Categories
Cybersecurity Tech Talk

What is credential stuffing, and why do I care?

Credential stuffing is when known passwords and usernames are used to try to take over online accounts. Recently an organization had almost 200,000 customer accounts compromised like this.

Learn more about it and what to do to protect yourself.

Categories
Cybersecurity Tech Talk

Amazon Scam Text Message – What Actually Happens When You Click?

Have you ever wondered what happens when you click on a link from one of those Amazon text messages that say your account is suspended? Here I run through one of those so you understand what they are doing.

TL;DR: They capture anything you put in the form: login info, social security number, credit card, whatever.

Do not try this at home – This was done from a secure computer that is resistant to viruses. Some of these links CAN try to infect your computer or phone.

Categories
Cybersecurity Quotes

Phishing-as-a-service platform ‘Robin Banks’ targets financial firms

I was fortunate to be quoted in this article about the Phishing-as-a-Service group ‘Robin Banks’. Check it out:

https://www.scmagazine.com/analysis/email-security/phishing-as-a-service-platform-robin-banks-targets-financial-firms

Categories
Cybersecurity

Paralyzed By Paranoia

I work in the interesting field of cybersecurity and have for quite some time. Throughout the years, I have found myself increasingly skeptical about people and organizations. It could just be my old age, after all my goal in retirement is to spend my days sitting on my front porch telling kids to get off my lawn, but it could be something else. In this line of work, I hear about scams and see the ugly side of the digital world quite often, and I think it has impacted me.

Recently, my wife and I decided to buy some land. We have been looking for years, but had quit looking due to prices. Then, this opportunity just showed up out of nowhere (well, on Facebook Marketplace), and the next thing I know, we are making an offer. The people we bought the property from will still be our neighbors and he is a retired real estate pro, so the decision to do the sale without realtors on both sides made sense financially; however, I was still nervous about it. His daughter, a current realtor, was kind enough to write up contracts and point us at a good title company, so it wasn’t like we were totally blind here. Over the course of a couple of weeks, while we worked through some financial stuff, we spent some weekends doing some clean up at the property with the seller’s permission and we got to know each other pretty well. In the back of my mind, I still had this gut-wrenching fear that things would go wrong.

When it was time to close, we met up with the title folk and signed the papers, then we had to transfer funds. Now this was a cash deal, so it was a matter of wiring money from our bank accounts to the title company, however I have heard so many stories about wire transfer fraud, that I was nearly sick with nerves when it came time to do the transfers.

I have no reason not to trust the seller. I looked up his name on the next-door property and the one we were buying, and they were the same (another scam is selling property you don’t own). I’ve seen his ID and I know that he lives in that house, yet I am still nervous almost to the point of paralysis while we wait for the property deed to be recorded and show up officially online (this can take several weeks right now).

So, what is the point of this story? It is this: it is not bad to be cautious these days, as scams are everywhere. Many originate on social media, and it is important to apply reason when looking at things; however, it is just as important not to let paranoia steal the joy from what should be a happy event. Do your due diligence and remember that deals that seem too good to be true, are.

2 tips for Facebook Marketplace:

  • Ads that include an alternate email address to contact, often saying something like ‘This is my parents’, which I listed for them’ followed by that other email address, are usually fake. They are simply getting you to communicate off Facebook.
Extreme low price, vacation mode and an alternative email address. This one has it all.
They have clearly taken over this account and are spamming all across the country as quickly as possible. Facebook can track when you glanced at an advertisement and feed you ads for years, but can’t seem to figure this trick out.
  • Ads that have unrealistic prices are fake. They want to open a conversation with you and will often attempt to get you to leave a deposit, or will tell you they are sending a code from Google Voice to prove you are ‘not a scammer’. The code is actually from Google Voice, but is being used so they can associate a Google Voice phone number with your cell phone, and use it for scams. These also seem to favor lines such as ‘just serviced 3 days ago’ and ‘no rust, no dents, original paint, no accidents and clean title’, almost verbatim across ads.
This is only about $10k under blue book, and has nothing at all wrong with it; it was just serviced after all. Totally not legit.
Same pattern of spamming across the country from a taken-over legitimate account.

Categories
Cybersecurity Quotes

I Was Quoted in Dark Reading

It’s always cool to be quoted. This time it was about Microsoft 365 users and how they are being targeted by voicemail-themed phishing attacks.

https://www.darkreading.com/remote-workforce/microsoft-office-365-users-raging-spate-attacks

Categories
Cybersecurity Quotes

Quoted in TechRepublic About the Voicemail Phishing Attacks

Here is another publication that picked up my quote about Microsoft 365 credential phishing via phishes that appear to be related to voicemails.

https://www.techrepublic.com/article/targeted-voicemail-phishing-attacks/

Categories
Cybersecurity Quotes

Quoted in Threatpost Today

It’s always cool to be quoted in an article. This one was about an ongoing vishing campaign using voicemail notifications to steal credentials. An old tactic, but very effective.

https://threatpost.com/voicemail-phishing-scam-steals-microsoft-credentials/180005/

Categories
Cybersecurity

How Facebook Can Become a Physical Threat

I was tired and ready to relax at home after a fun, but long day out with the family. As we rounded the corner onto our street, I noticed a car parked across the street from my house. This was not completely unusual, but the way that they watched us, edged with excitement, was certainly odd. As we pulled into our driveway, I was surprised to see them get out of the car and start walking toward me, obviously unhappy about something. Before I knew what was happening, I was being confronted about a puppy the people claimed to have bought from me. It seems they had been sitting outside my house for over three hours waiting to pick up the puppy after sending me several hundred dollars through Cash App. The problem is, I never had any puppies to sell, and nobody sent me money through Cash App.

This might have been the first time people came to my house expecting to pick up an item they paid hundreds of dollars for, but it would not be the last. From puppies to PlayStation 5s, this scenario has played out over and over again.

Does this seem far-fetched? Unfortunately, it is not. This scenario happened to a friend of mine, and we have been unable to stop it from happening, over and over again. Not only is it a bad situation for the people being scammed, but it is dangerous for the person whose house they show up at.

How did this happen? This friend’s Facebook account, let’s call them ‘L’ for short, was stolen by scammers, but not in a way you may expect. You see, it seems these cybercriminals used a stolen copy of L’s driver’s license, or a stolen photo of it, to get Facebook to hand over the account to them. Even though L is aware and has reported the account theft and the subsequent fraud being committed in her name, Facebook will not take the account down or return her rightful access to it. Even with dozens of others reporting that this is a stolen account, Facebook leaves it up to steal thousands of dollars from people, while putting L in real physical jeopardy from people who think she is stealing from them. L has a lot of friends and acquaintances (well over 3,000 friends on her Facebook account), has worked in a local church for a long time and is well known for being a wonderful person. These scammers hit the jackpot when they stole her account. This is not a lookalike account either. They have actually stolen her account, making things much more dangerous.

So, how do they get away with this? They are very sly and know how to game the system. I have personally seen posts on her page for the ‘free’ puppies (with a rehoming fee of course, which is where the money comes from) and for PS5s that they bought but cannot keep. They randomly tag a large number of people in these posts, drawing their attention. In all of these past incidents, after scamming as many people as they can, the posts are taken down in a day or so, removing any trace of the previous activity, but pop up a few weeks later to begin the scam again. If anyone attempts to make a comment in the post warning about the scam, the scammers delete the comment and block the person. Because this person is well known, she is tagged in quite a few posts from other people, making it look like her timeline is remaining active. This has been ongoing for nearly six months.

When it comes to ripping off the buyers, they know what they are doing as well. Buyers are rushed into making a decision, worried that the puppies will be claimed by someone else. They are told to pay through Cash App, which cannot be refunded or cancelled, and they have even offered the picture of L’s driver’s license as proof that it really is her. The scammers will offer to hold a puppy for a deposit via Cash App, asking for the balance in cash later, because they know that stealing some money is better than none, and it helps build trust with the victim. Keep in mind that these deposits are still hundreds of dollars.

Reporting the post has no impact at all, nor does reporting the profile, even after dozens or maybe even hundreds of reports. Facebook has been no help through their automated systems, even though there is an active police report filed with the county Sheriff’s Office. Talking to a person about it is impossible.

The Facebook method of dealing with accounts that have been stolen is to ask for proof of account ownership by uploading a copy of your identification. This is where the scammers likely supply the image of the driver’s license, and Facebook ignores the dozens of people who have been scammed or are trying to help stop these criminals. How did they get the image of the driver’s license? Odds are it was from one of the many data breaches that occur each week, or it was found after being lost somewhere (although L has not lost the physical copy of her license). Perhaps someone used personal information to get a duplicate, but it is unknown at this point.

Facebook is not the only thing impacted. L has also had to make sure other areas of her identity are locked down, including her credit reports and other areas of her life. Her Instagram account has also been taken over, but worst of all is wondering if the next person there to pick up their puppy after losing hundreds of dollars, is going to become violent.

If you think attacks like this on social media accounts are rare, I have bad news for you. Cybercriminals and scammers know the value of an account, and work hard to take them over. Just recently, a cybercriminal took over one million Facebook accounts in just four months (https://www.techrepublic.com/article/a-cybercriminal-stole-1-million-facebook-account-credentials-over-4-months/), mostly by tricking people into entering their login information in a fake webpage claiming to be from Facebook. Once they took over an account, they would send links to people in that account’s friends list, making the work very easy.

So, how can you protect yourself from being a victim of something like this? It pays to understand the threats to social media accounts.

A major threat is the reuse of passwords across different websites. When a breach occurs that leaks usernames and passwords, cybercriminals often use these credentials in something called a ‘credential stuffing’ attack. This means they try the same username and password in other places such as the major banks, shopping websites, email providers and yes, social media. If the username and password are used there, they will gain access to the account and will immediately change the password to their own. Then, they will change the recovery email address and phone number to ones they control as well, effectively locking you out of your account with no way to reset the new password.

A similar attack called ‘password spraying’ occurs when a cybercriminal takes an email address or username and tries it along with the most commonly used passwords, such as ‘12345678’ or ‘qwerty’, etc. There are lists of the most common passwords posted every year and they do not change very much. Just like in the above example, they then change passwords and contact information and essentially own the account.

In these two cases, having strong, unique passwords can make all the difference between keeping your account or losing it. To help manage these unique passwords, look into password managers, which are usually free or low-cost tools that help generate and protect passwords for you.
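The two attacks above look almost identical from the defender's side of the login page: one source address touches many different accounts with only one or two attempts each, most of them failing, and that shape is what a detection should key on (a single account being hammered is the different, brute-force shape). Neither the password tried nor the breach list it came from shows up in a normal authentication log, so this added example (not code from the original post) does not try to tell stuffing from spraying; it summarizes a constructed log by source address, labels the shape, and lists the accounts that actually logged in from a flagged source, which are the ones whose password and recovery details need attention first. The log format, the IP addresses and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed log format (an assumption, not any real product's format):
# "<timestamp> src=<ip> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def constructed_log():
    """Build a small, clearly synthetic authentication log."""
    lines = []
    # One source touching twelve different accounts once each, with one success:
    # the shape both credential stuffing and password spraying leave behind.
    users = ["alice", "bob", "carol", "dave", "erin", "frank",
             "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
    for i, u in enumerate(users):
        result = "ok" if u == "grace" else "fail"
        lines.append(f"2022-07-01T10:{i:02d}:00Z src=203.0.113.5 user={u} result={result}")
    # One source hammering a single account: classic brute force, a different shape.
    for i in range(10):
        lines.append(f"2022-07-01T11:{i:02d}:00Z src=198.51.100.7 user=bob result=fail")
    # A legitimate user who mistyped a password once.
    lines += [
        "2022-07-01T12:00:00Z src=192.0.2.10 user=alice result=fail",
        "2022-07-01T12:00:20Z src=192.0.2.10 user=alice result=ok",
    ]
    return "\n".join(lines)


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    successes: list = field(default_factory=list)      # users that logged in OK
    per_user: dict = field(default_factory=lambda: defaultdict(int))


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events):
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.per_user[e["user"]] += 1
        if e["result"] == "fail":
            s.failures += 1
        else:
            s.successes.append(e["user"])
    return stats


def classify_source(s, min_attempts=8, min_users=5, min_fail_ratio=0.8, max_per_user=3):
    """Label one source address by the shape of its login attempts.

    Thresholds are illustrative; tune them against your own baseline.
    """
    if s.attempts < min_attempts:
        return "normal"
    if s.failures / s.attempts < min_fail_ratio:
        return "normal"        # mostly successful: a shared NAT address, not an attack
    distinct = len(s.per_user)
    if distinct == 1:
        return "single_account_brute_force"
    if distinct >= min_users and max(s.per_user.values()) <= max_per_user:
        return "stuffing_or_spraying"    # many accounts, a few tries each
    return "suspicious"


def flagged_sources(text):
    """Map each non-normal source address to its label."""
    stats = summarize_by_source(parse_log(text))
    labels = {src: classify_source(s) for src, s in stats.items()}
    return {src: label for src, label in labels.items() if label != "normal"}


def accounts_to_reset(text):
    """(source, user) pairs that logged in successfully from a flagged source."""
    stats = summarize_by_source(parse_log(text))
    hits = []
    for src, s in stats.items():
        if classify_source(s) != "normal":
            hits.extend((src, user) for user in s.successes)
    return hits


if __name__ == "__main__":
    log = constructed_log()
    for src, label in flagged_sources(log).items():
        print(f"{src}: {label}")
    print("review these accounts:", accounts_to_reset(log))
```

The failure-ratio gate is what keeps a busy office NAT address, which also shows many users from one IP, out of the results; the success list is the actionable output, because a stuffing attempt that succeeds is followed within minutes by the password and recovery-contact changes the post describes.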

Multi-Factor Authentication (MFA) is another great way to help secure accounts. While it adds another step to the login process, it really helps stop cybercriminals who somehow guess or steal a password to an account. MFA is widely used in banking and is where you get a code via a text message, or type in a code that is generated in an application on your smartphone. This way, to log in, an account thief would need your username, your password and the code, making it much tougher.

Finally, any time a link takes you to a webpage that is asking for login information, be very careful. Make sure the URL of the login page is really from the website (facebook-login.com or login-facebook.com are NOT Facebook websites for example) and ask yourself if there really is a reason you would need to be logging into the account again.
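The check in the paragraph above is a host-name check, not a "does the page look right" check, and it is easy to get wrong by eye because look-alike names are designed to pass a glance. This added example (not code from the original post) does the comparison mechanically: it takes the host out of the URL, then accepts it only if it is the legitimate domain or a subdomain of it, label for label. That single rule rejects the two names in the post, plus a few other common shapes: the real domain used as a prefix of a longer one, the real domain placed in the user-info part before an @, a plain-http page, and host names containing non-ASCII look-alike letters. The list of legitimate domains is an assumption for the example; the sample URLs are constructed and not real sites.

```python
from urllib.parse import urlsplit

# Assumption for this example: facebook.com is the only legitimate registrable
# domain for a Facebook login page. Put your own organisation's domain here
# for your own checks.
LEGIT_DOMAINS = ("facebook.com",)


def check_login_url(url, legit_domains=LEGIT_DOMAINS):
    """Return (ok, reason) for a URL that is asking for login credentials.

    The decision is made on the host name alone, compared label by label, so
    facebook-login.com, login-facebook.com and facebook.com.evil.example are
    all rejected, as is a "facebook.com@" user-info trick in front of the real
    host.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'!r}, not https"
    host = parts.hostname      # lower-cased; user-info and port already stripped
    if not host:
        return False, "no host name"
    host = host.rstrip(".")
    if not host.isascii():
        return False, f"host {host!r} contains non-ASCII characters (possible look-alike letters)"
    for domain in legit_domains:
        if host == domain or host.endswith("." + domain):
            return True, f"host {host!r} is {domain} or a subdomain of it"
    return False, f"host {host!r} is not one of {', '.join(legit_domains)}"


def is_legitimate_login_url(url):
    return check_login_url(url)[0]


if __name__ == "__main__":
    # Constructed test URLs; none of these are real phishing sites.
    for u in [
        "https://www.facebook.com/login",
        "https://m.facebook.com/",
        "https://facebook-login.com/",
        "https://login-facebook.com/",
        "https://facebook.com.evil.example/login",
        "https://facebook.com@evil.example/",
        "http://www.facebook.com/login",
        "https://faceb\u043eok.com/",   # Cyrillic 'о' in place of Latin 'o'
    ]:
        ok, reason = check_login_url(u)
        print("OK  " if ok else "BAD ", u, "->", reason)
```

The reason string is there so the same function can feed a user-facing warning or a log line; the boolean wrapper is enough for a mail gateway or browser extension that only needs a verdict.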

Please understand the dangers of social media accounts and the potential nightmare they can become and protect your account just like you would your bank account. Not only can things get ugly online, but they can also become a physical threat, such as in the case with L. 

Edit: They are back at it on July 01, 2022, just in time for the 4th of July holiday.

Edit: There was another posting up as recently as July 11th, 2022, but it has been removed as of July 13th, 2022.

Categories
Cybersecurity

A Fun Interview at Black Hat USA in 2021

I had a chance to sit down at BH 2021 and chat with Scott Schober, whom I have known for quite a few years now. I always enjoy our conversations and find they get me thinking about things in a new light. Enjoy!

Categories
Cybersecurity

Is MFA Really the Key to Ending Phishing? Not Even Close.

I have been hearing some interesting things from the RSA conference this year. That is nothing new, as RSA is a great source for the latest in cybersecurity technology and a wonderful place for education. Unfortunately, I was not able to attend RSA this year; however, one trend that I have heard about involves something near and dear to my heart, and it concerns me.

On more than one occasion now, I have been told that this year, well respected speakers have said, on stage, that Multi-Factor Authentication (MFA) can stop 99% of phishing attacks. This is not only a foolish statement, but a dangerous one. It is also not the first time I have heard this claim or the first time I have addressed it.

Looking back to 2018 when I first read the headline, “Google: Security Keys Neutralized Employee Phishing” from Brian Krebs, I have had serious issues with how MFA is explained. That article started with this quote, further misleading people:

“Google has not had any of its 85,000+ employees successfully phished on their work-related accounts since early 2017, when it began requiring all employees to use physical Security Keys in place of passwords and one-time codes, the company told KrebsOnSecurity.”

Not only are statements like this misleading, but they are also just plain wrong and even dangerous.

Ironically, shortly after this article was published quoting Google telling us about how MFA keys did such a great job eliminating phishing, the marketing giant launched the sale of these same MFA keys. This was not an accident, but rather a clever marketing scheme.

I do not want to give the wrong impression here. I actually really like MFA and recommend it to people all the time. I support the FIDO Alliance wholeheartedly and use Yubikeys myself. The issue is that it is not the silver bullet that some people claim it to be. While it can be effective at stopping some phishing attacks and other very specific types of attacks, it is mostly useless against the vast majority of them. MFA protects account logins – that is all.

Why would I make such a bold statement? It is simple really. While MFA helps to prevent accounts from being taken over due to lost, stolen or weak credentials, it does nothing to counter a person clicking on a link to a malware-infected website, opening an infected document or wiring money to bad actors. According to the FBI, between June 2016 and December 2021, there were over $43 billion in losses due to Business Email Compromise (BEC). While the name implies that accounts were compromised, the majority of the time these scams are pulled off by simply spoofing the name of an email account, not actually having access to the real account. MFA does nothing to stop a spoofed account from asking someone to transfer funds or buy gift cards.
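Because the BEC pattern described above never touches the real account, the place to catch it is the mail headers, not the login page. This added example (not code from the original post) shows the kind of check a mail gateway can run: it parses the From header, and flags a message when the display name matches someone in the organisation's directory while the actual sender domain is external, when the display name itself contains an internal address, or when Reply-To points at a different domain than From. The organisation domain, the directory of names and the sample headers are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed example organisation; the domain and the names are assumptions.
INTERNAL_DOMAIN = "corp.example"
KNOWN_PEOPLE = {
    "Jane Doe": "jane.doe@corp.example",   # CEO in this constructed directory
    "Sam Lee": "sam.lee@corp.example",     # CFO
}


def normalize_name(name):
    """Lower-case, keep letters and spaces only, collapse whitespace."""
    return " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_internal(domain, internal_domain=INTERNAL_DOMAIN):
    return domain == internal_domain or domain.endswith("." + internal_domain)


def bec_findings(headers, internal_domain=INTERNAL_DOMAIN, known=KNOWN_PEOPLE):
    """Return the reasons this message looks like a display-name BEC lure.

    `headers` is a dict with at least "From"; "Reply-To" is used when present.
    An empty list means nothing in these headers stood out.
    """
    findings = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)
    known_names = {normalize_name(n) for n in known}

    if not is_internal(from_domain, internal_domain):
        if normalize_name(display) in known_names:
            findings.append(
                f"display name {display!r} matches an internal person but the sender "
                f"domain is {from_domain or 'missing'}")
        if internal_domain in display.lower():
            findings.append(
                f"display name {display!r} contains an internal address while the "
                f"real sender is {addr}")

    reply_to = headers.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        reply_domain = domain_of(reply_addr)
        if reply_domain and reply_domain != from_domain:
            findings.append(
                f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers; the external domains are not real senders.
    samples = [
        {"From": '"Jane Doe" <jane.doe.ceo@gmail.example>'},
        {"From": "Jane Doe <jane.doe@corp.example>"},
        {"From": '"jane.doe@corp.example" <x@evil.example>'},
        {"From": "Jane Doe <jane.doe@corp.example>",
         "Reply-To": "jane.doe@mail.evil.example"},
    ]
    for h in samples:
        print(h["From"], "->", bec_findings(h) or "clean")
```

None of these checks needs DMARC or any cryptographic verification, which is exactly why the attack works against organisations that have deployed MFA everywhere: the message is authentic mail from an attacker-owned mailbox, and only the human-readable name is borrowed.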

Another huge part of email phishing is the distribution of malware. This most commonly happens by getting the targets of the emails to click on a link in the email or by opening an infected document and enabling active content or macros. None of these scenarios are impacted by MFA in the least.

By telling people that MFA will stop 99% of phishing attacks, we are doing a great disservice to people by giving them a false sense of hope. Executives could come back from the conference and tell their staff that if they implement MFA, they can cut in other places, which is a really dangerous message.

Phishing cannot be stopped by a single technology or even a mix of technologies. The best we can do is to manage the problem and reduce the risk through a mixture of technologies and by helping individuals spot these attacks through education and practice. A focus on a good, strong security culture within the organization can do far more than simply enabling MFA, although these measures are an important part of a strong security program.

As security professionals, it is our duty to be objective about how effective security controls are and not fall for marketing messages that are meant to promote products. Snake oil is still too prevalent in our industry to let our guard down.