Crime-as-a-Service Targets Popular Platforms

Linn Freedman
Robinson+Cole Data Privacy + Security Insider
Contact
LinkedIn
Facebook
X
Send
Embed

It’s getting difficult to keep up with the jargon of all of the new digital scams. The SaaSes in the beginning became regular business terms, such as Software-as-a-Service (SaaS), and Business Processes-as-a-Service (BPaaS). But then the criminal enterprises came up with Malware-as-a-Service (MaaS), Ransomware-as-a-Service (RaaS) and now Crime-as-a-Service (CaaS).

A new Crime-as-a-Service offering is targeting PayPal, Apple, and Amazon accounts. The attack vector is a phishing campaign dubbed 16Shop, which is targeting victims through phishing emails with incentives to click on malicious links and attachments. Old tricks are still working, and the tools are being sold quite successfully on underground forums.

The most recent campaign, alleged to originate in Indonesia, is targeting PayPal customers in order to obtain usernames, passwords, credit card information, and other personal information. This phishing-kit-as-a-service (PkaaS) (I can’t even pronounce that acronym) boasts that it has induced over 23 million individuals to actually click malicious links in emails and provide personal information that can be sold for a profit. One scheme that is particularly successful is when the victim is told their email has been compromised and that they need to change their password for security purposes. Unfortunately, in a real cyber-incident, one of the first things we do is ask users to change their passwords. Criminals are leveraging this fact, using it to their advantage by duping users into believing that a false notice to change passwords is real and then stealing the credentials.

Security professionals continue to advocate that multi-factor authentication is critical to assist with combating these types of attacks. Employee education is also helpful, so that when employees receive an instruction to change their passwords, they reach out to confirm rather than blindly following blind instructions. Employees must understand that they cannot rely solely on digital instructions. Any and all instructions that come via emails regarding usernames and passwords must be confirmed face-to-face or verbally with a known source. It is sad, but true. Email communication should be just that—email communication. No personal information, sensitive information, critical business information or information allowing access to systems should ever be provided through email communication. It just can’t be trusted these days.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider
Robinson+Cole Data Privacy + Security Insider
Contact
more
less

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide