Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Account Takeover. Show all posts
Phishing Attacks
Account Takeover AI Powered Scams Amazon Scam Alert Consumer Data Protection Cyber Security Cyberthreats Fake Retail Websites Holiday Fraud Risks Online Shopping Safety Phishing Attacks

Amazon Sounds Alarm Over Attack Threatening 300 Million Accounts

 


In the face of looming Black Friday 2025 frenzy, Amazon has unveiled a warning to its large customer base that is expected to overlap the holiday season's busiest shopping week. The warning warns of a surge in sophisticated scams expected to shadow the holiday season's busiest shopping week. On November 24, the company emailed a security advisory to millions of users, one that Forbes first reported on, warning that cybercriminals are increasingly exploiting the seasonal spike in online purchases by impersonating individuals, using fraudulent advertising, and sending unsolicited messages to elicit personal and financial information from them. 

There are approximately 310 million active customers on Amazon, making the retailer a high-value target for attackers looking for easy money during the holiday season, so they outlined five prominent tactics currently used to deceive shoppers, including the use of fake account verification emails and unsolicited phone calls to deceive shoppers. 

As Consumer Protection experts, we agree with these concerns; Mr. Mike Andrews, a representative from National Trading Standards, told Metro that scammers have an advantage over consumers when it comes to the weeks leading up to Christmas, knowing that even a small fraction of successful attempts during peak retail activities can yield significant returns. 

In a new study published in the journal Cybercrime: Science and Technology, a cybercriminal network has stepped up their impersonation campaigns against global companies such as Netflix, PayPal, and many more, with the use of browser-based notification traps and criminal infrastructures, as well as a variety of other methods for deceiving large numbers of users. 

Amidst this background, Amazon’s advisory dated November 24 details how similar tactics have now been employed against Amazon’s own customers, as scammers are attempting to coerce victims into providing them with personal data, financial credentials, and Amazon login information in exchange for money. The fact that such scams aren't new, but they have become more refined and adaptive as they cycle through techniques such as credential-stuffing attacks and malware-assisted account takeovers. 

Fraudsters often carry out such operations by posing as customer service personnel or technical support personnel - a similar tactic that the FBI has also warned about in parallel alerts concerning bank-related scams. The underlying mechanics of the deception are essentially the same: attackers send persuasive text messages, emails, or phone calls that push customers to verify activity, or to resolve a supposed issue, resulting in password disclosures or multifactor authentication codes. 

A fraudster will immediately reset all of the security settings within an account once he has gained access. He will lock out legitimate users' accounts as soon as he gets access. A recent study by the FBI reveals that there have been an increase in lookalike websites and bogus alerts mimicking delivery updates and promotional offers, as well as misleading third-party advertisements and unsolicited calls masquerading as Amazon support. 

These methods are closely related to the patterns outlined in recent FBI investigations. According to FortiGuard Labs, new findings published on November 25 further emphasize the urgency of Amazon's warning. These findings indicate a sharp increase in threats specifically designed for the holiday season, which has already been identified by the researchers. 

Over 18,000 domains were recently registered that included the terms "Black Friday," "Christmas," and "Flash Sale," with over 750 of those domains already confirmed to be malicious. In addition, nearly 3,000 of the 19,000 domains that were designed to mimic major retailers, including Amazon, were verified by the report as fraudulent, of which nearly half were identified as frauds. Decoy sites are often created with subtle spelling variations and visual similarities, which can be easily overlooked by shoppers who are rushing through deals while focusing on them. 

Among the cyber security experts who warn that the threat landscape is changing at a rapid rate, experts like Anne Cutler of Keeper Security point out that many of the latest scams are driven by artificial intelligence. By doing so, attackers are able to generate convincing order confirmations, spoofed customer service conversations, and highly realistic retailer websites with the aid of artificial intelligence. 

A response to these escalating risks has been the adoption by Amazon of stricter digital hygiene guidelines. Amazon has requested that customers rely solely on the Amazon app or website to manage their accounts, enable two-factor authentication or use passkeys to protect their login credentials, and remember that Amazon never solicits your payment or credential information via unsolicited phone calls or email. 

There is no doubt that the retailer stressed the importance of these safeguards as cybercriminals intensify their efforts before the busiest shopping season of the year. In the end, Amazon shoppers should also keep in mind that security experts warn that the threat goes well beyond phishing attacks and fraudulent domains; it is also possible to face threats within the broader online marketplace. 

A researcher, Mike Andrews, explains that artificial intelligence has made it significantly easier for scammers to manipulate product credibility by creating a large volume of convincing fake reviews on popular platforms like Google, Trustpilot, and Amazon in order to create fake reviews for their products. A growing number of bots are capable of flooding product pages with glowing testimonials, making it more difficult for customers to distinguish genuinely well-rated products from items that have been artificially boosted to mask inferior and even dangerous products. 

