Tuesday, May 20, 2014

A twist on identity theft

Do you pay attention to email confirmations for purchases, account registrations, shipments and such that you did not expect?

A professional peer on a forum I frequent encountered an unusual scam this week. The person noticed purchase confirmations in email, for purchases made through Sony Entertainment Network. Here's the rub though: the person did not have an account with Sony.

Fake order confirmations or shipping memos are a common phishing approach. You receive an email for an order you don't recognize, inviting you to log in to (for example) target.com; when you click the cleverly disguised link, you instead go to igothacked.com, which looks oddly similar to the Target login page. Provide your username and password, and voilà: you've given an attacker carte blanche to your account (unless you have two-factor authentication enabled. You do have 2FA enabled on important accounts, right?).

This particular instance was different though. The email legitimately originated with Sony Entertainment Network, and the embedded links did go to the legitimate web site. They were in fact real purchase confirmations. Someone had created a Sony account, using this person's email address as their login ID, added payment information, and proceeded to make a dozen or more small-dollar purchases.

Why would someone do this?

Without being able to trace the incident back to the person who caused it, there is no way to be certain. There are a couple of possibilities, though.

The most benign possibility is a simple case of a mistyped email address. It is entirely possible someone meant to type [email protected] but instead typed [email protected]. It's less likely that the person mistyped the same thing repeatedly, though, and continued to use the account with a mistaken email address.

A more likely scenario is fraud against a third party, in which this person was simply an unwitting accomplice. By way of example, I will describe something that happened to me personally a few years ago.

In April 2012, I received an unexpected purchase receipt email from iTunes Store. I did have an iTunes account, but had no payment information in my profile (I described why about a year earlier). It was the purchase of a song for a grand total of $1.41. It turned out that someone had accessed my account (possibly due to poor password choice - even professionals make mistakes), changed the billed-to name and address, added a stolen credit card, and made the purchase. Why a $1.41 purchase? Perhaps merely to test the validity of the credit card before selling it on the black market.

Here's what makes this particular scheme difficult to stop. I did not suffer any financial loss. It was not my credit card. In fact, if the person actually defrauded had noticed the charge and investigated, it would have looked as though I had committed the fraud. Since I was not defrauded, my local sheriff's office was not interested in pursuing it. The sheriff's office in the Washington state precinct of the victim treated it as a random tip since I was not the one affected - there was no mechanism for me to submit a formal report, because I had not been the victim of a crime in that state. From perusing Apple Discussion forums, it appears this was not an isolated incident.

Many websites send an email to the address on record and require the person registering to respond to that email before the account becomes active. That prevents accounts from being set up under someone else's email address, whether by accident or with fraudulent intent. Sony Entertainment Network makes this particular scam easy by omitting this safety step: the account is active the moment it is created, even if the email address is completely bogus.
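The safety step described above, as an added illustration (not code from Sony or any real site): a registration flow that keeps an account in a pending state until the mailbox owner presents a one-time, expiring verification token, and refuses purchases until then. The `Registry` class, its in-memory store and the 24-hour token lifetime are constructed for this example.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # constructed: how long an activation link stays valid


class Registry:
    """Constructed example store. Real code would persist records in a database."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.accounts = {}      # email -> {"verified", "token_hash", "expires"}

    def register(self, email):
        """Create an account that cannot transact until the mailbox owner confirms it."""
        email = email.strip().lower()
        if email in self.accounts:
            raise ValueError("address already registered")
        token = secrets.token_urlsafe(32)
        # Store only a hash of the token, as you would a password, so a leaked
        # database does not hand out live activation links.
        self.accounts[email] = {
            "verified": False,
            "token_hash": hashlib.sha256(token.encode()).hexdigest(),
            "expires": self.now() + TOKEN_TTL_SECONDS,
        }
        return token  # in a real flow this goes only to the mailbox, never back to the browser

    def verify(self, email, token):
        """Activate the account if the token matches, is unexpired, and has not been used."""
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct["verified"] or acct["token_hash"] is None:
            return False
        if self.now() > acct["expires"]:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not secrets.compare_digest(presented, acct["token_hash"]):
            return False
        acct["verified"] = True
        acct["token_hash"] = None  # single use: a replayed link does nothing
        return True

    def can_purchase(self, email):
        """The check the storefront must run: pending accounts may not buy anything."""
        acct = self.accounts.get(email.strip().lower())
        return bool(acct and acct["verified"])
```

A site that skips this step behaves as if `verified` were set to `True` inside `register`, which is exactly the gap the post describes.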

What is the moral of this story?

Don't instantly delete a confirmation message you did not expect. It may be a phishing expedition, but it may also be an indication that an account has been compromised. If you do have an account with the service in question, log in (type the URL into your web browser directly - don't click on links in the message) and see whether an order was in fact placed, or a shipment made (or whatever the confirmation confirms). If fraudulent activity took place, contact customer support for the web site immediately. If there is no evidence of fraudulent activity, delete the email - it is most likely an attempt to get you to provide personal information that an attacker can use to impersonate you.

And if you don't have an account with the service? Consider the possibility that perhaps you now do, courtesy of someone with less than honorable intentions...

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen