Green Card Lottery agency exposes applicants’ data


Thousands of applicants for the Diversity Immigrant Visa Program, widely known as Green Card Lottery, got their private data leaked by the US GREEN CARD OFFICE LIMITED (USGCO), a limited liability company registered in the UK that helps to prepare the documents, the Cybernews research team has found.

A database containing information on about 202,000 unique accounts, along with an additional 147,000 related “secondary users,” was placed in plain text in an open directory on usgreencardoffice[.]com. The database dump was left without any protections and was accessible to web crawlers, scrapers, or any website visitors.

Cybernews researchers discovered the directory on November 16th after search engines indexed the open directory in their search results. The database dump file inside appeared to be from the year 2018.

ADVERTISEMENT

The leaked private information of Diversity Immigrant Visa program applicants included email addresses, passwords in deprecated MD5 hashes, full names, genders, places and dates of birth, phone numbers, marital status, education, and number of children.

Secondary users included wives, husbands, and children of the main accounts. The leak exposed their names, genders, marital status, date of birth, place of birth, and education level.

Open directory

“This leak is alarming and extends beyond inconvenience. It affects more than 350 thousand people, some of whom may be vulnerable due to their immigration status. Bad actors could exploit leaked contacts and crack the passwords stored using an outdated hashing algorithm from 1991. Social engineering attacks are also likely,” the report by the Cybernews research team reads.

Individuals living with temporary permits in the US are especially vulnerable. Bad actors, knowing about attempts to obtain permanent residence visas, combined with a falsified sense of urgency, may try extorting or blackmailing their targets in spear-phishing attacks, pretending to be immigration officers or others. Numerous scams and attempts to defraud individuals in similar situations have occurred in the past.

The MD5 hashing algorithm has not been recommended for cryptographic functions such as hashing passwords since at least 1996 due to its susceptibility to vulnerabilities. Modern graphics cards can check hundreds of millions of such hashes per second.

Following responsible disclosure procedures, the Cybernews research team sent a notification on the issue to the USGCO on November 21st, 2023. Soon after, private information was no longer accessible on the web server.

Cybernews reached out to the USGCO for additional comments. However, the company’s officials did not respond with a public statement.

ADVERTISEMENT

How could private data end up in the public directory?

Malicious actors may be involved in accessing the USGCO’s personal information. Among other files in the open directory of the USGCO’s website, usgreencardoffice[.]com, Cybernews researchers discovered a reverse shell file that indicates compromise. Web shells are often used to take over, deface, or compromise websites.

“A PHP script, called “navigation-s1O0f7.php” appeared to be a reverse web shell used by malicious actors to extract information and transfer files from the server. This file was hidden and masqueraded as a Divi theme for WordPress – the website itself was not running on WordPress”, researchers noted.

In this case, the shell file was uploaded to the server on August 1st, 2023.

“It is unclear whether any other information was compromised or accessed. However, judging by its publicly visible upload date, hackers have had more than enough time to expand the attack laterally, compromise computers or servers, or even use the infrastructure for other activities, such as DDoS attacks or crypto mining,” researchers said.

The Cybernews research team was unable to identify who uploaded the PHP script to the web server and did not find any ties to any threat actors based on only publicly available information.

Directory access may have been left public unintentionally due to a server misconfiguration.

The service is not an official US government authority

Despite sounding official, the US GREEN CARD OFFICE LIMITED is unrelated to US authorities or official services. This limited liability firm is registered in the UK and describes itself as a “USA Immigration Advisory Company.” On its website, the company promotes services of registering users for the US Green Card Lottery.

A Green Card, officially called a Permanent Resident Card, allows people to live and work permanently in the US.

ADVERTISEMENT

Green Card applicants are usually advised to use free official government resources to ensure accurate and legitimate information. The US Citizenship and Immigration Services (USCIS) website uscis.gov provides application forms and information on processes and requirements. More information on Green Cards through the Diversity Immigrant Visa Program is provided here.

Many other similar third-party service providers online offer guidance, legal advice, and help to fill out the form for the additional fees.

“The incident highlights the responsibility of the companies not only in protecting their users but also safeguarding public trust in official online services,” Cybernews researchers write.

The USGCO’s filings are public and reveal that the firm had a turnover of £180,000 in 2022, with a profit of £98,000.

What should compromised website owners do?

When private information gets exposed through breaches or by accident, companies, according to UK law, must notify the Information Commissioner’s Office no later than 72 hours after becoming aware of it.

It is essential to contain the leak and ensure proper web server configuration, disabling access to private directories and files. Only authorized users should have access to the resources based on their roles. Regular testing, audits, and monitoring could help detect incidents and breaches promptly.

“Administrators should use the latest hashing algorithms for password keeping. Finally, it is important to communicate with the customers who may be in danger due to the leak,” researchers suggest.

The Cybernews research team believes the US GREEN CARD OFFICE LIMITED should take down the compromised server and investigate whether the attacker got in, what they could access, and what unauthorized changes were made. That would help to identify the scope of the breach and contain it.

ADVERTISEMENT