Experian sends scam links via Email, putting millions at risk

Ighor July
13 min readJun 19, 2024

--

What if I told you that identity protection services might actually be helping thieves steal our information? This alarming reality seems to be unfolding, putting millions at risk.

Hello everyone, my name is Ihor July, and I am a cybersecurity expert and reverse engineer from Ukraine. I recently decided to try the AAA Experian ProtectMyID service and it has led me to another critical story that I need to share with you.

This article contains sensitive information based on my personal experiences and investigations, presented to inform and encourage vigilance.

Understanding Experian and AAA’s role

Experian is a global information services company that provides data and analytical tools to businesses and consumers, mainly focusing on credit reporting. It is one of the largest credit bureaus, alongside Equifax and TransUnion. In the U.S., Experian represents 245 million credit-active consumers nationwide.

ProtectMyID is part of the suite of services provided by the Experian company. Since its establishment in 1995, it has focused on helping consumers manage and protect their personal information.

AAA membership offers roadside assistance, travel discounts, trip planning, and insurance services. Members also receive ProtectMyID by Experian as a complimentary service, enhancing their financial security. AAA provides services to more than 64 million members, according to their executive leadership team information. This means a significant portion of the population potentially utilizes ProtectMyID.

A closer look at security alerts and deceptive practices

In a digital world where data breaches seem to be a regular occurrence, I’ve become accustomed to receiving security alerts. Like many others relying on identity protection services, I’ve seen plenty of these notifications, often referencing past breaches. However, one alert from April 22, 2024, stood out — not because it was unique, but precisely because it wasn’t. It was part of a pattern that could indicate an attempt at deception.

Among the numerous alerts I’ve received from AAA Experian ProtectMyID, many were outdated — a common enough occurrence as companies catch up with past breaches. However, one alert in particular raised serious red flags.

In my personal experience, upon receiving an alert email from Experian, I immediately noticed something amiss — the inclusion of a clickable link. This stood out to me as a deviation from typical security alerts, which are usually more cautious with direct links. To verify the authenticity of the email, I compared it with standard practices and checked the source of the email. Upon not recognizing the domain provided in the clickable link, I conducted a detailed verification process. I checked the email headers to confirm it originated from Experian’s official servers and logged into the official aaa.protectmyid.com page directly via a web browser, bypassing the email link, where I found the same alert listed in my account. This confirmed that the email was indeed from ProtectMyID, but the inclusion of a clickable link raised significant security concerns.

I assumed that the alert link from Experian’s ProtectMyID would be clickable only in the Mac Mail app, but I verified that it remained clickable even when accessed through the Gmail website, indicating it is clickable across all platforms.

For over a decade, I have been using a password manager and meticulously recording every domain where I’m registered, ensuring all my passwords are unique — a practice I strongly advise everyone to adopt. In this well-documented list, I could not find any record of the domain mentioned in the alert email. This difference raises concerns about whether the alert was genuine and the possible misuse of identity protection services for scamming.

This raises serious concerns about the security practices in place, as unprotected links can pose a significant security risk, potentially exposing users to scam domains. Users often click on domains provided in security alerts with the aim to quickly verify breaches and change their passwords. Including a link in an alert may lead more users to click it, especially if they are worried about their data’s safety. If the link is part of a scam, this natural inclination to react quickly can lead users directly into the scammer’s trap, exposing them to further risks such as malware or phishing.

In exploring the practices of various identity theft protection services, I noticed a difference in how they handle alert notifications compared to Experian. Unlike Experian, which provided a plain clickable link within the alert, the other services I tried opted for more secure communication methods. These services either directed me to manually enter the website address into a browser or provided a non-clickable URL in the alert. This approach significantly reduces the risk of inadvertently clicking on malicious links and offers an added layer of protection against phishing and scam activities.

Ecoin Official - revealed as a fake investment scheme

Since the domain creation on April 28, 2019, according to WHOIS records, it hosted a suspicious investment website that received numerous negative feedbacks and scam reports, as visible on Trustpilot.

Moreover, upon visiting the mentioned domain on April 22, 2024, it became evident that the site had no actual content of its own. Instead, it served merely as a gateway, redirecting visitors directly to a specific post on the Telegram channel.

This setup further suggests that the purpose of the domain might be solely to generate traffic to other platforms, leveraging the credibility of security alerts to mislead users. This insight was critical in understanding the scale and potential impact of this issue. According to the domain’s history on archive.org the link to the Telegram channel was added at least since February 5, 2024.

The actual Telegram post dates back to November 16, 2023. This means that the substantial view count of nearly half a million was reached within approximately the last 5 months, highlighting a significant and rapid increase in traffic to the Telegram post shortly after the domain began redirecting users there.

