At a glance.
- Seller, beware.
- College network intrusion results in data compromise.
- AT&T denies stolen data came from an internal breach.
BleepingComputer details a credit card theft operation called Classicscam that’s targeting sellers on classified sites. Cybersecurity firm Group-IB first discovered the scam in 2020 in Russia, Europe, and the US, and analysts reported a surge in activity in March of this year that increased its scope to include Singapore. A fully-automated "scam as a service" platform, Classicscam boasts 38 million users, targeting sellers as well as banks, cryptocurrency exchanges, delivery companies, moving companies, and other services providers, and resulting in an estimated $29 million in damages since its inception in 2019.
Using messaging service Telegram to coordinate and promote the operation, Classicscam lures targets to phishing sites mimicking payment confirmation pages for legitimate classified sites. Once there, the victim is prompted to enter their credit card details in order to receive payment, and a fake OTP (one-time password) page is used to log in the scammer on the real bank portal via a reverse proxy. Digital Trends notes that although Group-IB has blocked five thousand Classicscam endpoints over the last three years, the complexity and automation of the operation allows it to continue to expand. Ilia Rozhnov, head of Group-IB's digital risk protection team, explains, "Unlike the conventional scams, Classiscam is fully automated and could be widely distributed. Scammers could create an inexhaustible list of links on the fly.” So caveat vendor.
College network intrusion results in data compromise.
Marymount Manhattan College, a private college located in New York City, has disclosed it suffered a data breach last November when an unauthorized party gained access to the school’s network, JD Supra reports. After detecting a “network disruption,” administrators enlisted the assistance of cybersecurity professionals to conduct a more thorough investigation. The probe revealed the intruder had exfiltrated files containing sensitive data including the names, Social Security numbers, driver’s license numbers, financial account information, medical information and health insurance details of thousands of individuals. Marymount notified the impacted parties earlier this month.
AT&T denies stolen data came from an internal breach.
US threat intelligence firm Hold Security reports that last week its analysts discovered a 1.6 gigabyte compressed archive of stolen data on a popular file sharing site on the dark web, and the file appears to originate from international telecommunications giant AT&T. Consisting of more than 28 million records, the database includes sensitive customer info including names, cell phone numbers, landline numbers, street addresses, dates of birth, and Social Security Numbers. Hold Security’s founder Alex Holden says the database bears a number of details indicating the data stems from AT&T, including email addresses ending in att.net as well as SBCGLobal.net and Bellsouth.net (AT&T-owned companies), customer aliases linked to AT&T properties, and corporate records with names starting with “ATT.”
One of Hold’s own analysts found her name in the database, bearing the same unique misspelling that appears on her AT&T bill. While AT&T has not denied the data belong to them, they say the records do not appear to have originated from its systems and suggest it could be the result of a breach at another company. A written statement from AT&T reads, “It may be tied to a previous data incident at another company. It is unfortunate that data can continue to surface over several years on the dark web.” (The statement goes on to recommend impacted individuals turn to the web for advice on preventing identity theft.) KrebsOnSecurity says the data could be linked to a database posted for sale by well-known threat actor ShinyHunters on a hacker forum last August.