Cyber ​​Security Today – Friday, July 15, 2022 Quickbooks, credit cards and new data scams

Cyber ​​crooks use the KISS method – Keep it Simple… Quickbooks, Credit Cards and your supposedly anonymized data – things we think we know and trust are used in scams that not only evade technical detection and are so simple in concept that almost anyone could be fooled.

I’m Jim Love, CIO of ITWC, publishers of IT World Canada and TechNewsDay in the US, replacing Howard Solomon on vacation.

QuickBooks is the accounting software that is a boon for small and even medium-sized businesses. It’s reasonably priced, accessible to any business, and can automate many tasks, from bookkeeping and accounting to time tracking and invoicing.

Among its productivity benefits, the software has the ability to send invoices and even enable phone follow-up. It’s this ability that hackers have turned into a surprisingly low-tech phone scam.

As software and automated defenses have become more and more sophisticated in anti-phishing defenses: proven phone fraud is becoming more and more attractive and it even has its own name – vishing, short for voice phishing.

The attackers just need a phone number which they call the unsuspecting mark. When they do, an agent will try to extract valuable information from them.

These attacks were very effective in evading detection because they were identical to non-fraudulent QuickBooks notifications,

What makes it even easier is that QuickBooks offers free trials for 30 days. Scammers create free accounts and send fraudulent invoices from QuickBooks and generate phone calls.

Inky reports that they impersonated a number of well-known brands:

Attackers call a legitimate customer telling who is presented with an invoice or order confirmation that their credit card has already been charged. They are asked if they wish to contest the charge. If so, they should contact the phone number provided in the email.

Once a victim calls, a scammer will try to get information (login credentials, credit card information, other personally identifiable information) or send them to a form on a site that will look genuine, but exists to steal information.

Credit card fraud is not normally considered high tech, but it is widespread and profitable. According to 2022 Automated Fraud Benchmark Reportsince Perimiterx, carding attacks have increased by 111.6% YoY and are expected to cost enterprises dearly $130 billion by 2023.

If you steal a credit card number or buy a stolen number, the first thing to do is to determine if it still works without setting off an alarm. Once you’ve verified that it hasn’t been reported as compromised, you can head to town.

Automatic card attacks have a similar pattern: bots are used to attempt small purchases with stolen credit, debit and gift card data. If the transaction is successful, the fraudster knows that the card is valid. Valid cards can be used to make larger purchases of goods or gift cards, or resold on the dark web for a much higher value.

But even a small purchase can alert the cardholder or trigger real-time alerts on their credit card. Perimiterx Reports that cybercriminals have developed a “silent validation” that can validate the card without making a purchase. They operate a function that checks the validity of a card when it tries to memorize the means of payment. This feature, designed to weed out our fraudulent cards, actually makes it easier for fraudsters to assess their stolen card data.

Consumers are incredibly schizophrenic when it comes to their data. On the one hand, there is a growing desire for privacy and protection of their personal information. On the other hand, many people willingly give their data in exchange for services – like – tell me the fastest way home through traffic. What they don’t want is to release highly sensitive data.

But the reality is that there are a growing number of “dark ad tech and data brokers” who harvest huge amounts of personal data, then process and sell that data.

There are several ways to collect this data. Mobile apps are among the biggest offenders, and many sell that data. Software Development Kits (SDKs) have built-in functions that collect data from a number of sources and then sell access to ii.

The state of the art in data privacy protection has always been to “anonymize” information. Anonymization refers to the practice protect private or sensitive information by removing identifiers such as names, social security numbers, and addresses that link an individual to stored data. It’s a good idea, but it was Many times established that anonymized data can often be re-identified by combining multiple data sets.
A 2016 study found that four randomly selected apps can be used to re-identify a user more than 95% of the time.

The U.S. Federal Trade Commission (FTC) warned this week that it will crack down on tech companies’ illegal use and sharing of highly sensitive data and false claims about data anonymization.

Until that crackdown happens, many security professionals suggest that you look very carefully at any app that asks to collect data it doesn’t need. Suppose anything an app should give you is the equivalent of a US Miranda warning – anything you do or say can be used against you.

And a breakup story sent to us just as we went on air:

Patches were released this year to close a critical hole in Apache’s Log4j2 logging framework. But one report This week, the US Cyber ​​Safety Review Board said IT managers should be prepared to deal with Log4j vulnerabilities for years to come. That’s because Log4j is open-source software that developers have integrated into millions of systems, the report says. It also says there have been no significant attacks on critical infrastructure due to the vulnerability so far. But due to the widespread use of the utility, vulnerable instances may remain in computer systems for another 10 years. The discovery of the vulnerability shows security risks in what it says is the “resource-limited, volunteer-based open source community. To reduce the chances of creating bugs like this government, software vendors and developers should create centralized resources and security support structures to help the open source community, the report says. This includes adding a software BOM in each application.

It’s cybersecurity today for Friday, July 15, 2022.

Follow Cyber ​​Security Today wherever you get your podcasts – Apple, Google or other sources. You can also have it delivered to you via your Google or Alexa smart speaker.

I’m Jim Love, IT Director of ITWC, Publisher of IT World Canada and creator of the ITWC Podcast Network. I’m also the host of Hashtag Trending, the weekend edition where I do an in-depth interview on topics related to information technology, security, data analytics and a host of other subjects. If you have a bit more time after listening to Howard’s weekend interview, head over to podcasts or wherever you get your podcasts.

Thanks for letting me into your day.

Howard will be back this weekend.

About Donald J. Beadle

Check Also

Hangzhou hosts cybersecurity forum ahead of Asian Games

You viewed more than 50 articles in the last 12 months. Keep Olympic News Free …