Upon exploring the final destination of the links from the Telegram post, I encountered web services hosted on Russian domains, typically used for web analytics. While such counters are common tools for any website interested in tracking visitor statistics, their presence may suggest a potential Russian origin or involvement in the operation of the scam.

In the context of this scam, it could imply that the individuals behind these deceptive tactics are likely operating out of Russia, or at least using Russian digital infrastructure. This leads to a plausible hypothesis that the scam could be orchestrated by Russian-speaking individuals, leveraging tools and services familiar to their digital ecosystem.

The channel post was edited as recently that today, illustrating that the scammers retain the ability to modify the content at any time. This adaptability allows them to test different scam messages and tailor their deceptive tactics to different audiences, significantly enhancing the effectiveness of their scheme and maximizing the potential for exploitation.

To track the history of a domain, I use archive.org to view past versions of websites and check for changes. According to archive.org, at least from April 23, 2023, to August 5, 2023, it redirected to a malicious zip file containing an executable, hosted on Discord. These files can contain malware that might infect a computer with viruses or software that steals personal information or encrypts files for ransom.

The contents of the Setup.zip file, which was downloaded from a redirect I found on archive.org, have been identified by virustotal.com to contain the Trojan-Downloader.Java.Agent.

According to my analysis and VirusTotal reports, the Trojan-Downloader.Java.Agent found in the Setup.zip file included a built-in Java Runtime Environment (JRE). By packaging its own JRE, the malware ensures it can run its malicious operations on any system, regardless of the existing software setup, thereby increasing its effectiveness and reach. This setup makes it especially dangerous as it can operate undetected and initiate its malicious activities immediately upon execution.

I ran it on an isolated VM, and it turned out to be an endless loading of likely fake installer with background activities.

As of my inspection on April 30, 2024, the ecoinofficial.org domain, which was previously linked to a Telegram channel, redirected to the exeo.app website via the link shortener, cuty.io. Exeo.app redirects the browser to ads for unwanted browser extensions, surveys, adult sites, online web games, fake software updates, and unwanted programs.

Further changes were observed in the redirection behavior of the ecoinofficial.org domain. This time, the domain redirected to a different Telegram channel, specifically to the URL

Shortly after this redirection was implemented, the Telegram post linked from this URL was labeled as a scam. This quick identification of fraudulent activity underscores the ongoing use of ecoinofficial.org in schemes intended to deceive users. This pattern of redirecting to various questionable Telegram channels highlights the need for ongoing vigilance and underscores the domain’s role in perpetuating potential scams.

Analysis of the fake password leak database and its potential impact

Considering that no one would logically trust a database containing future dates, it suggests that the fake password leak database could have appeared on Experian servers at some point after the initial signs of the alleged fake password leak, which were noted in the alert on November 9, 2021.

Based on the data, the Telegram channel’s promotion via the domain from at least November 16, 2023, until April 25, 2024, and the tallying of 428K views, we can infer a significant level of user engagement. An average of approximately 80K clicks to the domain per month suggests a high click-through rate, which, when exploited, could be a lucrative strategy for scammers. However, after April 30, 2024, the domain started redirecting to another Telegram channel, and by June 17, 2024, the post on the first channel has accumulated 443K views. This indicates that after the link was removed, the domain received only 10K views per month, a significant drop from the previous 80K views per month. Likely, the remaining 70K views per month were generated from Experian email redirects, highlighting the significant impact of these emails on the domain’s traffic.

If we assume that Experian was affected by the fake password leak database around January 1, 2022, and the scam site continued to accumulate views, the potential reach of the scam could have extended to around 1.5 million views over the active months of the scam.

Considering the redirect to a malicious zip file containing an executable hosted on Discord was active from April 23, 2023, to August 5, 2023, we can extrapolate the potential impact. If we follow the previous estimate of ~70K clicks per month, over the roughly 3.5 months that the virus-laden zip file was linked, this could translate to approximately 245K potential exposures to the virus.

The estimates I’ve provided are based solely on one specific domain, highlighting a considerable potential impact. However, it’s important to recognize that this domain may be just one element of what could be a much larger database exploited by scammers. I do not have details on how many other domains might be included in the database that Experian used, which means the overall impact on users could be significantly higher if multiple domains are involved. Additionally, scammers could be exploiting other companies beyond Experian. While we don’t know the full extent of Experian’s exposure, the practice of sending clickable scam links directly to its users could potentially make Experian one of the largest targets.

Potential risks and implications

This scale of traffic implies that the scammers could be capturing a large audience, putting an alarming number of users at risk of exposure to their malicious activities. With such a volume of potential victims, the impact of this scheme could be substantial, both in terms of potential financial loss for individuals and the broader implications for online security and data protection services.

