This week a toy retailer found evidence of rewards scamming, and the government discovered that password re-use is just a hop, skip, and a jump away from a major breach. With Valentine’s Day around the corner, some people are discovering a catfish instead of their future Romeo.
“R” You Scamming Me?
Toys “R” Us notified members of their Rewards “R” Us program when they discovered evidence of someone attempting to access user accounts without authorization. In an official statement, the company stated the incident appears to be related to an earlier online breach not associated with Toys “R” Us – that is, credentials leaked from a separate breach entirely.
From airlines to hotels to retailers, rewards scams can impact any business. Cyber criminals aim to get as much value from a set of credentials as possible, including the financial benefits tied up in rewards accounts. These rewards can often be turned into store credit, which is all the more easily laundered into cold hard cash.
Another vBulletin Bites The Dust
More than 700,000 records from PoliceOne.com forum members are being sold on the dark web for the low, low price of $400. The database, which was originally stolen from the law enforcement news site in 2015, includes usernames, email addresses, dates of birth, hashed passwords, and other identifying data collected by the site.
The attacker claims to have used a known SQL exploit against PoliceOne, which was reportedly running the infamously buggy vBulletin forum software. The site quickly pulled its forums offline after being notified of the breach.
The listing’s description notes that the 290MB of data contains “emails from NSA, DHS, FBI and other law enforcement agencies as well as other US government agencies,” which is particularly troubling.
Password re-use is ubiquitous, and trying re-used credentials against other systems is a common method of gaining unauthorized access (see the Toys “R” Us issue above). But when those credentials can be used to gain access to law enforcement and government portals, the effects can be far more severe.
One more thing… Romance (Fraud) is in the Air
Don’t get catfished this Valentine’s Day. According to the BBC, online dating scams are at a record high. There were 3889 victims of “romance fraud” last year. The National Fraud Intelligence Bureau reported 3363 cases with losses falling to £25,882,339 in 2015, and a record £39 million in related fraud cases in 2016. Looks like these bachelors and bachelorettes are getting thorns instead of roses.