Members of the public are being warned to be vigilant about scammers targeting online shoppers. The Chartered Trading Standards Institute (CTSI) said it has received evidence of a text scam involving supermarket delivery messages. The messages claim “your Asda order is out for delivery” and link to a webpage supposedly allowing the recipient “to track your order and view your delivery note”. The reports also involve Morrisons, although the CTSI warned other retailers are also being targeted.

Seeing that cybercriminals have consistently targeted those offering online shopping facilities through various threat vectors including social engineering with phishing campaigns, it would be wise for these online businesses to offer support and training. The training really should be provided prior to providing devices and online system access. It is only through security awareness training that staff and customers can make better-informed decisions. Partnering with IAM trusted providers to implement two-factor authentication reduces associated risks of unauthorized access to online shopping devices and systems which is now subject to Strong Customer Authentication (SCA) regulation.

Members of the public who receive text messages or emails like this should never automatically assume the sender is legitimate.

First of all, folks that receive text messages like this should first consider whether they have actually made a delivery order from the merchant (DUH!), or ask their significant other if they made an order. If you still have questions about the supposed order, call the merchant (by obtaining the merchant’s number from their official website or app), to check if an order has actually been made. Plus, remember that a legitimate grocery delivery service will never ask for personal information.

The pandemic spurred widespread adoption of meal and grocery delivery services. When you submit an order on one of these apps, users are often flooded with notifications via email, SMS, and the app itself. Users often get text updates letting them know their order has been received, that the delivery driver has picked it up, and that the driver will arrive shortly. Scammers are capitalizing on this trend by sending phishing messages via SMS in the hopes that recipients will think it’s from a legitimate app. Because SMS messages come from phone numbers instead of emails, it’s more difficult to determine which texts are legitimate.

If you use a food delivery app, I recommend disabling the SMS notifications and just using the notifications that come directly from the app. Then, if you receive an SMS notification about a supposed delivery, you can safely ignore it.

This particular incident looks like it could be part of a campaign that’s been targeting individuals across Europe in the last few weeks. The campaign that this seems to resemble, which uses data leaked from the massive Facebook data breach earlier this month to contact individuals on their personal cell phones, intends to trick the attacker into downloading a malicious app. The malicious app is laced with FluBot, which is a banking trojan that can intercept SMS messages, steal contact information, send messages to contacts and display screen overlays to trick users into handing over their credentials. FluBot is an example of malware as a service, which is a model that attackers use with increasing frequency as it allows them to easily acquire and customize the malware to be more convincing to the target.