GRAND RAPIDS, Mich. — The Michigan Attorney General says the recent Meijer mPerks fraud highlights the use of the dark web for stealing information to gain access to money or points we have in various accounts.
Court documents explain that Nicholas Mui of Grand Haven operated websites selling stolen log-in information from several retailers, including Meijer, on the dark web.
He admitted he has been committing these crimes since 2019.
"The dark web is actually larger, many times larger than the surface web," said Dr. Greg Gogolin, the Director for Cyber Security and Data Science at Ferris State University.
Gogolin explains that the nature of the dark web makes it ideal for selling stolen data.
"One of the challenges of the dark web is sites can come up and down really quick, a day, hours, things like that," he said. "So if someone wants to sell something, and not be tracked, that's a very useful place to go because if the site has gone down, they're not necessarily indexed, then it is hard for traces to be found."
Court documents say Mui made thousands in cash and cryptocurrency. With search warrants, police found nearly $278,000 worth of cryptocurrency in his possession and about $30,000 in cash.
The Attorney General said the information he bought on the dark web was from previous data breaches. After acquiring that data he was able to match up the information to Meijer login accounts since many people will use the same username and password for multiple platforms.
"The purpose for retailers to generate rewards programs, is to use it for marketing, personalized marketing," said Gogolin. He also explained that the targeted marketing involved in rewards programs and email phishing have much in common, with criminals taking notice.
"[Retailers] specifically sell to someone, or target someone, that might meet a certain criteria, but if you think about it, that's exactly what phishing entails," he said. "It is targeted marketing. So the retailers are actually making it easier for individuals using phishing, because they have created the datasets and the patterns that someone conducting a phishing attack can take advantage of."
Gogolin also added that rewards programs can contain a vast amount of information.
"In addition to just the benefit of having the customer information like we mentioned, understanding people's patterns, when they shop, where they shop, what they purchase, and in something like Meijer, it's even tied to pharmaceutical," he said. "So if you perhaps get something at the pharmacy, you may get rewards for that as well, so then it kind of ties into not only customer information, but medical information."
When it comes to protecting customer information, Gogolin said the companies need to make it a priority.
"If all of a sudden their mPerks data is being used at a store hundreds of miles away, that they've never been in, and perhaps they've been in a different store 20 minutes ago, that's a big red flag. So that type of monitoring, there's maybe a responsibility for the companies to do that. And a lot of them are not."
►Make it easy to keep up to date with more stories like this. Download the 13 ON YOUR SIDE app now.
Have a news tip? Email news@13onyourside.com, visit our Facebook page or Twitter. Subscribe to our YouTube channel.
Watch 13 ON YOUR SIDE for free on Roku, Amazon Fire TV Stick, Apple TV and on your phone.