Monthly Archives: April 2017

Chipotle says payment system was hacked

Unauthorized activity detected from March 24 through April 18

Chipotle Mexican Grill Inc. said on Tuesday that it detected unauthorized activity on its payment system this spring.

The company did not have details about the extent of the hack, and how many restaurants or customers could have been affected. CFO Jack Hartung said during the company’s earnings call on Tuesday that the hack affected the company’s credit card systems from March 24 through April 18.

Hartung said the company immediately began an investigation, working with cyber security firms.

“We believe the actions taken have stopped the unauthorized activity,” he said.

The news put a damper on an otherwise strong first-quarter earnings report for the Denver-based burrito chain.

Chipotle reported 17.8-percent same-store sales growth in the quarter ended March 31, along with improved profit margins. The numbers were unexpectedly positive and led to a spike that at one time put Chipotle’s stock price above $500 a share for the first time since February 2016.

After Chipotle revealed news of the hack, the stock price fell below $480.

Just another day at the office.

Sound the alarm: Hacker sets off emergency warning sirens in Dallas

Emergency sirens around Dallas, Texas, activated late on Friday night, waking residents across the city for over an hour, and prompting a flood of calls to the city’s 911 center. Officials from the city’s emergency management office have confirmed that there was no emergency, and that the system was breached by hackers.

City officials said a hacker accessed the system and repeatedly sounded the sirens. The sirens were first heard at about 11:45 p.m. and sounded on and off intermittently for about an hour. Rocky Vaz, the director of the city’s Office of Emergency Management, said all 156 of the city sirens were hacked and activated. Eventually, city officials were forced to essentially unplug the entire system to deactivate it completely. After investigating, they were able to locate “one area where we think [the attackers] were able to get into our system and activate all the sirens.”

Dallas City Fire and Rescue had to visit each individual siren site to manually turn them off. All sirens were completely shut off by 1:20 a.m. City officials said that Dallas 911 received 800 calls during a fifteen-minute period around midnight.

Mayor Mike Rawlings said the hack was an attack on Dallas’ emergency notification system, and that the city will “find and prosecute whomever is responsible.”

“This is yet another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure,” Rawlings said. “It’s a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind. Making the necessary improvements is imperative for the safety of our citizens.”

Dallas officials said they are working with the Federal Emergency Management Agency to create a wireless alert system that would circulate messages to every cell phone in the area, in the event of a real emergency.

This attack will open the eyes of City officials.

‘Can You Hear Me?’ Scam Hooks Victims With a Single Word

Scams recently reported to the Better Business Bureau’s Scam Tracker.

Don’t pick up the phone to answer calls from unknown numbers. Instead, let them go to voicemail.

That’s the operational security advice being promulgated to Americans by the U.S. Federal Communications Commission in response to an ongoing series of attacks designed to trick victims into uttering a single word.

The FCC says in a March 27 alert that the scam centers on tricking victims into saying the word “yes,” which fraudsters record and later use to attempt to make fraudulent charges on a person’s utility or credit card accounts.

“The scam begins when a consumer answers a call and the person at the end of the line asks, ‘Can you hear me?’ The caller then records the consumer’s ‘Yes’ response and thus obtains a voice signature,” the FCC warns. “This signature can later be used by the scammers to pretend to be the consumer and authorize fraudulent charges via telephone.”

Fake Tech Support

This isn’t the first time that fraudsters have “weaponized” the telephone.

Scammers have long phoned consumers, pretending to be from a government agency such as the Internal Revenue Service. Another frequent ploy is pretending to be from the support department of a technology firm, such as Microsoft or Facebook, and then trying to get victims to pay for bogus security software meant to fix nonexistent problems on their PC.

Authorities have made some related arrests. Last year, Indian police arrested 70 suspects as part of an investigation into a fake IRS call center scam.

Also last year, the FTC announced a $10 million settlement with a Florida-based tech-support scheme, run by an organization called Inbound Call Experts, also known as Advanced Tech Support. The FTC and the state of Florida said the organization ran “services falsely claiming to find viruses and malware on consumers’ computers.”

Researchers Study Scammers

In a recent paper, “Dial One for Scam: A Large-Scale Analysis of Technical Support Scams,” researchers at the State University of New York at Stony Brook described how the tech-support version of these scams works, as well as how it might be disrupted by targeting the infrastructure on which scammers rely.

“Scammers use specific words in the content of a scam page to convince the users that their machines are infected with a virus,” the researchers say.

The Stony Brook researchers designed a tool called ROBOVIC (for robotic victim). Of the 5 million domains it successfully connected to during a 36-week period beginning in September 2015, it logged 22,000 URLs as serving tech-support scams, spread across a total of about 8,700 unique domain names.

But those 22,000 different web pages used a total of only 1,600 phone numbers, of which 90 percent were connected to one of four VoIP services: Bandwidth, RingRevenue, Twilio and WilTel.

The researchers also phoned 60 scam telephone numbers to log the social engineering tactics – aka trickery – used by scammers. The researchers found that on average, scammers waited until 17 minutes of a call elapsed before offering their services in exchange for money. Most would offer support packages that ranged from a one-time fix to multi-year support, with costs ranging from $69.99 to $999.99. Scammers would typically offer multiple options, then try to persuade victims to pick the middle-priced one, the researchers found.

Freelance attacks appear to be rare. “Through the process of interacting with 60 different scammers, we are now convinced that most, if not all, scammers are part of organized call centers,” the researchers write.

Fake Support is Lucrative

These attacks are relatively easy to launch, inexpensive to run, potentially very lucrative and show no signs of stopping.

Peter Kruse, head of the security group at Danish IT-security firm CSIS, this week warned via Twitter that multiple websites were pretending to be related to the technical support group from Czech anti-virus software developer Avast and urging individuals to call one of the listed phone numbers.

Needless to say, these numbers don’t lead to Avast, which develops free security software that’s used by many consumers. Instead, the numbers go to call centers tied to fraudsters. Avast has repeatedly warned that this is a well-worn scam, with attackers often claiming to be connected to Avast, Dell, Microsoft, Symantec or other technology firms.

Advice for Victims

There’s no way to prevent criminals from running these types of scams.

But law enforcement and consumer rights groups have long urged victims to file a report, even if they didn’t suffer any financial damage as a result.

For anyone targeted by the “yes” scam, the FCC recommends immediately reporting the incident to the Better Business Bureau’s Scam Tracker and to the FCC Consumer Help Center. The FCC’s site also offers advice on tools for blocking robocalls, texts and marketing calls.

Anyone who thinks they may have been the victim of phone scammers, for example, by paying for fake tech support, can file a fraud report with their credit card company.

Authorities also recommend that they report the attempt to relevant authorities, such as the FBI’s Internet Crime Complaint Center (IC3). Law enforcement agencies use these reports as a form of crowdsourcing, helping them secure funding to battle these types of scams, as well as take them down.