Scammers Are Hacking Target's Gig Workers and Stealing Their Money (vice.com) 40
Scammers have been spoofing Target's delivery company Shipt's phone number in order to steal its gig workers' earnings by phishing their credentials from them. From a report: On the morning of March 28, a gig worker near Tampa, Florida, was shopping an order for Shipt, Target's delivery platform, when he received an email from "Shipt Support" asking him to reset his password. The worker says he didn't request to reset his password, but didn't think much of the email and went on with this day. Later that evening, the worker says he was sitting at home on his couch when he received a phone call from Shipt's corporate headquarters' phone number. Someone identifying themselves as a Shipt employee and addressing the worker by his first name said there had been unusual activity on his account regarding his password and asked him to read back a code that had been emailed to him to verify his identity.
Remembering the password reset email from earlier that day, the worker provided an authentication code that he'd received via email from Shipt. Shortly after, he received an email notifying him that someone had added a debit card to his account. When the worker checked his account again, he realized someone had logged in and cashed out his entire paycheck -- $499.51. "I noticed my withdrawal balance was zero," he said in a public video uploaded to Facebook. "At that point, I'm livid. I'm pissed." In recent weeks, personal shoppers on Target's delivery app, which boasts roughly 300,000 personal shoppers in the United States, have been repeatedly targeted by scammers hoping to steal their earnings by phishing gig workers' credentials from them. Since March 28, more than 30 gig workers have posted in private, unofficial Facebook groups for Shipt's personal shoppers saying scammers have targeted them using phishing schemes that include spoofing Shipt's corporate phone numbers and asking for passwords over the phone. In at least some cases, the strategy used by scammers is different from other phishing campaigns: Scammers trigger password reset emails sent to personal shoppers by clicking the "forgot password" button below the Shipt login. Then they follow up via phone, asking personal shoppers to "verify" their passwords in order to look into "unusual activity" or requests to update info on their accounts.
Remembering the password reset email from earlier that day, the worker provided an authentication code that he'd received via email from Shipt. Shortly after, he received an email notifying him that someone had added a debit card to his account. When the worker checked his account again, he realized someone had logged in and cashed out his entire paycheck -- $499.51. "I noticed my withdrawal balance was zero," he said in a public video uploaded to Facebook. "At that point, I'm livid. I'm pissed." In recent weeks, personal shoppers on Target's delivery app, which boasts roughly 300,000 personal shoppers in the United States, have been repeatedly targeted by scammers hoping to steal their earnings by phishing gig workers' credentials from them. Since March 28, more than 30 gig workers have posted in private, unofficial Facebook groups for Shipt's personal shoppers saying scammers have targeted them using phishing schemes that include spoofing Shipt's corporate phone numbers and asking for passwords over the phone. In at least some cases, the strategy used by scammers is different from other phishing campaigns: Scammers trigger password reset emails sent to personal shoppers by clicking the "forgot password" button below the Shipt login. Then they follow up via phone, asking personal shoppers to "verify" their passwords in order to look into "unusual activity" or requests to update info on their accounts.
You mean more than Target? (Score:1)
(You know... just so the obvious is out of the way.)
It's 2021... (Score:3, Insightful)
1. Who gives out their password over the phone?
2. Who gives any information out at all when they aren't the initiator of the call?
Re: (Score:3)
2. Who gives any information out at all when they aren't the initiator of the call?
It's 2021.
Re: (Score:3)
Re: (Score:2)
This sort of thing would've never happened in 2019. Lockdown must've made people stupid.
No. People are just as stupid as they've always been.
Wonder who he is. I bet someone could sell him an extended car warranty.
Re: (Score:2)
The lack of security is the issue. My bank puts interstitial DHS between me logging in and my account. Instagram has evidently no security on its password change page so even with third party token turned on I sometimes get 10 p
Re:It's 2021... (Score:5, Insightful)
I donâ(TM)t really blame the end user here. What he gave was a code used to verify his identity. This should not be useful unless the third party has the password. No, the end user should not have given out. It there is no way that should have allowed access to the account.
