Road Toll Smishing & MetaPixel Tracker Scam: Unveiling Security Threats Live from Hack Space Con

The Daily Decrypt

SMS phishing warnings by the FBI and innovative skimming tactics exposed by Sucuri experts. Discover actionable tips to shield yourself and your digital platforms from these sophisticated threats. Join the conversation by sharing your cybersecurity challenges and solutions.

00:00 Kickoff: Live from Cape Canaveral

00:59 Deep Dive into the FBI’s Warning on SMS Phishing

06:14 Protecting Yourself Against Smishing and Phishing

13:13 Exploring the Dangers of Default WordPress Credentials

Related Articles:

  1. FBI warns of massive wave of road toll SMS phishing attacks:
  2. Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker:
  3. Hackable Intel and Lenovo hardware that went undetected for 5 years won’t ever be fixed:

Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/

Logo Design by https://www.zackgraber.com/

Tags for the episode: FBI, SMS phishing, cybersecurity, Sucuri, credit card skimming, Meta Pixel, WordPress, Magento, digital threats, personal data protection, cyber attacks, scam awareness, online security, toll fraud, phishing alerts

Search Phrases:

  1. FBI SMS phishing alert 2024
  2. How to protect against SMS phishing
  3. Sucuri finds credit card skimmer in Meta Pixel script
  4. Preventing credit card fraud on WordPress and Magento
  5. Latest cyber scams and digital threats
  6. Protecting personal information from online scams
  7. Understanding toll service phishing scams
  8. Cybersecurity tips for digital platforms
  9. Identifying fake toll debt notices
  10. Enhancing website security against skimmers

Transcript:

Boyz

offsetkeyz: Let’s do this so we friggin rocket launch

Welcome back to the Daily Decrypt. Coming to you live from Cape Canaveral, Florida.

Got offsetkeyz and dogespan.

dogespan: hello.

offsetkeyz: we’re going to bring you some tasty news.

Up first, the FBI has sounded the alarm on a massive SMS phishing wave sweeping across the U.S.,

targeting unsuspecting individuals with bogus road toll debt notices as part of a sophisticated scam aimed at harvesting personal data. What can you do to protect yourself from falling victim to these SMS phishing scams?

dogespan: Cybersecurity experts at Sucuri have unearthed a cunning credit card skimmer disguised within a fake Meta Pixel tracker script, cleverly hidden in customizable code sections of widely used platforms like WordPress and Magento. How can website administrators safeguard their platforms against such stealthy credit card skimming attacks?

offsetkeyz: Alright, so the first story comes to you straight from the FBI, and what better way to deliver the news than to just read the memo that the FBI released. So, here we go. Since early March of 2024, the FBI Internet Crime Complaint Center, or IC3, has received over 2,000 complaints reporting smishing texts representing road toll collection services from at least three states. The FBI does not mention which three states, so, good luck. The IC3 complaint information indicates the scam may be moving from state to state. Nice.

The texts will look something like this. We’ve noticed an outstanding toll amount of 12.51 on your record. To avoid a late fee of $50, visit some URL to settle your balance.

dogespan: true. And

offsetkeyz: true.

dogespan: part

offsetkeyz: part of the reason

dogespan: that so many users have gotten hit, is because If I got a bill for 12, I’d click and pay.

And

offsetkeyz: the mail. The road department is going to know your phone number.

They’re not. Your license plate is linked to your address, and then they mail it to you there.

dogespan: you there. So,

offsetkeyz: So, any text you’re getting probably isn’t coming from them unless you signed up for it, in which case you would know.

The texts claim the recipient owes money for unpaid tolls and contain almost identical language. The outstanding toll amount is similar among the complaints reported to the

dogespan: the IC3.

offsetkeyz: However, the link provided within the text is created to impersonate the state’s toll service name, and phone numbers appear to change between states. Ok, so they’re at least, like, masquerading as that state. Yeah, they are, they are targeting specific states, yes. Which is an easy tactic to take, probably takes the attackers very little time,

dogespan: oh yeah

offsetkeyz: and is very effective.

dogespan: Yeah. So if you receive one of these texts, the following is suggested file a complaint with the IC3 at www.IC3.gov texts I’m gonna admit, I’m actually really guilty of never reporting those names, those scams. I get them all the time. Text messages for like UPS deliveries and stuff. But also like, yeah, I never think of reporting it to the IC3. But I do tend to put on my security researcher hat and

offsetkeyz: on

dogespan: go click the link.

