This Week: Scams "R" Us and Police Database Mischief

When all of your friends have store credit except you.
February 10, 2017

The Terbium Analyst Team is on the front line of combating dark web myths and legends. Whether it's a threat report, white paper, or blog post, the Analyst Team's job is to know things and speak intelligently about them. Other interests include weightlifting, chocolate, and accumulating obscure dark web trivia to amuse and confuse our co-workers.

This week a toy retailer found evidence of rewards scamming, and the government discovered that password re-use is just a hop, skip, and a jump away from a major breach. With Valentine’s Day around the corner, some people are discovering a catfish instead of their future Romeo.

“R” You Scamming Me?

Toys “R” Us notified members of their Rewards “R” Us program when they discovered evidence of someone attempting to access user accounts without authorization. In an official statement, the company stated the incident appears to be related to an earlier online breach not associated with Toys “R” Us – that is, credentials leaked from a separate breach entirely.

From airlines to hotels to retailers, rewards scams can impact any business with a rewards program. Cyber criminals aim to get as much value from a set of credentials as possible, including the financial benefits tied up in rewards programs. These rewards can often be turned into store credit, which is all the more easily laundered into cold hard cash.

Another vBulletin Bites The Dust

More than 700,000 records belonging to members of the PoliceOne forum are being sold on the dark web for the low, low price of $400. The database, which was originally stolen from the law enforcement news site in 2015, includes usernames, email addresses, dates of birth, hashed passwords, and other identifying data collected by the site.

The attacker claims to have used a known SQL exploit against PoliceOne, which was reportedly running the infamously buggy vBulletin forum software. The site quickly pulled its forums offline after being notified of the breach.

The listing’s description notes that the 290MB of data contains “emails from NSA, DHS, FBI and other law enforcement agencies as well as other US government agencies,” which is particularly troubling.

Password re-use is ubiquitous, and exploiting it is a common method of gaining unauthorized access to other systems (see the Toys “R” Us issue above). But when those credentials can be used to gain access to law enforcement and government portals, the effects can be far more severe.

One more thing… Romance (Fraud) is in the Air

Don’t get catfished this Valentine’s Day. According to the BBC, online dating scams are at a record high. There were 3889 victims of “romance fraud” last year. The National Fraud Intelligence Bureau reported 3363 cases with losses falling to £25,882,339 in 2015, and a record £39 million in related fraud cases in 2016. Looks like these bachelors and bachelorettes are getting thorns instead of roses.