The lack of security is the issue. My bank puts interstitial DHS between me logging in and my account. Instagram has evidently no security on its password change page so even with third party token turned on I sometimes get 10 password change emails in a row..
You touched on the problem in that last paragraph, and then veered away at the last minute. The problem isn't the lack of security. It's that Target is acting like a bank without being regulated like a bank. Why would a service like this have an account with funds in it? When they complete a job, they should get paid immediately by an ACH transfer into their bank accounts. If they don't have a bank account, they should set one up.
The entire idea that someone should be able to add a debit card to a Shipt shopper account and get money for previous work is absurd. If you don't have a bank account and are getting paid by check, and you add a bank account, that should take two pay periods to set up, just like it does when you set up ACH paychecks from a real employer. The entire notion of having undistributed funds sitting in an account at Target that someone can suddenly and instantaneously cause to get sent somewhere else makes them a bank, and they should be subject to banking laws if they're going to behave that way.
Re: (Score:3)
the entire notion of having undistributed funds sitting in an account at Target that someone can suddenly and instantaneously cause to get sent somewhere else makes them a bank, and they should be subject to banking laws if they're going to behave that way.
The defining characteristic of a bank is the use of deposits entrusted to them for loans, which is not the case here. For example, PayPal is not a bank either.
There are still regulations that apply, but far far than for a real bank.
If Target is a "bank"... (Score:2)
The entire notion of having undistributed funds sitting in an account at Target that someone can suddenly and instantaneously cause to get sent somewhere else makes them a bank, and they should be subject to banking laws if they're going to behave that way.
It seems to have worked out pretty well for PayPal. Their entire business is exactly what you describe.
Re: (Score:2)
And folks have been trying to get them reclassified as a bank for at least a decade.
Re:It's 2021... (Score:4, Informative)
Only minutes earlier I had someone claiming to be "from Comcast" that needed to "reset security services" because "not all of your security services are working". She never asked for me by name or even asked to speak the the account holder. I chatted with her a bit because it was hard to understand what she even wanted, she eventually got cross with me because I wasn't logging into my computer and clicking on the links they were feeding me.
1. caller ID is a lie.
2. most places won't just call you out of the blue. If they do, they will at least be able to answer simple questions about your account and identity.
3. links that aren't https, aren't through the company's main website, and aren't signed properly are a big red flag. but even so, it's usually not even worth trying some weird link because of all the 0-day shit for browsers. (I should probably install Qubes OS or something if I cared about the safety of my data)
I think these kinds of scams only need to be effective 1% of the time to make them worthwhile. If you run a scam 99 times with no pay out, wasting a few minutes each time. And that 100th time you manage to hijack an account or install ransomware and make $100-$10000 on it. Then it's worth it, making $20 an hour minimum by that made-up example.
Re: (Score:1)
Last few times I've called comcast they were crazy with figuring out if it really was me. Bad part is they use SMS for verification.
I bet she was cross with you. You weren't cooperating. She might have to get a real job and do real work.
Re: (Score:2)
1. Who gives out their password over the phone? 2. Who gives any information out at all when they aren't the initiator of the call?
Who answers the phone?
If they aren't on your contact list, why would you even let it ring?
Re: It's 2021... (Score:3)
Given he's a gig worker, probably a potential employer calling to schedule an interview.
Re: It's 2021... (Score:1)
Getting it on both ends. (Score:2)
Kind of a change. First it was the way companies treated their workers. Now it's how bottom-feeders treat workers. Doesn't pay to be a productive member of society, does it?
Re: (Score:3)
It would have been nice for them to do it via email rather than jump out of an alley and push me off my bike.
Re: (Score:2)
Gig workers. Some would say that's not a real worker. Get a regular job. Quit trying to be non-commital because nobody will have your back.
Why would they?
This really sucks, but... (Score:1)
Re:This really sucks, but... (Score:4, Interesting)
He didn't give them his password, just the code. It was a password reset code, so the scammer was simply using his email address to set a new password using that code. The combination of knowing his name, email and phone number was enough to scam this guy out of his money, and the scammers could probably have gotten that from any dump, like the Facebook one from 2015, or the LinkedIn one from a couple years or so earlier.