Scammers often create phishing emails designed to deceive recipients into clicking on malicious links or divulging personal information. These emails typically have suspicious sender addresses or warning signs that make them likely to be automatically flagged and sent to spam folders. However, when such phishing attempts are disguised within legitimate communications from trusted sources like Experian, the usual red flags may not trigger the same level of scrutiny.

In this particular case, the involvement of Experian, a trusted identity protection service, plays a crucial role in the effectiveness of the scam. Since the alert comes from Experian, it bypasses the usual email filters that would typically identify and block suspicious emails. As a result, malicious links contained within these seemingly legitimate alerts are more likely to reach and be acted upon by millions of users. This inadvertently aids scammers in delivering their malicious links to a large audience, significantly increasing the risk and impact of potential scams.

Conclusion and next steps

It appears that the scammers may have implemented a sophisticated strategy to exploit identity theft protection services. They likely purchased a database of email addresses, then manipulated it by replacing legitimate site domains with those of scam sites. After injecting these fraudulent domains, they sold the altered database to identity theft protection services. This deceit not only jeopardizes the credibility of the alerts provided by these services but also inadvertently assists the scammers in directing traffic to their nefarious operations.

Such actions suggest that the services, which are designed to alert users to potential identity theft, are unwittingly helping scammers by displaying these scam domain links to users. This could lead to significant financial losses for individuals who trust these alerts and visit the links, assuming they are legitimate by mistake. The situation underscores the need for these services to enhance their data verification processes to prevent the distribution of false information and protect users effectively.

It’s important to examine not just the breaches but also the alerts we get. Companies must stop sending clickable links in alert emails and are responsible for verifying the links they send to users to prevent such scams. By adopting safer practices, such as directing users to manually navigate to their website or using a secure verification process, the likelihood of clicking on malicious links is greatly reduced.

As example, this Chase email alert enhances safety by not including a clickable link, a contrast to Experian’s approach that presented direct links within their alerts.

Clarification of facts and estimates

Please note that the assertions in this article are based on my personal experience and publicly available information. The estimates provided are approximate and subject to verification. It is also possible that other identity protection services beyond my awareness could be affected, and Experian’s disclosed information may represent only a portion of the overall impact. Using estimated views to gauge the impact of a scam doesn’t precisely reveal how many people were actually scammed. Since the domain could redirect users to various websites depending on their location, this variability could affect the accuracy of our estimates. We can only analyze the states of the domain when they were captured in snapshots by archive.org, not the transitions or changes that occurred between these snapshots. However, we can expect that about 1% to 4% of the people who viewed the scam might have fallen for it. This estimate is based on typical response rates seen in similar situations.

Communicating with Experian

I reached out to Experian’s support team on April 26 to report this issue. However, by May 6, having received no response, I followed up only to discover that my ticket had been closed without any notification. It was deemed invalid, and I was told that they couldn’t handle the request. I was provided with the contact details of a supervisor. On May 6, I promptly sent all the documented details of the security issue to the supervisor, hoping for a more informed and substantive response, but none was received. After reaching out publicly on Twitter on Jun 6, 2024, Experian suggested sending a direct message, which I did. They acknowledged my message and claimed to have forwarded it to a supervisor.

However, I received no confirmation that they reviewed my report, were working on it, or had decided not to fix the issue.

Decision to write the article

After multiple unsuccessful attempts to resolve the issue with Experian, I decided to publish this article. My goal is to bring attention to the critical security flaws I discovered, with the hope that Experian and other companies will take these threats seriously. This article aims to highlight the potential risks and motivate companies to address and prevent similar scam schemes, thereby protecting millions of users from identity theft and fraud. By raising awareness, I seek to drive improvements in security practices across the industry.

Clarification of facts and estimates

To clarify, receiving an email from Experian ProtectMyID with a clickable link to a scam domain is a confirmed fact, as is the domain history and information about scam redirects. All other statements and conclusions in this article are based on my personal calculations and assumptions.

Proof

Any email added to an Experian ProtectMyID account will be monitored for dark web leaks, no verifications or email codes needed. Add my email ighorjuly@gmail.com to your ProtectMyID, and within a week, they will send you lots of alerts, including one with a clickable scam link. https://aaa.protectmyid.com/login

Stay alert, stay safe, and let’s support each other in maintaining the security we so heavily depend on.

Make sure to subscribe ighor.medium.com for more intriguing updates! Also, check out my YouTube channel for more cybersecurity investigations youtube.com/@IGHOR

--

--

Ighor July

Ukrainian 🇺🇦 Cybersecurity expert, C++ developer and Reverse Engineer