In a recent Solutions Engineering blog, I walked readers through the different types of e-Commerce fraud prevalent today. Now I’d like to delve into the methods utilized by fraudsters to carry out these deceptions. Knowledge is power, and the more we know about each of these techniques, the more we can take action to minimize their occurrence.
One thing I’ve learned is that acquiring an individual’s personal information and credentials doesn’t always demand extensive expertise. I’ve found it helpful to categorize these attacks into two levels of complexity: sophisticated and unsophisticated attacks.
Sophisticated attacks
Sophisticated attacks require a high level of expertise and knowledge for execution. They are orchestrated by hackers skilled in coding, deployment, and evading detection. While some bad actors directly exploit acquired data, many act as intermediaries. Among the methods of impersonating trustworthy sources, phishing stands out as a dominant approach used to obtain valuable data, as discussed in my last blog. Here are some other commonly used techniques:
Data breach
In this scenario, hackers meticulously select a target company, assessing user profiles, potential data, assets, and security systems. They then pinpoint the data’s location and devise a strategy to access it. Familiar with the company’s organizational structure, they employ social engineering tactics to extract specific employee credentials. Platforms like LinkedIn might be exploited to impersonate HR or management personnel, coaxing workers into clicking malicious links or divulging login details. Multiple phishing attempts may be made until the necessary login information is acquired to breach file servers.
After obtaining the data, the hacker’s objective shifts to monetization. In breaches affecting millions of users, the sheer volume makes it unfeasible for the hacker to utilize all the data personally within the necessary timeframe. This is one of the reasons why stolen credit card data (and other personal data) is often bundled and available on the dark web.
Formjacking
In this scenario, rather than attempting to break into the server as in a data breach, hackers target the transaction process itself, seizing customer credentials during submissions such as sign-ups, logins, or transactions. They achieve this by injecting a malicious script into the webpage’s JavaScript, allowing the script to clandestinely copy the credentials as customers enter them.
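A defender's view of the script injection described above, as an added example that is not part of the original blog: it inventories the scripts on a checkout page and reports any that differ from a reviewed baseline. The host names, the `audit` helper, and the sample page are constructed assumptions for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptInventory(HTMLParser):
    """Collect external script URLs and SHA-256 digests of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            if a.get("src"):
                # Records only whether an integrity attribute is present.
                self.external.append((a["src"], bool(a.get("integrity"))))
            else:
                self._buf = []          # start capturing an inline body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            body = "".join(self._buf).strip().encode()
            self.inline.append(hashlib.sha256(body).hexdigest())
            self._buf = None

def audit(html, allowed_hosts, known_inline):
    """Return (kind, detail) findings for scripts that differ from the baseline."""
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src, pinned in inv.external:
        host = urlparse(src).hostname   # None means a same-origin relative URL
        if host is not None and host not in allowed_hosts:
            findings.append(("unexpected-host", src))
        elif host is not None and not pinned:
            findings.append(("no-integrity", src))
    findings += [("unknown-inline", d[:12]) for d in inv.inline if d not in known_inline]
    return findings

# Constructed sample: a reviewed checkout page plus two scripts added afterwards.
GOOD_INLINE = "initCheckout();"
KNOWN = {hashlib.sha256(GOOD_INLINE.encode()).hexdigest()}
PAGE = f"""<script src="https://cdn.shop.example/checkout.js" integrity="sha384-CONSTRUCTED"></script>
<script>{GOOD_INLINE}</script>
<script src="https://stats-cdn.example.net/t.js"></script>
<script>/* constructed: inline script not in the baseline */ track();</script>"""
```

Calling `audit(PAGE, {"cdn.shop.example"}, KNOWN)` reports the script from the unlisted host and the inline script whose digest is not in the baseline.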
Man-in-the-middle
This method bears similarities to formjacking but carries a notable difference. Instead of embedding malware, attackers create a fake page closely resembling the legitimate one. Unwary users are directed to this counterfeit page, resulting in the theft of their credentials during form submission. Although secure sockets layer (SSL) connections typically prevent such attacks, fraudsters incessantly seek ways to bypass these security protocols.
Public Wi-Fi networks
Connecting to unsecured public Wi-Fi networks carries certain risks. While convenient, using Wi-Fi in places like airports or hotels demands caution to avoid exposing sensitive information. Hackers may exploit labels like “Free Public Wi-Fi” to deceive nearby users, capturing personal details on laptops or smartphones.
Unsophisticated attacks
Not all cyberattacks require advanced hacking techniques. Certain “tools” are available for purchase online, while some information can also be physically obtained from discarded items (such as bank statements or utility bills) or USB drives. This information can suffice to create a synthetic online identity by combining data from multiple sources. Alternatively, it can serve as a significant starting point in the pursuit of specific credentials, for instance, through phone phishing or impersonation of a bank employee.
Fraudsters employ diverse methods, including stealing physical point-of-sale (POS) terminals containing credit card information. They might disguise themselves as repair personnel to easily walk away with these terminals and their associated data.
Another tactic involves discreetly attaching credit card skimming devices to legitimate card readers, secretly collecting credit or debit card information. These skimmers, often equipped with Bluetooth functionality, can be purchased online and strategically placed at card-swiping points like ATMs, gas pumps, and grocery stores. The stolen data from these devices is then exploited for fraudulent transactions.