Get to know the place where personal data is being traded

Malaysia-centric databases appearing online is not a new phenomenon.

Every day, millions of lines of data with personal identifiable information (PII) are being written automatically due to the digitalisation of commerce and government.

Inevitably, some PII databases will end up being sold, traded, or “dumped” – meaning shared for free – on the internet.

The latest PII alleged leak to have caught the attention of the authorities is an attempt to sell alleged National Registration Department (NRD) records.

The discovery was made by Adnan Shukor, known as @xanda on Twitter, and his findings were reported by popular tech blog lowyat.net yesterday (Sept28).

Adnan stumbled on an advertisement posted on raidforums.com, where forum user Nudubota claims to be in possession of four million entries of “fresh citizen data” originating from the NRD.

Nudubota’s ad claimed the database was “leaked from hasil.gov.my through the MyIdentity API” and contained records of those born from 1979 up to 1998, and is 31.8GB in size.

A sample of the data, provided in JSON format, showed the following fields: name, email, mobile number, permanent address, mailing address, MyKad number, race, religion, and a photograph encoded in Base64.

Nudubota’s asking price was 0.2 bitcoins – a cryptocurrency that provides some degree of anonymity if one meticulously follows the rules.

Raidforums.com describes itself as a database sharing and marketplace forum. A cursory search revealed that Nudubota is just one of many users advertising purported Malaysia-centric datasets.

Some of those purported datasets include customer records for a logistics company with verifiable air waybill numbers and customer data of a major Penang-based gold exchange.

Others claimed to be selling employment records of a major local conglomerate, driving licence records held by an e-hailing company, and insurance policyholders, among others.

The most recent advertisement was for 15.8GB worth of data, ostensibly company records held by the Companies Commission of Malaysia. This advertisement was also posted by Nudubota.

Nudubota is offering this database for 0.3 bitcoins to individuals. However, Nudubota claims they will stop selling the database if they are paid one bitcoin (approximately RM180,000) by the owner of http://www.ssm-einfo.my.

Open to abuse

The advertisers will typically include a small sample of their databases to entice buyers. Unlike conventional e-commerce, there is no buyer protection by trading databases on raidforums.com.

Hackers who leak, sell, or trade databases on raidforums.com target companies and entities from all over the world.

They offer all sorts of databases from Facebook user details to voter databases and even adult website usernames and passwords.

Malaysia-centric databases appearing on the internet is not a new phenomenon. In April, Malaysiakini reported 11 million Malaysian phone numbers linked to Facebook accounts were being shared.

A Kuala Lumpur-based cybersecurity consultant, who wished to be known only as CJ, explained there is a market for such databases among businesses that require cold-calling, such as the insurance and multi-level-marketing industry.

A database with age, gender, and spending habits is also important for telemarketers who are dealing with loans, he said.

“It is the backbone for classic phishing scams where a phone call begins with: ‘I am from this agency and you have case number 123. Your MyKad number is XYZ and you are currently staying at this address’,” said CJ.

“Then there are those ‘mudah cuci’ messages through WhatsApp with an accompanying link to gambling websites.”

Another example of database abuse is the mysppl.com website, which charges a fee to look up an individual’s MyKad, email, address, and company information.

Although mysppl.com has blocked incoming traffic from Malaysia, it is easily accessible by switching to a foreign IP address.

While stolen databases are easily accessible by those with malicious intent, the owner and operator of raidforums.com, who goes by the name Omnipotent, believes their website and the databases on it are doing a public good.

Educating the public

In January, Omnipotent spoke to cybersecurity website The Record. Omnipotent said raidforums.com was started in 2015 to coordinate “Twitch raids” – a mostly innocuous pastime.

But eventually, raidforums.com became popular with database sharing, which Omnipotent condones if it is being done for free.

The purpose, said Omnipotent, was to educate people on how to defend themselves from phishing attempts and the importance of online security.

“I personally believe in letting this data be public and in essence allowing any person to view how they were affected and protect themselves by changing emails, changing passwords, and taking precautions in the future.

“This is what our ‘databases’ section was made for: sharing to the community and by extension to the public any and all data you have free of charge,” said Omnipotent, who other forum users regard as “supreme leader”.

Omnipotent said although there are forum users advertising leaked databases for sale, there’s no way to determine if the advertiser possesses the data they claim to be trading.

It also can’t be determined if the data was obtained legally or illegally.

However, Omnipotent said raidforums.com will comply with requests from the authorities to remove “samples” of PII that they host.

Omnipotent said, despite that, PII was still being traded online every day, be it on the dark web or by major technology companies.

“My personal goal with the website at the current moment is making data free, in essence taking away money from people who are illegally selling and buying this data for all the wrong reasons,” said Omnipotent.

“Therefore any attention we draw to ourselves will just further this goal.”

By : ANDREW ONG – MALAYSIAKINI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s