Florida man convinces Western Union clerk to insert a thumb drive, steals $32K, does it again, gets caught

Vasile Savu is accused of walking into a Western Union in Hollywood, Florida and asking the clerk to print out his flight itinerary, a pretense he used to get the clerk to insert a thumb-drive loaded with malicious software into the store's computers, which allegedly allowed Savu to steal $32K from the business. Read the rest

Security keys are "transformative" and "revolutionary" for information security

Mark Risher adapts his viral Twitter thread about the security advantages of security keys like the YubiKey and Google's Titan Security Key, and how they are game-changers for information security. Read the rest

Bounty hunters and stalkers are able to track you in realtime by lying to your phone company and pretending to be cops

Early in January, Motherboard's Joseph Cox broke a blockbuster story about how America's mobile carriers sold access to their customers' realtime location data to many shady marketing brokers, who then quietly slipped that data to bounty hunters and other unsavory characters -- a practice that they'd been caught in before and had falsely promised to end. Read the rest

Malware vector: become an admin on dormant, widely-used open source projects

Many open source projects attain a level of "maturity" where no one really needs any new features and there aren't a lot of new bugs being found, and the contributors to these projects dwindle, often to a single maintainer who is generally grateful for developers who take an interest in these older projects and offer to share the choresome, intermittent work of keeping the projects alive. Read the rest

It turns out that halfway clever phishing attacks really, really work

A new phishing attack hops from one Gmail account to the next by searching through compromised users' previous emails for messages with attachments, then replies to them from the compromised account, replacing the link to the attachment with a lookalike that sends you to a fake Google login page (they use some trickery to hide the fake in the location bar); the attackers stand by and if you enter your login/pass, they immediately seize control of your account and attack your friends. Read the rest

Howto social-engineer someone's address and other sensitive info from Amazon

Eric Springer is a former Amazon engineer and a heavy AWS user. He's posted a long, terrifying explanation of how identity thieves have been able to repeatedly extract his personal info from Amazon's customer service reps by following a simple script. Read the rest

Prisoner escapes by faking an email ordering his release

Neil Moore was locked up in England's notorious Wandsworth Prison when he used a smuggled cellphone to send an email to the prison that appeared to come from a court clerk who was ordering his release on parole. Read the rest

Amazon Replacement Order Scam: anatomy of a social engineering con in action

Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.

The scam hinged on the fact that Gmail addresses are "dot-blind" (foo@gmail.com is the same as f.oo@gmail.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.
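The mismatch above is between how Gmail routes mail and how a merchant keys its customer records. A service that wants to catch this should compare addresses by the inbox they actually reach, not by the literal string. The following canonicalizer is an added example written for this post, not code from Chris Cardinal's writeup or from Amazon; the Gmail rules it encodes (dots ignored, `googlemail.com` equivalent to `gmail.com`, `+tag` suffixes ignored) are Gmail's documented behaviour, while the sample account records are constructed for illustration.

```python
# Added example: canonicalize e-mail addresses so that aliases Gmail delivers
# to one inbox compare equal, then find accounts that collide on that key.
# Not from the original post; sample data below is constructed.

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}  # assumption: the only dot-blind domains we handle


def canonical_email(addr: str) -> str:
    """Return a key that is identical for every spelling Gmail routes to the same inbox.

    Gmail ignores dots in the local part, ignores anything after '+', and treats
    googlemail.com as gmail.com. For other domains only case is folded (local-part
    case is technically significant per RFC 5321, but no major provider honours it).
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when two addresses reach the same mailbox under the rules above."""
    return canonical_email(a) == canonical_email(b)


def find_alias_collisions(accounts):
    """Group account records by canonical address.

    Any group with more than one account id is the situation the scam exploits:
    distinct merchant accounts that all land in one real inbox. A support workflow
    should treat every member of such a group as the same customer.
    """
    groups = {}
    for acct in accounts:
        groups.setdefault(canonical_email(acct["email"]), []).append(acct["id"])
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


# Constructed sample records (not real accounts).
SAMPLE_ACCOUNTS = [
    {"id": "A1", "email": "chris@gmail.com"},
    {"id": "A2", "email": "c.h.r.i.s@gmail.com"},      # same inbox as A1
    {"id": "A3", "email": "chris@example.com"},        # different provider, no dot rule
]

if __name__ == "__main__":
    print(canonical_email("F.O.O+amazon@googlemail.com"))  # foo@gmail.com
    print(find_alias_collisions(SAMPLE_ACCOUNTS))           # {'chris@gmail.com': ['A1', 'A2']}
```

The check is cheap and belongs at account creation and at the start of any support interaction: if the address a caller supplies canonicalizes to an existing customer's key, the rep is talking about that customer's account, whatever the dots say.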

Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.

A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.

If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address?

Read the rest