Hopefully these Shipt people have spent every minute since this was uncovered re-engineering their password reset protocol. Hell, I'd wonder if there was some sort of hint on the password reset screen they had which would have triggered the scammer to knowing they had found a hit for an account given while they're pumping email addresses through it.
Re: (Score:2)
I feel like signing up for a full-time job or a gig position should include some orientation session on basic security. It's not obvious to everyone, and a 20 minute instructional video would probably go a long ways. My work makes us go through 4 hours of videos every year on a variety of topics, but the fastest expanding library from our security team. I think it's a bit excessive the amount of information they want us to cover, but shit has gotten serious these days.
Re: (Score:3)
Re: (Score:2)
you can lead a horse to water but you can't make him drink.
Re: This really sucks, but... (Score:1)
You can force a hose down its throat, and pour water into it.
Does that qualify as making it drink ?
Re: This really sucks, but... (Score:2)
Have you ever been through any of these useless videos with someone babbling about stuff they really don't know anything about but they read from a script?
Re: (Score:2)
Sure, the people are just sneaker about it, and sometimes you get a "Value Add" without realizing that they are scamming you.
I am researching into buying a Tesla car (And no Slashdot I don't care to hear your opinion on this), however I was just wondering what Apps for my phone and my smart watch are available. We have the Standard Tesla App, which came from Tesla... But then I found a number of Scary 3rd party apps, on the Google Play Store. Some for my Watch in which for it to operate I will need to ent
Don't talk to strangers ... (Score:4, Insightful)
Later that evening, ... he received a phone call from Shipt's corporate headquarters' phone number.
Never give out or confirm information to someone who calls you, unless you know that person. Doesn't matter what the Caller ID says or what they already "know" about you. Always take a name and say you'll call them (or someone else) back on a well-known / published number -- like on the back of your CC -- not one they give you. It may be a bigger hassle in legitimate cases, but will save your butt otherwise.
Re: (Score:2)
It depends, my Credit Union asks me if I am me and then asks when I can come in to talk to them. Seems fairly safe as anything important is discussed in person.
Re: (Score:2)
It depends, my Credit Union asks me if I am me and then asks when I can come in to talk to them. Seems fairly safe as anything important is discussed in person.
For sure. I was talking about over the phone. I mean, you'd have reservations if "someone from your credit union" (who you didn't know) showed up at your front door and asked for some account info from you. You'd probably say, let's talk about this back at the office (to prove they actually worked there).
In this age? (Score:2)
Re: (Score:3)
Did they ever get that astronaut down? Last time I heard from him he had been in orbit for 17 years on the ISS.
Phone calls need a red open padlock (Score:2)
Phone calls are not secure. I feel like we've done an ok job educating people not to click through on unsecure websites. We need that same sort of click-through warning for all phone calls.
Re: (Score:2)
Phone calls are not secure. I feel like we've done an ok job educating people not to click through on unsecure websites. We need that same sort of click-through warning for all phone calls.
Exactly, and the training would last all of two minutes, tops.
"If someone calls you, don't answer the phone."
Re: Phone calls need a red open padlock (Score:2)
How about capital of punishment for spoofing caller id?? One or two public executions and people might think twice!
Re: (Score:2)
Re: Phone calls need a red open padlock (Score:2)
All the telcos have to do is to build in protections against spoofing.
too easy (Score:2)
The email message with the code likely said to never give the code out to anyone (many such codes I receive have that). The fact they called him rather than locking his account is a red flag. Of course, calling them yourself (if using such dubious methods as searching for on Google) is just as likely to put you in contact with the wrong people.
Some
Shipt that shit. (Score:3)
"Hello. This is Shipt support. We need to verify your security credentials. Can you please go to your email and tell us the six digit code that was emailed to you this afternoon?" "Uh, 12345." "Checking... Thank you for using Shipt for your Shit." ... "Who the hell just stole my Shit from Shipt?!"
Re: Shipt that shit. (Score:2)
And that goes for almost every site on the net.
Kinda your fault (Score:2)