“The most sophisticated online scam I have ever seen.” This is how new Vinted users are being scammed


Pablo Grueso, CEO of the technology consulting firm TecnoFor, published a thread on Twitter yesterday that began like this: “I just witnessed the most sophisticated online scam I have seen so far”. Grueso then recounted what he had recently witnessed on Vinted, detailing step by step how the user in question fell into the scammers’ trap.

It all started when the user in question, practically new to the platform, put a garment up for sale on Vinted. A simple step that quickly became complicated when she received an email supposedly from the “Vinted Team.”

That is, she received an email from the address “[email protected]” (remember that legitimate email addresses can be spoofed, so seeing that address does not mean the message actually came from it). The e-mail appeared to relay an internal message from an interested buyer…

…a message that included a screenshot from the ‘buyer’s’ phone, in which the Vinted app can be seen asking for the seller’s (that is, the novice user’s) mobile phone number.

And here we reach the key part of the scam: besides the text and the screenshot, the (supposedly official) email includes a link which, when clicked, took the user straight into the Vinted application… or rather, into an almost perfect copy of the website.

“A screen where you don’t notice the difference, where you can’t click on ‘info’ but you can navigate to the Inbox, for example”

The seller, confident of operating within Vinted’s own platform, ‘completes’ the profile by entering a phone number… and that information goes straight to the fraudster who sent the email in the first place. Now, with the victim’s number in hand, the fraudster sends an SMS (again, supposedly from Vinted).

In that SMS, the victim is told that, to verify their credit card, “they will make the typical virtual charge that they later cancel…”, a practice commonly used to confirm that a card is genuine, with the twist that this time “the charge is €500”.

Another user affected by the same scam adds detail about that SMS:

“One of my daughters put some things up for sale; it was the first time, and it was as if suddenly they wanted to buy everything. What followed was what you describe: a message within the app to enter the mobile phone number and an SMS to enter the card details.”

In other words, a textbook two-stage phishing campaign impersonating Vinted, designed to hand the scammers first our personal data and then our financial data. Moreover, when the authorization request for the supposedly reversible charge to ‘Vinted’ arrives, the victim approves it, believing it is legitimate and will be refunded. Oh, the innocence.

The outcome, and what to keep in mind so you don’t fall for it

The result of all this? 500 euros gone, and the item the victim listed on Vinted remains unsold, because there was never an interested buyer. Always keep these points in mind:

  • Make sure that whenever you enter data in an app you are actually doing so on the app’s official domain, not on a “look-alike” website.
  • To make that easier, never reach the platform through third-party links (even if they appear to come from your real counterpart): open the website/app yourself and find the section in question.
  • Remember that, if entering certain data is necessary to operate on a trading platform, the platform will have asked for it during registration; you will not receive a message about it afterwards.
  • Ask yourself some obvious questions: “Why would they spend money sending SMS when they can push a notification to the mobile app?” or “Why would Vinted ask the buyer for the seller’s number?”

This email promises you 90 days of free Netflix subscription: don’t bite, it’s a scam


A new cyber-scam is targeting Netflix users: INCIBE (Spain’s National Institute of Cybersecurity) has warned of a mass mailing of malicious e-mails telling users that their Netflix subscription has expired. The cybercriminals are, however, ‘generous’ and offer a free 90-day extension… but behind the offer is an attempt to steal information.

If we accept, we are asked to enter our personal data (credit card details included) before the extension is granted, in what is a textbook phishing attack, one that, however many times it has been seen, does not seem to lose its effectiveness.

How does the phishing attack work?

Fraudulent emails, with subjects such as , alert the user about the expiration of their subscription to the streaming platform.

As a supposed loyalty gesture, they promise a free 90-day extension if the user links a credit card to validate the account, assuring that no charges will be made to the card provided.

Clicking the link in the email redirects users to a fake website imitating the official Netflix platform (see main image). The page displays the company’s logos and the same subscription-expired message, together with a button to extend the subscription for free.

However, as noted above, the real objective is to get the user to enter their personal and credit card details in a form.

The mistake, though, was made the moment we opened the e-mail without checking the sender address. Had we checked, we would have seen that it does not correspond to an official Netflix address.

And that is precisely one of the first details that we always have to check in these cases.

What to do if you have received this type of email?

If you have received a similar email and have not provided any information, mark it as spam and delete it from your inbox.

If, on the other hand, you have fallen into the trap and entered your personal and bank details in the form, do not delete anything; instead, contact your bank immediately to report the situation and take the necessary measures, which may include cancelling the card involved to prevent unauthorized charges.

Then:

  1. Regularly review your bank account transactions to detect possible unauthorized charges.
  2. Collect evidence of the fraud, saving the emails and screenshots of the process. This evidence can be useful if you need to file a complaint.
  3. Contact the State Security Forces (FCSE) and report the facts, providing the evidence collected.
  4. Do some regular “egosurfing” to check whether your personal or banking details have been exposed online. If so, follow the procedure provided by the Spanish Data Protection Agency (AEPD) to request their deletion by exercising the right to erasure (right to be forgotten).
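As an added example, not from either article nor from Vinted, Netflix or INCIBE, here is the check behind the advice in both pieces (enter data only on the official domain; look at the sender address): a small Python script that decides whether a link or a From: header really belongs to an official domain, rejecting the usual look-alike tricks. The allowlist of official domains and all sample addresses are constructed for the example.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Hypothetical allowlist, constructed for this example (not an official list).
OFFICIAL_DOMAINS = ("vinted.com", "vinted.es", "netflix.com")


def normalize_host(host: str) -> str:
    """Lower-case a hostname, drop a trailing dot and convert non-ASCII
    labels to their xn-- form, so a look-alike built from foreign-script
    letters is compared on its real wire representation."""
    host = host.strip().rstrip(".").lower()
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def is_official_host(host: str, official=OFFICIAL_DOMAINS) -> bool:
    """True only if host IS an official domain or a subdomain of one.
    Prefix tricks fail: 'vinted.com.example.net' does not end with
    '.vinted.com', and 'vinted-com.net' is simply a different domain."""
    h = normalize_host(host)
    return any(h == d or h.endswith("." + d) for d in official)


def link_is_official(url: str, official=OFFICIAL_DOMAINS) -> bool:
    """Check a link taken from an email or SMS. urlsplit strips the
    user-info part, so 'https://vinted.com@evil.example/' is judged on
    its real host, evil.example. Plain http is rejected as well."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        return False
    return is_official_host(parts.hostname, official)


def sender_is_official(header_from: str, official=OFFICIAL_DOMAINS) -> bool:
    """Check the domain of a From: header. The display name ('Vinted
    Team') is ignored; only the address part counts. Note: a passing
    result is necessary, not sufficient, because From: can be spoofed;
    a failing result is a reliable reason to stop."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return False
    return is_official_host(addr.rsplit("@", 1)[1], official)
```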