On a safe device, it is always, don’t try it at home unless you, you know, know how to virtualize and segment and all that stuff. Um, But yeah, that’s usually my approach is I just want to learn what they’re doing and I

offsetkeyz: report it as

dogespan: guess I need to report it as well because it’s stopping at me if nobody else reports it.

offsetkeyz: I, until you said that, I didn’t even consider reporting anything to whom I didn’t, I don’t know. So I think I’ve mentioned before on the podcast that you can report things to the FBI, but I personally have never done it. So, yeah, I think both of us, both dogespan and I’s takeaway is that we’re going to start reporting stuff and imagine how many people also don’t report things.

So 2,000 reports came in to the FBI.

dogespan: in to the

offsetkeyz: Is probably hitting hundreds of thousands of

dogespan: people. Yeah, like a, I don’t know, what is that, 10%? Yeah.

offsetkeyz: What’s the reporting rate? How do you study that? I don’t know. Not my problem, but if it does happen to you, it really helps

dogespan: FBI

offsetkeyz: the FBI understand the severity of the situation by you reporting it and they can gather the information.

That’s your tax dollars hard at work. So make sure you get your bang for your buck there.

dogespan: so there.

offsetkeyz: So, Pennsylvania Turnpike officials have reacted to these threats by advising customers to avoid clicking on any suspicious links sent via text that claim to resolve outstanding toll amounts. So, by hearing that article, that’s mentioned in the article from Bleeping Computer, so Pennsylvania is one of those states.

Thanks. They emphasize the importance of deleting the phishing texts immediately, which is interesting. Additionally, the Pennsylvania State Police have issued warnings about these deceptive texts, stressing that the links lead to counterfeit websites designed to harvest personal information. So, they’re not coming after money at this point.

They’re trying to get your credentials to unlock even more than

dogespan: credentials to unlock even more than 12. Yeah, this is very

offsetkeyz: Yeah, this is very smart, because those types of things keep a lot of people up at night. Unpaid debts, that people are very scared of the banking systems and the credit scores and all that stuff. So if you have this threat of an unpaid debt. And you have the means to afford to pay that unpaid debt, You’re gonna go on and hastily pay that so that you can sleep well at night.

So in the spirit of security awareness, what can you do as the listener to identify these types of smishing, it’s a fun word to say, you should say it, smishing, smishing attack text messages.

This podcast, I often mention hanging up the phone and calling the source or the claimed source of text messages or phone calls. So if you’re getting a call from, or if you’re getting a text message from this toll company, one way to verify is to go Google it, right?

Google that toll company, find the website, don’t click on the Google ad. Go find the actual listing for the website, go to that website, fill out a contact us form,

And

say, hey, I received a text that says I have unclaimed debts. Is that real? pro tip from someone who hasn’t paid most of their toll fees.

They don’t. It’s not urgent They they’ll keep that debt on ya for a while and yeah it might go up a few pennies a couple pennies but honestly I don’t think it does I think they come after that toll and that’s it

The only times I’ve seen it is if they’re tied into the registration, so when you go to renew your registration it.

guys,

dogespan: toll. Yeah.

offsetkeyz: It might seem easy to pay 12, but you know, there’s a lot more at risk than just 12 for your data. I’m, I’m curious if these attackers have infiltrated some sort of toll system, or if they’re just shooting them off at random.

Because the only other attack, which you had mentioned earlier, is the USPS or UPS package incoming, and what’s crazy about that one,

dogespan: about

offsetkeyz: a family

dogespan: one is I always have a package incoming when I get those.

offsetkeyz: why are they texting me about my package?

Oh, it’s not them. I’m going to have to do some research into that because it’s just occurring to me now that

dogespan: me now

offsetkeyz: I always have a package on the way. But luckily the attackers who have purchased that information, or the ones who are conducting the smishing of the UPS, haven’t figured it all out yet. I have a screenshot from one of my most recent ones that came from a sexyboy69 at gmail.com text. That’s the

dogespan: That’s the trend. Yes, they’ve been compromising email accounts to send these out.

offsetkeyz: send these out.

dogespan: Or they are making bogus. But I’ve gotten an AOL and a Yahoo before.

offsetkeyz: Interesting. There’s always some typos, so keep your eye out for typos. In the age of ChatGPT and, and large language models, you don’t really even have to speak English to get a coherent smishing message out there.

