In an unusual move this week, we will be looking at a legitimate email that gives us an insight into scams and their evil cousin, credential stuffing.
What is Credential Stuffing?
You know all of those big data breaches you keep hearing about, like the Capital One breach and the Equifax data breach? The stolen data often includes email addresses and, in some cases, passwords that were stored without adequate protection. That is, your email address and password, which in cybercriminal speak translates to an opportunity to break into other accounts you own, wherever you reused that password.
The cybercriminals sell this data in places like darknet marketplaces. The buyers then feed the stolen credentials into the login pages of other sites, hoping the same email and password combination works there too. Security vendor Akamai recorded 61 billion credential stuffing attempts against online accounts over an 18-month period.
You can see why this is a popular follow-on to data stolen in big (and smaller) data breaches. Cybercriminals are nothing if not persistent and innovative.
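To see what the pattern looks like from the provider's side, here is an added example (it is not part of the original post, nor code from CreditKarma or Proofpoint) that scans a few constructed authentication log lines and separates a credential stuffing run from an ordinary mistyped password and from guessing against a single account. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
"""Detect a credential-stuffing pattern in authentication logs.

Added example for this post; not code from CreditKarma or Proofpoint.
Log format, addresses, usernames and thresholds are constructed for
illustration and would need tuning against real traffic.
"""
from collections import defaultdict

# Constructed sample log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2020-03-01T10:00:01Z 198.51.100.7 alice@example.com FAIL
2020-03-01T10:00:02Z 198.51.100.7 bob@example.com FAIL
2020-03-01T10:00:02Z 198.51.100.7 carol@example.com FAIL
2020-03-01T10:00:03Z 198.51.100.7 dave@example.com FAIL
2020-03-01T10:00:03Z 198.51.100.7 erin@example.com OK
2020-03-01T10:00:04Z 198.51.100.7 frank@example.com FAIL
2020-03-01T10:00:04Z 198.51.100.7 grace@example.com FAIL
2020-03-01T10:00:05Z 198.51.100.7 heidi@example.com FAIL
2020-03-01T10:00:05Z 198.51.100.7 ivan@example.com FAIL
2020-03-01T10:00:06Z 198.51.100.7 judy@example.com FAIL
2020-03-01T10:02:10Z 203.0.113.5 alice@example.com FAIL
2020-03-01T10:02:25Z 203.0.113.5 alice@example.com FAIL
2020-03-01T10:02:40Z 203.0.113.5 alice@example.com OK
2020-03-01T10:05:00Z 192.0.2.9 carol@example.com FAIL
2020-03-01T10:05:01Z 192.0.2.9 carol@example.com FAIL
2020-03-01T10:05:02Z 192.0.2.9 carol@example.com FAIL
2020-03-01T10:05:03Z 192.0.2.9 carol@example.com FAIL
2020-03-01T10:05:04Z 192.0.2.9 carol@example.com FAIL
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((ts, ip, user, result == "OK"))
    return events


def summarize_by_source(events):
    """Per source IP: attempts, distinct usernames tried, failures, successes."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "failures": 0, "successes": 0})
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        s["successes" if ok else "failures"] += 1
    return stats


def classify_source(s, min_attempts=10, min_user_ratio=0.8, max_success_ratio=0.2):
    """Label one source's activity.

    Credential stuffing: many attempts spread across many *different* usernames,
    almost all failing, because the leaked password only works where the victim
    reused it. Password guessing: repeated failures against a single account.
    """
    attempts, distinct = s["attempts"], len(s["users"])
    if (attempts >= min_attempts
            and distinct / attempts >= min_user_ratio
            and s["successes"] / attempts <= max_success_ratio):
        return "credential_stuffing"
    if distinct == 1 and s["failures"] >= 5:
        return "password_guessing"
    return "normal"


def detect(text):
    """Return {source_ip: label} for every source in the log."""
    stats = summarize_by_source(parse_log(text))
    return {ip: classify_source(s) for ip, s in stats.items()}


def accounts_to_notify(text):
    """Usernames touched by a flagged source: their owners should receive a
    'failed login attempt' alert like the one described in this post."""
    labels = detect(text)
    return sorted({user for _ts, ip, user, _ok in parse_log(text)
                   if labels[ip] != "normal"})


if __name__ == "__main__":
    for ip, label in detect(SAMPLE_LOG).items():
        print(f"{ip:14} {label}")
    print("notify:", ", ".join(accounts_to_notify(SAMPLE_LOG)))
```

One caveat a practitioner would add: real stuffing campaigns spread their attempts across thousands of proxy addresses precisely to stay under per-IP thresholds like these, so production detection also aggregates per target account and across the whole login endpoint (overall failure rate, logins from never-seen devices). Either way, the output is the same: a list of account owners who deserve the kind of warning email this post goes on to describe.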
The Legitimate Email and a Warning to the Curious
I mention credential stuffing because I believe cybercriminals have been attempting to hack into one of my online accounts. The account in question is CreditKarma, a service that allows you to access your credit report.
In a previous Breaking Scam post, I mentioned that having access to your credit report is useful, as it lets you spot unusual activity and so helps prevent fraud and identity theft. However, these accounts also hold a large amount of data about you: personal data such as your name, current and previous addresses, as well as financial data. All of this can be used by fraudsters to steal your identity and commit further fraud in your name.
I received an email from CreditKarma alerting me to an unsuccessful attempt to log in to my account. This was great: CreditKarma had noticed the activity and gave me due warning to check whether or not this was me. They also asked me to contact them if it was not me, which I did.
As a slight aside, I also alerted CreditKarma to the absence of a second factor for accessing the account, which would help stop credential stuffing attacks from succeeding.
Legit Emails Look an Awful Lot Like Phishing Emails These Days
The email from CreditKarma, showing an unsuccessful access attempt, was most likely an alert triggered by a credential stuffing attempt by a fraudster. The problem is, the email was formatted in such a way that it could easily have been a spoof. This is not a jibe at CreditKarma; I am grateful for the heads-up on the login attempt, and it encouraged me to make the password I did have more robust.
However, it also made me realise just how vigilant we have to be to tell a legitimate email from an illegitimate one.
As part of CreditKarma's security process, the email contained a link to reset my password.
Cybercriminals often use a faked account security issue as the pretext to get us to click a malicious link. We have to be acutely aware of the subtle ways cybercriminals copy real email templates to carry out phishing and fraud.
As if by magic, while I was writing this up, just such a spoof email dropped into my inbox. It looked a lot like PayPal, except it wasn't. It used the same trick: make me think my account was at risk and that, to reactivate it, I must click a link.
To help tell a legitimate email from a spoof email:
- Check the email "from" address: is it the same domain as the brand? Check this carefully, as fraudsters use lookalike domains (a swapped character, an extra word, or the brand name buried inside a longer domain) to trick us.
- Avoid clicking links in emails, even legitimate ones, as it creates a habit of clicking. Instead, navigate to the website directly (type the address or use a bookmark) and log in from there.
- Use robust, unique passwords, and if a password has been exposed in a data breach, change it immediately on every site where you used it.
- If an account offers a second factor (two-step verification), switch it on.
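Two of the checks above can be put into code. The added example below is not the post's own code, nor anything from CreditKarma, PayPal or Have I Been Pwned. It does two things: it classifies an email's From: domain against a brand's real domain, catching subdomains and lookalikes such as a digit 1 standing in for an l or the brand name buried in a longer domain; and it shows how a password can be checked against a breach corpus without revealing it, using the k-anonymity range scheme of Have I Been Pwned's Pwned Passwords API, in which only the first five characters of the password's SHA-1 hash leave your machine. The sender headers, the lookalike hostnames and the range response are constructed for illustration; a real lookup fetches https://api.pwnedpasswords.com/range/<prefix>.

```python
"""Two checks from the list above: the From: domain and a breached password.

Added example for this post; not code from the original author, CreditKarma,
PayPal or Have I Been Pwned. The sender headers and the range response are
constructed for illustration. A real lookup fetches
https://api.pwnedpasswords.com/range/<prefix> with a plain HTTPS GET.
"""
import hashlib
from email.utils import parseaddr

# Characters attackers swap for look-alikes in lookalike domains (paypa1.com).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def _normalize(text):
    return text.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def sender_domain_check(from_header, brand_domain):
    """Classify a From: header against the brand's real sending domain.

    Returns 'match', 'subdomain', 'lookalike' or 'unrelated'. The display
    name is ignored on purpose: "PayPal <x@evil.example>" is evil.example.
    """
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unrelated"
    host = addr.rsplit("@", 1)[1].lower().rstrip(".")
    brand = brand_domain.lower()
    if host == brand:
        return "match"
    if host.endswith("." + brand):
        return "subdomain"            # e.g. notify.paypal.com
    # Brand name present but not as the registrable domain: paypa1.com,
    # paypal-security.com, paypal.com.account-verify.net
    if brand.split(".")[0] in _normalize(host):
        return "lookalike"
    return "unrelated"


def pwned_range_query(password):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    service and the 35-char suffix that stays on the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_response):
    """Parse a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns the breach count, or 0 when the password is not in the corpus."""
    for line in range_response.splitlines():
        if ":" in line:
            sfx, count = line.strip().split(":", 1)
            if sfx == suffix:
                return int(count)
    return 0


# Constructed response for prefix 5BAA6 (SHA-1 of "password" starts 5BAA6);
# the neighbouring suffixes and all counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E3F3F9E8A1F0F0A0B5E6C7D8E9F0011223:1
"""


def password_seen_in_breaches(password, range_response):
    """Full client-side check against one (here, canned) range response."""
    _prefix, suffix = pwned_range_query(password)
    return breach_count(suffix, range_response)


if __name__ == "__main__":
    for hdr in ("PayPal <service@paypal.com>",
                "PayPal <alerts@notify.paypal.com>",
                "PayPal <security@paypa1.com>",
                "PayPal <no-reply@paypal.com.account-verify.net>",
                "PayPal <billing@example.org>"):
        print(f"{sender_domain_check(hdr, 'paypal.com'):10} {hdr}")
    prefix, _ = pwned_range_query("password")
    print(f"sent prefix {prefix}; seen",
          password_seen_in_breaches("password", SAMPLE_RANGE_RESPONSE), "times")
```

The domain check is a first filter, not proof: the From: header itself can be forged when the brand's domain does not enforce SPF, DKIM and DMARC, which is exactly why the advice above is to avoid clicking the link at all and go to the site directly. The password check, by contrast, is safe to run as written: the service only ever learns a five-character hash prefix that it shares with hundreds of other passwords.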
In a reply email from CreditKarma, it looks like they may be swamped:
“We’re currently experiencing high volumes and will respond to your query as soon as we can.”
It is possible that scammers are targeting the site. If you have an account with CreditKarma, be vigilant.
To find out if any of your credentials have been exposed in a data breach, visit HaveIBeenPwned.
Why not help your colleagues stay safe by sending them this little reminder. Feel free to edit or copy/paste the advice below:
When a Legitimate Email Looks Like a Scam
Emails from legitimate brands may alert you to an attempted but failed login to your account. Be vigilant, as spoof emails often take the same form: a security alert with a link to update your password.
ALWAYS AVOID CLICKING ON LINKS IN AN EMAIL. IF CONCERNED, NAVIGATE TO THE WEBSITE DIRECTLY AND LOG IN FROM THERE TO CHANGE YOUR PASSWORD.
For more information on what to do if you receive a phishing email check out “What to Do if You Click on a Phishing Link?”
Don’t forget to share this with your colleagues and friends and help them stay safe.
Let's keep breaking scams!
Subscribe to the Proofpoint Blog