Indian Loan Documents Sold Over Cybercrime Forum
Published 18 May 2021
- CloudSEK discovered a post advertising loan documents belonging to Indian citizens
- These documents include KYC documents, salary slips, bank statements, etc.
CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post on a cybercrime forum advertising loan documents belonging to Indian citizens. The CloudSEK Threat Intelligence Research team has validated the information in the post and found that the compromised data belongs to Loan Wired, a fintech startup specializing in personal and business loans.
On 02 May 2021, a threat actor shared a post advertising a database of loan documents of Indian citizens. The actor, who joined the forum in June 2018, has been actively selling databases and access to various companies across the Asia Pacific, Middle East and US regions, and has built a good reputation on the forum over that time.
Information from Source
The threat actor shared a screenshot of multiple samples in their post, including Aadhaar cards, bank statements of individuals, and files that are part of the leaked database.
Information from HUMINT
CloudSEK Threat Intelligence Researchers were able to confirm that the compromised loan documents were dumped from the website Loanwired(.)com. Loan Wired is a lending platform offering personal loans across India.
The database shared by the actor includes the following documents:
- KYC documents (PAN, Aadhaar, customer photographs)
- Salary slip
- Bank statements
- Electricity bills
- Income tax return statement
- GST certificate
Information from Technical Analysis
The structure of the dumped database indicates that the threat actor gained access to the web server itself, which allowed them to read customer records and the documents uploaded by customers. It is also likely that the actor established persistent access to the server in order to exfiltrate further data.
Possible Attack Vectors
- Brute-forcing RDP credentials may have allowed the threat actor to take over the server.
- Exploiting known vulnerabilities in the VPN or other exposed endpoints, or vulnerabilities in the web application itself, are alternative ways by which the threat actor may have gained access and exfiltrated the data.
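As an added illustration of how a defender would look for the first of these vectors (this script is not part of the CloudSEK post and is not Loan Wired's code), the following Python example flags an RDP brute-force that ends in a successful logon, run over a constructed set of Windows Security events. The log lines, IP addresses, usernames and the pipe-separated export format are made up for the example; only the event semantics (Event ID 4625 for a failed logon, 4624 for a successful logon, logon type 10 for RDP/RemoteInteractive) are real Windows conventions.

```python
"""Added example (not from the CloudSEK post): detect an RDP brute-force that
ends in a successful logon from Windows Security events.

Event semantics are real Windows conventions:
  4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
Everything else (log lines, IPs, usernames, export format) is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional


class LogonEvent(NamedTuple):
    ts: datetime
    event_id: int     # 4625 failed, 4624 success
    logon_type: int   # 10 = RemoteInteractive (RDP)
    user: str
    src_ip: str


# Constructed sample export in a hypothetical "ts|event_id|logon_type|user|src_ip"
# shape. 203.0.113.7 cycles through common account names and finally lands a
# logon; 198.51.100.20 is a user who mistyped once; 10.0.0.5 is a non-RDP logon.
SAMPLE_LOG = """\
2021-05-01T02:00:01|4625|10|administrator|203.0.113.7
2021-05-01T02:00:03|4625|10|admin|203.0.113.7
2021-05-01T02:00:05|4625|10|Administrator|203.0.113.7
2021-05-01T02:00:07|4625|10|root|203.0.113.7
2021-05-01T02:00:09|4625|10|loanwired|203.0.113.7
2021-05-01T02:00:11|4625|10|support|203.0.113.7
2021-05-01T02:00:13|4624|10|support|203.0.113.7
2021-05-01T09:15:00|4625|10|ravi.k|198.51.100.20
2021-05-01T09:15:20|4624|10|ravi.k|198.51.100.20
2021-05-01T09:16:00|4625|3|svc_backup|10.0.0.5
"""


def parse_log(text: str) -> List[LogonEvent]:
    """Parse the constructed pipe-separated export into LogonEvent records."""
    events: List[LogonEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, ltype, user, ip = line.split("|")
        events.append(LogonEvent(datetime.fromisoformat(ts), int(eid),
                                 int(ltype), user, ip))
    return events


def detect_rdp_bruteforce(events: List[LogonEvent], threshold: int = 5,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Return {src_ip: {...}} for every source that produced at least
    `threshold` failed RDP logons inside a sliding `window`, recording
    the distinct usernames tried and the user of any success that arrived
    while the failure burst was still inside the window."""
    by_ip: Dict[str, List[LogonEvent]] = defaultdict(list)
    for ev in events:
        if ev.logon_type == 10:          # only RDP logons are of interest here
            by_ip[ev.src_ip].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        recent_failures: List[datetime] = []   # failure timestamps inside the window
        users_tried: List[str] = []
        total_failures = 0
        flagged = False
        success_user: Optional[str] = None
        for ev in evs:
            # drop failures that have aged out of the sliding window
            recent_failures = [t for t in recent_failures if ev.ts - t <= window]
            if ev.event_id == 4625:
                total_failures += 1
                recent_failures.append(ev.ts)
                if ev.user not in users_tried:
                    users_tried.append(ev.user)
                if len(recent_failures) >= threshold:
                    flagged = True
            elif ev.event_id == 4624 and flagged and recent_failures:
                # a success while the burst is still inside the window:
                # the guessing most likely succeeded, escalate immediately
                success_user = ev.user
        if flagged:
            alerts[ip] = {"failures": total_failures, "users": users_tried,
                          "success_user": success_user}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        verdict = f"COMPROMISED as {info['success_user']}" if info["success_user"] else "attempted"
        print(f"{ip}: {info['failures']} RDP failures, {len(info['users'])} usernames, {verdict}")
```

The threshold and window are deliberately low so the constructed sample triggers; in production they would be tuned against the normal failure rate of the host. The important design point is the second branch: a 4624 that follows a burst of 4625s from the same source is a much stronger signal than the failures alone, and is what separates a noisy scanner from an actual takeover of the kind described above.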
Impact
Since the leaked database contains sensitive information such as customers’ PII:
- Threat actors can leverage this data to carry out social engineering attacks, scams, and even identity theft.
- The data can also be used for targeted attacks against the company, causing it financial loss.
Mitigation Measures
- Use strong, unique passwords
- Enable multi-factor authentication for all online accounts
- Don’t share OTPs with third parties
- Review online accounts and financial statements periodically
- Regularly update apps and other software