New puzzle for the cops: cybercriminals buy personal data in bulk
“Dear customer, your account with xxxx has been suspended. Please complete your KYC (know your customer) with this link…”; “Dear user, please update your KYC for your account with this link/number…”; “Dear customer, you have earned reward points worth Rs 5000 in your account xxx…”
These are just some of the mass messages received on thousands of phones every day, sent by scammers waiting for people to click on phishing links and share personal information. But what has exacerbated the headache for law enforcement lately is the proliferation of websites that sell people’s names and numbers in bulk, senior Delhi police officers told The Indian Express. The agents added that the scammers have become proficient at creating similar websites of banks, telecom providers or brands to steal information and siphon off money – between a few thousand and several hundred thousand dollars. – vulnerable people.
In March, the Delhi Police’s Cyber Cell arrested 23 people for sending such messages daily and ‘tricked’ people into visiting fake websites under the guise of updating KYC information – otherwise they “lose” their account at a major public sector bank.
Once a person parted with their personal information online, the money would quickly disappear from their account.
A senior public sector bank official, who did not wish to be named, said: “Last year we had over 500 complaints in November-December. We had to send out alerts on social media, newspapers and on our app. Fraudsters continued to send mass messages asking people to update their KYC or else they would lose their account. We have also reported the matter to the Delhi Police and the Home Ministry. It is very serious. These people pose as bank officials and cheat customers out of hundreds of thousands of rupees. We would never send such messages to our customers.
KPS Malhotra, DCP (Cyber Cell), explained how it works: “The men sent messages en masse with links that allegedly lead to a fake public sector bank app page. The account holder would provide personal information on the fake online banking page and the accused would take that information, log into the original account and siphon money from there.
“It was a pan-Indian network; we had over 100 complaints with us. More than 51 of them were in Delhi. The defendants were arrested at different locations,” the DCP added.
In fact, many FIRs often file hundreds of complaints – last year, for example, Dwarka’s Cyber Cell recorded eight KYC fraud cases, each involving over 500 complainants from across the country.
In the March case, the police found many victims lost up to Rs 1 lakh. According to the police, these gangs operate from different cities in the country – which poses problems of competence for the investigators – and have several modules to manage different tasks.
For example, some men are tasked with creating phishing links, mass texting, and creating bank accounts to transfer the money to, while others work to obtain data on their targets. .
According to Cyber Cell, obtaining victim data is key to the operation. An ACP level officer told The Indian Express that the defendants buy it from websites where the personal details of thousands of people are sold in bulk for as low as Rs 600 and up to Rs 7,000.
The Indian Express connected to some of these websites and saw how easily one could buy data – names, phone numbers and even addresses. The data is differentiated into different categories for “marketing purposes”.
The categories include ‘Students looking for a job’, ‘Seniors’, ‘Delhi-NCR doctors’ and ‘Delhi-NCR car owners’, which allows fraudsters to focus more easily on the group they wanted to target.
The data is available in the form of different files, it is enough to create an account on the sites and to buy it.
A team led by CPA Raman Lamba discovered that the defendants obtained numbers from these websites and regularly sent mass messages.
“They mainly target senior citizens, retired civil servants and frequent buyers. The data of these people is readily available on websites,” an officer said. The Indian Express contacted one of the websites and asked about the data being sold online.
The company, which declined to be named, claimed that details such as name, email ids and phone numbers could be shared and sold as these are categorized as ‘data’. general”. However, data such as credit card details and medical records cannot be shared online as they are “sensitive/personal”.
“There are no laws protecting the sale of general data. Data can be categorized and sold online for marketing purposes. Many brands want their “target audience/customers” and need such data. This data selling business was started to provide data for marketing purposes, but cyber criminals can also use it for illegal purposes… Data is only shared for promotional activities… It is the responsibility of the user,” the company spokesperson said.
Asked how the websites collected this data in the first place, the spokesperson said: “As there are a lot of companies that sell data, so they buy data from each other as needed. However, the original source of the data is unknown. But as far as I know, some data such as B2B company data, doctor data, chemist data is collected from web directory sites where name, address and contact numbers are openly available. And other data can be sold by the companies themselves – for example, I opened an account (with a broker) for trading, and after a few days I start to receive calls from different companies for purposes commercial, so we can believe that the data is obviously sold by the company itself, and when that data is used by those companies, it comes into the open market to be resold by small, medium-sized sellers.
In the event that a fake banking app was created, the accused would send mass messages to thousands of people every day and then wait for people to click on the link.
An officer said that when victims clicked on the link, they were directed to the fake/phishing website, while the accused opened the original website. As the person typed in their username and password, the accused would see it in real time, the officer said.
At this point, an OTP or one-time password would be required for login.
Buy now | Our best subscription plan now has a special price
“Since the OTP is a crucial part of the login, the accused would also put an OTP link on the fake site. As soon as the victim types the received OTP on his mobile number, the accused would use it on the original website and would have access to the account,” the officer said.
Moreover, the accused would send more OTPs to continue withdrawing money from the account. On the victim’s mobile/laptop screen, she would see the KYC formalities being completed and the site asking for yet another OTP to complete the process.
“As the victim thinks he is completing his KYC process or registration for reward points, the accused is simply stealing OTPs and withdrawing money from his account,” the officer added.
In one specific case, the defendants were arrested with more than Rs 2 crore. “They started the operation during the pandemic; in fact, many gangs did. We received more than 25 complaints with the same modus operandi. Most of the complainants were 45 and older. One of the complainants, a retired DU professor, was defrauded of Rs 1.7-2 lakh. It was the highest amount.