Anatomy of a survey scam – how innocent questions can rip you off

By Paul Ducklin

We’ve been receiving loads of survey scam emails lately – and you probably get heaps of these, too.

So we thought we’d take you through a recent scam from go to woe, with screenshots to document the path that the crooks lured us along.

Sometimes, a picture is worth 1000 words (or 1024 words, if you are accustomed to binary numbers like many computer programmers), so we hope this visual tour will be useful so you can show your friends and family what to watch out for.

After all, there doesn’t seem to be much harm in answering a few pseudo-anonymous questions such as “would you visit our shops in person if they were open later?”, or “how often do you browse our website for new products?”

Many brands ask questions of that sort, and sometimes offer small rewards for people who take the trouble to fill in the survey – $5 off your next purchase, for example, or a free product of modest value with your next order.

Tha scammers, however, have much bolder goals.

Typically, cybercriminals suck you in with a seemly and believable promise, but suddenly switch things up by suggesting that you’re one of the lucky few who is going to get a gift that’s much, much more valuable than just a discount code for 5% off your next purchase.

But there’s a catch…

Read more at https://nakedsecurity.sophos.com/2020/06/22/anatomy-of-a-survey-scam-how-innocent-questions-can-rip-you-off/

Hacker indicted for stealing 65K employees’ PII in medical center hack

By Lisa Vaas

A Michigan man has been indicted for the 2014 hack of the University of Pittsburgh Medical Center’s (UPMC’s) HR databases and theft of employees’ personal information – information that he allegedly wound up selling on the dark web to crooks who used it to file thousands of bogus tax returns.

The 43-count indictment, returned on 20 May and unsealed on Thursday, named 29-year-old Justin Sean Johnson, also known as TDS or DS, with conspiracy, wire fraud and aggravated identity theft.

The theft involved personally identifying information (PII) belonging to 65,000 employees from the medical center’s PeopleSoft human resources management system.

The purloined data included the names, Social Security taxpayer ID numbers, birth dates, addresses, marriage statuses, salary information, and yet more PII contained in employee W-2 forms.

After the hack, Johnson allegedly sold UPMC employees’ PII to buyers around the world on dark web marketplaces, leaving every one of those people subject to identity theft and potentially years of financial fraud, as US Attorney Scott W. Brady pointed out in a press release.

Hackers like Johnson should know that our office will pursue you relentlessly until you are in custody and held accountable for your crimes.

Tom Fattorusso, Special Agent in Charge of IRS-Criminal Investigation, was also quoted in the release, talking about the prolonged misery that victims of ID theft suffer:

Unfortunately, through no fault of their own, the people whose identities are stolen in cases like this are often victimized repeatedly. Initially, they have to deal with the stress of knowing their personal information was stolen. Criminals then use the stolen information to file false tax returns, or they sell it to other criminals who use it to file false returns. This causes a hardship for the innocent victims when they try to file their own tax returns. Victims are then left to deal with credit issues caused by the unscrupulous actions of the criminals.

One of the victims was a nurse who wrote to the court, saying that the US had refunded her IRS refund money, but that she was still devastated by the invasion of her privacy. The Pittsburgh Post-Gazette quoted from her statement:

I think the perpetrators of this particular crime think every American is rich. Most of us, like me, are not … To think that someone could drain any of my assets as a result of possessing information about me including my Social Security number is too painful to think about.

Prosecutors say that Johnson allegedly sold the PII of doctors, nurses and other medical center employees – including W-2 tax forms – on dark web markets between 2014 and 2017. The crooks who purchased the data went on to submit false tax returns to the Internal Revenue Service (IRS) and made off with about $1.7 million in unauthorized federal tax refunds.

Read more at https://nakedsecurity.sophos.com/2020/06/22/hacker-indicted-for-stealing-65k-employees-pii-in-medical-center-hack/