So like, honestly, attackers, there’s no excuse for this. Come on, but

dogespan: Keep

offsetkeyz: keep, yeah, keep an eye out for those indicators. Check with the source. Don’t click any links unless you’re absolutely positive. Um, if anyone calls you, try to hang up. Like, I, I, you know, moment of truth, I received a call from, I believe it was Pretty Litter, cat litter delivery service, because I cancel my credit card once a year just to, you know, shed all the subscriptions and have to re subscribe, and right after I canceled it, they called and asked for 80 bucks, and I just gave them the new credit card number without calling back, and I felt icky about it. So,

dogespan: Did your litter

offsetkeyz: anyways, if someone calls you, doesn’t matter who it is, Don’t give them your credit card information, call them back. It’s like, it’s inconvenient, but it’s going to save you a lot of hassle on the backend.

dogespan: I was in that generative AI red teaming talk this morning. This, uh, this talk goes into a quick demonstration on a phishing text, er, a phishing email that was created to target a cyber security professional as a test. So, they targeted Dave Kennedy in this phishing email. And what they did is they sent several GPT agents

Scouring the web for personal information about Dave Kennedy. And one of the things that I think has been very prominent in his more recent endeavors is health and,

offsetkeyz: know, taking

dogespan: um, weight management, you know, taking care of your body, fitness, all of that.

So it actually crafted up a really good phishing email that was like, hi, Dave. Um, this is the bodybuilding.com community representative or whatever, and we want to bring you on as a

offsetkeyz: you on

dogespan: community advocate

offsetkeyz: advocate

dogespan: or something. And it, it totally like spoke to his interests, and he even, he even said, like as he received that, they were tweeting him, like they gave him a heads up and everything, but he was like, I 100 percent would have clicked on

offsetkeyz: have clicked

dogespan: And it’s a, that’s a cyber security

offsetkeyz: cyber security

dogespan: Yeah. So these generative AIs are getting better and most attackers may not be using it to the full extent, but there will be ones out there that are going to be really good, like the lego.com one we talked about previously. Yeah, that might get me.

offsetkeyz: lego.com one we talked about. You’re probably going to get me, so there you go. What was that?

Did they use ChatGPT officially?

I’m mostly curious because, yeah, ChatGPT has built in,

safeguards against any malicious activity, so if you ask it for anything that can be used maliciously, like craft a phishing text or craft something that someone would be manipulated by, it’s gonna say no, so,

dogespan: That goes into just tricking the AI, because you could very easily just say, Hey, you know, this person, here’s a couple social media profiles, go find more info on them.

And then you say, okay,

you know, how can I appeal to this person’s interest in an email or something?

And

offsetkeyz: that’s a whole nother conversation we could get into where you can actually give prompts to ChatGPT to make it do whatever you want because large language models like ChatGPT are very smart and very dumb. And they are not very refined. So that’s, that’s super interesting. The talk that dogespan was mentioning is called Red, Blue, Purple AI, practical AI for security

dogespan: security practitioners.

offsetkeyz: the speaker is Jason Haddix.

dogespan: Yeah, it was a really good presentation.

offsetkeyz: Great job, Jason.

Cybersecurity experts have uncovered a deviously camouflaged credit card skimmer masquerading as a seemingly harmless Meta Pixel tracker script. Researchers at Sucuri have pinpointed this malware, which sneaks onto websites through seemingly benign tools that permit custom code, plugins such as Simple Custom CSS and JS.

dogespan: or

offsetkeyz: the miscellaneous scripts section of the Magento admin panel. So that’s a little bit of technical jargon. to do a bit more research to figure out like what the heck is even a Meta Pixel tracker. But if you’ve ever had a business or a website, and you’ve subscribed to Google Analytics, it’s a little snippet of code that you can place in the HTML that allows Google Analytics to track web page visits and other data points on web traffic. And Facebook or Meta has the same sort of thing for your website. They do Facebook analytics. And so this Meta Pixel tracker script is essentially that. You add it to your website and Meta is allowed to track it. So that. That isn’t what’s happening here, but it is what it’s being disguised as. These little scripts are coming in and they’re trying to look like Meta Pixel tracker scripts so they don’t get picked up by signature detectors or things like that.

But what they’re actually doing, which is pretty interesting, is it’s a piece of code that identifies if you’re on a checkout page. So if your WordPress site has a shop, and that shop allows you to pay inside the WordPress app, that little snippet of code is able to identify that this is a checkout page. And it just turns on and starts listening for your credit card number.