In addition, Andrews explains that despite the difficulty of quantifying the amount of online reviews that may be misleading, consumers should not rely on them blindly when making purchase decisions. If a high number of reviews appears within a very short period of time, overly vague praise without mentioning product features, or suspiciously generic comments are noticed, it may be a sign that the product is not as good as it sounds. 

It is possible to gain additional perspective using services like TheReviewIndex and RateBud that analyze review authenticity. Such manipulations of customer reviews vary in their goals. However, they are often aimed at convincing shoppers to make a purchase for substandard items or to purchase products that may never arrive in their hands. 

There is also an aggressive scam that seeks personal information, financial information, or Amazon login credentials through fake messages, advertisements, or phone calls. Moreover, Andrews warns that social media advertisers are becoming increasingly sophisticated when it comes to deceptive advertising, with artificial intelligence (AI) often generating storefronts that mimic small businesses or festive markets using fake images and videos. 

Even though these sites sound quite convincing, they often deliver nothing more than cheaply produced goods shipped from overseas, leaving customers disappointed and out of pocket. A surge in seasonal scams, on the other hand, illustrates the importance of taking an active role in one's online security as a shopper. Analysts believe that even simple habits, such as verifying sender addresses, checking URLs, updating passwords, and enabling multi-factor authentication, are enough to prevent the vast majority of attempts to penetrate an online network. 

The consumer is also encouraged to inform Amazon and the relevant authorities of suspicious pages or messages, so that they can be dismantled before they spread. Even though cybercriminals are developing their tactics with artificial intelligence (AI) and precision, the best way to stop them is to have an informed public that shop deliberately, questions what might be unexpected, and prioritizes safety over urgency.
Read more »
multifactor authentication
Account Takeover Atlantis AIO Credential Stuffing Cyber Crime multifactor authentication

Malicious Actors Employ Atlantis AIO to Target 140+ Platforms

 

A new cybercrime platform dubbed 'Atlantis AIO' provides automatic credential stuffing against 140 internet platforms, including email, e-commerce, banking, and VPNs. Atlantis AIO includes pre-configured modules for performing brute force assaults, bypassing CAPTCHAs, automating account recovery operations, and monetising stolen credentials/accounts. 

Credential stuffing and automation 

Credential stuffing is a type of cyberattack in which attackers utilise a list of credentials (usernames and passwords) stolen or acquired via leaked data breaches to gain access to accounts on sites.

If the credentials match and the account is not safeguarded by multi-factor authentication, they can take over the account, shut out the legitimate owner, and then abuse or resell it to others. This type of attack is common and ubiquitous, with major credential-stuffing attacks happening every day. 

Over time, these attacks have had an impact on businesses and services such as Okta, Roku, Chick-fil-A, Hot Topic, PayPal, PetSmart, and 23andMe. Credential stuffing assaults are regularly carried out by malicious actors using free tools such as Open Bullet 2 and SilverBullet, as well as prepackaged "configs" available on cybercrime forums. 

Credential stuffing as a service 

Atlantis AIO is a new Credential Stuffing as a Service (CSaaS) platform that enables attackers to pay for a membership and automate such operations

Abnormal Security identified the cybercrime service Atlantis AIO, which says that it can target over 140 online services globally. Hotmail, AOL, Mail.ru, Mail.com, Gmx, Wingstop, Buffalo Wild Wings, and Safeway are among the services being targeted. Atlantis AIO is a modular tool that allows cybercriminals to launch targeted assaults. Its three major modules are: 

  • Email account testing: Automates brute-force and takeover efforts on popular email services such as Hotmail, Yahoo, and Mail.com, allowing cybercriminals to take control of accounts and access inboxes for phishing or data theft. 
  • Brute force assaults: Rapidly cycles through common or weak passwords on targeted platforms in order to breach accounts with poor password management. 
  • Account recovery: Account recovery processes are exploited (for example, on eBay and Yahoo), CAPTCHAs are bypassed, and takeovers are automated using programs such as "Auto-Doxer Recovery" for faster and more efficient credential exploitation.

When cybercriminals gain access to accounts, they frequently sell them in bulk, posting hundreds or even thousands of compromised accounts for sale on underground forums. Other threat actors set up stores to sell stolen accounts for as little as $0.50 per account. 

Prevention tips 

You can prevent credential stuffing attacks by using multi-factor authentication and strong, one-of-a-kind passwords on all websites where you have accounts. Even if credentials are compromised, threat actors will be unable to log in without also acquiring the MFA information, which is why multi-factor authentication is so important. 

