By Riley Boos
As anti-fraud technology continues to be developed and refined, threat actors are adapting their tactics, techniques, and procedures (TTPs) to continue their fraud operations by combining fake information with real social security numbers (SSNs). A synthetic identity can be used to open a bank account under a false name for money laundering purposes as well as open multiple credit card accounts used for major purchases, ultimately damaging the credit profiles of unsuspecting victims. This form of fraud presents both financial and national security threats.
Synthetic identity fraud has become the fastest growing form of financial crime in the United States, presenting risks to the financial industry and national security.
The process involves the use of stolen social security numbers (SSNs) and fake information such as name, date of birth (DOB), and personal address. The social security number and fake information are used to fabricate an identity that can be used to open new credit card accounts for fraud, to repair credit scores, or to open unidentifiable online bank accounts.
DarkWeb services provide fraudulent photo ID and passport scans, driver's licenses, and utility bill scans to assist threat actors in passing standard identity verification checks. The use of biometrics is a potential solution to synthetic identity fraud and related forms of financial crime, though very few institutions currently use this form of identity verification.
AdvIntel assesses with a high level of confidence that threat actors will continue to utilize synthetic identity fraud given the current verification practices used by financial institutions and related entities.
Fraudulent card-present transactions and ATM cashouts have traditionally been difficult to perform as security cameras can be used to identify the individual swiping the cards. Fraud scheme operators frequently hire others to perform card-present transactions and ATM cashouts with the goal of providing a buffer between themselves and law enforcement. The widespread adoption of COVID-19 face masks has made it easier for threat actors to conceal their identities and evade law enforcement detection. As synthetic identity fraud typically involves the use of multiple credit cards, physical identity obfuscation has become much easier for those making fraudulent in-person transactions.
Traditional identity theft has required the use of a victim’s complete personal information, colloquially known as “fullz,” to open financial accounts and engage in fraud-related activities. A modern form of identity theft referred to as synthetic identity fraud involves the use of a stolen social security number (SSN) and fake personal information, which can then be used to open financial accounts, obtain work/residency permits, or repair broken credit profiles. Victims of synthetic identity fraud are primarily under the age of 18, as their social security numbers are not likely to be registered within credit reporting databases. Due to a change made by the Social Security Administration (SSA) on June 25, 2011, any social security numbers assigned after that date use randomization and are therefore more likely to be discovered by threat actors.
Synthetic identity fraud is primarily used to open new credit card accounts under a false identity. An application for a credit card is submitted using a real social security number and fake personal details, most often resulting in a denied application due to a lack of credit history. While the application was being processed, the information supplied by the threat actor created a digital trail, marking one of the first steps in the creation of the fake identity. Once the identity has been established and the name and social security number have been associated, it can then be added as an authorized user on legitimate financial accounts used to increase credit score.
Several months or years may pass before the fake identity has a strong credit profile, at which point the fake identity will be used to apply for credit cards without anyone else on the accounts. Small transactions that are paid off each month will eventually raise the spending limit on the card, and in turn, will provide a threat actor the ability to max out and abandon all of the credit card accounts associated with the identity.
(Image Source: Government Accountability Office - GAO[.]gov)
When the victim whose social security number was used in the scheme becomes an adult and begins to apply for a job, a credit card, or a student loan, they will eventually discover that their credit score has been negatively impacted. Financial institutions are unable to recover the funds used for the fraudulent transactions and will not be able to contact the owner associated with the accounts, as that person does not exist.
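The lifecycle described above (a denial for lack of credit history, then an authorized-user tradeline, then applications made alone) leaves a sequence that can be checked on the defender's side. The following is an added example, not taken from AdvIntel's report or platform: the record fields, outcome labels, and both rules are assumptions for illustration, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data. SSNs use area 000, which the SSA never issues.
APPLICATIONS = [
    {"ssn": "000-12-3456", "name": "Alex Doe", "dob": date(1985, 3, 1),
     "date": date(2018, 1, 10), "outcome": "denied_no_history"},
    {"ssn": "000-12-3456", "name": "Alex Doe", "dob": date(1985, 3, 1),
     "date": date(2019, 6, 2), "outcome": "approved"},
    {"ssn": "000-12-3456", "name": "Jamie Roe", "dob": date(1990, 7, 9),
     "date": date(2019, 6, 20), "outcome": "approved"},
    {"ssn": "000-98-7654", "name": "Sam Poe", "dob": date(1979, 11, 5),
     "date": date(2019, 2, 1), "outcome": "approved"},
]
TRADELINES = [
    {"ssn": "000-12-3456", "role": "authorized_user", "opened": date(2018, 3, 15)},
    {"ssn": "000-98-7654", "role": "primary", "opened": date(2009, 5, 1)},
]

def synthetic_indicators(applications, tradelines):
    """Return {ssn: sorted indicator names} for SSNs matching either rule."""
    apps_by_ssn, lines_by_ssn = defaultdict(list), defaultdict(list)
    for app in applications:
        apps_by_ssn[app["ssn"]].append(app)
    for line in tradelines:
        lines_by_ssn[line["ssn"]].append(line)

    flagged = {}
    for ssn, apps in apps_by_ssn.items():
        hits = set()
        # Rule 1 (assumed heuristic): one SSN presented with several name/DOB pairs.
        if len({(a["name"].lower(), a["dob"]) for a in apps}) > 1:
            hits.add("SSN_MULTIPLE_IDENTITIES")
        # Rule 2 (assumed heuristic): thin-file denial, then an authorized-user
        # tradeline opened after it, then a further application on the same SSN.
        denials = [a["date"] for a in apps if a["outcome"] == "denied_no_history"]
        if denials:
            au = [t["opened"] for t in lines_by_ssn[ssn]
                  if t["role"] == "authorized_user" and t["opened"] > min(denials)]
            if au and any(a["date"] > min(au) for a in apps):
                hits.add("DENIAL_THEN_AUTHORIZED_USER_THEN_SOLO")
        if hits:
            flagged[ssn] = sorted(hits)
    return flagged

if __name__ == "__main__":
    print(synthetic_indicators(APPLICATIONS, TRADELINES))
```

A hit on either rule is a reason for manual review rather than proof of fraud, since legitimate applicants also build credit as authorized users.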
A stolen social security number combined with fake personal information provides an individual the ability to obtain an online bank account without needing to verify their identity at a physical location. An undocumented immigrant who did not previously have the ability to open a bank account can do so using the same methods as those involved in synthetic identity fraud schemes.
Listed Requirements for a Major Online Bank
The ability to open a bank account under a false name presents a national security risk as transactions within the banking system are not linked to a legitimate person or entity. Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations were initially put in place to monitor suspicious transactions and prevent money laundering but are not sufficient when the information provided is not genuine. Individuals involved in criminal activities are less likely to be detected by law enforcement agencies when using a synthetic identity to create a bank account.
Searches made on AdvIntel’s DarkWeb Intelligence Reporting Platform indicate a wide array of services that assist threat actors in performing synthetic identity theft. Since current verification methods used by financial institutions require a form of photo ID such as a scan of a driver’s license or passport, DarkWeb vendors have risen to meet the demand.
A threat actor operating on a major Russian-speaking cybercriminal forum offers documents that can be used to pass verification checks for online banking. Scans of a passport and an identification card are sold for $3 USD, or a total of $5 USD if the person on the document needs to be holding the photo for verification, otherwise known as a selfie.
Identification Service on Top-tier Cybercriminal Forum
Not only do most financial institutions require a photo ID when opening an account, but a utility bill scan is often required as part of the identity verification process. Utilizing AdvIntel’s Andariel DarkWeb Monitoring platform, searches were made for terms associated with synthetic identity fraud such as “SSN,” “DOB,” “Bank,” and “Scan” which returned additional resources that are used by cybercriminals for fraudulent purposes. The personal contact information for an English-speaking threat actor was provided by AdvIntel’s DarkWeb platform as well as a detailed overview of their fraud-related offerings.
Contact Information and Service Details Published by an English-speaking Threat Actor (Image Source: AdvIntel’s Andariel Platform - DarkWeb Collection)
The services offered on the DarkWeb illustrate the existing flaws with standard verification processes. Tailored utility bill scans and high-quality false identification documents can be used to pass identity verification checks, enabling the creation of financial accounts used for fraud.
Services Used for Synthetic Identity Fraud (Image Source: AdvIntel’s Andariel Platform - DarkWeb Collection)
Synthetic identity fraud is utilized for various reasons, most of which involve financial gain. Since many of the victims involved in the scheme were born after 2011, most will not begin to check their credit scores for nearly another decade, when it is already too late. The potential threats are not limited to financial institutions or individuals with compromised social security numbers. Synthetic identity fraud presents a national security risk, as bank accounts opened using false information can potentially aid the laundering of criminal proceeds while obfuscating the true identity of the bank account owner.
AdvIntel assesses with a high level of confidence that synthetic identity fraud will continue to be utilized as long as current identity verification methods remain in place. Advanced Intelligence alerted the affected institutions regarding the potential active fraud scheme.
Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and DarkWeb economy, and mitigate any existing or emerging threats.
Riley Boos is a Threat Intelligence Analyst with Advanced Intelligence, LLC, who primarily researches the digital fraud ecosystem and is near completion of a B.A. in Digital Communications from Oregon State University.