Info@NationalCyberSecurity

A Hacker Faked His Own Death–Then Claimed To Have Sold Marriott Customer Data To Russians, FBI Says


A hacker told the FBI earlier this year that he sold access to the personal data of Marriott hotel customers on a Russian forum, according to a search warrant obtained by Forbes. He also hacked into a number of U.S. state death certificate registration agencies in an effort to fake his own demise, Department of Justice investigators alleged.

The defendant, Jesse Kipf from Somerset, Kentucky, was charged last month with hacking into employee accounts at two Marriott contractors earlier this year: Canadian hotel internet service provider GuestTek and online marketing specialist Milestone. With access to their internal networks, Kipf said he was able to view Marriott personal customer information and evidence indicates he sold access to the data on a Russia-based online forum known as Exploit.in, investigators claimed.

Neither Marriott nor its contractors publicly disclosed the breaches. Marriott spokesperson Liza Ravenscroft said the company’s own systems were not hacked and that it understood “there was no impact to customer data.” Neither GuestTek nor Milestone had responded to requests for comment at the time of publication.

The Department of Justice unsealed an indictment against Kipf earlier this month, charging him with identity theft and hacking into GuestTek, Milestone and death certificate systems operated by the states of Arizona, Hawaii and Vermont. His lawyer hadn’t responded to requests for comment at the time of publication.

The DOJ didn’t specify what Marriott customer data was affected by the breaches, though it claimed Kipf had previously sold social security numbers and identifying information online. Marriott has been the victim of a number of major breaches in recent years, the most significant in 2018 when data on as many as 500 million customers was compromised.

Kipf was caught after he used his personal IP address to access the Hawaii state health department’s computer systems in January, on which he had registered his own death certificate, according to the warrant. It’s alleged he also sold access to the Hawaii department’s system on Exploit.in.

Kipf was arrested in July. The DOJ said that in an interview Kipf admitted to hacking into the death records systems across Arizona, Connecticut, Hawaii, Tennessee and Vermont, claiming in all cases but Hawaii he was testing how easily the servers could be breached.

However, Vermont officials later told the FBI that the state had a death record for Kipf, created in May 2023. A spokesperson with Vermont’s health department told Forbes they believed no data was accessed.

The DOJ didn’t say how Kipf used his access to other health departments’ internal systems. Arizona’s agency declined to comment. The other state departments responsible for death records hadn’t responded to requests for comment at the time of publication. Hawaii had previously publicly confirmed a breach.

In the same DOJ interview, Kipf said he had been unemployed for five years and had been selling personal information to people across the world, including in Algeria, Ukraine and Russia. He said that in months prior to being interviewed, he had accessed Marriott’s customer relationship management system and sold the access to Russians, though he didn’t provide any more detail on their identities, according to the warrant.

He then claimed to have had “access to all the Marriott hotels around the world, their websites and backends,” saying Indian developers hired by the hospitality giant “have horrible habits and reuse the same passwords.” Marriott later told the FBI that they had seen an IP address the authorities linked to Kipf “attempting to access, visit and extract data from Marriott internet domains and internal servers from February 9 2023 to May 22 2023,” a total of 1,423 times.

“We investigated this matter earlier this year prior to being contacted by the FBI and then fully cooperated with the FBI’s inquiry,” Marriott spokesperson Ravenscroft said in an emailed statement. “Based on our investigation and engagement with the vendors, there was no breach of Marriott’s systems and we understand that there was no impact to Marriott customer information.” She added: “Any claims that Marriott data or systems were compromised is false.”

The DOJ presented no evidence that Marriott’s own servers were hacked. One victim, though, was GuestTek, which provides communications services to a number of Marriott hotels across the world, the DOJ said. In February, the FBI believes that Kipf obtained a GuestTek project manager’s username and password, which “had administrator and global access to all of GuestTek’s current and past customers,” according to the warrant.

Later, in June, an IP address associated with Kipf was used to gain access to two employee accounts at Milestone, a marketing company that has helped Marriott run a number of its websites. The FBI said two Milestone developer usernames and passwords were compromised, both based in India. That gave the hacker access to the backend systems managing the customer interface for booking Marriott services, according to the search warrant.

The breaches may also affect more hotel chains than Marriott. In a filing earlier this month, the Department of Justice noted that GuestTek and Milestone had various customers in the hospitality industry and that “some of the networks the defendant breached contained personal information of those major hotel chains’ customers.” The department added that its investigation had revealed “potentially thousands of individuals whose personal identifying information may have been accessible to Kipf or his customers.”

In February, around the same time as the GuestTek breach, a person using the online moniker “FreeRadical” was offering “network admin access to 3.9k worldwide hotels” on exploit.in, the DOJ said. Later the same persona, which the FBI believes to be Kipf, was found selling over 1,000 social security numbers of Americans under the age of 18 and over 150,000 social security numbers of other U.S. citizens. That same FreeRadical moniker had been used in January to sell access to American death registration systems and had posted a redacted death certificate document as proof of a breach. The Hawaii health department was later able to identify the unredacted version of that document, finding it was Kipf’s own death certificate.

After Kipf was released on bail, the FBI suspects, he continued hacking. The agency says the same IP address from previous hacks was used to breach Origin Physical Therapy, which provides healthcare to 40 million women. (Origin hadn’t responded to a request for comment at the time of publication.) The FBI says he allegedly used that access to send “political and extremely offensive language” to customers of the healthcare company. One of Kipf’s other online monikers was also seen offering a “large volume of California USA credit cards” on a hacker forum, the FBI alleged.

After police searched Kipf’s home, they found 22 driver’s licences across myriad states, from Kentucky to Idaho, all with his photo. Federal investigators also discovered he’d bought five Canadian Gold Maple Leaf Coins, worth over $2,000 each. It’s not clear how or why Kipf attempted to fake his own death, though evading law enforcement is one possible explanation.
