A year ago, KrebsOnSecurity warned that “Informed Delivery,” a new offering from the U.S. Postal Service (USPS) that lets residents view scanned images of all incoming mail, was likely to be abused by identity thieves and other fraudsters unless the USPS beefed up security around the program and made it easier for people to opt out. This week, the U.S. Secret Service issued an internal alert warning that many of its field offices have reported crooks are indeed using Informed Delivery to commit various identity theft and credit card fraud schemes.

The internal alert — sent by the Secret Service on Nov. 6 to its law enforcement partners nationwide — references a recent case in Michigan in which seven people were arrested for allegedly stealing credit cards from resident mailboxes after signing up as those victims at the USPS’s Web site.

According to the Secret Service alert, the accused used the Informed Delivery feature “to identify and intercept mail, and to further their identity theft fraud schemes.”

“Fraudsters were also observed on criminal forums discussing using the Informed Delivery service to surveil potential identity theft victims,” the Secret Service memo reads.

The USPS did not respond to repeated requests for comment over the past six days.

The Michigan incident in the Secret Service alert refers to the September 2018 arrest of seven people accused of running up nearly $400,000 in unauthorized charges on credit cards they ordered in the names of residents. According to a copy of the complaint in that case (PDF), the defendants allegedly stole the new cards out of resident mailboxes, and then used them to fraudulently purchase gift cards and merchandise from department stores.

KrebsOnSecurity took the USPS to task last year in part for not using its own unique communications method — the U.S. Mail — to validate and notify residents when someone at their address signs up for Informed Delivery. The USPS addressed that shortcoming earlier this year, announcing it had started alerting all households by mail whenever anyone signs up to receive scanned notifications of mail delivered to their address.

However, it appears that ID thieves have figured out ways to hijack identities and order new credit cards in victims’ names before the USPS can send their notification — possibly by waiting until the cards are already approved and ordered before signing up for Informed Delivery in the victim’s name.

Last month, WKMG’s Clickorlando.com wrote that a number of Belle Isle, Fla. residents reported receiving hefty bills for credit cards they never knew they had. One resident was quoted as saying she received a bill for $2,000 in charges on a card she’d never seen before, and only after that did she get a notice from the USPS saying someone at her address had signed up for Informed Delivery. The only problem was she’d never signed up for the USPS program.

“According to a police report, someone opened fraudulent credit card accounts and charged more than $14,000 and signed her neighbors up for Informed Delivery, too,” Clickorlando’s Louis Bolden explained. “Photos of what would be in their mail were going to someone else.”

Residents in Texas have reported similar experiences. Dave Lieber, author of The Watchdog column for The Dallas Morning News, said he heard from victim Chris Torraca, 58, a retired federal bank regulator from Grapevine, a town between Dallas and Ft. Worth.

“Chris discovered it after someone created an account in his name at usps.com,” Lieber wrote in a post published Nov. 2. “The thief began receiving photos of Chris’ mail and also opened a bank credit card in Chris’ wife’s name. Postal officials promote the program as a great way to prevent ID theft, but for Chris, that’s what led to it.”

As noted in last year’s story, the major weakness with Informed Delivery lies in the method the USPS uses to validate new accounts. Signing up requires an eligible resident to create a free user account at USPS.com, which asks for the resident’s name, address and an email address. The final step in validating residents involves answering four so-called “knowledge-based authentication” or KBA questions.

KrebsOnSecurity has relentlessly assailed KBA as an unreliable authentication method because so many answers to the multiple-guess questions are available on sites like Spokeo and Zillow, or via social networking profiles.

I’ve previously advised that having a security freeze on your credit file should be enough to prevent someone from registering an Informed Delivery account in your name. That’s because the USPS validates new users by asking them a series of multiple-guess questions chosen by big-three credit bureau Equifax.

But numerous readers have responded that they were still able to sign up for the service even though they had security freezes in place with Equifax and the two other major consumer credit bureaus (Experian and TransUnion).

Normally in these cases, I’d urge readers to simply plant their flag by registering an account to claim their address. However, the USPS allows new account creations for anyone currently able to receive mail at your address, which means that claiming your address may involve registering an account with every adult present at your address.

The Dallas Morning News piece referenced earlier says Americans can opt out of Informed Delivery by emailing the “eSafe Team” at USPS at eSafe@usps.gov. However, emails sent to this address by KrebsOnSecurity elicited no response over the past four days.

