Cyber crooks use the KISS method, Keep It Simple: QuickBooks, credit cards and your supposedly anonymized data. Things we think we know and trust are being used in scams that not only evade technical detection but are so simple in concept that almost anyone could be fooled.
I’m Jim Love, CIO of ITWC, publishers of IT World Canada and TechNewsDay in the U.S., sitting in for the vacationing Howard Solomon.
QuickBooks is accounting software that is a blessing to small and even medium-sized businesses. It’s reasonably priced, affordable for almost any business, and can automate many tasks, from bookkeeping and accounting to timekeeping and billing.
As one of its productivity benefits, the software can send invoices and even enable phone follow-up. It is this capability that hackers have turned into a surprisingly low-tech phone scam.
While software and automated anti-phishing defences have become more and more sophisticated, tried and true telephone fraud becomes more and more attractive. It even has its own name: vishing, short for voice phishing.
The attackers just need a phone number that they get the unsuspecting mark to call. When they do, an operative will try to extract valuable information from them.
Between December 2021 and the present, a security firm named INKY detected thousands of legitimate QuickBooks notifications being used to impersonate retail brands in voice phishing (vishing) attacks.
These attacks were highly effective at evading detection because they were identical to non-fraudulent QuickBooks notifications.
What makes it even easier is that QuickBooks offers free 30-day trials. The crooks create free accounts, send fraudulent invoices from QuickBooks and generate phone calls.
INKY reports that the scammers have impersonated a number of well-known brands:
- Amazon
- Apple
- Best Buy (and Geek Squad)
- PayPal
- Norton
- McAfee
The target, a legitimate customer, is presented with an invoice or order confirmation indicating that their credit card has already been charged. They are asked whether they wish to dispute the charge; if so, they should call the phone number in the email.
Once a victim calls, a scammer will try to get information (login credentials, credit card details, other personally identifiable information) or send them to a form on a site that looks authentic but exists only to steal information.
Credit card fraud is not normally thought of as high tech, but it is prevalent and profitable. According to the 2022 Automated Fraud Benchmark Report from PerimeterX, carding attacks have increased 111.6% year over year and are expected to cost businesses $130 billion by 2023.
If you steal a credit card number, or buy a stolen number, the first thing you want to do is to determine if it’s still working without setting off alarms. Once you verify that it hasn’t been reported as compromised, you can go to town.
Automated carding attacks have a similar pattern: bots are used to attempt small purchases with stolen credit, debit and gift card data. If the transaction goes through, the fraudster knows that the card is valid. Valid cards can be used to make larger purchases of goods or gift cards, or resold on the dark web at a much higher value.
But even a small purchase can alert the cardholder or trigger real-time alerts on their credit card. PerimeterX reports that cybercrooks have developed a “silent validation” bot which can validate a card without actually making a purchase. They exploit a function that checks the validity of a card when a user attempts to store it as a payment method. This function, designed to weed out fraudulent cards, actually makes it easier for fraudsters to evaluate their stolen card data.
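An added illustration, not part of the original show or the PerimeterX report: defender-side velocity logic that watches the store-payment-method endpoint the passage describes rather than checkout, flagging a client that presents many distinct cards in a short window while a real user retrying one card stays under the threshold. The log format, field names and thresholds are assumptions for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical "store payment method" endpoint; the
# format (ISO timestamp, client IP, account, card fingerprint, result) is assumed.
SAMPLE_LOG = """\
2022-07-15T10:00:01 203.0.113.7 acct-1 card-a declined
2022-07-15T10:00:03 203.0.113.7 acct-1 card-b declined
2022-07-15T10:00:04 203.0.113.7 acct-1 card-c declined
2022-07-15T10:00:06 203.0.113.7 acct-1 card-d accepted
2022-07-15T10:00:07 203.0.113.7 acct-1 card-e declined
2022-07-15T10:00:09 203.0.113.7 acct-1 card-f accepted
2022-07-15T10:05:00 198.51.100.2 acct-2 card-x declined
2022-07-15T10:05:40 198.51.100.2 acct-2 card-x accepted
2022-07-15T12:00:00 198.51.100.9 acct-3 card-y accepted
"""

def parse_log(text):
    """Parse log lines into (timestamp, ip, account, card, result) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, ip, acct, card, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, acct, card, result))
    return events

def flag_card_testing(events, window=timedelta(minutes=10), max_distinct=4):
    """Return {ip: peak distinct cards} for IPs that tried to store more than
    max_distinct different cards within any sliding window of `window` length."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        in_window, start = Counter(), 0      # cards seen in the current window
        for ev in evs:
            in_window[ev[3]] += 1
            while ev[0] - evs[start][0] > window:   # drop events that aged out
                in_window[evs[start][3]] -= 1
                if in_window[evs[start][3]] == 0:
                    del in_window[evs[start][3]]
                start += 1
            if len(in_window) > max_distinct:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged

def confirmed_valid(events, flagged):
    """Cards a flagged source got 'accepted' for: the fraudster now knows these are
    live, so they are the ones to report to the issuer and re-verify with the user."""
    return {ip: sorted({ev[3] for ev in events if ev[1] == ip and ev[4] == "accepted"})
            for ip in flagged}
```

The same counter keyed by account instead of IP catches a bot that rotates source addresses but reuses one trial account.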
Consumers are amazingly schizophrenic when it comes to their data. On one hand, there is a growing desire for privacy and to protect their personal information. On the other hand, many people gladly give away their data in exchange for services, like being told the fastest way home through traffic. What they don’t want is to give away highly sensitive data.
But the reality is that there are a growing number of “shadowy ad tech and data brokers” which harvest an enormous amount of personal data and then process and sell that data.
There are a number of ways this data can be gathered. Mobile apps are among the biggest offenders, and many sell that data. Software development kits (SDKs) have embedded functions that gather data from a number of sources and then sell access to it.
The state of the art in protecting data privacy has always been “anonymizing” information. Anonymization refers to the practice of protecting private or sensitive information by stripping off identifiers such as names, social security numbers, and addresses that connect an individual to stored data. It’s a nice idea, but it has been repeatedly established that anonymized data can often be re-identified by combining several datasets.
A 2016 study found that any four apps selected at random can be used to re-identify a user more than 95% of the time.
The U.S. Federal Trade Commission (FTC) warned this week that it will crack down on tech companies’ illegal use and sharing of highly sensitive data and false claims about data anonymization.
Until this crackdown occurs, many security professionals suggest that you look very carefully at any app that asks to collect data it does not need. Presume that any app should come with the equivalent of a U.S. Miranda warning: anything you do or say can be used against you.
And a breaking story sent to us just as we went to air:
Patches were issued this year to close a critical hole in Apache’s Log4j2 logging framework. But a report this week from the U.S. Cyber Safety Review Board says IT leaders should be prepared to address Log4j vulnerabilities for years. That’s because Log4j is open-source software that developers have integrated into millions of systems, says the report. It also says there haven’t been any significant attacks on critical infrastructure because of the vulnerability so far. But because of the widespread use of the utility, vulnerable instances will remain in IT systems perhaps for another 10 years. The discovery of the vulnerability shows the security risks in what it calls the “thinly-resourced, volunteer-based open source community.” To reduce the odds of creating bugs like this, governments, software companies and developers must create centralized resources and security assistance structures to help the open source community, the report says. That includes adding a software bill of materials to every application.
That’s Cyber Security today for Friday July 15, 2022.
Follow Cyber Security Today wherever you get your podcasts: Apple, Google or other sources. You can also have it delivered to you via your Google or Alexa smart speaker.
I’m Jim Love, CIO of ITWC, publishers of IT World Canada and creators of the ITWC podcasting network. I’m also host of Hashtag Trending, the Weekend Edition, where I do an in-depth interview on topics related to information technology, security, data analytics and a host of other subjects. If you’ve got some extra time after you’ve listened to Howard’s great weekend interview, check us out at itworldcanada.com podcasts or anywhere you get your podcasts.
Thanks for letting me into your day.
Howard will be back this weekend.