Where is the truth and where is the lie: we understand fake databases and reveal fakes

Father

Data has become a valuable new resource, and it leaks about as often as an old, worn-out oil pipeline. By now, leaks of various databases (DBs) have touched almost every resident of Russia. But do the scammers always tell the truth, or are their databases a hoax?

Today, in this article, we will reveal methods for creating fake databases, find out how fake databases differ from real ones, and also talk about their possible use and goals.

How fake databases are created and how they differ from real ones

There are only two ways to create a fake database:
  1. Compiling information that is already freely available. Cybercriminals can assemble one large database out of several smaller ones. They use open sources, social networks, earlier data leaks, and other public information. And data leaks happen all the time: everyone remembers the Yandex.Food and Russian Post leaks, and most recently Alfa-Bank. Once leaked, the data is public, and resourceful cybercriminals take advantage of it.
  2. Generating information. A generator of full names, passport numbers or SNILS numbers can be written by any third-year student in a relevant department. There are also plenty of freely available tools for building databases of fictitious people (for example, Random Data Tool, Factory_Bot_Rails, and so on).

So anyone who wants to mislead the public has no trouble creating a fake database; it is easy to do. Judging the authenticity of a database without special analysis, however, is almost impossible: in most cases the seller gives only a file name and a short description. Still, there are a number of signs that let experts suspect and identify a fake.

Artem Brudanin
Head of Cybersecurity at RTM Group

There is no single precise indicator by which fake data is detected. However, experts often use combinations of the following attributes:
  • metadata (hidden information about file creation date, authors, modification time, scanner or camera model, etc.);
  • content of images, graphs, photos, and captions;
  • names of organizations, physical locations, specific persons/full names — the relationship of these entities with each other;
  • presence of mentions in the media, comments;
  • impact and leak targets;
  • document quality;
  • checking duplicates in registered leaks;
  • structure of file objects and their properties.

If specialists have doubts about the authenticity of the database and there is such a possibility, then more detailed studies and checks are carried out. For example, checking data against real sources, analyzing the database structure, and verifying its integrity and reliability.

How to analyze fake databases

To perform the analysis, the database must at least be available to the analyst. Specialists then use automated software tools: for example, searching for edits in images with mathematical image-processing algorithms, or extracting metadata with exiftool, FOCA, or similar tools.
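As an added illustration of what a metadata search does under the hood (this is example code written for this article, not a tool mentioned by the experts above), the block below walks the chunk list of a PNG file, collects the text metadata that viewers and exiftool report ("Software", "Creation Time"), and checks every chunk's CRC. A CRC that no longer matches its chunk is the kind of sign an edited "proof" scan leaves behind. The sample image and its field values are constructed in the code itself, so it runs offline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(tampered: bool = False) -> bytes:
    """Constructed 1x1 greyscale PNG carrying tEXt metadata, standing in for a
    document scan a seller attaches as 'proof' of a leak. Field values are made up.
    tampered=True flips one CRC byte of the Creation Time chunk to simulate a
    hex-edited timestamp whose CRC was not recomputed."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, depth, type...
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    creation = _chunk(b"tEXt", b"Creation Time\x002021-03-14 12:00:00")
    if tampered:
        creation = creation[:-1] + bytes([creation[-1] ^ 0xFF])
    return (PNG_SIG
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"tEXt", b"Software\x00Random Data Tool")
            + creation
            + _chunk(b"IDAT", idat)
            + _chunk(b"IEND", b""))


def png_metadata(blob: bytes) -> dict:
    """Return {'text': {key: value}, 'bad_crc': [labels]} for a PNG byte string.
    'bad_crc' lists chunks whose stored CRC does not match their content."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    text, bad_crc = {}, []
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            bad_crc.append("truncated")          # file ends mid-chunk
            break
        data = blob[pos + 8:pos + 8 + length]
        (stored_crc,) = struct.unpack(">I", blob[pos + 8 + length:end])
        label = ctype.decode("latin-1")
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            text[key.decode("latin-1")] = value.decode("latin-1")
            label += ":" + key.decode("latin-1")
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != stored_crc:
            bad_crc.append(label)
        if ctype == b"IEND":
            break
        pos = end
    return {"text": text, "bad_crc": bad_crc}


if __name__ == "__main__":
    print(png_metadata(build_sample_png()))
    print(png_metadata(build_sample_png(tampered=True)))
```

A "Software" value naming a data generator, or a creation time that postdates the claimed leak, is exactly the kind of inconsistency the attribute list above refers to; a CRC mismatch on its own only proves the file was edited after the chunk was written, not what was changed.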

Konstantin Shulenin
Security Code Network Threat Expert

Most modern information systems, whether they are sites built on a CMS (content management system) or large corporate portals with many modules and integrations, have a very complex database structure. It includes many tables, relationships, and dependencies between them. For example, one edition of the popular CMS "1C-Bitrix: Site Management" has about 800 tables in its database structure "out of the box".
When generating data for a fake database, it is very easy to make a mistake, because only the product's developers know at what point and with what data the project's database is filled. For example, attackers can fill in the "Last Authorization Date" field for a fake user, but when the table that stores users' login records is analyzed, it turns out that this date does not match. If the tables lack attributes such as dates, timestamps, metadata, and other related attributes that can be used for verification, or the data is too uniform or, on the contrary, too "perfect", that is also a reason to question whether the database is real. Experts can therefore use analysis of the data in the tables and of the relationships between them to distinguish real databases from fake ones.

In addition to automated tools, experts look for discrepancies between the data and reality and for implausible values: non-existent addresses or names, negative ages, or the same huge order amount on every record.
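The two kinds of check just described, cross-table consistency (a user's stated last login against the login log) and single-column plausibility (negative ages, one value stamped on every row), can be run as plain SQL over a dump loaded into SQLite. The block below is an added example written for this article, not a tool from any of the quoted experts; the table names, columns and rows are a constructed toy "leak" that stands in for the structure Konstantin Shulenin describes.

```python
import sqlite3
from collections import Counter

# Constructed sample dump: a users table and a login log, as a seller's
# "leaked" export might contain. Names and values are invented.
USERS = [
    # id, full_name, age, city, last_auth
    (1, "Ivanov Ivan",   34, "Moscow", "2023-05-01 10:00:00"),
    (2, "Petrov Petr",   29, "Kazan",  "2023-05-02 09:30:00"),
    (3, "Sidorova Anna", -5, "Tver",   "2023-05-02 09:30:00"),
    (4, "Smirnov Oleg",  41, "Omsk",   "2023-05-02 09:30:00"),
]
LOGINS = [
    # user_id, ts  (users 3 and 4 have a last_auth but no login rows at all)
    (1, "2023-04-30 08:00:00"),
    (1, "2023-05-01 10:00:00"),
    (2, "2023-05-02 09:30:00"),
]


def load_sample() -> sqlite3.Connection:
    """Load the constructed dump into an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, full_name TEXT, "
                 "age INTEGER, city TEXT, last_auth TEXT)")
    conn.execute("CREATE TABLE login_log (user_id INTEGER, ts TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", USERS)
    conn.executemany("INSERT INTO login_log VALUES (?, ?)", LOGINS)
    return conn


def check_last_auth(conn: sqlite3.Connection) -> list:
    """Cross-table check: users.last_auth should equal the newest login_log.ts
    for that user. Returns ids whose stated value the log does not support."""
    rows = conn.execute(
        "SELECT u.id, u.last_auth, MAX(l.ts) "
        "FROM users u LEFT JOIN login_log l ON l.user_id = u.id "
        "GROUP BY u.id ORDER BY u.id").fetchall()
    return [uid for uid, stated, logged in rows if stated != logged]


def check_implausible_age(conn: sqlite3.Connection) -> list:
    """Single-row sanity check: ages a real registry could not contain."""
    rows = conn.execute(
        "SELECT id FROM users WHERE age < 0 OR age > 120 ORDER BY id").fetchall()
    return [uid for (uid,) in rows]


def check_uniformity(conn: sqlite3.Connection, column: str, threshold: float = 0.5):
    """Flag a column in which one value dominates: generators often stamp the
    same timestamp or amount on every row. Returns the dominant value or None.
    `column` is chosen by the analyst, never taken from the data itself,
    because an identifier cannot be bound as a SQL parameter."""
    values = [v for (v,) in conn.execute(f"SELECT {column} FROM users")]
    value, count = Counter(values).most_common(1)[0]
    return value if count / len(values) >= threshold else None


def analyse(conn: sqlite3.Connection) -> dict:
    """Run every check and collect the findings in one report."""
    return {
        "last_auth_mismatch": check_last_auth(conn),
        "implausible_age": check_implausible_age(conn),
        "dominant_last_auth": check_uniformity(conn, "last_auth"),
    }


if __name__ == "__main__":
    print(analyse(load_sample()))
```

On the sample, users 3 and 4 claim a last login that no log row backs up, user 3 has a negative age, and three of four rows share one timestamp; any one of these would be a reason to ask the seller where the dump really came from. On a real dump the same queries run unchanged, only the table and column names differ.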

Dmitry Gorlyansky
Head of Technical Sales Support Department of "Garda Technologies" (part of the "Garda" group of companies)

It is difficult to determine the authenticity of a database, because a fake database offered for sale is a "thing in itself", without context: where the data was taken from, how it was collected. We have only the description given by the seller of such a database, and sometimes only the file name.
Traditionally, three methods of data authentication are used: context (data matching), alternative data, and fact-checking.
In the case of fake databases, the first method is practically ruled out, but the other two can be partly applied. For example, if the database contains an "email" field, you can take several addresses and check whether they are real (by trying to register on the mail server with that address). If the description gives the database a territorial affiliation, you can check several addresses for their reality using Yandex.Maps. You can also look at phone numbers and check their territorial affiliation.

Experts also pay attention to whether there is a link between individual data and a correlation between tables or records. If they are missing, it may indicate that the database was created without a real data source.

Why and who needs fake databases

Generated databases are needed by developers to test applications: checking functionality, performance, and security. This lets them test their products without the risk of confidential information leaking.

Sergey Dobrushsky
Director of Product Development at CyberPeak

From a legitimate point of view, the main purpose of using fake databases is legitimate depersonalization for transmission to internal development, testing departments, or contractors. The key thing in this case is that the database structure, relationships of tables, fields, functions, and stored procedures should not be broken.

But this use of the database is rather an exception to the rule. More often, scammers become creators and users, and the databases themselves are used for criminal purposes. Below we will consider the most obvious ones.

Making a profit

Money, one way or another, is the main motive of any criminal, and the price of a database can reach several million rubles. The cost depends directly on how complete the confidential information is. For example, a database of phone numbers, full names and cities of residence can be bought from $200, a database of individuals of the Russian Federation from $100. Prices depend on the number of rows or the completeness of the records: a database containing passport numbers, email addresses, phone numbers, and home addresses may be priced at $1-2 per row.

And there are quite a lot of people who want to buy a database. Most often, these are low-level scammers — inexperienced carders, hackers, and others who want to gain access to illegally collected information for phishing or phone fraud. But there are also quite respectable buyers — microfinance organizations, commercial banks, insurance companies, advertising "engines" that use targeting, etc. They use the purchased databases for marketing, cold calls, spam mailings, getting information about competitors, and so on.

Sergey Polunin
Head of the Security Group for infrastructure IT solutions at Gazinformservis

The most popular scenario for using fake databases is commercial. That is, you put up for sale a supposedly leaked database of some notable company. The leak attracts interest, and there are those who want to buy it. Naturally, the trading takes place on closed platforms, so afterwards there is no one to complain to about the quality of the goods. Until it becomes clear that the database does not contain reliable information, given the number of applicants, attackers may have time to sell several copies of the fake.

Another way to make money is to extract payment from the people whose data is allegedly in the leaked database. For example, during the pandemic a fake database of citizens who had bought forged vaccination certificates and PCR results appeared on shadow Internet resources. One of the scammers' ways of earning was to offer, for a fee, to remove from the database the records of citizens who had "bought" certificates.

Scammers also often resell an existing old database on the darknet or in closed Telegram channels under the guise of a new one.

Spreading disinformation

Cybercriminals may have customers who benefit from spreading misinformation in order to provoke some kind of public reaction. For example, in 2023 fraudsters spread claims of an alleged leak of the Gosuslugi (Public Services) database in order to discredit state information systems. About 20 "leaks" supposedly containing the personal data of Russians appeared on the darknet. None of them was real.

Sergey Sablin
Axoft Business Development Manager

Most fake databases are created for the purpose of spreading disinformation for political or economic pressure. One of the most recent examples is the publication of fake mobilization lists in September 2022.
There are also frequent cases of planted stories in the media about the hacking of an organization or agency, which carries serious reputational and financial risks for those companies, while in fact the "leaked" databases contain publicly available or "garbage" information of no value.
Let's not forget that the goal of many attackers is to earn money. Generated fake databases, such as bank users, are sold online and find their customers.
In addition, there are many cases where malicious programs, such as viruses, Trojans, or adware, have been embedded in fake databases.

Publishing offers to sell such databases can be seen as an attempt to manufacture a news hook. The resulting hype can also help the attackers increase their income.

Impact on reputation

Fake databases are often used to create and distribute false information in order to create a negative news background around the company. The goal is to ruin the company's reputation and image.

Alexander Moiseev
Leading information security consultant, AKTIV.CONSULTING

Often, creating a fake database is a deliberate blow to the reputation of the company from which the data allegedly leaked. This is particularly sensitive for organizations in the financial industry and healthcare. Even when it turns out that the data of this "leak" is collected from open sources, an unpleasant aftertaste remains for existing and potential customers.

A database leak always hurts a company's reputation, although in Russia the question of image risk is not as acute as in the West. In fact, even after the large-scale leaks at SDEK, TELE2, Russian Post, Yandex.Food, Alfa-Bank and other Russian companies, customers did not turn their backs on them. There was a lot of noise and embarrassment, but people continued to use their mobile numbers, order food, and send parcels. That, however, is the view from the ordinary user's side.

If you look more broadly, the leak negatively affects the investment attractiveness of the company. In addition, there are large customers who will not be happy with the fact that their personal data is shared. For example, banks have VIP clients whose deposits make up the lion's share of the credit institution's capital. And if such customers leave, taking the money with them, the bank will suffer serious losses.

Conclusion

The personal data operators themselves are partly to blame for the appearance of fake databases. Currently, companies face a fixed and relatively small fine for leaking information (for legal entities, from 60 thousand to 100 thousand rubles). With no real fear of punishment, data is not properly protected, and leaks occur even at the largest companies. So when scammers post a fake database allegedly from a well-known bank or logistics company, nobody is surprised.

We hope that the turnover-based fines expected to be introduced in the near future will change the situation and reduce the number of leaks. That would mean significantly fewer fake databases as well.