Bot Threats
July 29, 2023

How Bots obtain Fullz.

What is “fullz”?

The term "fullz" is the slang term for a complete or ‘full” set of personal information about an individual, often used for fraudulent purposes. The full set of stolen ID fullz package is typically made up of the following:
  • Victim’s full name
  • Victim’s address
  • Date of birth
  • Victim’s social security number (or equivalent international ID e.g. passport ID number)
  • Contact details, email, mobile number and even email password.
  • Credit or Debit Card information, and any associated bank account details, name of bank, sort-code, etc, used for transactions

Personal information has become a valuable asset, sought after by both legitimate businesses and criminals. While obtaining fullz is illegal and unethical, understanding the role of bots in acquired fullz can help businesses protect websites, mobile apps and APIs from identity theft and cybercrime. This blog article aims to shed light on the methods automated bots use to obtain fullz and provide essential tips for safeguarding company personal data on the internet.

1. Why Fullz?

Fullz are packages of stolen personal information usually including stolen credit card details, obtained by criminals who then bulk sell these stolen packages. Criminals use the fullz data to commit various fraudulent activities, such as opening new bank accounts, making unauthorized purchases, and committing other fraud such as applying for new loans, credit cards, using the Fullz ID details. Armed with the “fullz” - criminals can then use this data to appear legitimate and gain access to even more lucratiive and high value fraud, such asfraudulent mortgages, investments and other serious fraud.

2. The Dark Web and Fullz

The dark web is a hidden part of the internet that requires specific software to access. It serves as a marketplace for illicit goods and services, including fullz. Criminals use cryptocurrencies for anonymous transactions on the dark web, making it challenging for law enforcement to trace their activities.

Criminals often use malicious bots to gain access to fullz data, and then use the dark web to sell the fullz data onto another criminal network, who uses the fullz as leverage to commit other criminal and fraudulent activity.

Pricing for fullz data just depends on how current the data is, which vertical market segment it covers. Typically fullz are priced per thousand - starting at a few hundred dollars to several thousand dollars for a stolen credit card or debit card fullz with a nice limit or balance. The fullz for a stolen credit card, is obviously the most valuable. This combines the general fullz data with:

  • Cardholder’s name
  • Billing address
  • CVV code
  • Credit card number
  • Expiry (and issue date where applicable)

Fullz cards can either be the credit fullz with the associated credit limit or debit fullz with a confirmed balance.

3. Data Breaches: A Goldmine for Fullz

Data breaches occur when hackers gain unauthorized access to databases containing valuable personal information. These breaches can expose millions of records at once, making it a lucrative source of fullz for cybercriminals. Many data breaches exposing millions of fullz are already widely available. Visiting the site https://haveibeenpwned.com/ is a sobering experience.

The site aggregates hundreds of millions of passwords from hacked sites, so you can see if your email has been part of a data breach. Just one example, in November 2020, a collection of more than 23,000 allegedly breached websites known as Cit0day were made available for download on several hacking forums.

The data consisted of 226M unique emails with password combinations. Many of these passwords still haven’t been changed. Malicious bots using brute force attacks using these combinations still yields good results, and major new data spills are occurring every month.

4. Preventing Scraping for Fullz data

Scrapers are often used to collect basic personal information the hackers can then use as part of more sophisticated fraudulent criminal activity.

Scraping business websites gives the criminals a list of employees, locations, full name, job titles, Linkedin URLs, perhaps even the ability to scrape or deduce an email address. This is just the starting point. Armed with the up-to-data basic employment record, the criminals can cross-reference against know breach data, and start to develop the complete fullz set.

Why do they do this? Quite simply by targeting a work force, you know you can target a large group of salaried workers, with higher disposable incomes.Targeting a large enough group means that the law of averages means the criminals can succeed

Critically many users make the fatal mistake of using their ‘internet’ password to login to their business accounts. This is often the root cause of so many account take-overs for the business.

4. Preventing Fullz Attacks

Protecting your business websites and APIs from fullz attacks is a constant challenge and requires proactive measures and vigilance.

We can split the problem into two parts.

First, securing your business IP and assets so they can’t be just scraped, or are open to account take over attempts by malicious bots. Criminals work at large scale. If they can’t easily scrape your entire domain, using bots it’s not worth the hassle of doing this manually, and they don’t bother to proceed further. They will go elsewhere.

Second, working on educating your users on how to keep their Personal Identifiable Information secure.

Clearly, educating the user base and constantly refreshing their cybersecurity skills is much harder to achieve. Writing office Post-It notes and sticking them on the screen with the log-in passwords is still a popular sport. Given, you are going to fail to achieve 100% user compliance, how can we concentrate on securing our company PII in the first place?

Here are some essential tips to prevent the consequences of any user lapse from having consequences:

4.1 Zero Trust at the Edge of Network

It all starts from bots scraping your business web pages and login paths unchecked. Stop the malicious bots from crawling and they can’t gain access to company employees IDs, logins and other basic data. See how to implement zero trust at the edge of network.Zero Trust Bot Protection at the Edge

4.2 Monitor your login paths for account take over (ATO) attempts

with automated tools that look for Bot attacks on your login paths. Implement a policy to change user passwords with strong protection at frequent intervals. This ensures they can’t use their own “internet favourite’ password or their birthday. Monitor this behaviour on the login paths.

Gaining access to an actual account means the criminals can often obtain way more personal data. For example, the account might include billing and home address details, transaction history, contact details etc. If you are not automating the monitoring these login paths its next to impossible to pick this up manually. See details of preventing bot ATO attacks.

4.3 Take particular care of your about us company pages:

with details of the company staff and management. Bot management software can stop all automated bot access to these pages, preventing them from being scraped. Check to see no personal company emails are exposed.

4.4 Customer Credit Card and Customer PII,

the really high value fullz is the full credit card, and needless to say the criminals are going to be highly motivated to obtain billing information. Protecting the login paths is the first point of entry, but ensuring any customer data is encrypted at Rest and in transit greatly minimises the risks.


Photo by Stephen Phillips - Hostreviews.co.uk on Unsplash

Check more blogs

Get updates on the content