Someone is auctioning on underground forums a database allegedly containing personal information of 92 million Brazilian citizens. They claim that every record is real and unique.
The seller also advertises a search service focused on Brazilians, saying that they can dig up details about an individual starting from minimum initial data.
Highest bidder gets the data
The auction is present on multiple restricted-access underground markets where registration is possible based on an invitation from someone in the community or by paying a fee. TOP ARTICLES2/5READ MOREGoogle Chrome to Gradually Start Blocking Mixed Content by Default
[92 Million unique] records of almost every [Brazilian] citizen on sale in Underground forums. The actor also offers service to find records about any individual with small initial information living in Brazil.#intelhunt #brazil #threatdiscovery #breached6:35 AM – Sep 27, 2019Twitter Ads info and privacySee Breach Radar’s other Tweets
A post on one of the forums seen by BleepingComputer informs that the database is 16GB large, in SQL format. The starting price for the auction is $15,000 with a step up bid of $1,000.
According to the seller, registered as X4Crow, the records are separated per province and include names, dates of birth, and taxpayer ID (CPF – Cadastro de Pessoas Físicas) of individuals. The database also has taxpayer details about legal entities, or the CNPJ (Cadastro Nacional da Pessoa Jurídica), it is stated in the post.
BleepingComputer received a sample of the database and was able to verify that the information on individuals is accurate and also included the mother’s name, and gender. We used the CPF lookup service on the Brazilian Federal Revenue website, which also provides the year of death in the case of deceased persons.
Although the origin of the cache is not revealed in the seller’s announcement, BleepingComputer was told that it is a government database. X4Crow says that it contains 92 million unique records that cover “almost all Brazilian citizens.”
This is highly unlikely since Brazil’s population in 2010 had over 190 million people and estimates for 2019 increase that number to more than 210 million. The availability of taxpayer numbers, though, suggests that the records belong to employed citizens.
Multiple statistics estimate that there are around 93 million Brazilians employed, adding weight to this theory.
Search service available
From the information we received, the seller may not have received a single bid. However, they also count on making money from another service that promises to return rich information on Brazilian citizens starting from just a few details.
Using input as little as a full name, taxpayer ID, or phone number, X4Crow claims to be able to retrieve data available in national identification documents (ID card, driver’s license).
Apart from this, the seller claims that the report may include phone numbers (mobile and landline), old addresses, email address, profession, education level, possible relatives, neighbors, license plates, and vehicle(s).
There is no guarantee that all the details will be retrieved for all individuals but the report may provide, on average, 80% of the specifics listed above.
On a freely accessible forum, X4Crow said that they can also get data on any company and its corporate structure. The price for fetching all this is $150, although they offered occasional discounts of $50.
This service may rely only partially on the database they want to sell, an independent security consultant told BleepingComputer. They likely have other data sets to scour for the information.
Not a stranger to cybercrime
Although they don’t seem to have long track in the field, X4Crow definitely has enough knowledge of cybercriminal activity to clue others in on how they can solve an issue.
From discussions we’ve seen X4Crow engage in, they appear to be well informed about various types of operations. They offered possible solutions/advice to problems described by fellow forum members. Some of the topics referred to lateral movement in a LAN and phishing.
One of their profiles lists services that include programming, penetration testing, and malware-related advice and support. Selling databases is not among their skill set, which requires knowing what the market wants and providing it for the right price, typically a fixed one, not an auction.