Data leaks of all sorts regularly crop up in the news, and recently so have fines, some potentially reaching into the billions, slapped on the companies responsible. If companies have to pay for data leaks, surely some of that money goes to the victims, right?
Surprise from the US Trading Commission
Recently, a curious site caught our eye. Seemingly owned by a certain Personal Data Protection Fund, the website’s main page states that the fund was created by the “US Trading Commission.”
At first glance, the site looks reasonably sound, with a restrained design showing a hefty sum on the right. A large banner at the top of the page announces that the fund awards compensation for leaks of personal data — for which citizens of any country in the world can apply.
For those interested, the site offers to check whether your data has ever leaked. For this, you need to specify your surname, first name, phone number, and social media accounts. Above the input form is a warning that entering other people’s data will result in a severe penalty.
However, it turns out that the website accepts any information, even complete gobbledegook. For example, we inquired about the personal data of a citizen named fghfgh fghfgh. The site pondered for a while, seemingly connecting to a database of information about leaks…
…and lo and behold, found that our fictional character with an unpronounceable name had indeed had their data leaked. Moreover, it turned out that someone had already used their photos, videos, and contact information, and so fghfgh was entitled to compensation in excess of $2,500!
Buy a temporary SSN
One might think it would suffice to give a bank card number and wait for the payment to be credited. Not quite. The charitable fund cannot send money without knowing your SSN (social security number), a nine-digit number issued to U.S. citizens as well as permanent and temporary working residents.
This unique number is used for almost everything in the U.S., including paying taxes, applying for a job, renting a home, and so on.
But if you don’t have one, never fear: You can simply check the box next to the line “I’am don’t have SSN” (English grammar doesn’t seem to be the scammers’ strong point).
To get around the problem of not having an SSN, the site offers to sell you a temporary one! In comparison with the amount of compensation dangling in front of your eyes, the $9 price tag is a trifle.
If you do try to complete the transfer without buying an SSN, the site will return an error and demand a temporary number. And if by some chance you happen to specify a valid SSN in the fraudulent form, you will still be asked to buy a temporary one.
Those who decide to purchase a temporary SSN get redirected to a payment form. If you happen to do it from a Russian IP address, this payment form appears in Russian, and the purchase price is specified in rubles. This is strange. Why would a U.S. government agency require payment in a foreign currency?
Residents of other countries are likely to be redirected to a less suspicious English-language form asking for payment in dollars.
Are Russian online scammers going international?
Of course, this is scam. The Personal Data Protection Fund does not exist, and neither does the US Trading Commission, as you might have guessed. The name of the real organization the scammers apparently are trying to impersonate here is Federal Trade Commission, but the FTC does not hand out compensation indiscriminately.
The scammers themselves are most likely Russian speakers, as suggested by the ruble payment form, plus the suspicious similarity of the scheme to other easy money offers that regularly tempt residents of Russia and the CIS.
The e-bait in those schemes varies — giveaways, surveys, secret retirement savings, even a part-time job as a taxi dispatcher — but they tend to be in Russian (as are some of the preceding links), and the bottom line is always the same: the juicy promise of quite a bit of easy money, followed by a demand to pay for an inexpensive service, be it a commission, a “securing” payment, or a temporary SSN.
The present scheme uses the same payment systems as previous ones. This too leaves a familiar trail of Russian cybercriminal breadcrumbs. The only difference with the compensation scam is the wider attack geography. For example, this time victims were located not only in Russia and neighboring countries, but also in Algeria, Egypt, the UAE, and elsewhere.
How to avoid the trap
Such scams are aimed at those hopeful victims who wouldn’t find such an offer suspicious. Therefore, our main tip is to remain vigilant:
- Do not trust. If someone promises a large cash payout for something as trivial as taking part in a survey, it is almost certainly a trick. And if you are asked to pay something to get the funds, you can be doubly sure it’s a swindle.
- Verify. Google the organization to see if it actually exists, and if it does, take a close look at its website. Pay attention to the language: A reputable organization will not publish text full of errors and typos.
- Use trusted resources. If you are concerned about your data’s security, specifically passwords, you can check whether it has been affected by a leak at haveibeenpwned.com. Created by infosec expert Troy Hunt, this data breach search resource provides the most up-to-date information about data leaks.
- Protect yourself. Use a reliable antivirus solution with protection against phishing and online fraud, such as Kaspersky Plus.