The attack on Verizon Visible turned out to be a credential stuffing campaign; hacked accounts billed for thousands of dollars in purchases


Verizon Visible, the wireless giant’s budget offering, recently suffered an attack that saw customer accounts taken over and orders placed using stored payment information. Verizon verified that the hacked accounts were compromised by a credential stuffing campaign.

The breached accounts were said to have been compromised by a single actor, as the same pattern followed each account takeover: stored credit and debit cards were used to order and ship a new model iPhone. The attacker appears to have used credentials that were leaked in previous data breaches and available on the dark web.

Verizon Visible hack attributed to credential stuffing

Verizon Visible is a subsidiary of Verizon which offers low-cost cellular and data plans in exchange for certain limitations, mainly that there are no long-term contract offerings and customers are not eligible for support at physical Verizon points of sale.

An investigation followed a wave of Verizon Visible customers reporting account intrusions on various social media sites. The attacker would switch the account to a new email address (generating a notification to the previous valid email address) and then use the payment methods stored in the account to purchase an iPhone 13. Apple’s latest model costs around $800 to $1,100 depending on storage capacity and other options.

Verizon finished its investigation this weekend, attributing the hacked accounts to credential stuffing (although some victims have claimed on social media that their Verizon Visible login details and password are unique to the site). The company released a statement saying it has deployed internal tools to mitigate the issue, provided customers with additional security checks, and advised customers to identify any passwords shared on other accounts and change them as a precautionary measure.

One of those “extra security checks” appears to be an email verification required to change the address (or other personal information, such as a shipping address). When an email address change is attempted, the current registered address receives a verification email requesting a response within 30 minutes. If the user does not respond, the change is not made. Users of the Verizon Visible Reddit forum report that this was not the procedure when the attacks began over a week ago; email addresses could be changed immediately and without secondary verification once an attacker was in the account. In the immediate wake of reports of hacked accounts, Verizon Visible also temporarily locked down password resets and billing address changes before issuing a statement acknowledging the situation.
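The verification step described above can be sketched as follows. This is an added example, not Verizon Visible's code: the class name, the in-memory stores and the sample addresses are hypothetical, and the `outbox` list stands in for real mail delivery.

```python
import hashlib
import secrets

CONFIRM_WINDOW_SECONDS = 30 * 60  # the 30-minute response window described above


class EmailChangeGate:
    """Holds an email change as pending until the current address confirms it."""

    def __init__(self, accounts):
        self.accounts = accounts  # account_id -> email address on file
        self.pending = {}         # sha256(token) -> (account_id, new_email, expires_at)
        self.outbox = []          # (recipient, token) pairs standing in for real mail

    def request_change(self, account_id, new_email, now):
        # One pending change per account: a new request replaces any older one.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != account_id}
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (account_id, new_email, now + CONFIRM_WINDOW_SECONDS)
        # The token goes to the address already on file, never to the new one,
        # so a logged-in session that does not control that mailbox cannot confirm.
        self.outbox.append((self.accounts[account_id], token))

    def confirm(self, token, now):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # single use, even when it fails
        if entry is None:
            return False
        account_id, new_email, expires_at = entry
        if now > expires_at:
            return False  # no response in time: the change is not made
        self.accounts[account_id] = new_email
        return True


def demo():
    # Constructed sample data; account id and addresses are made up.
    gate = EmailChangeGate({"acct-1": "owner@example.com"})
    gate.request_change("acct-1", "intruder@example.net", now=0)
    recipient, token = gate.outbox[-1]
    late = gate.confirm(token, now=CONFIRM_WINDOW_SECONDS + 1)
    gate.request_change("acct-1", "owner-new@example.com", now=5000)
    _, token2 = gate.outbox[-1]
    on_time = gate.confirm(token2, now=5060)
    replay = gate.confirm(token2, now=5120)
    return recipient, late, on_time, replay, gate.accounts["acct-1"]
```

Only the token's hash is kept server-side, so a read of the pending store does not yield a usable confirmation link.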

Verizon Visible has not released information on the number of affected customers. Some of the customers with hacked accounts reported that the fraudulently purchased iPhones were shipped to an address in New York.

Bill Lawrence, CISO of Security door, points out that an underestimated factor in choosing a mobile operator is the ability to make one-off payments without having to store payment cards or account numbers on their server with a customer account. This scenario gives the impression that attackers could change account access and afford new iPhones with the victim’s credit. When setting up these types of accounts, first look for and enable multi-factor authentication options. Also, beware of direct links between bank accounts, and if you are using a card, credit cards offer better fraud protection than debit cards. Never check the box that shopping websites offer to save credit card information to “make the next purchase easier”. This makes your information available to be lost in the future breach of each business. Instead, use a password manager or your browser. And regularly keep an eye out for other fraudulent activity in your accounts.

Hacked accounts, an endemic problem for the telecommunications industry

Verizon Visible is far from the only telecommunications service to have struggled with hacked accounts in recent months. Another big story that dropped this month was the breach of the Syniverse messaging platform, which runs in the background to facilitate text message transfers between the networks of all major carriers in the United States.

A Securities and Exchange Commission filing earlier this month indirectly revealed that the company discovered hacked accounts and unauthorized access to its network in May. Sadly, the company also believes the breach began five years earlier (in May 2016) and was only discovered recently. The company said 235 of its telecom customers have been affected and have already been notified and asked to reset their credentials. The long breach window led many to wonder what the exact extent of the compromise was at these companies; for their part, the telecom giants have largely remained silent on the issue. If hackers had unrestricted access to the country’s major carriers, it could mean billions of text messages have been spied on in recent years.

T-Mobile also suffered a major breach that was disclosed in August, with the records of more than seven million customers, as well as some 40 million people who had applied for credit, compromised by a hacker who offered the stolen personal information on the dark web. That same month, a hacking group appeared on dark web forums claiming they had 70 million stolen AT&T records for sale (AT&T denied the breach was legitimate).

Telecommunications companies have become one of the most popular targets during the pandemic period of heightened cybercriminal activity. Ruston Miles, Founder and Cyber Security Advisor at Red tuna, says these incidents of hacked accounts are a clear sign that it’s time for businesses to wake up and modernize their security: more perimeter – although that’s still important – but making what’s inside that absolutely unnecessary perimeter. We call it devaluing data; it’s basically taking all sensitive customer data, such as login credentials, and encrypting or tokenizing it or both, depending on the business use case. Encryption and tokenization hide data so that it is not readable and therefore not salable on the Dark Web. No business or organization will ever be able to 100% prevent a data breach, but it can prevent breached data from being compromised. Organizations can ensure that in the event of a breach, this encryption or tokenization is in place to protect data from compromise, even after the breach. It’s like in old westerns where thieves steal the bank safe, only to find out later that the safe is too strong for them to break into.


Matthew Rogers, Global CISO at Syntax, agrees and adds that automated behavioral analysis should be considered: “In light of the new and growing security threats associated with COVID-19, organizations need to secure themselves beyond simply implementing software solutions. Take phishing threats, for example. Traditional antivirus software solutions are signature-based, so their protection is limited to familiar threats. As a result, only a fraction of actual threats will be detected. Modern security solutions with intelligent sandboxing functions represent an alternative. These solutions perform static and dynamic analyses of files based on behavioral metrics and ask the question ‘What type of behavior is typical for users, devices, and systems, and what constitutes a gap?’ Combining traditional threat detection with a more sophisticated endpoint detection response can help provide a more comprehensive defense system against attacks.”
