from data leaks and publicly available sources and are actively selling it for profit. We found the following post from the end of September 2020. The author was selling a database that includes the names, addresses, age, gender, and political affiliation of 186 million voters in the US:

Figure 1: Data about 186 million US voters on sale

The post claims that a third of the records also include phone numbers. Twenty sample records were included in the post. Note the last column with the political affiliation of those voters. Recently, the thread about this database was entirely removed from the forum. Most likely the forum administrator did that to avoid unnecessary attention from researchers and law enforcement agencies. However, we established contact with the seller who said the voter database is still available to purchase.

Figure 2: The thread about the US voter database was deleted

RaidForums.com, the website where the voter and consumer databases were found, is widely known in certain circles as a place where members can obtain leaked and hacked data. As expected, this forum vets new members before they can see complete information and communicate with other members. Databases found here may be given away for free or sold. Databases are typically sold for a few hundred dollars, up to a thousand dollars, payable in bitcoin. This specific post did not mention the price but asks interested members to PM the seller (send him a private message) to find out.

GreenMoon2019 (see Figure 1) is not the only cybercriminal who offers U.S. voter information; however, he is the only one we have seen offering it for nearly the entire U.S. population. Other cybercriminals offer detailed information about U.S. voters in certain states. Sometimes that data is harvested directly from government web sites. In the following example, cybercriminals mention data that is available on the ncsbe.gov site, which is run by the North Carolina State Board of Elections. The fields listed in the following post are taken directly from files that are available on that government site:

Figure 3: Data from NCSBE being mentioned on the darkweb

Other posts on RaidForums.com also mentioned the data that is publicly available on the North Carolina State Board of Elections domain.

Figure 4: NCSBE site offering data

Anyone can download detailed Voter History Data and Voter Registration Data from the NCSBE.gov site or connect to its FTP site:

Figure 5: Sample files on NCSBE FTP site

This data can be useful for all sorts of scams and, in particular, can be used to target voters based on their voting history. Given that North Carolina is a swing state in the current election, that threat is even more significant. With all this information, those adept at disinformation campaigns can influence voters by crafting social engineering attacks that leverage that data. Unsurprisingly, hackers feel lucky that this data was made publicly available, as can be seen in the following post:

Figure 7: Forum members discussing publicly available data

We reported our concerns to the NCSBE about cybercriminals discussing this data and got the response that the FTP site contains only public records. The fact that public records were used to help create the voter database does not make it any less dangerous than illegally obtained records from data breaches. In fact, to a cybercriminal (who generally likes to take the path of least resistance) it is probably more enticing, since the records will be more accurate and up to date.

In the wrong hands, this voter and consumer information can easily be used for geo-targeted disinformation campaigns over social media, email phishing, and text and phone scams. The world is concerned about the spread of disinformation to sway public opinion, yet sensitive information on citizens is widely available. If corporations are the only ones held to strict regulations when it comes to data privacy, disinformation campaigns and social engineering will be difficult if not impossible to address.

Information about voters in various US states is also offered on some darkweb forums, as can be seen here:

Figure 8: State-level voter DBs offered on the underground

Unsurprisingly, certain forum members are concerned about increased surveillance and attention from reporters, law enforcement agencies, and other white hats. To minimize risks on their end, some recently suggested suspending registration to their forums until the US elections are over:

Figure 9: Underground forum actor suggests closing registration temporarily

More about GreenMoon2019 the Main Actor Selling These Databases

GreenMoon2019 is the actor who offered the database about U.S. voters; however, there are several other huge databases that this cybercriminal maintains and sells. He is an English-speaking forum member and has been registered there since the beginning of 2019. His reputation score on that forum, 799, is high, and the comments he received from other forum members are almost always positive (29 out of 30 comments), as seen below in Figure 10.

Figure 10: The reputation report for GreenMoon2019

GreenMoon2019 has the GOD award, which can be bought for 50 Euros. It provides many benefits, such as the ability to exchange up to 10,000 private messages (PM), send attachments of up to 600MB, and receive 120 credits (useful on that forum).

Figure 11: Forum's award list

Other reputable forum members praise GreenMoon2019 and promise other members that “they would get what they pay for”:

Figure 12: Positive comments about GreenMoon by other forum members


The Gigantic US Consumers Database

GreenMoon2019 started advertising the database about US Consumers last year:

Figure 13: An earlier offering of the US Consumer file

This summer he shared detailed information about that US Consumer database. According to the following post, it includes 245 million records (!), which is nearly the entire population of the US. The size of the database once unzipped is 437 GB:

Figure 14: A more recent US Consumer database offering

This file includes over 400 data points about each person, and recently GreenMoon2019 added 6 more data points, probably after obtaining and merging in some other leaked data. Here are the first columns in this database:

Figure 15: Example of data contained in the US consumer database

We managed to obtain a sample file of one million records from this actor. We checked the data against various legitimate public sites and social media networks, and the data was consistently accurate. It includes information about citizens such as:

  • Full name
  • Physical address
  • Phone number
  • Email address
  • Number of children and their ages
  • Gender
  • Age
  • Marital status
  • Ethnic group
  • Their home value and purchase date
  • Their mortgage amount and lender name
  • A very long list of potential interest areas

Not all fields are populated. Some are almost fully filled out while others are only sparsely populated. It is so detailed that this file looks like a professional profiling database prepared by a government organization or enterprise.

Other Databases Offered By GreenMoon2019

GreenMoon2019 offers a variety of databases full of personal information:

Figure 16: List of available databases, field counts, prices, and sample locations

Several of these databases cover US citizens, but others cover people living in other countries such as the UK, Ireland, Canada, and South Africa.

Revenues of Main Actors

We managed to obtain details of one of the bitcoin wallets that can be used to pay GreenMoon2019 for those databases. Money collected in that wallet was transferred to a bigger wallet. Hundreds of other wallets transferred funds into that main wallet. Many of the transfers were in the hundreds of dollars or a bit more, much like the price list above shows. This main wallet was created in May and has already received bitcoin worth over 100 million USD. GreenMoon2019 is probably part of a group of cybercriminals that draws amazing revenues from selling these databases and potentially other services and deliverables.

Figure 17: Worth of BTC transferred through the main wallet
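The wallet analysis described above (a seller wallet forwarding to a consolidation wallet fed by hundreds of other wallets) can be reproduced on any set of on-chain transfers. The following is an added example, not code from the original post or from Trustwave; the transfer records, wallet labels and the flat BTC/USD rate are all constructed placeholders. It builds the inbound-flow summary per wallet, flags consolidation points by how many distinct senders feed them, buckets inbound transfer sizes so the "hundreds of dollars" pattern is visible, and walks the sender graph upstream to recover the wallets that paid into a given consolidation wallet.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample of on-chain transfers (not real transactions): each record is
# (txid, sender wallet, receiver wallet, amount in BTC). Labels are placeholders.
SAMPLE_TRANSFERS = [
    ("tx01", "buyer_a", "seller_wallet", 0.030),
    ("tx02", "buyer_b", "seller_wallet", 0.040),
    ("tx03", "buyer_c", "seller_wallet", 0.025),
    ("tx04", "seller_wallet", "main_wallet", 0.090),   # seller forwards to main wallet
    ("tx05", "other_seller_1", "main_wallet", 0.500),
    ("tx06", "other_seller_2", "main_wallet", 0.750),
    ("tx07", "other_seller_3", "main_wallet", 0.020),
    ("tx08", "buyer_d", "other_seller_1", 0.060),
]

# Assumed flat BTC/USD rate for this sample only; a real investigation would
# value each transfer at the exchange rate on its block timestamp.
BTC_USD = 10_000.0


@dataclass
class WalletStats:
    inbound_btc: float
    inbound_usd: float
    distinct_senders: int
    inbound_count: int


def summarize_inbound(transfers):
    """Aggregate inbound value, transfer count and distinct senders per receiving wallet."""
    btc = defaultdict(float)
    senders = defaultdict(set)
    count = Counter()
    for _txid, src, dst, amount in transfers:
        btc[dst] += amount
        senders[dst].add(src)
        count[dst] += 1
    return {
        w: WalletStats(round(btc[w], 8), round(btc[w] * BTC_USD, 2),
                       len(senders[w]), count[w])
        for w in btc
    }


def find_aggregators(stats, min_senders=3):
    """Wallets fed by many distinct senders are candidate consolidation points,
    ordered by inbound USD value (largest first)."""
    return sorted((w for w, s in stats.items() if s.distinct_senders >= min_senders),
                  key=lambda w: stats[w].inbound_usd, reverse=True)


def bucket_amounts(transfers, dst):
    """Histogram of inbound transfer sizes (USD) for one wallet; a spike in the
    100-999 band is consistent with per-database sale prices."""
    buckets = Counter()
    for _txid, _src, d, amount in transfers:
        if d != dst:
            continue
        usd = amount * BTC_USD
        if usd < 100:
            band = "<100"
        elif usd < 1000:
            band = "100-999"
        elif usd < 10000:
            band = "1000-9999"
        else:
            band = ">=10000"
        buckets[band] += 1
    return dict(buckets)


def trace_upstream(transfers, wallet, depth=2):
    """Breadth-first walk over the sender graph: returns every wallet that paid
    into `wallet` directly or through at most `depth` hops."""
    senders_of = defaultdict(set)
    for _txid, src, dst, _amt in transfers:
        senders_of[dst].add(src)
    seen, frontier = set(), {wallet}
    for _ in range(depth):
        frontier = {s for w in frontier for s in senders_of[w]} - seen - {wallet}
        seen |= frontier
    return seen


if __name__ == "__main__":
    stats = summarize_inbound(SAMPLE_TRANSFERS)
    for w in find_aggregators(stats):
        print(f"{w}: {stats[w].inbound_usd} USD from {stats[w].distinct_senders} senders,"
              f" size bands {bucket_amounts(SAMPLE_TRANSFERS, w)}")
    print("upstream of main_wallet:", sorted(trace_upstream(SAMPLE_TRANSFERS, "main_wallet")))
```

The threshold in `find_aggregators` is deliberately low for the eight-record sample; on real chain data it would be set to hundreds of distinct senders, and the USD conversion would use per-transaction historical rates rather than one constant.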

Summary

In our investigation of criminal activities surrounding the U.S. elections, we uncovered massive amounts of information on U.S. voters up for sale along with other databases detailing individual consumers. This information can be used for social engineering and disinformation campaigns before, during, and after elections to help sway opinions toward one party or another.

As we have shown, these activities are extremely profitable and there is a real demand for these databases. We have also shown that cybercriminals are most likely mixing illegally obtained data from leaks with publicly available information on citizens and correlating them to create super databases with detailed information on almost every U.S. citizen and citizens of other major countries.
