You can buy almost anything on the dark web. The shrouded underbelly of the Internet is most known for its clandestine markets that make a brisk trade in the sale of drugs, weapons, and the details and identities of millions of people.
Yes, selfies. At the start of the year, Israeli dark-web research firm Sixgill noticed a data dump for sale on a largely Russian-language dark web forum. What distinguished this dump from the thousands of others available is that each record was accompanied with a selfie of the user.
“We came across an advertisement in a closed-access forum which is predominantly Russian where someone was selling 100,000 documents for $50,000,” said Sixgill’s Alex Karlinsky, speaking exclusively to TNW. “These documents include their ID or passport, proof of address, and unusually, a selfie.”
So, what’s the point? Selfies, by themselves, have scant use for an adversary. However, combined with other more traditional proofs of information, they could allow an attacker to open bank accounts and access credit under the name of a victim.
Some banks allow customers to open accounts by uploading scans of their ID documents, along with a selfie, in order to verify their identity. This is particularly common as banks try to replace traditional branch services with online alternatives. This is especially true for the swathe of online-only banks that have emerged over the past few years.
According to Sixgill, the person selling the dump also offered it in smaller, more affordable chunks. They also identified another bad actor selling identities in a piecemeal fashion. Just $70 would get you an individual’s ID documents, plus a selfie.
Karlinsky wasn’t able to identify the source of the dump. “The easiest of obtaining a selfie is from phones that have contracted malware,” he said. “The other way would be to maintain a website that keeps private info from people, and/or to hack into such a website.”
The latter scenario seems likely. One common source for document leaks is inadequately-secured cloud storage platforms, like Amazon S3.
Earlier this year, the passports and photo IDs of 119,000 FedEx customers were identified on a publicly-accessible Amazon S3 server. The server was operated by Bongo International, which the courier company acquired in 2014, rebranded to FedEx Cross-Border International in 2015, and ultimately discontinued in 2017.
Researchers from German security firm Kromtech found ID documents from countries all over the world, including the United States, Australia, Canada, and several European countries. These were accompanied with shipping forms listing contact and address information.
There’s no suggestion that the FedEx documents were accessed by a malicious third-party. However, this example highlights how improperly-configured cloud infrastructure can result in profoundly sensitive documents ending up in the wrong hands.
Karlinsky isn’t worried about people posting sepia-toned Instagrams, but strongly recommends that people be more discerning when proving who they are online. Before you hand over your documents and your photograph, he recommends people ask the following questions: “Who are you proving your identity to? Is it worth it?”
“I would go as far to not take selfies of yourself holding your ID,” he added. “I would also refrain from having pictures of your ID on your phone, in case your phone contracts malware.”