Yet, one reader received a curious response by emailing the customer service address advertised by USPS’s Informed Delivery service — informeddelivery@custhelp.com. That reader requested that USPS remove her address from eligibility for Informed Delivery, and asked the Postal Service to let her know if anyone had previously signed up for the service at her address.

According to an email shared with this author, the USPS’s customer help team responded by asking the resident to answer some of her KBA questions in plain text via email.

A response from the Informed Delivery division of the USPS’s customer service department.

Sources tell KrebsOnSecurity that the USPS is now processing some 20,000 new Informed Delivery account registrations each day, and that the USPS is continuously deleting new account registrations that it believes may be fraudulent.

There is also a potentially new security wrinkle in the USPS’s Informed Delivery service. The USPS is now generating revenue by allowing third-party companies to advertise interactive content in Informed Delivery communications (PDF) sent to email subscribers.

The program allows the USPS to automatically match scanned mail images to specific advertising campaigns. According to a review of its mailer delivery user guide (PDF), this initiative allows advertisers to publicize content that contains interactive links, which could be abused by malefactors posing as legitimate advertisers.

This graphic, taken from the Secret Service alert, describes how the USPS Informed Delivery system works.

By Uzair Amir

The Hongkong and Shanghai Banking Corporation (HSBC) has suffered a data breach in which unknown hackers have accessed personal and financial data of its customers. The data breach, according to the notification from HSBC, took place between October 4, 2018, and October 14, 2018. Upon detecting the breach, authorities suspended online access to prevent further unauthorized entry […]

This is a post from HackRead.com. Read the original post: HSBC suffers data breach after hackers access customers' personal data

The training and job-matching effort is a public-private partnership to address a growing workforce gap.

By Waqas

Eleven Turkish individuals have been arrested by the Turkish police department for stealing cryptocurrency worth approx. $80,000 via SIM swapping. Reportedly, the suspects tricked the phone providers into revealing the phone numbers of the victims and used the SIMs for performing 2FA authentication. The hacker group managed to steal from multiple crypto exchanges. It is reported […]

This is a post from HackRead.com. Read the original post: Sim Swapping Crypto Stealing Hackers Arrested by Turkish Police

A file delete vulnerability in WordPress can be elevated into a remote code execution vulnerability for plugins like WooCommerce.

By David Canellis

Cryptocurrency hackers have attacked one of the internet’s most used traffic analytics services, StatCounter, in order to siphon Bitcoin from users of online exchange desk Gate.io.

In a targeted attack, hackers breached StatCounter to such an extent that over 688,000 websites were caught loading the malicious script, ZDNet reports.

StatCounter is much akin to Google Analytics, in that it allows analysis of the internet traffic flowing through websites. Webmasters must add special StatCounter code to their sites in order to get the statistics, an aspect of its design that hackers appear to have leveraged to spread their malicious code as widely as possible.

REFERENCE:

https://thenextweb.com/hardfork/2018/11/07/bitcoin-stealing-malware/

A Russian vulnerability researcher and exploit developer has published detailed information about a zero-day vulnerability in VirtualBox. His explanations include step-by-step instructions for exploiting the bug.

According to the initial details in the disclosure, the issue is present in a shared code base of the virtualization software, available on all supported operating systems.

Exploiting the vulnerability allows an attacker to escape the virtual environment of the guest machine and reach the Ring 3 privilege layer, used for running code from most user programs, with the least privileges.

REFERENCE:

https://www.bleepingcomputer.com/news/security/virtualbox-zero-day-vulnerability-details-and-exploit-are-publicly-available/

By Waqas

Pakistani banks have debuted on the Dark Web with almost all of the country’s banks becoming victims of a devastating data hack. It is undoubtedly the biggest ever hacking campaign launched against banks in Pakistan. It is estimated that hackers have stolen financial data of more than 8,000 account holders from at least 10 different […]

This is a post from HackRead.com. Read the original post: Data from “almost every Pakistani Bank” stolen & sold on the dark web

If you own an eCommerce website built on WordPress and powered by WooCommerce plugin, then beware of a new vulnerability that could compromise your online store.

Simon Scannell, a researcher at RIPS Technologies GmbH, discovered an arbitrary file deletion vulnerability in the popular WooCommerce plugin that could allow a malicious or compromised privileged user to gain full control over the
