Drive-By Phishing Scams Race Toward Uber UsersSocially Engineering the Masses: Ready, Set, Go
Give crooks credit for topicality: They remain loathe to miss a trick.
Indeed, hardly any time elapsed after Uber came clean Tuesday about the year-old breach it had concealed before crack teams of social engineers unleashed appropriately themed phishing messages designed to bamboozle the masses (see Fast and Furious Data Breach Scandal Overtakes Uber).
"Less than 24 hours after the Uber hack news broke, the phishing attacks started," says Australian data breach expert Troy Hunt via Twitter.
Hunt's alert comes in the wake of IT consultant Dale Meredith warning that he'd flagged his first verified phishing email with an Uber theme, which asks for people to change their password. Of course, this isn't a valid password-change request but rather a way for crooks to capture people's legitimate passwords. Doing so allows criminals to log into any account that shares the same email address, for which the user has reused their password.
One giveaway for at least one of the scams now in circulation is a claim that Uber is working with its arch-rival, the ride-hailing service Lyft.
Unfortunately, not all phishing messages are so easy to spot. Also there's no guarantee that even crack information security specialists won't accidentally click on a link, say when their mental defenses are down at 2 a.m. In other cases, said specialists may also give bad advice to users. That's reportedly what happened to John Podesta, the former chairman of Hillary Clinton's unsuccessful presidential campaign, who referred a phishing message to an IT support employee who erroneously told him that it wasn't a phishing message. Cue the compromise of Podesta's Gmail account (see Russian Interference: Anatomy of a Propaganda Campaign).
Hit and Run
The volume of phishing attacks continues to escalate. In September, anti-phishing service PhishLabs reported that the volume of phishing attacks increased by 41 percent from the first quarter to the second quarter of this year. The vast majority of attacks targeted one of these five sectors: financial services, webmail and online services, payment services, cloud storage and file-hosting services, and e-commerce companies.
The growth in phishing is no doubt down to such attacks being a cheap and easy way for cybercriminals to steal online access credentials as well as trick users into installing malware, including crypto-locking ransomware that has been generating massive profits for attackers (see Phisher Refrain: We Will Crypto-Lock You).
Fraud: Topicality 'Sells'
When it comes to phishing attacks, topicality isn't new. For fraudsters, that's one of the great things about text-based trickery: Giving your scam a refresh only requires plugging in a few new "ripped from the headlines" phrases.
That's why fraudsters wasted no time in attempting to exploit data broker Equifax's Sept. 7 announcement that it had suffered a massive data breach.
Just two days later, the U.K.'s National Cyber Security Center, which is part of Britain's GCHQ intelligence agency, issued a phishing alert.
"U.K. citizens affected by this data breach ... could be on the receiving end of more targeted and realistic phishing messages," the NCSC warns. "Fraudsters can use the data to make their phishing messages look much more credible, including using real names and statements such as: 'To show this is not a phishing email, we have included the month of your birth and the last 3 digits of your phone number.'"
That's because whoever hacked Equifax managed to steal names and personal information for 145.5 million U.S. individuals, 15.2 million U.K.-based individuals as well as information contained in 8,000 Canadian records. Not all of these individuals would have provided information to Equifax directly. Instead, their personal details may have been by third parties, such as their bank.
Out of Control
But Equifax is hardly the first large organization to have been breached and data on millions of consumers stolen. Security experts say multiple copies of many people's personal details are already in wide circulation and for sale on cybercrime forums. Unfortunately for potential phishing victims, this information can be used to personalize attacks against them.
Underscoring this point, NCSC warns that Equifax breach victims might be targeted by non-Equifax-themed phishing messages. "Usually, if you are the target of a phishing message, your real name will not be used," NCSC says. "However, in this case, if fraudsters have your name, people will need to be extra vigilant around any message that purports to be from an organization they deal with - especially when there are attachments or links which take people to sites asking for more personal information."
UK @Uber customers + drivers:— NCSC UK (@ncsc) November 23, 2017
- Immediately change passwords you used with Uber
- Be alert to phishing emails
- Be vigilant to potential scam calls
- Do not feel obliged to delete the app
- Contact Action Fraud if you think you have been a victimhttps://t.co/STw9K9hGJP pic.twitter.com/RWdFgJHg6Y
Fraudsters may not just email but also call. "If you do receive a phone call that is suspicious - for example by asking you for security information - do not divulge any information, and hang up," NCSC says. Then independently source the phone number for the organization in question and phone them to ask if they just called. If it wasn't them, alert law enforcement, such as the FBI's Internet Crime Complaint Center in the United States or Action Fraud in the United Kingdom.