This article is more than 1 year old
Who's leaving Amazon S3 buckets open online now? Cybercrooks, US election autodialers
Hundreds of thousands of voter records and contact info spilled
Security biz Kromtech has unearthed two more embarrassing – and potentially dangerous – cases of groups leaving mass data caches unguarded on the public internet.
In the first case, the culprit was an improperly configured AWS S3 bucket owned and operated by Robocent, a political robocalling company based in Virginia Beach, VA.
According to Kromtech head of comms Bob Diachenko, the storage bucket contained 2,594 files, including the audio files to be used in robocalls to voters and spreadsheets containing hundreds of thousands of US voters' contact details.
These records included voters' names, addresses, year of birth, phone number, political affiliation, and demographic info such as ethnicity and education level, all pieces of data that would be valuable to use in a spear phishing or social engineering scam.
Unfortunately, Diachenko said, it gets worse. It appears other sites have already collected and indexed the exposed data.
"What's more disturbing is that company’s self-titled bucket has been indexed by GrayhatWarfare, a searchable database where a current list of 48,623 open S3 buckets can be found," Diachenko explained.
The second case exposed by Kromtech could land a few people behind bars, if convicted, of course.
Millions of scraped public social net profiles left in open AWS S3 boxREAD MORE
Researchers uncovered an exposed mongoDB instance that contained both credit card numbers and payment details. A bit more digging lead the researchers to a dump of Facebook and stolen email account data and info from freemium games that offer in-app purchases through virtual currency.
Eventually, the researchers were able to piece together what was going on. The stolen credit cards were being combined with the lifted data to set up Apple IDs on hundreds of jailbroken iPhones that could then be automated to create user accounts on installations of the free-to-play games. The fake game accounts then purchased in-app currency for the games and were re-sold to other players for cryptocoins or real-world currency.
In other words, the scammers were using fake game accounts on jailbroken phones to launder money from the stolen payment cards via the freemium games, and the criminals operating the scam had left the entire operation wide open to the public by not securing the database.
Kromtech said it had reported all of its findings to the US Department of Justice so that a criminal investigation could be opened. ®