Without leaving the room: scammers take out loans using data from leaked databases
An 18-year-old hacker who took out loans in the names of people from different regions has been detained in Dagestan. Investigators believe that he used databases of Russians' personal data bought on the darknet. "Izvestia" found out how fraudsters use such databases and how people can protect themselves.
On databases and social networks
An 18-year-old hacker who set up a scheme for taking out microloans in the names of citizens across the country has been detained in Dagestan. Officers of the department for combating the illegal use of information and communication technologies of the Department of the Ministry of Internal Affairs of Russia for Khanty-Mansi Autonomous Okrug - Yugra traveled to the republic to detain him, the department said.
The police found out that the suspect bought a database on the Internet containing passwords, logins and personal data of at least 100 people from different cities. He then found these people on social networks and searched for information about them in open sources. After that, the hacker guessed their passwords (usually they were simple) and, posing as the victims, logged in to the "Gosuslugi" portal, where he took out loans. He then transferred the money to his own account, which is how he was caught.
- At the moment, four residents of Yugra and six citizens of other regions of Russia are known to have suffered from the hacker's actions. The total damage amounted to about 100 thousand rubles, - the press service of the Department of the Ministry of Internal Affairs for Khanty-Mansi Autonomous Okrug - Yugra reported.
They noted that the hacker chose as his victims people whose accounts had no two-factor authentication and who had a minimal credit load. Operatives are now checking the Dagestan resident for involvement in other crimes - there may be more victims.
The young man was prosecuted for fraud and unauthorized access to computer information. Now he faces imprisonment for up to 10 years with a large fine and corrective labor.
Sources of data
As Dmitry Ovchinnikov, head of the Laboratory for Strategic Development of Cybersecurity Products at the analytical center Gazinformservice, explained to Izvestia, data on a person's identity can be obtained from various sources. First of all, these are databases that contain partial information - for example, a database on inheritance cases, merged databases of online stores and delivery services. There are also consolidated databases compiled from several official ones. They can be bought on the darknet for relatively little money.
- Usually such databases contain SNILS, passport data, phone numbers and other personal information. Having bought access, the fraudster begins to select a victim. Information gathering can be continued, for example, in social networks. From there, you can learn a lot that gives a clue for guessing the password - a child's name, a pet's name, and more. Then you can try to hack access to "Gosuslugi" by brute-forcing the password and SNILS number, - says Ovchinnikov.
If a person has not used "Gosuslugi" for a long time, the account may not be configured for login with confirmation, which has become mandatory since 2023. Such accounts are usually easy to hack: a SNILS or phone number is enough, and that number will not even receive a login notification. Once on the portal, the fraudster can change this number in the personal account, start taking out loans in the user's name and then withdraw the money to their own accounts.
- Another scenario is to hack the email to which the "Gosuslugi" account is linked and try to enter the account through the legitimate account recovery procedure, with the confirmation sent to that mailbox, - adds the Izvestia interlocutor.
He concludes that the procedure carried out by the hacker from Dagestan is simple and does not require technical knowledge. It is made even easier by people who use simple passwords (for example, a date of birth), abandon their accounts on "Gosuslugi" or post too much information about themselves on social networks.
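The takeover sequence described above (a login with no second factor, then a change of the contact phone number, then a loan application) is something a portal or lender can watch for in its audit trail. The following is an added example, not part of the original article; the event schema, field names and one-hour window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not a real portal's log format).
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "account": "acct-1", "type": "login", "second_factor": False},
    {"ts": "2024-05-01T10:04:00", "account": "acct-1", "type": "phone_change"},
    {"ts": "2024-05-01T10:09:00", "account": "acct-1", "type": "loan_application"},
    {"ts": "2024-05-01T11:00:00", "account": "acct-2", "type": "login", "second_factor": True},
    {"ts": "2024-05-01T11:05:00", "account": "acct-2", "type": "phone_change"},
    {"ts": "2024-05-01T11:10:00", "account": "acct-2", "type": "loan_application"},
    {"ts": "2024-05-01T12:00:00", "account": "acct-3", "type": "login", "second_factor": False},
    {"ts": "2024-05-03T09:00:00", "account": "acct-3", "type": "phone_change"},
    {"ts": "2024-05-03T09:05:00", "account": "acct-3", "type": "loan_application"},
]

CHAIN = ("login", "phone_change", "loan_application")

def flag_takeover_chains(events, window=timedelta(hours=1)):
    """Return accounts where a login without a second factor is followed,
    within `window`, by a contact-phone change and then a loan application."""
    flagged = []
    state = {}  # account -> (index of the next expected CHAIN step, time of risky login)
    for ev in sorted(events, key=lambda e: e["ts"]):
        acct, when = ev["account"], datetime.fromisoformat(ev["ts"])
        if ev["type"] == "login":
            # Every login restarts tracking; only one without 2FA opens a chain.
            if ev.get("second_factor"):
                state.pop(acct, None)
            else:
                state[acct] = (1, when)
            continue
        step, start = state.get(acct, (0, None))
        if step == 0:
            continue  # no risky login is being tracked for this account
        if when - start > window:
            state.pop(acct)  # too long after the login to count as one chain
            continue
        if ev["type"] == CHAIN[step]:
            step += 1
            if step == len(CHAIN):
                flagged.append(acct)
                state.pop(acct)
            else:
                state[acct] = (step, start)
    return flagged
```

With the sample events only `acct-1` is flagged: `acct-2` logged in with a second factor, and the changes on `acct-3` came two days after the login.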
Scammers' schemes
As Maxim Alexandrov, a software products expert at the company "Security Code", explains, fraudsters can use leaked databases in different ways. Knowing even a fraction of the information, such as a full name and passport number, they can prepare their cover story more thoroughly and pretend to be a telecom operator or a bank employee, or a representative of government or law enforcement agencies. This helps to inspire more trust and reduce a person's suspicion.
- The data can also be used when communicating with the victim's loved ones. For example, attackers create a fake account and then, having studied social networks, write to the victim's friends and relatives. In both cases, they have the same goal - to trick people into giving up sensitive data, such as one-time codes for various services, - he says.
Of particular interest to criminals are scans of important documents, such as a passport. These can be found in social networks or messengers by logging into an account with a leaked login and password. Correspondence may contain copies of documents belonging both to the account owner and to their friends and acquaintances. Therefore, it is important not to send such files to anyone, or even just the details from documents.
- Gathering data bit by bit from the leaked databases, criminals build a complete "portrait" of a person, and then use the information at their discretion - both for phishing schemes and for obtaining loans, - says Alexandrov.
Loan processing
According to Maxim Alexandrov, sometimes the data from the leaked databases alone is enough to apply for a microloan. Sometimes all that is required is a full name, passport series and number, and a phone number. Therefore, fraudsters turn to microfinance institutions (MFIs) more often than to banks, which not only check identity carefully but also require additional information, such as income certificates.
- But even for a loan from an MFI, attackers need to have a certain technical level - for example, to create a fake passport, if we are talking about an offline visit to the office, - says the interlocutor of "Izvestia".
At the same time, he notes, the success of the scam often depends on whether the fraudsters have an insider in a financial organization. Another factor is how thoroughly identity verification is carried out there. Some carry out identity verification remotely, so with passport data, SNILS and other information about a person, fraudsters can easily take out loans for small amounts.
There are also more sophisticated schemes - for example, using artificial intelligence technology. If a financial organization conducts an online verification, the attackers use deepfakes, substituting the video stream "live" and overlaying a "mask" of the person they are pretending to be.
- Successful forgery is also possible when visiting a financial organization in person - by making a fake passport. Sometimes fraudsters use AI technologies to create a photo that simultaneously resembles both the victim and the attacker, and the quality of the passport forgery is high. Even large banks can be defrauded with their help, - concludes Alexandrov.
Tips for those caught in the database
Today, every Russian can check whether his data is in the leaked databases on the Internet. For this purpose, the National Coordination Center for Computer Incidents (NCCI) has launched a service where all information on leaks collected from open sources is available. At the same time, the service itself does not store any data - it only allows you to find the requested information. If you find your data in the database, Dmitry Alexandrov advises you to immediately change all passwords on sensitive services (it is important to use complex combinations and two-factor authentication), as well as check your credit history.
- This can be done in three ways: through "Gosuslugi", through a specific bank or by requesting a credit history from a credit history bureau (BKI), - says Mr. Alexandrov.
If a loan has already been issued in your name, lawyer Sean Betrozov recommends first contacting the bank or MFI that issued the loan and declaring in writing that there was a mistake or fraudulent action. Next, you need to file a fraud report with the police.
- The police will give you a notification slip confirming that the report has been accepted - you may need this document in the future to protect your interests in court. It is also necessary to contact the bank where the account is opened, where the client will be able not only to set up a ban on the issuance of credit online, but also to set limits on the amount of transfers through the application, - says the lawyer.
To combat such situations, the State Duma adopted a law that will take effect from March 1, 2025 and will allow citizens to place a self-ban on loans at all credit institutions by filing an application through the single portal of public services.
Victim's rights
According to attorney Shawn Betrozov, in most cases people learn about fraudulent loans by accident - for example, when they receive a call from the bank with a reminder of overdue payments or when trying to take out their own loan. Therefore, it is necessary to regularly check your credit history - this will not only help to detect the problem in time, but also to react to it faster.
- You are not obliged to pay off a loan that you did not apply for. Credit organizations usually start demanding money, but with a competent approach to the case and evidence of fraud, debts can be disputed, - says Betrozov.
In this case, he adds, it is important to keep all correspondence, documents and checks that can confirm the words of the victim. Sometimes the case can go to court - and then you will need the help of a lawyer. Court practice shows that in most cases the court sides with the victim of fraud if there is enough evidence.
Fraud involving loans taken out in citizens' names is a real threat that can affect everyone. But by knowing the main ways of defense and the steps to take when faced with such a situation, you can lower the risks and even avoid financial losses, concludes the interlocutor of "Izvestia".