It’s getting difficult to keep up with the jargon of all of the new digital scams. The first "-as-a-Service" labels became ordinary business terms, such as Software-as-a-Service (SaaS) and Business-Process-as-a-Service (BPaaS). But then the criminal enterprises came up with Malware-as-a-Service (MaaS), Ransomware-as-a-Service (RaaS) and now Crime-as-a-Service (CaaS).
A new Crime-as-a-Service offering is targeting PayPal, Apple, and Amazon accounts. The attack vector is a phishing campaign dubbed 16Shop, which is targeting victims through phishing emails with incentives to click on malicious links and attachments. Old tricks are still working, and the tools are being sold quite successfully on underground forums.
The most recent campaign, alleged to originate in Indonesia, is targeting PayPal customers in order to obtain usernames, passwords, credit card information, and other personal information. This phishing-kit-as-a-service (PkaaS) (I can’t even pronounce that acronym) boasts that it has induced over 23 million individuals to actually click malicious links in emails and provide personal information that can be sold for a profit. One particularly successful scheme tells the victim that their email has been compromised and that they need to change their password for security purposes. Unfortunately, in a real cyber-incident, one of the first things we do is ask users to change their passwords. Criminals leverage this fact, duping users into believing that a false notice to change passwords is real and then stealing the credentials.
Security professionals continue to advocate multi-factor authentication as a critical control against these types of attacks. Employee education is also helpful, so that when employees receive an instruction to change their passwords, they reach out to confirm rather than blindly following it. Employees must understand that they cannot rely solely on digital instructions. Any and all instructions that come via email regarding usernames and passwords must be confirmed face-to-face or verbally with a known source. It is sad, but true. Email communication should be just that—email communication. No personal information, sensitive information, critical business information or information allowing access to systems should ever be provided through email communication. It just can’t be trusted these days.
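The "your account has been compromised, change your password" lure described above has two machine-checkable traits: urgency wording about credentials, and links (or a sender address) that do not belong to the brand the message claims to be from. The following is an added example, not code from the original article or from any vendor, that scores constructed sample emails on exactly those two traits as a first-pass triage filter; the brand-to-domain table, the lure phrases and the three sample messages are all assumptions made here for the demonstration.

```python
"""Triage email messages for credential-reset lures whose links or sender
point away from the brand they impersonate. Added example with constructed
samples; the brand list and phrases are illustrative assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for this demonstration; none is a real email.
SAMPLES = {
    "lookalike_reset": (
        'From: "PayPal Security" <alerts@secure-login.example>\n'
        "Subject: Your account has been compromised\n"
        "\n"
        "Your email has been compromised. Change your password immediately:\n"
        "http://paypal-account-verify.example/login\n"
    ),
    "statement_notice": (
        "From: service@paypal.com\n"
        "Subject: Your monthly statement is ready\n"
        "\n"
        "View it at https://www.paypal.com/myaccount/statements\n"
    ),
    "brand_consistent_reset": (
        "From: no-reply@apple.com\n"
        "Subject: Reset your password\n"
        "\n"
        "You asked us to reset your password. Continue here:\n"
        "https://iforgot.apple.com/password/reset\n"
    ),
}

# Assumed mapping of impersonated brand keyword -> legitimate registrable domain.
BRAND_DOMAINS = {"paypal": "paypal.com", "apple": "apple.com", "amazon": "amazon.com"}

# Assumed urgency/credential phrases typical of the lure the article describes.
LURE_PHRASES = (
    "change your password",
    "reset your password",
    "has been compromised",
    "verify your account",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def link_hosts(text):
    """Return lower-cased hostnames of every http(s) URL found in text."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def within(host, domain):
    """True if host is the brand domain itself or one of its subdomains."""
    return host == domain or host.endswith("." + domain)


def classify(raw):
    """Return a verdict dict: benign / review / suspicious plus the evidence."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    subject = msg.get("Subject", "")
    body = msg.get_payload()  # single-part samples, so this is the text body
    text = f"{subject}\n{body}".lower()

    # Which brand does the message claim? First brand keyword seen wins.
    brand = next((b for b in BRAND_DOMAINS if b in (from_header + text).lower()), None)
    lure = any(phrase in text for phrase in LURE_PHRASES)

    hosts = link_hosts(body)
    off_brand_links = [h for h in hosts if brand and not within(h, BRAND_DOMAINS[brand])]

    _, from_addr = parseaddr(from_header)
    sender_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    sender_off_brand = bool(brand and sender_domain and not within(sender_domain, BRAND_DOMAINS[brand]))

    if lure and (off_brand_links or sender_off_brand):
        verdict = "suspicious"   # reset lure + infrastructure not owned by the brand
    elif lure:
        verdict = "review"       # reset wording, but links and sender match the brand
    else:
        verdict = "benign"
    return {
        "brand": brand,
        "lure": lure,
        "off_brand_links": off_brand_links,
        "sender_off_brand": sender_off_brand,
        "verdict": verdict,
    }


def scan_all(samples=SAMPLES):
    """Classify every sample and return {name: verdict}."""
    return {name: classify(raw)["verdict"] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:24s} {verdict}")
```

The "review" bucket is deliberate: a password-reset message whose links and sender are consistent with the brand is not proof of legitimacy, which is why the article's advice to confirm any credential instruction out of band still applies to it; the filter only separates the cases where the infrastructure itself already gives the lure away.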