In the last couple days before Christmas, people are frantically buying last-minute gifts.
But being harried sets you up to be the perfect hacking victim.
And the latest scam is preying on people using a seemingly innocuous tool — the wish list, employed by a range of stores including Amazon, Target, Walmart, Overstock, Toys R Us, and others.
It’s part of a larger trend in phishing: in the third quarter of 2016, the retail/service sector accounted for the largest share of phishing victims (43%).
While the word “hacker” conjures someone who uses fancy technical footwork to break into your accounts, that’s usually not the way the bad guys get ahold of accounts these days.
Often the victims themselves provide all the information necessary for the hackers to do their misdeeds. As described in my article earlier this week about a recent spate of hackings costing victims millions of dollars, a hacker can trick an unwitting customer service representative into believing that they are you by using information you put on Facebook, Twitter, LinkedIn and Foursquare.
Or, as in the case of the wish list, they use it to trick you into thinking that they are a business you know and trust.
“You can’t trust people who come to you through email or phone or any other means who seem to know a lot about you just because they know a lot about you,” says Chris Hadnagy, chief human hacker at Social-Engineer.com.
In these wish list crimes, hackers are taking advantage of the fact that the retailers offering wish lists let customers make their lists publicly searchable. If a target has made his or her list public and has added items intended as gifts, the attacker sends an email claiming that one of those items is now 30% off and that clicking the enclosed link will yield a discount code.
“People are now in the holiday crush. People who haven’t done that shopping are starting to feel panicked and overwhelmed and short of time, and when we are high in our emotions, our logic centers don’t work as well as they should,” says Social Engineer chief operating officer Michele Fincher. “So, maybe getting a coupon from a vendor I haven’t ever done business with is something I would notice if I had time to think about it, but if I’m panicked in my last 48 hours of Christmas shopping, I might do something stupid if I get a coupon code for something I was looking for.”
Once you click, the hackers can do any number of things. They might simply offer to send you the discounted item after you enter your credit card number. Or they’ve built a page that mimics an Amazon web page and asks you to log in. They can then capture your login credentials along with account details such as the last four digits of your credit cards and any shipping addresses you’ve entered. They then use that information to wage other attacks on you, such as calling your bank with your credit card information and address to gain access to that account. Or they try your Amazon login and password on other sites, since people often reuse passwords.
“They do their homework. They get into one account and use that information to get into an account that’s more critical. So maybe it’s not a big deal they got into your Twitter feed, but then they use information from it to get into your bank, so it’s an expanding web where they launch an attack that seems simple and nominal but has far-reaching consequences. Malicious social engineers aren’t necessarily very technical people but they’re crafty and clever in the way they think.”
People often think that they will never fall for a phishing scam, but Social Engineer has found that 90% of the people they ask will give the proper spelling of their name and their email address without confirming the identity of the person requesting it. And 67% give out birthdates, Social Security numbers and employee numbers.
So beware. If an offer seems too good to be true, then stop. Instead of clicking directly on the link offered, go directly to the company website to obtain that offer, so you can be sure it’s legit. And if it’s not, then think of this precautionary step you took as your Christmas gift to yourself.
Source: SANS ISC SecNewsFeed @ December 23, 2016 at 12:30PM