Security researchers discovered a paid Facebook post that posed as the Isracard credit card company. It promised security, but actually sought to obtain people’s credit card information
“To ensure that your card isn’t stolen, please provide its number, your secret code and the three digits on the back of the card.” If this sentence makes you burst out laughing, you’re in great shape. You understand that there are two possibilities here – either it’s a joke, or it’s a particularly brazen fraud.
The problem is that many people are likely to fall into this trap. And before you start looking down on them, perhaps you should think about the traps into which you’ve fallen. You may well discover that they’re not a great deal more sophisticated.
An attack exactly like the one described in the first sentence took place on Facebook on last week. The attacker launched a paid campaign aimed at all Hebrew-speaking Israelis active on the social media site. The campaign was launched via a Facebook page that was labeled in way that made it look as if it belonged to the credit card company Isracard. It wasn’t, of course, but it provides a great lesson on how such scams work and how simple they really are.
Here’s how it worked: Anyone who entered the campaign page – which was apparently funded by a fake credit card – arrived at a page on an Israeli server that looked as if it belonged to a legitimate company (in this case, Isracard) rather than hackers. However, in most cases the hackers will actually create a website to make it look real. In this case, they hacked a site that is also used by the credit card company – using the real Israeli domain to lend legitimacy to their fake landing page.
The hackers then added their own page to the legitimate site. And their page requested a great deal of personal information, including the user’s email, phone number, credit card number and CVV number – the three digits on the back of the card.
Some readers will laugh, but to others, this will look completely legitimate. That’s what’s great about social engineering campaigns – there are always some people who will fall for it. An ad that looked legitimate, its use of Facebook as a distribution platform and an Israeli domain name could certainly mislead some people.
“The way this type of hacker works is by entering a website’s administration interface and adding a referral to pages that the hackers created,” said May Brooks-Kempler, an information security expert who founded the Think Safe Cyber community on Facebook. “In this case, it was a phishing site aimed at stealing information, but only a few days ago, a similar case led to the infection of over 100 websites, mostly in the printing industry.”
A Malaysian hacking group, DragonForce Malaysia, was apparently responsible for the latter attack, she said. “The group has used this method in the past for a plethora of incidents in the same style,” she added.
Of course, there are many situations in which you can provide some details – for example when making a purchase on Amazon or renting a place via AirBnb. But in these cases, your details are taken from you in an organized and secure manner when you register through a special site. Such sites also ask for less information and will only use those needed for billing.
Generally, there are quite a few sites that can help users discover whether their personal information has leaked through phishing scams like those mentioned above. The best known is haveibeenpwned.com, which asks for your email address and then tells you whether that address has been involved in information leaks that would also have revealed your username and password.
If so, the site can tell you where it happened. This enables victims to change their password and avoid thefts from their accounts, or to change passwords on other servers if they learn that their email has been hacked.
The site also lets you provide your password (on the following page) to see if it has been exposed to information leaks. For instance, if I used a password like 3q1w2e, I could see that it appears 203,124 times in different information leaks. In other words, it isn’t unique and isn’t strong enough, and must be changed immediately.
Other sites, like www.security.org/how-secure-is-my-password, provide tools that enable you to test the strength of your password and how easy or hard it would be to guess it.
But there’s an enormous difference between these sites – which are well known and reliable – and sites that request your full credit card number. You should never give any site your full credit card number and expiration date, even if the site claims to belong to a credit card company. To enter a real credit card company’s site, you don’t need to provide your full card number, and you certainly don’t need to provide the expiration date and the three digits on the back; much like with ecommerce sites.
In the case of the Isracard scam, the security experts who saw the ad reported it to Facebook, which quickly removed it.
In this case, the people who were tempted to provide their credit card details weren’t the only victims; another victim was the Israeli company whose site the hackers used to plant the fake page. Such incidents can severely damage a company’s reputation.
Sometimes, it could even get them into trouble with powerful entities like Google and Facebook, because it may lead to the company and its websites being labeled dangerous. And that could lead to its sites and profiles being blocked or pushed to the bottom of the search engine results.
This is one more reason why small businesses should be very careful about security, even if their website is strictly informational and doesn’t store customers’ data.
By Ran Bar-Zik, September 12, 2021, published on Ha’aretz