Weekly Threat Report 24th November 2017
Report's are drawn from recent open source reporting, see the latest report here:
Black Friday online seasonal scams
Although ostensibly a US tradition of the Thanksgiving holiday weekend, Black Friday has been adopted in the UK by many retailers who heavily discount goods to kick start the Christmas shopping season. The surge of bargain hunters seeking good deals on the high street and online inevitably attracts criminals looking to exploit this seasonal activity.
Last year, victims reported losing nearly £16 million to Christmas shopping fraudsters, increasing from £10 million lost the year before. Responding to Action Fraud reports over last year’s festive period, the City of London Police requested the suspension of 658 websites, emails addresses and telephone numbers that fraudsters were using to commit their crimes.
This Christmas, the City of London Police who run Action Fraud, and supported by police forces across the country, have launched the ’It is the thought that counts’ campaign, encouraging people to slow down when Christmas shopping so that they are able to not only think about the gifts they are purchasing, but also who they are purchasing them from. They also plan to release a series of videos over the festive season which show how one small mistake can result in a Christmas without gifts.
Advice on how to avoid falling victim to Black Friday or Christmas shopping frauds can be found on Get Safe Online. The NCSC has also published a blog post offering advice to consumers on securing newly purchased gadgets.
Theft of Uber driver and customer data
Uber’s Chief Security Officer has revealed that the company experienced a data breach in October 2016 but did not report it to regulators or victims. It is reported that Uber paid a $100,000 ransom demand in exchange for the deletion of the stolen data.
It is reported that the personal information of an estimated 50 million customers and 7 million drivers, including names, email addresses and telephone numbers were stolen, along with the driving licence details of 600,000 US-based drivers. Uber have stated that no trip information history, credit card numbers, banking account numbers, social security numbers or dates of birth were taken in the breach. The attackers are reported to have obtained login credentials for an Uber Amazon Web Services account that contained the data.
UK citizens are believed to be among the 57 million customers and drivers whose personal information was stolen. Identity theft protection and credit monitoring services have been offered to the 600,000 US drivers affected. Based on current information, the NCSC has not seen evidence that financial details have been compromised.
The NCSC is currently working with government departments and law enforcement partners, including the NCA and ICO to verify the extent of this breach, including the type and volume of information compromised. DCMS Digital Minister, Matt Hancock said in Parliament on Wednesday that details of the impact on UK citizens would be published once there is a sufficient assessment of the incident. His full statement can be seen here.
In the meantime, Uber customers and drivers are encouraged to be vigilant and to follow the NCSC’s advice.