The smorgasbord of mortgage deal documents exposed in the First American data leak is a potential feast for scammers carrying out escrow fraud to rob homebuyers of their cash.
On Friday, real estate insurance giant First American Financial Corp confirmed that a “design defect” made it possible for anyone with a web browser to access highly sensitive information of its customers.
These digital documents included bank account numbers and statements, social security numbers, mortgage and tax records, driver's licence images and wire transaction receipts.
This amounted to around 885 million files and dated back to 2003, according to independent cybersecurity journalist Brian Krebs, who first reported the breach.
To access these documents, a scammer need only know the URL of one valid document on the firstam.com website. To reach other records, all they had to do was increase or decrease the document number in that URL, which moved forwards or backwards in time through the stored files.
“At first glance, it appears that this vulnerability is an Insecure Direct Object Reference (IDOR) because the developer who found the vulnerability stated that he was retrieving different documents by simply changing the document number,” explained Jon Bottarini, hacker and lead federal technical programs manager at bug bounty firm HackerOne.
“Modifying the document number in his link by numbers in either direction yielded other people’s records before or after the same date and time.”
Dave Farrow, senior director of Information Security at cybersecurity firm Barracuda Networks, told Forbes that “No end user compromise is necessary. The hacker has simply identified an authorisation error in the website and walked through the front door.”
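As an added illustration (not First American's code or anything reproduced from the article), the following Python shows the authorisation gap described above beside a lookup that checks ownership, plus a log check that flags a client stepping through document numbers in sequence. The document store, user names and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed document store keyed by a sequential document number.
DOCS = {
    1001: {"owner": "alice", "title": "wire receipt"},
    1002: {"owner": "bob", "title": "bank statement"},
    1003: {"owner": "alice", "title": "tax record"},
}

def get_document_idor(doc_id):
    """Vulnerable: anyone who knows or guesses a number gets the record."""
    return DOCS.get(doc_id)

def get_document_authz(user, doc_id):
    """Hardened: only the owner gets the record; unknown and foreign
    document numbers both yield None, so the ID space cannot be probed."""
    doc = DOCS.get(doc_id)
    if doc is None or doc["owner"] != user:
        return None
    return doc

LOG_RE = re.compile(r"^(\S+) GET /documents/(\d+)")

def flag_sequential_walkers(log_lines, min_run=3):
    """Detection: per client, longest run of document numbers that step by
    one in either direction; clients whose run reaches min_run are flagged."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            ids_by_client[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for client, ids in ids_by_client.items():
        run = best = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if abs(cur - prev) == 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[client] = best
    return flagged

# Constructed access-log sample: one client steps through four numbers.
SAMPLE_LOG = [
    "203.0.113.5 GET /documents/1001",
    "203.0.113.5 GET /documents/1002",
    "203.0.113.5 GET /documents/1003",
    "203.0.113.5 GET /documents/1004",
    "198.51.100.9 GET /documents/1002",
]
```

The hardened lookup deliberately returns the same result for a missing record and for someone else's record, so a caller cannot learn which numbers exist.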
How criminals could exploit the First American data leak
At this stage, there is no evidence that data leaked on the First American website has been misused. A spokesperson for First American told Krebs on Security that it shut down external access to the application upon learning of the data leak.
“We are currently evaluating what effect, if any, this had on the security of customer information. We will have no further comment until our internal review is completed,” the spokesperson said.
The First American data leak is certainly no Equifax scenario, in which cybercriminals actively targeted the credit agency and stole hundreds of millions of customer records to sell on the dark web.
However, it is possible that the data, which sat exposed for an incredible 16 years, could have been harvested by bots slowly over time and used to carry out escrow fraud.
Normally, this type of fraud would involve a criminal stealing the login credentials of a real estate lawyer and emailing clients in the process of buying a home. The fraudster then asks for a wire transfer relating to the deal, leaving victims without their cash and without their home.
Verdict first reported this type of fraud, also known as the ‘homeless homebuyer’, in September 2018.
Escrow fraud “highly possible”
The First American data leak could – in theory – provide an all-you-can-eat buffet of potential victims to cybercriminals who knew of the security flaw. It would also mean fraudsters wouldn’t need to hack the real estate lawyer to pull off the scam. Instead, they could simply use display name deception to impersonate the lawyer from a bogus email address.
“If a scammer had access and decided to exploit this vulnerability, in particular, it would save a ton of time and effort and make this scam very easy to pull off because they would have all the personal identifiable information (PII) necessary without having to hack into each individual title company,” said Bottarini.
“Once the fraudster has this information, it is quite easy to spoof the title company’s site and send instructions to the end user to wire money needed to close on a property, usually to the fraudster’s account.”
He added that it is “highly possible that some of the recent scams regarding escrow fraud could be related to this breach in particular”, given First American’s large customer base.
Until First American completes its investigations, it will remain unknown whether cybercriminals took advantage of the flaw. In many cases, the true extent of the damage from a breach remains unknown for years, and it is quite likely this will be the case here. But the flaw does highlight the importance of companies checking for bugs that could give criminals such an opportunity.
“It’s important that companies, especially those dealing with mounds of sensitive personal data, have a public-facing way to report bugs and vulnerabilities,” added HackerOne CEO Marten Mickos.
“As a society, we must agree and mandate that anyone providing a digital product or service must have a proper way of receiving bug reports and fixing the problems.”