If online services notify you of odd logins from odd places or unexpected emails requesting a password reset, you should look into if your credentials were compromised right away. Websites can help prevent these attacks by introducing rate limitation and IP throttling, utilising complex CAPTCHA puzzles, and monitoring for unusual behaviour patterns.
Read more »
Vulnerabilities and Exploits
Account security Account Takeover BreachForums Dark Web Data Safety GitHub NPM Vulnerabilities and Exploits

Critical npm Account Takeover Vulnerability Sold on Dark Web

 

A cybercriminal known as Alderson1337 has emerged on BreachForums, offering a critical exploit targeting npm accounts. This vulnerability poses a significant threat to npm, a crucial package manager for JavaScript managed by npm, Inc., a subsidiary of GitHub. Alderson1337 claims this exploit can enable attackers to hijack npm accounts linked to specific employees within organizations. 

The method involves embedding undetectable backdoors into npm packages used by these employees, potentially compromising numerous devices upon updates. This exploit could have widespread implications for organizational security. Instead of sharing a proof of concept (PoC) publicly, Alderson1337 has invited interested buyers to contact him privately, aiming to maintain the exploit’s confidentiality and exclusivity. If executed successfully, this npm exploit could inject backdoors into npm packages, leading to extensive device compromise. 

However, npm has not yet issued an official statement, leaving the claims unverified. The incident primarily impacts npm Inc., with npmjs.com being the related website. While the potential repercussions are global, the specific industry impact remains undefined. Account takeover (ATO) vulnerabilities represent severe risks where cybercriminals gain unauthorized access to online accounts by exploiting stolen credentials. These credentials are often obtained through social engineering, data breaches, or phishing attacks. 

Once acquired, attackers use automated bots to test these credentials across various platforms, including travel, retail, finance, eCommerce, and social media sites. Users’ reluctance to update passwords and reusing them across different platforms increase the risk of credential stuffing and brute force attacks. Such practices allow attackers to access accounts, potentially leading to identity theft, financial fraud, or misuse of personal information. To mitigate ATO attack risks, experts recommend adopting strong password management practices, including using unique, complex passwords for each account and enabling two-factor authentication (2FA) wherever possible. Regular monitoring for unauthorized account activities and promptly responding to suspicious login attempts are also crucial for maintaining account security. 

While Alderson1337’s claims await verification, this incident underscores the ongoing challenges posed by account takeover vulnerabilities in today’s interconnected digital landscape. Vigilance and collaboration across the cybersecurity community are essential to mitigating these threats and preserving the integrity of online platforms and services.
Read more »
User Privacy
Account Takeover Data Safety Mobile Security Social Media User Privacy

Security Experts Warn Social Media Users of Account Takeover

 

Anyone with a social media account has been warned that criminals are increasingly targeting common people and taking over their profiles. According to Action Fraud, the national fraud and cybercrime reporting service, there were 18,011 reports of social media and email hacking between August 2022 and July 2023.

In addition to stealing critical personal data from victims, fraudsters are also using the accounts for fraud - for example, there have been a dozen reports in the last two months regarding hacked social media accounts being used to promote fake Taylor Swift tickets. 

If the tickets appear to be sold by someone with a large number of friends on their profile and posts going back a long way, officials said, people are less likely to suspect it's a scam. Out of the 18,000 reports, 4,092 people reported they had been the victim of financial extortion or that fraud against the public had been committed using their accounts. 

There were two main categories of account takeovers in 49% of cases that Action Fraud received reports of: 

On-platform takeovers 

These take place entirely on the platform, via the messaging feature of the service. The suspect will dupe the victim into sharing or changing critical account information. This is primarily accomplished by the suspect already having access to one of the victims' friends' accounts. The fraudster will then message the victim, posing as a friend. 

The victim will think they are speaking with their friend and won't realise their friend's account has been hacked. After that, the criminal will ask the new victim to do something, like help "securing" their account, cast a vote in a competition, or possibly even extend a financial offer. 

Email hacking and phishing 

These types of account hacks frequently occur when victims unwittingly divulge their login information to fake websites after clicking on a link in an email they thought was legitimate. Once a fraudster has gained access to a victim's email account, they can use it to reset the password of any social media accounts linked to that email address. 

The scammer can easily access the email as a result of weak account security, such as a lack of 2-step verification, weak and re-used passwords, a leak of the victim's email on the dark web, or the actual expiration and purchase of the victim's custom web domain. 

"Social media applications are, without a doubt, the most widely used in the world, which presents a huge opportunity for criminals," stated Pauline Smith, Head of Action Fraud. Scammers have a large pool of potential victims to choose from because millions of people use social media and other apps on a daily basis. They frequently attempt to access people's online profiles in order to defraud others.

