I was supposed to publish a blog today that discusses our recent report, Operation Emmental, which disclosed details about a cybercrime organization that put together an elaborate online banking theft operation whereby they socially engineered the victims using DNS Changers, phishing sites, and mobile apps to obtain 2-factor authentication codes. This report highlights the needs for individuals to be vigilant with their financial accounts, especially online.
This brings me to the main topic I want to share today. Recently, my wife’s PayPal account ended up being compromised. The thieves were able to get access to her account even though she had a good password with caps, numbers, and symbols associated with it. Once they had access, the criminals kicked off a series of transactions which consisted of more than 70 purchases of $100 gift certificates. This occurred within a 1 hour timeframe. Not very subtle by the criminals, and they also started purchasing Starbucks gift cards too from that account as well. The Starbucks account used a different password from the PayPal one.
The good news was my wife had set up her PayPal account to email her whenever a transaction occurred, so she was able to identify very quickly that something was amiss. Contacting PayPal, we were able to stop those transactions from occurring, and cancelling the credit card tied to the account, any other transaction would be stopped. My wife then persisted in changing all of her online accounts passwords, just to be safe, which was many as most of you probably have experienced too. She also opened a fraud case with IC3 (Internet Crime Complaint Center) who we hope are looking into the criminals behind the attack.
All of this was rather stressful for us as we were not sure which other accounts they may have compromised, but the swift action on her part I believe we were able to stop these criminals from getting any money from this attack. This is great, but I can’t help think how many others they do, since IC3’s email response from her case submission stated, “This is the only reply you will receive from the IC3. Because we receive thousands of complaints per week, we cannot reply to every complaint received or to every request for updates.” And that is only the complaints actually filed by people, one has to wonder how many don’t get submitted probably due to most people not even knowing how to file one or that they can file one.
I’d like to share a few things you can do to help mitigate these types of incidents from occurring to you.
We’ve seen over the years that cyber criminals will do whatever they can to steal your money, but if you take some precautions and set up your accounts properly, you can prevent these criminals from getting money from you.
I’d love to hear your feedback on any other practices you’ve implemented to help deter cybercriminals through your comments to this article. Please add your thoughts in the comments below or follow me on Twitter; @jonlclay.