
How Hackers Target Food Deliveries During the Coronavirus Pandemic


SpyCloud's Austin offices (courtesy images)

Earlier this week, Austin-based cybersecurity startup SpyCloud posted a tweet that showed a behind-the-scenes look at a cybercriminal forum.

In a carefully edited screen grab, SpyCloud's team showed one hacker sharing his or her recipe for cracking consumers' food delivery accounts and redirecting the food to a would-be criminal, who would get the supplies for free during a pandemic in which untold numbers of Americans have limited safe access to food.

The title was clear: "GET FREE FOOD FOR CORONAVIRUS RIGHT NOW LIMITED METHOD"

"Once you got the config, crack few accounts, (for me, i got atleast 100+ accounts in one combo it's easy to find accs)," the poster typed sloppily. "So once you got few accounts, login to XXXX if he still doesn't bought anything, then logout. If he canceled the Sub, re enable it..."

Then, the hacker suggested, get the meals you want, modify the shipping address and have it sent to yourself. "Don't worry there is 0 risk lol," they wrote.

As the global pandemic forces many people to sign up for and rediscover delivery services for food and other supplies, authorities everywhere are warning the public to be vigilant and to avoid emerging scams. On Tuesday, Texas Attorney General Ken Paxton's office said several cyber scams involving false emails or text messages have already been reported.

Austin Inno connected with SpyCloud Senior Security Researcher Dustin Warren to learn more about what's going on behind the scenes and who's really responsible for protecting us from cyber attacks, account takeovers and other web-based scams. Below is our Q&A, conducted over e-mail.

Inno: Do we know if the hacking method spotted last night is legit and would actually work on Austin and/or U.S. based services? Or has it already?

Warren: This method was shared in a criminal community that is popular for cracking software and other fraudulent activity. These methods are ever-changing as companies fight fraud for the services that they offer to their customers.

Methods like this one are relatively popular and common among lower-tier criminals and have been proved to work on a number of different targets in the past. However, we cannot confirm the success of this specific method and target at this time.

Inno: What are the other tactics cybercriminals are using that may be unique to the pandemic disruptions?

Warren: Cybercriminals can take advantage of these kinds of situations and in turn harness the general public’s interest, urgency for information, need for assistance, and desire to help as avenues to attack innocent individuals.

Inno: What can a regular consumer do to help prevent this kind of theft? Or is it really just on businesses to defend?

Warren: Criminals have been profiting off of credential reuse for a long time. We think that it is businesses’ responsibility to try and protect their customers from fraud related to password reuse, as well as work to educate their customers about good security practices -- security is everyone's job. This is a shared responsibility between customers and companies.

Inno: Are relatively big players like Favor, Grubhub, Amazon, etc. protected from these types of hacks – I assume their security is pretty robust? How about smaller startups that may be providing on-demand or online ordering – what might their concerns be?

Warren: All companies and individuals are at risk for account takeover-related fraud, and each company has a different security program. Risk related to ATO changes as criminals change tactics and companies take countermeasures like preventing password re-use among their customers. Smaller startups doing on-demand ordering need to make sure that they are using trusted and certified payment processing vendors, and ensure that they are not reusing credentials in any part of their supply chain. Monitoring for compromised password exposure, as well as following good security hygiene by using generated passwords and MFA on all accounts.

Inno: What are the cyber threats you’re most concerned about during these early days of the pandemic? How about long-term?

Warren: Misinformation campaigns are concerning in the early stages of the pandemic because of the long-term effects they have on people throughout the world; effects including conspiracy theories, spreading panic, and undermining governing bodies.

Fake donation campaigns are a concern throughout all stages of the pandemic.

Inno: How is SpyCloud dealing with these disruptions? I presume distributed teams work fairly well – given SpyCloud has a Michigan office, but curious if there are any insights there… especially considering your new Austin office.

Warren: Fight misinformation by promoting company-wide conversations about related information from legitimate sources.

Ensure our employees are aware of scams, phishing, and fraudulent campaigns and provide means by which to ask questions and converse about real-world examples we may come across.

Keep up-to-date on related news and on application updates.

We have a strong local presence in Austin but have distributed teams throughout the world. We keep in touch through video calls (Zoom) and encrypted chat. We have a COVID-related channel where we share news and scams, check in on each other, etc. Team leaders are doing more frequent stand ups and team meetings, and making time for quick catch ups throughout the day via video.

This situation has made us all grateful for the time we had in our new office to bond and develop more cross-functional relationships that we’re now leveraging more than ever during these challenging times. An example is marketing collaborating with our Applied Research team to get news out to the public about COVID-related scams, and how bad actors are looking for new and different ways to take over accounts and perpetrate fraud.

See more about SpyCloud's analysis of COVID-19-related scams here.

