RSA Admin

Tales From the Darkside: US Identity Generator

Blog Post created by RSA Admin Employee on Feb 19, 2013

RSA Firstwatch shines a spotlight into the darker corners of the Internet to better understand Internet fraud and criminal trends online. When possible, RSA Firstwatch members will use this space to share information about some of our findings.


A Chinese-generated website offers its users a unique service: to instantly generate a false United States citizen identity, complete with banking credentials, work history, education background, and even a blood type, based on scraped personal information from other websites, geo-IP location, and stolen credit card numbers. But the site does say that it shouldn't be used for criminal purposes, despite the fact that we detected it from known criminals farming identities. The page screenshot has been translated from the Han Chinese language:



And with a click of the button, you can even generate a new identity for yourself from your own hometown, based on your local IP address. In addition, there is a driver's license number generator that the website's author assures will work for at least a dozen states.


Don't worry about the seemingly personal information: the social security number is fake and only guaranteed to match the issuing state, and the telephone number is an unused one from the region. The banking site is randomly generated from the local region, and the routing numbers for those banks are not exactly a secret either. The credit card numbers are supposedly valid, which is why they are blanked out, but it is more likely that only the first four digits match the issuing bank, which again is not a secret. The usernames, email addresses and websites are all generated from random transforms of the real person's first name and last name, information real people publish to sketchy websites such as dating, recipe sharing, message board, and gaming sites.


Here is one of those real people whose user information appeared in one of my samples. The backend bot of this identity generator cribbed it from her online dating profile, creating matches for age, name, location and zip code.



The online personals ad leaks personal information such as a username, job title, location, zip code and age. It provides just enough of a web-based personal biography that anyone researching one of these generated false identities might believe that a real person is behind it.


So what could you do with a fake generated identity? While the ID Generator site says it should be used to protect online identity by providing a layer of anonymity, the opportunities for fraud abound. Could someone get a payday loan with just this amount of information? Apply for housing? Purchase a cellphone? Get a plane ticket?


The bottom line is that criminals are combining real people's information with falsified additional details to perpetrate fraud both online and in the real world. So think again before you post your own personal information online.