Security

Scammers Are Hacking Target's Gig Workers and Stealing Their Money (vice.com)

Scammers have been spoofing Target's delivery company Shipt's phone number in order to steal its gig workers' earnings by phishing their credentials from them. From a report: On the morning of March 28, a gig worker near Tampa, Florida, was shopping an order for Shipt, Target's delivery platform, when he received an email from "Shipt Support" asking him to reset his password. The worker says he didn't request to reset his password, but didn't think much of the email and went on with his day. Later that evening, the worker says he was sitting at home on his couch when he received a phone call from Shipt's corporate headquarters' phone number. Someone identifying themselves as a Shipt employee and addressing the worker by his first name said there had been unusual activity on his account regarding his password and asked him to read back a code that had been emailed to him to verify his identity.

Remembering the password reset email from earlier that day, the worker provided an authentication code that he'd received via email from Shipt. Shortly after, he received an email notifying him that someone had added a debit card to his account. When the worker checked his account again, he realized someone had logged in and cashed out his entire paycheck -- $499.51. "I noticed my withdrawal balance was zero," he said in a public video uploaded to Facebook. "At that point, I'm livid. I'm pissed." In recent weeks, personal shoppers on Target's delivery app, which boasts roughly 300,000 personal shoppers in the United States, have been repeatedly targeted by scammers hoping to steal their earnings by phishing gig workers' credentials from them. Since March 28, more than 30 gig workers have posted in private, unofficial Facebook groups for Shipt's personal shoppers saying scammers have targeted them using phishing schemes that include spoofing Shipt's corporate phone numbers and asking for passwords over the phone. In at least some cases, the strategy used by scammers is different from other phishing campaigns: Scammers trigger password reset emails sent to personal shoppers by clicking the "forgot password" button below the Shipt login. Then they follow up via phone, asking personal shoppers to "verify" their passwords in order to look into "unusual activity" or requests to update info on their accounts.
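The sequence in the report (attacker triggers a reset, the emailed code is read out over the phone, a new debit card is added, the balance is cashed out minutes later) is worth modelling from the platform's side. The following is an added example, not Shipt's or Target's code, showing two account-side controls that would have blunted the scam even after the victim disclosed the code: a payout hold after any sensitive change (completed password reset, new payout method), and a flag on a burst of password-reset requests for one account instead of silently sending yet another code. The class name PayoutGuard, the event strings, the hold length and the thresholds are all assumptions of this example.

```python
"""Added example (not Shipt's or Target's code): account-side controls
against "reset, phone for the code, add a card, cash out".

1. Payout hold: after a password reset completes or a payout method is
   added, withdrawals are frozen for HOLD_SECONDS and a notice is queued
   for the account owner, so a freshly added card cannot drain the
   balance in the same minute.
2. Reset-storm signal: several reset requests for one account inside
   RESET_WINDOW are flagged and no further code is sent.
All names and thresholds below are assumptions of this example.
"""
import time
from collections import defaultdict, deque

HOLD_SECONDS = 48 * 3600   # assumed hold after a sensitive change
RESET_WINDOW = 3600        # look-back window for counting reset requests
RESET_THRESHOLD = 3        # requests inside the window that trigger a flag

SENSITIVE = {"password_reset_completed", "payout_method_added"}


class PayoutGuard:
    """Tracks per-account security events and decides whether a cash-out
    may proceed. The clock is injected so the logic is testable."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.last_sensitive = {}                  # account -> timestamp
        self.reset_requests = defaultdict(deque)  # account -> timestamps
        self.notices = []                         # what the owner is told

    def record(self, account, event):
        """Record an event; returns False when a reset code should NOT be sent."""
        now = self.clock()
        if event == "password_reset_requested":
            q = self.reset_requests[account]
            q.append(now)
            while q and now - q[0] > RESET_WINDOW:
                q.popleft()
            if len(q) >= RESET_THRESHOLD:
                self.notices.append((account, "reset_storm", len(q)))
                return False
            return True
        if event in SENSITIVE:
            self.last_sensitive[account] = now
            self.notices.append((account, event, now))
        return True

    def withdrawal_allowed(self, account):
        last = self.last_sensitive.get(account)
        if last is None:
            return True
        return self.clock() - last >= HOLD_SECONDS

    def request_withdrawal(self, account, amount):
        """Returns ("approved", amount) or ("held", seconds_remaining)."""
        if self.withdrawal_allowed(account):
            return ("approved", amount)
        remaining = HOLD_SECONDS - (self.clock() - self.last_sensitive[account])
        self.notices.append((account, "withdrawal_held", amount))
        return ("held", remaining)


def replay_story_timeline():
    """Constructed timeline mirroring the report: reset requested in the
    morning, reset completed and card added in the evening, immediate
    cash-out attempt, then the owner's own cash-out after the hold."""
    t = [0.0]
    guard = PayoutGuard(clock=lambda: t[0])
    acct = "shopper@example.invalid"          # constructed account id
    t[0] = 9 * 3600                           # morning: someone clicks "forgot password"
    guard.record(acct, "password_reset_requested")
    t[0] = 20 * 3600                          # evening: code phoned out, reset completed
    guard.record(acct, "password_reset_completed")
    guard.record(acct, "payout_method_added")
    first = guard.request_withdrawal(acct, 499.51)   # blocked by the hold
    t[0] += HOLD_SECONDS                      # hold has elapsed
    later = guard.request_withdrawal(acct, 499.51)   # now approved
    return guard, first, later


if __name__ == "__main__":
    g, first, later = replay_story_timeline()
    print(first, later)
    for n in g.notices:
        print(n)
```

The hold does not stop the attacker from logging in, but it turns an instantaneous theft into a 48-hour window in which the owner is told that a card was added and a withdrawal was attempted, which is the point the report's victim never got.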

  • (You know... just so the obvious is out of the way.)

  • It's 2021... (Score:3, Insightful)

    by Bobberly ( 1677220 ) on Friday April 30, 2021 @03:46PM (#61333266)

    1. Who gives out their password over the phone?
    2. Who gives any information out at all when they aren't the initiator of the call?

    • 1. Who gives out their password over the phone?
      2. Who gives any information out at all when they aren't the initiator of the call?


      It's 2021.
      • This sort of thing would've never happened in 2019. Lockdown must've made people stupid.
        • by ebvwfbw ( 864834 )

          This sort of thing would've never happened in 2019. Lockdown must've made people stupid.

          No. People are just as stupid as they've always been.
          Wonder who he is. I bet someone could sell him an extended car warranty.

    • by fermion ( 181285 )
      I don't really blame the end user here. What he gave was a code used to verify his identity. This should not be useful unless the third party has the password. No, the end user should not have given it out. But there is no way that should have allowed access to the account.

      The lack of security is the issue. My bank puts interstitial DHS between me logging in and my account. Instagram has evidently no security on its password change page so even with third party token turned on I sometimes get 10 password change emails in a row.

      • Re:It's 2021... (Score:5, Insightful)

        by dgatwood ( 11270 ) on Friday April 30, 2021 @05:24PM (#61333628) Homepage Journal

        I don't really blame the end user here. What he gave was a code used to verify his identity. This should not be useful unless the third party has the password. No, the end user should not have given it out. But there is no way that should have allowed access to the account.

        The lack of security is the issue. My bank puts interstitial DHS between me logging in and my account. Instagram has evidently no security on its password change page so even with third party token turned on I sometimes get 10 password change emails in a row.

        You touched on the problem in that last paragraph, and then veered away at the last minute. The problem isn't the lack of security. It's that Target is acting like a bank without being regulated like a bank. Why would a service like this have an account with funds in it? When they complete a job, they should get paid immediately by an ACH transfer into their bank accounts. If they don't have a bank account, they should set one up.

        The entire idea that someone should be able to add a debit card to a Shipt shopper account and get money for previous work is absurd. If you don't have a bank account and are getting paid by check, and you add a bank account, that should take two pay periods to set up, just like it does when you set up ACH paychecks from a real employer. The entire notion of having undistributed funds sitting in an account at Target that someone can suddenly and instantaneously cause to get sent somewhere else makes them a bank, and they should be subject to banking laws if they're going to behave that way.

        • the entire notion of having undistributed funds sitting in an account at Target that someone can suddenly and instantaneously cause to get sent somewhere else makes them a bank, and they should be subject to banking laws if they're going to behave that way.

          The defining characteristic of a bank is the use of deposits entrusted to them for loans, which is not the case here. For example, PayPal is not a bank either.

          There are still regulations that apply, but far fewer than for a real bank.

        • The entire notion of having undistributed funds sitting in an account at Target that someone can suddenly and instantaneously cause to get sent somewhere else makes them a bank, and they should be subject to banking laws if they're going to behave that way.

          It seems to have worked out pretty well for PayPal. Their entire business is exactly what you describe.

    • Re:It's 2021... (Score:4, Informative)

      by OrangeTide ( 124937 ) on Friday April 30, 2021 @04:24PM (#61333408) Homepage Journal

      Only minutes earlier I had someone claiming to be "from Comcast" that needed to "reset security services" because "not all of your security services are working". She never asked for me by name or even asked to speak to the account holder. I chatted with her a bit because it was hard to understand what she even wanted; she eventually got cross with me because I wasn't logging into my computer and clicking on the links they were feeding me.

      1. caller ID is a lie.
      2. most places won't just call you out of the blue. If they do, they will at least be able to answer simple questions about your account and identity.
      3. links that aren't https, aren't through the company's main website, and aren't signed properly are a big red flag. but even so, it's usually not even worth trying some weird link because of all the 0-day shit for browsers. (I should probably install Qubes OS or something if I cared about the safety of my data)

      I think these kinds of scams only need to be effective 1% of the time to make them worthwhile. If you run a scam 99 times with no pay out, wasting a few minutes each time, and that 100th time you manage to hijack an account or install ransomware and make $100-$10000 on it, then it's worth it, making $20 an hour minimum by that made-up example.

      • by ebvwfbw ( 864834 )

        Last few times I've called Comcast they were crazy with figuring out if it really was me. Bad part is they use SMS for verification.

        I bet she was cross with you. You weren't cooperating. She might have to get a real job and do real work.

    • 1. Who gives out their password over the phone? 2. Who gives any information out at all when they aren't the initiator of the call?

      Who answers the phone?
      If they aren't on your contact list, why would you even let it ring?

    • Pretty sure the 80/20 rule can apply here. Probably at least 20% of the population fall for this. Maybe more depending on generation, lack of education (about this stuff), etc.
  • Kind of a change. First it was the way companies treated their workers. Now it's how bottom-feeders treat workers. Doesn't pay to be a productive member of society, does it?

    • Not really a change. I was a bike messenger in NYC before that was 'gig work', and it wasn't all that unusual to get robbed.

      It would have been nice for them to do it via email rather than jump out of an alley and push me off my bike.
    • Gig workers. Some would say that's not a real worker. Get a regular job. Quit trying to be non-committal because nobody will have your back.

      Why would they?

  • It's 2021, and you did give out your password and an MFA code.
    • by notsouseful ( 6407080 ) on Friday April 30, 2021 @04:22PM (#61333396)

      He didn't give them his password, just the code. It was a password reset code, so the scammer was simply using his email address to set a new password using that code. The combination of knowing his name, email and phone number was enough to scam this guy out of his money, and the scammers could probably have gotten that from any dump, like the Facebook one from 2015, or the LinkedIn one from a couple years or so earlier.

      Hopefully these Shipt people have spent every minute since this was uncovered re-engineering their password reset protocol. Hell, I'd wonder if there was some sort of hint on the password reset screen they had which would have triggered the scammer into knowing they had found a hit for an account while they're pumping email addresses through it.

    • I feel like signing up for a full-time job or a gig position should include some orientation session on basic security. It's not obvious to everyone, and a 20 minute instructional video would probably go a long way. My work makes us go through 4 hours of videos every year on a variety of topics, but the fastest expanding library is from our security team. I think the amount of information they want us to cover is a bit excessive, but shit has gotten serious these days.

      • Great, one more video to suffer through that no one will pay attention to. Honestly the only way to get people to pay attention to this is to try pulling these awful kinds of tricks on them at a much earlier point in life so that they learn to develop a bit of vigilance and skepticism. The videos or training done by employers is strictly to cover their own ass so that they can claim you were presented with the information. They don't actually expect you to pay attention to it and most people are happy to ob
      • Have you ever been through any of these useless videos with someone babbling about stuff they really don't know anything about but they read from a script?

    • Sure, the people are just sneakier about it, and sometimes you get a "Value Add" without realizing that they are scamming you.

      I am researching into buying a Tesla car (And no Slashdot I don't care to hear your opinion on this), however I was just wondering what Apps for my phone and my smart watch are available. We have the Standard Tesla App, which came from Tesla... But then I found a number of Scary 3rd party apps, on the Google Play Store. Some for my Watch in which for it to operate I will need to ent

  • by fahrbot-bot ( 874524 ) on Friday April 30, 2021 @03:50PM (#61333280)

    Later that evening, ... he received a phone call from Shipt's corporate headquarters' phone number.

    Never give out or confirm information to someone who calls you, unless you know that person. Doesn't matter what the Caller ID says or what they already "know" about you. Always take a name and say you'll call them (or someone else) back on a well-known / published number -- like on the back of your CC -- not one they give you. It may be a bigger hassle in legitimate cases, but will save your butt otherwise.

    • by dryeo ( 100693 )

      It depends, my Credit Union asks me if I am me and then asks when I can come in to talk to them. Seems fairly safe as anything important is discussed in person.

      • It depends, my Credit Union asks me if I am me and then asks when I can come in to talk to them. Seems fairly safe as anything important is discussed in person.

        For sure. I was talking about over the phone. I mean, you'd have reservations if "someone from your credit union" (who you didn't know) showed up at your front door and asked for some account info from you. You'd probably say, let's talk about this back at the office (to prove they actually worked there).

  • Everyone should know not to do this kind of thing by now. What next, will they be helping a Nigerian prince get his money out of Nigeria by giving out their bank info?
    • by jwhyche ( 6192 )

      Did they ever get that astronaut down? Last time I heard from him he had been in orbit for 17 years on the ISS.

  • Phone calls are not secure. I feel like we've done an ok job educating people not to click through on unsecure websites. We need that same sort of click-through warning for all phone calls.

  • I wish it was easier to ensure people didn't make these mistakes. Even when providing training, too many people will still fall for these (and other) tactics.
    The email message with the code likely said to never give the code out to anyone (many such codes I receive have that). The fact they called him rather than locking his account is a red flag. Of course, calling them yourself (if using such dubious methods as searching for it on Google) is just as likely to put you in contact with the wrong people.

    Some

  • by Random361 ( 6742804 ) on Friday April 30, 2021 @07:28PM (#61333996)
    "Hello. This is Shit, I mean Shipt support. Your password may have been compromised so we are going to require that you reset it for your own security. You should receive a code in your email some time this morning telling you how. Thank you for using Shipt."

    "Hello. This is Shipt support. We need to verify your security credentials. Can you please go to your email and tell us the six digit code that was emailed to you this afternoon?" "Uh, 12345." "Checking... Thank you for using Shipt for your Shit." ... "Who the hell just stole my Shit from Shipt?!"

  • In this day and age, if you fall for phishing, it is pretty much your fault.
