
Shopping online is almost second nature now, right? But you could be jeopardizing your identity by just entering information into web page forms. Learn about “formjacking,” how fake Netflix sites are phishing for your PII, Medicare scams and more.
Duke Franklin always checked his credit card statements. One month he noticed a mysterious charge on his statement for three suits from a men’s clothing site that he’d used in the past. Franklin hadn’t worn a suit in years. He immediately contacted his credit card company, bank and companies with which he did business. He discovered that the men’s clothing site had been the victim of the new “formjacking” scam. Cybercriminals had illegally collected from the website’s “form page” personally identifiable information (PII), including Franklin’s credit card material. A web form allows users to enter data that’s sent to servers for processing.
This hypothetical situation represents a new scam. Cybercriminals continually conduct research to develop new types of malware to rob victims of their personally identifiable information (PII), and they update older versions of malware to circumvent security updates.
Kevin Jones reported in his Oct. 1, 2018, Hacker Combat article, “Formjacking in the nutshell,” that Symantec, a cybersecurity company, defined formjacking as “a form of JavaScript-code injection when cybercriminals hack a site and take over the functionality of the site’s form page.”
Cybercriminals can then collect PII and use it for identity theft and other criminal behavior.
According to Jones, Symantec has discovered formjacking security issues with Ticketmaster, Newegg, British Airways and Feedify — all associated with just one formjacking group, Magecart. Since Aug. 13, 2018, Symantec says it has detected and blocked 248,000 formjacking incidents.
Cybercriminals maximize their return on investment by targeting forms on organizations’ websites that potentially have the most records to compromise, such as online shopping, payment processors and banks. The main goal of the criminals is to gain access to all types of PII, especially credit card numbers. “All companies and legal entities operating a website or payment transactions online is at risk to formjacking,” according to Symantec in the Hacker Combat article. Individuals trust the forms to process transactions because they trust the companies and believe the website systems are secure.
Symantec, according to the Hacker Combat article, recommends that webmasters constantly audit the code on their websites. Users should check their monthly credit card statements for unusual activity and report any anomalies to their credit card companies, the Federal Trade Commission (FTC), local law enforcement agencies, the companies they do business with online and media outlets.
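One way a webmaster could carry out the code audit recommended above, shown as an added example that is not from the column or from Symantec: it lists every script on a payment page and reports any that fall outside a reviewed baseline. The host names, the sample page and the baseline are constructed for illustration.

```python
import base64, hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

def digest(text):
    """SRI/CSP-style SHA-256 digest of an inline script body."""
    return "sha256-" + base64.b64encode(hashlib.sha256(text.encode()).digest()).decode()

class ScriptCollector(HTMLParser):
    """Collect every <script> element as [src, integrity, inline body]."""
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = [a.get("src"), a.get("integrity"), ""]
    def handle_data(self, data):
        if self._open is not None:
            self._open[2] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None

def audit(html, page_host, approved_hosts, approved_inline):
    """Return (finding, detail) pairs for scripts outside the reviewed baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, integrity, body in collector.scripts:
        if src:
            host = urlparse(src).hostname or page_host  # relative URL: same host
            if host not in approved_hosts:
                findings.append(("unapproved-host", src))
            elif host != page_host and not integrity:
                findings.append(("third-party-without-integrity", src))
        elif body.strip() and digest(body) not in approved_inline:
            findings.append(("unreviewed-inline-script", digest(body)))
    return findings

# Constructed sample: a checkout page as reviewed, then the same page with one extra tag.
REVIEWED_INLINE = "initCheckoutForm();"
BASELINE = ('<form id="pay"></form><script src="/js/checkout.js"></script>'
            '<script src="https://cdn.shop.example/lib.js" integrity="sha384-PLACEHOLDER"></script>'
            '<script>' + REVIEWED_INLINE + '</script>')
CHANGED = BASELINE + '<script src="https://stats.unknown.example/a.js"></script>'
HOSTS, INLINE = {"shop.example", "cdn.shop.example"}, {digest(REVIEWED_INLINE)}
print(audit(CHANGED, "shop.example", HOSTS, INLINE))
```

Run on a schedule against the live payment page, a non-empty result means the page's scripts no longer match what was last reviewed and the change should be traced before the form is trusted.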
On Dec. 26, 2018, Colleen Tressler, an FTC consumer education specialist, placed an alert on the FTC’s website about a Netflix phishing scam designed to steal PII from consumers. She referred to an example from an Ohio police agency in which crooks used a Netflix logo to trick users into divulging PII. (See the screen shot the scammers used at the top of the page.) Fraudsters have long used genuine logos to reduce user skepticism of emails or texts.
In the Netflix case, Tressler wrote, scammers used email messages to tell potential victims that their user “account is on hold because Netflix is ‘having some trouble with your current billing information’ and invites the user to click on a link to update their payment method.” Victims who click on the link could download various types of malware, like ransomware, that can invade their computers or networks to look for vulnerabilities in software and then steal PII, such as contact lists, passwords and bank account numbers.
Tressler recommends before you give up PII:
U.S. Medicare is sending new enrollment cards to participants that now contain unique numbers for participants and not their Social Security numbers (SSN). That’s a good thing. You lose your Medicare card, you jeopardize your SSN and identity.
Scammers, of course, aren’t thwarted. According to a Sept. 20, 2018, FTC alert, they’ve been contacting potential victims using a variety of tactics to get cardholders to disclose their new Medicare numbers or charge them unneeded fees. (See “Hang up on Medicare card scams,” by Ari Lazarus, FTC.)
For example, these fraudsters, claiming to be Medicare reps, ask potential victims to verify the information on their new Medicare cards, tell them they must pay a fee for the new cards or offer plastic cards to replace the paper versions. They also tell Medicare participants that their new cards have been compromised, and they need to transfer money from their bank accounts to “safer accounts” controlled by the scammers.
The FTC offers advice:
Also see the FTC/AARP video at “Protect yourself against Medicare scams,” March 15, by Lisa Weintraub Schifferle, attorney in the FTC Division of Consumer & Business Education.
Schifferle writes that the FTC worked with AARP to create a series of videos about imposter scams, including Medicare scams, Internal Revenue Service imposters and robocalls. The first video they posted helps viewers recognize scammers who ask for Medicare numbers. Visit ftc.gov/calls to learn how to stop unwanted calls, including using call-blocking technology.
Please share this information with your business associates, family, friends and clients and include it in your outreach programs. An important takeaway from this column is that new identity theft schemes continue to emerge. You’ve been forewarned, so tread with care!
Please contact me if you have any identity theft or cyber-related issues that you’d like me to research and possibly include in future columns or as feature articles or if you have any questions about this column or any other cybersecurity and identity theft issues. I don’t have all the answers, but I’ll do my best to help. Stay tuned!
Robert E. Holtfreter, Ph.D., CFE, is distinguished professor of accounting and research at Central Washington University in Ellensburg, Wash. He’s also on the ACFE’s Advisory Council and the Editorial Advisory Committee. Holtfreter was the recipient of the Hubbard Award for the best Fraud Magazine feature article in 2016. His email address is: doctorh007@gmail.com.