“Keep your accounts secure and set up 2-step verification. Under no circumstances should you ever share your 2-step verification codes with anyone, and if you think something doesn’t seem right, report the message and block the sender within the app itself. To make your accounts even more secure, and to provide an extra layer of protection, we would recommend that your email and social media passwords should be strong and different to all your other passwords,” Smith added.
Read more »
User Security
Account Takeover Cyber Security Security Researchers User Data User Security

Zenly Addressed the Risks of User Data Exposure and Account Takeover

 

Zenly, a social app from Snap that allows users to monitor the positions of friends and family on a live map, has two flaws that potentially imperil people being tracked. The issues are a user-data disclosure vulnerability and an account-takeover vulnerability, according to the Checkmarx Security Research Team.   

Zenly is a real-time location sharing software created in 2015 by Alexis Bonillo and Antoine Martin in Paris, France. Zenly's primary role is to share and monitor locations with friends. The software may communicate not only your current position, but also your mobile direction and speed. Zenly employs dependable, effective, and precise positioning technology to pinpoint the precise location of friends or family members. 

According to Checkmarx, the vulnerability exploits the "Add by Username" procedure, which begins by searching for a known username. Then, to view requests that occur during the username search, "an environment that permits intercepting and decoding network requests to get visibility into network activities" can be employed. 

“By observing the response of the request that was executed on the /UserPublicFriends endpoint, a list of friends can be seen, although it is not displayed on the user interface of the application,” according to the analysis. “This list contains every friend of the user, one of them is Bogus_CEO (bogus CEO of Zenly, for demonstration purposes). Note that the response also contains their username, which could in turn be used to repeat this process and obtain their friends list instead.” 

According to the researchers, after the target username has been found, the same interceptor may be used to retrieve the associated phone number via a view named "Add by Username," then clicking the "Add as Friend" button.

This vulnerability's mitigation strategy can be divided into two phases. The most serious consequences are from gaining access to a user's Personally Identifiable Information (PII) without their permission. This could be avoided by eliminating the target phone number field from the reply sent when a friend request is created. The second step in this mitigation recommendation is to effectively limit or shape the data supplied by the /UserPublicFriends endpoint when a username search is performed, rather than returning an entire list of the friends' usernames. 

According to Checkmarx, the second bug appears in the user-authentication flow. This authentication uses SMS messages carrying verification numbers to validate sessions. After sending the SMS message to the user, the app uses the session token and the SMS verification code to access the /SessionVerify endpoint. 

Both vulnerabilities have been fixed, and users should update their apps to the most recent version to avoid compromise, according to the company.
Read more »
User Data
Account Takeover API Cyber Security Cybersecurity User Data

The Cat and Mouse Chase of Account Takeovers

Cequence Security Threat Research Team analyzed more than 21 billion applications transactions between June and December of 2021, API-based account registration and login transactions raised by 92 percent and around 850 million. It highlights the fact that hackers cherish APIs as developers do. The same database that shows account takeover (ATO) attacks on login APIs grew by 62 percent. An ATO causes an end-user to panic, with getting messages like “you have received a password reset notification from your favorite retailer/social media/financial institution because your account has been compromised.” 

If you are ever hit by an ATO, you will probably not want to conduct business with the organization that is associated with the account. This affects businesses by causing them to lose valuable customers and also hits the profit bottom lines due to loss in sales, brand damage, and infrastructure cost overruns. ATO techniques have evolved over credential stuffing, which is a high-volume, generally used technique. ATO now includes slow and low attacks having specific usernames and passwords. It follows a pattern, for instance, attacks on organizations and employees having some social presence (recommendations, reviews, etc.). 

For these people, ATOs have become a constant problem, the goal here is not to steal sensitive information, but to use these hijacked accounts for amplifying negative or positive information. The patterns observed in these attacks have been seen earlier in varying forms in different customer environments. Bots go silent for a while but return to cause more damage. Noticing these bot behaviors suggested that botters work together by sharing ideas, studying unsafe vectors (deprecated APIs), to prepare for the next attack. 

A robust defense system will require continuous monitoring, reviewing of all endpoints- mobile and Web API, cooperation between safety and peers. "ATO is a problem that more and more organizations are facing as threat actors want to steal gift cards, access one-click purchasing, and dominate hype-sales to buy and resell the inventory. As we have seen through this analysis, the pace and vigor are on the rise. All organizations that have an authenticated application should consider monitoring for ATO, and build mitigations to ensure their customer satisfaction remains high," writes Jason Kent for Threat Post.
Read more »
Subscribe to: Comments (Atom)