Cyber crooks use the KISS method – Keep it Simple … QuickBooks, credit cards and your supposedly anonymized data – things we think we know and trust are being used in scams that not only evade technical detection but are so simple in concept that almost anyone could be fooled.
I’m Jim Love, CIO of ITWC, publishers of IT World Canada and TechNewsDay in the U.S. sitting in for the vacationing Howard Solomon.
QuickBooks is accounting software that is a blessing to small and even medium-sized businesses. It is reasonably priced, affordable for any business, and can automate many tasks, from bookkeeping and accounting to time keeping and billing.
As one of its productivity benefits, the software has the ability to send invoices and even enable phone follow-up. It is this capability that hackers have turned into a surprisingly low-tech phone scam.
While software and automated anti-phishing defences have become more and more sophisticated, tried-and-true telephone fraud becomes more and more attractive. It even has its own name – vishing, short for voice phishing.
The attackers just need a phone number that they get the unsuspecting mark to call. When they do, an operative will try to extract valuable information from them.
These attacks were highly effective at evading detection because they were identical to non-fraudulent QuickBooks notifications.
What makes it even easier is that QuickBooks offers free 30-day trials. The crooks create free accounts, send fraudulent invoices from QuickBooks, and generate phone calls.
Inky reports that they have impersonated a number of well-known brands:
The attackers target a legitimate customer, who is presented with an invoice or order confirmation indicating that their credit card has already been charged. They are asked if they wish to dispute the charge. If so, they should contact the phone number in the email.
Once a victim calls, a scammer will try to get information (login credentials, credit card details, other personally identifiable information) or send them to a form on a site that looks authentic but exists only to steal information.
If you steal a credit card number, or buy a stolen one, the first thing you want to do is determine whether it still works without setting off alarms. Once you verify that it hasn’t been reported as compromised, you can go to town.
Automated carding attacks have a similar pattern: bots are used to attempt small purchases with stolen credit, debit and gift card data. If the transaction goes through, the fraudster knows that the card is valid. Valid cards can be used to make larger purchases of goods or gift cards, or resold on the dark web at a much higher value.
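The test-purchase pattern just described is what a defender can look for in payment authorization logs. The following is an added example, not from the podcast and not from any payment processor's tooling: it scans a constructed, labelled authorization log for sources that try many distinct cards with small amounts inside a short window and mostly get declined. The log format, the thresholds, the IP addresses and the card-number fragments are all assumptions made up for the illustration.

```python
"""Card-testing (carding) detection over constructed authorization logs.

Added illustration only. A bot probing stolen card numbers typically makes
many small authorization attempts from one source in a short window, across
many distinct cards, with a high decline rate. The log format and every
threshold below are assumptions, not the rules of any real processor.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, card last-4, amount, result.
# 203.0.113.7 behaves like a card-testing bot; 198.51.100.9 is a normal buyer.
SAMPLE_LOG = """\
2022-07-15T10:00:01Z 203.0.113.7 4242 1.00 DECLINED
2022-07-15T10:00:03Z 203.0.113.7 1881 1.00 DECLINED
2022-07-15T10:00:05Z 203.0.113.7 0005 1.00 APPROVED
2022-07-15T10:00:08Z 203.0.113.7 9871 1.00 DECLINED
2022-07-15T10:00:10Z 203.0.113.7 3344 1.00 DECLINED
2022-07-15T10:00:12Z 203.0.113.7 5555 1.00 DECLINED
2022-07-15T10:01:00Z 198.51.100.9 4242 59.99 APPROVED
2022-07-15T10:45:00Z 198.51.100.9 4242 12.50 APPROVED
"""

# Assumed tuning values; a real deployment would derive these from its own traffic.
SMALL_AMOUNT = 5.00            # ceiling for what counts as a "test" purchase
WINDOW = timedelta(minutes=5)  # sliding window over one source's attempts
MIN_DISTINCT_CARDS = 5         # many different cards from one source is the tell
MIN_DECLINE_RATIO = 0.5        # most probes of stolen numbers fail


def parse_log(text):
    """Parse the whitespace-separated constructed log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, last4, amount, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "card": last4,
            "amount": float(amount),
            "result": result,
        })
    return events


def find_card_testing(events, window=WINDOW, small_amount=SMALL_AMOUNT,
                      min_cards=MIN_DISTINCT_CARDS,
                      min_decline_ratio=MIN_DECLINE_RATIO):
    """Return {ip: summary} for sources whose small-amount attempts, within
    some sliding window, touch many distinct cards with a high decline rate.

    The summary keeps the widest qualifying window and lists the cards that
    were APPROVED inside it: those are the numbers the bot just learned are
    live, so they deserve a fraud hold, not just the source IP.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["amount"] <= small_amount:
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            window_evs = evs[start:end + 1]
            cards = {e["card"] for e in window_evs}
            declines = sum(e["result"] == "DECLINED" for e in window_evs)
            ratio = declines / len(window_evs)
            if len(cards) < min_cards or ratio < min_decline_ratio:
                continue
            if ip not in flagged or len(cards) > flagged[ip]["distinct_cards"]:
                flagged[ip] = {
                    "distinct_cards": len(cards),
                    "attempts": len(window_evs),
                    "decline_ratio": ratio,
                    "approved_cards": sorted(
                        e["card"] for e in window_evs if e["result"] == "APPROVED"
                    ),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The point of the `approved_cards` field is the one the podcast makes: the single approval in the middle of a run of declines is not a false positive to ignore, it is the card the fraudster has just confirmed is valid, and it is the one most likely to be used for a larger purchase next.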
Consumers are amazingly schizophrenic when it comes to their data. On one hand, there is a growing desire for privacy and for protecting personal information. On the other hand, many people gladly give away their data in exchange for services, such as “tell me the fastest way home through traffic.” What they don’t want is to give away highly sensitive data.
But the reality is that there are a growing number of “shadowy ad tech and data brokers” that harvest an enormous amount of personal data and then process and sell it.
There are a number of ways this data can be gathered. Mobile apps are among the biggest offenders, and many sell that data. Software development kits (SDKs) have embedded functions that gather data from a number of sources, and their makers then sell access to it.
The U.S. Federal Trade Commission (FTC) warned this week that it will crack down on tech companies’ illegal use and sharing of highly sensitive data and false claims about data anonymization.
Until this crackdown occurs, many security professionals suggest that you look very carefully at any app that asks to collect data it does not need. Presume that any app should come with the equivalent of a US Miranda warning: anything you do or say can be used against you.
And a breaking story sent to us just as we went to air:
That’s Cyber Security today for Friday July 15, 2022.
Follow Cyber Security Today wherever you get your podcasts – Apple, Google or other sources. You can also have it delivered to you via your Google or Alexa smart speaker.
Thanks for letting me into your day.
Howard will be back this weekend.