
  • A new CheckPoint report shows that 44 percent of all phishing attacks involve emails that use Microsoft as the spoofed brand. Microsoft was the brand used as bait in 19 percent of all forms of phishing last quarter. 
  • Barnes & Noble acknowledged what they initially thought was a systems error earlier in October turned out to be a cyberattack on some of its systems. 
  • Earlier in the month, cyberthieves posted for sale on the dark web three million credit cards stolen from the Dickey’s BBQ restaurant chain throughout 2019 and 2020.
  • Darkside announced they donated $20,000 in bitcoins to two global charities. Darkside claims they do not attack schools, hospitals or governments, and instead focus on highly profitable, large corporations. 
  • If you are the victim of a phishing attack or data compromise, contact the Identity Theft Resource Center for no-cost assistance at 888.400.5530 or by live-chat on the company website. 

A new report reveals how frequently identity criminals use well-known brands to trick people into sharing their personal information. CheckPoint Security researchers say one company has jumped to the top of the heap when it comes to fake emails and fake websites involved in brand phishing attacks – Microsoft.  

Subscribe to the Weekly Breach Breakdown Podcast 

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant cybersecurity news in our Weekly Breach Breakdown podcast. This week, we take a look at CheckPoint’s latest survey and what it means, as well as two data compromises that recently prompted consumer notices, and a ransomware group donating to charities.  

Brand Phishing Attacks 

There are different types of phishing attacks. What is a brand phishing attack? In this attack style, a cybercriminal imitates a well-known brand’s official website by using a web address and webpage design similar to the real thing. A link to the fake website is then sent to people by email, text message, or social media.

The fake webpage often contains a form intended to steal the credentials, payment details, or other personal information of the people caught in the phisher’s net.  

While many spoofed websites are obvious fakes with poor spelling or grammar, these emails, websites, texts and social media accounts are increasingly sophisticated and highly accurate imitations that even trained professionals don’t spot at first glance.

Report Reveals Microsoft as the Top Spoofed Brand 

CheckPoint’s current report shows that 44 percent of all phishing attacks involve emails that use Microsoft as the spoofed brand. Forty-three percent of all types of phishing attacks involve fake websites, and Microsoft is again the number one brand used to lure unsuspecting users.

All told, Microsoft was the brand used as bait in 19 percent of all forms of phishing last quarter.

However, Microsoft is not the only brand in the crosshairs of cybercriminals. The rest of the top ten brands currently being used in phishing campaigns include: 

  • Google (nine percent) 
  • PayPal (six percent) 
  • Netflix (six percent) 
  • Facebook (five percent) 
  • Apple (five percent) 
  • WhatsApp (five percent) 
  • Amazon (four percent) 
  • Instagram (four percent) 

How to Avoid a Phishing Attack 

The best way to avoid falling victim to all types of phishing attacks is to ignore unsolicited emails and texts that include links. If anyone receives a notice from a company where they do business, they should log in directly to their account to verify the message they received was real.

Anyone who gets a notice can also go to the company website directly and contact them. Under no circumstances should anyone click on a link or call a telephone number in an unexpected email.  

Barnes & Noble Data Compromise 

We also want to tell you about two recent data compromises that led to consumer notices. Barnes & Noble – the online and brick-and-mortar bookseller – acknowledged that what they initially thought was a systems error earlier in October was, in fact, a cyberattack on some of the company’s systems.

Customer email addresses, billing and shipping addresses, telephone numbers and transaction histories may have been involved in the security breach. Barnes & Noble says there is no evidence of a data exposure. However, they are not ruling out the possibility. 

Dickey’s BBQ Data Compromise 

The Barnes & Noble breach is different from the circumstances at the Dickey’s BBQ restaurant chain. Earlier in the month, cyberthieves posted for sale on the dark web three million credit cards stolen from the popular eatery throughout 2019 and 2020. Security researchers believe 156 Dickey’s locations across 30 states likely had payment systems compromised by card-stealing software.

“Darkside” Ransomware Group Tries to Claim its Legitimacy 

Finally, the ransomware group known as “Darkside” is trying its hand at brand building just like a legitimate company. This week Darkside announced they had donated $20,000 in bitcoins to two global charities. Darkside claims they do not attack schools, hospitals or governments, and instead focus on highly profitable, large corporations.  

Security researcher Chris Clements notes, “The most troubling realization here is that the cybercriminals have made so much money through extortion that donating $20,000 is chump change to them.”  

Neither of the two charities has acknowledged receiving the donation, and both say they will not keep it if it turns out to be true.

notified™

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC 

If you accidentally click on a link of a brand phishing attack or provide information to what you discover later was a fake website form, contact the ITRC toll-free at 888.400.5530 or live-chat with an expert advisor on the company website. An advisor will walk you through the steps to take to protect yourself from any possible identity misuse. 

If you receive a breach notice due to the Barnes & Noble or Dickey’s BBQ events or any other data compromise and you’d like to know how to protect yourself, contact the ITRC to speak with an expert advisor. Also, download the free ID Theft Help App to access advisors, resources, a case log and much more. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



  • Credential theft is when fake webpages are created that look real for the sole purpose of stealing logins and passwords to access legitimate accounts.
  • The top targeted companies for phishing scams from credential theft include PayPal with 11,000 fake login pages, Microsoft with 9,500 fake pages, and Facebook with 7,500 fake pages.
  • To prevent falling victim to a credential theft attack, consumers should not click on any links unless they know they are legitimate, double-check the email address of the sender, and change their password if they believe they used a fake login page.
  • For more information about the latest data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • Victims of identity theft can contact the ITRC toll-free at 888.400.5530, or by using the live-chat function on the website.

Credential stuffing is a term consumers often hear from cybersecurity experts. Credential stuffing is a type of cyber attack where stolen credentials, like usernames and passwords, are used to gain access to other accounts that share the same credentials. There is another term not heard as much, but just as prevalent: credential theft.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) takes a look at the most interesting data compromises from the last week in our Weekly Breach Breakdown podcast. This week, we are talking about creating fake websites that look real for the sole purpose of stealing logins and passwords used to access legitimate accounts. We will look at how security researchers found tens of thousands of fake website login pages that are used to collect credentials from consumers.

Credential Theft

To commit a credential stuffing attack, a hacker must have credentials. Where do data thieves get the logins and passwords needed to fuel these attacks? The most obvious way is through data breaches everyone has seen over the years, where millions of credentials are stolen in a mass attack. However, there are less obvious ways, too. One of those less obvious ways is credential theft.

Earlier in 2020, security company IRONSCALES began to look for a specific kind of webpage: fake login pages that look like they could come from real companies. From January until June, IRONSCALES found more than 50,000 phony login pages from more than 200 recognizable brands with a high volume of web traffic.

These fake login pages are used in phishing emails as a way of getting people to click on what they think is a legitimate login page. Most people cannot tell the login page is fake, leading unsuspecting victims to enter their real login and passwords into a fake webpage. That is all it takes for data thieves to have actual credentials from live accounts. They do not even have to buy or steal any data.

Top Targets for Phishing Scams

Anyone reading this blog might be wondering if they have ever clicked on an email link connected to an account. If they have, was it a real login page?

IRONSCALES reports that PayPal is the top target for phishing scams, with more than 11,000 fake login pages spoofing the brand. Microsoft is not far behind with 9,500 phony login pages. The list continues with Facebook with 7,500, eBay with 3,000 and Amazon with 1,500 known fake login pages. Other commonly spoofed brands include Adobe, Aetna, Apple, Alibaba, Delta Air Lines, JP Morgan Chase and Wells Fargo.

All of these companies have people who do nothing but seek and shut down these and other kinds of fake webpages, websites, social media accounts and text messages that are used to collect personal information from their legitimate customers and prospects. However, research shows that credential theft is easy for a couple of reasons. The first is that malicious phishing emails that deliver fake login pages can easily bypass cybersecurity tools and spam filters just by making small changes in the email.

Inattentional Blindness

The second reason is inattentional blindness: when something looks so familiar, or causes you to focus so intently, that you don’t see the apparent errors hiding in plain sight. An example of inattentional blindness comes from a study where people were told to watch a video and count the number of people wearing white jerseys as they passed a ball. More than 50 percent of people taking the test missed the fact that one of the players was wearing a gorilla suit.

How Inattentional Blindness Applies to Identity Theft

In credential theft attacks, inattentional blindness translates into the inability to spot the tell-tale signs of a phishing scheme, even among trained cybersecurity and fraud professionals. What should people do if they encounter what they believe is a phishing attack?

1. Don’t click on any links unless you are sure they are legitimate. When in doubt, navigate directly to the website or webpage you are trying to reach instead of using a link.

2. If the link arrives in an email, double-check the address of the sender. An email address can be masked to make it look legitimate in the sender line. However, if you click on the sender’s name to see the actual address, you may find the email from mybank.com is actually from bob@scams-r-us. Get into the habit of checking email addresses.

3. If you believe you used a fake login page, change your passwords and alert the security team at the company whose login page has been spoofed as soon as possible. While changing your password, consider switching to a 12-character passphrase with upper and lower case letters. It will take an automated hacker tool 300 years to break that passphrase, and it will also be easier to remember.
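The sender check in step 2 can also be automated on a mail gateway or in a triage script. The following is an added example, not ITRC code: it parses a From header and reports when the display name claims a domain or brand that the real sending address does not belong to. The brand-to-domain map and the sample addresses (`.example` domains) are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumed allow-list for illustration: brand keyword -> domains it really sends from.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
    "mybank": {"mybank.com"},
}

# Anything in the display name that looks like a host name (label.label[.label...]).
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b")


def sender_domain(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rpartition("@")[2].lower() if "@" in address else ""


def is_same_or_subdomain(domain, parent):
    """True for paypal.com and mail.paypal.com, False for paypal.com.evil.example."""
    return domain == parent or domain.endswith("." + parent)


def check_from_header(header):
    """Return the reasons a From header looks spoofed (empty list = no finding)."""
    display, address = parseaddr(header)
    domain = sender_domain(address)
    if not domain:
        return ["no parsable sender address"]
    shown = display.lower()
    findings = []
    # 1. The display name shows a domain that is not where the mail came from.
    for claimed in DOMAIN_RE.findall(shown):
        if not is_same_or_subdomain(domain, claimed):
            findings.append(f"display name shows {claimed} but mail is from {domain}")
    # 2. The display name uses a known brand, sent from a domain the brand does not own.
    for brand, legit in BRAND_DOMAINS.items():
        if brand in shown and not any(is_same_or_subdomain(domain, d) for d in legit):
            findings.append(f"claims {brand} but {domain} is not a {brand} domain")
    return findings


if __name__ == "__main__":
    # Constructed sample headers.
    for h in ('"mybank.com" <bob@scams-r-us.example>',
              "PayPal <service@mail.paypal.com>"):
        print(h, "->", check_from_header(h) or "ok")
```

This only inspects the From header, so brands that send through a third-party mail service need those domains added to the allow-list before a finding is treated as hostile.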

notified™

For more information about the latest data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, you can speak with an ITRC expert advisor by calling toll-free at 888.400.5530, or on the website via live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



With some businesses opening back up after temporarily closing due to the COVID-19 pandemic, scammers are trying to capitalize using online job scams to steal people’s personal information.

Recently, Scripps Health found hackers exploiting job seekers through phishing emails with Scripps Health-themed “lures.” Scripps sent the following email to warn their community members:

Image provided to the Identity Theft Resource Center by public

ATA Engineering, another San Diego-based company, reports they are also seeing similar online job scams.

The Identity Theft Resource Center (ITRC) has seen a rise in victims contacting the organization about online job scams, including phishing emails. Some of the particular job scams reported to the ITRC include ones from Indeed, Zip Recruiter, and Facebook. The ITRC has had more than 40 victims reach out about online job scams in the last three months.

Who Is It Targeting

People looking for work amid the COVID-19 pandemic

What Is It

Either a fake listing posted on a job board or a phishing email, robocall, social media message, or text message looking for a response.

What Are They After

While scammers attack in different ways, they are all looking for one thing: personal information. They hope they can trick people who are desperate or vulnerable into giving up sensitive data like usernames and passwords, financial data, or Social Security numbers. Once scammers have that information, they can commit many different forms of identity theft.

How You Can Avoid It

  • Never click on a link or open an attachment from an email you are not expecting. Instead, go directly to the source to verify the validity of the message.
  • Review all emails and websites carefully to make sure there are no suspicious addresses, subject lines or URLs.
  • Be careful about how much personal data you share, at least during the application process. Do not turn over information like your Social Security number until you are hired.
  • Make sure you have the job, and it is legitimate, before giving away financial information like a bank account number or routing number for direct depositing of paychecks.

If you think you may have fallen victim to an online job scam, you can call the ITRC toll-free at 888.400.5530. You can also live-chat with an expert advisor on the company website.