Security researcher at Sucuri highlighted the risk posed by custom script editors. Custom script editors are popular with bad actors because they allow for external third party and malicious JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google jQuery.

dogespan: Google Analytics or libraries like jQuery.

offsetkeyz: Lol.

dogespan: law, yeah, where the attacker will try to replicate what is normal within an environment. So in this case, it is the website. So they’re masquerading as a typical analytics, but it has a malicious intent of scraping of the credit cards.

So as mentioned before, this bogus script mimics the legitimate Meta Pixel tracker.

offsetkeyz: However, a deeper inspection revealed a sinister twist. It stealthily replaces references to the authentic connect.facebook.net with a malicious beconnected.com. This rogue domain is then used to load a harmful script, fbevents.js, which targets victims on checkout pages by deploying a fraudulent overlay designed to capture their credit card information.

I see, I see. So, it may look exactly the same as the regular checkout page, but it’s an overlay, and you’re actually entering it into some sort of

dogespan: sort of iframe or

offsetkeyz: iframe, or div, or something else that’s sending the information somewhere else.

So it’s crucial to note that beconnected.com itself is a legitimate e-commerce website, which at some point was compromised to serve this skimmer code. WordPress is notorious for going un-updated. There’s so many plugins that all require separate security updates, and you’re lucky if that plugin is still maintained and offering security updates.

But since it’s a commercial tool and often free, WordPress I mean, the people running their WordPress sites aren’t the most security minded, or they don’t have time to go in once a week and update their plugins. So, spoiler alert, the best way to combat this type of attack is to go into WordPress. And we’re using WordPress as an example to go into WordPress and update your plugins, but also take a look at the users tab and just see if there are any users in there that shouldn’t be in there.

That would

be a pretty key indicator.

If there are, delete that user, revoke all login sessions.

dogespan: yeah,

offsetkeyz: don’t know either. I bet they do. Or you can enable more verbose logging to get that information. But I think they do. And there are a lot of free security plugins out there. I don’t know which one we use. But every time I go into the WordPress dashboard, it says 15,000 login attempts blocked. And I said, great, keep blocking them.

dogespan: Let me know when they get in.

offsetkeyz: Yeah, let me know if there are any that weren’t

dogespan: are any that weren’t blocked. Um,

offsetkeyz: This is my first WordPress website. TheDailyDecrypt.com. Plug, plug, plug. Have you ever worked with WordPress before? Yeah,

dogespan: experiment.

Yeah,

offsetkeyz: which is how this started out too. And when we started this, we started this together.

dogespan: WordPress

offsetkeyz: creates a default account for you. And the username is user and the password is always the same. I don’t remember what it is because I promptly deleted that, but you can Google it and it will say, this is the default WordPress credentials. And I would imagine that many WordPress administrators out there without any technical expertise, continue to use those default login credentials.

And so if you do.

dogespan: do,

offsetkeyz: It’s very easy to access your WordPress admin portal and set this type of credit card skimmer up.

dogespan: you remember if it prompts you at any point to

offsetkeyz: It does not.

dogespan: not.

Fantastic.

offsetkeyz: It does not, and it’s actually kind of complicated to delete an account. I had a hard time. I don’t know if I actually could delete it, but I did change the password if I didn’t delete it and revoke admin privileges and do all this stuff, but yeah, WordPress is not designed around security. And I, I think it’s just not talked about enough how bad it is to use default credentials. It’s significantly worse than reusing passwords, even if those passwords have been compromised on the dark web. Using default credentials. Well, first of all, if you have a WordPress site.

top

The domain, followed by the top level domain, which is the daily decrypt, and then dot com,

slash admin.

A script can easily navigate, do a get, for all of these things, to check even if it’s a WordPress site. And then once, if they’ve determined that it is, They can plug in the default credentials and get a count of how many they have now access to.

It’s very just, automatable. And that is the enemy of defense. You don’t want any sort of attack vector to be automatable. You’re gonna get got, you just are. So anyways.

dogespan: gonna getcha.

offsetkeyz: They’re gonna get ya.

dogespan: getcha. Literally,

offsetkeyz: please reach out to us if you’re a novice tech person who owns a WordPress site, especially if there’s e commerce on there. Either of us would be happy to donate one of our evenings to helping you secure that. It would be mutually beneficial, and your consumers would have a lot more confidence in you.

dogespan: And yeah, it’d be great. Yep. Oh yeah. That’s true. We

offsetkeyz: true. We should. We can replace the metaskimmer’s web overlay. With uh, this skimmer has been taken down by the Daily Decrypt, and now all your credit information goes to us. Ha ha ha ha. Just kidding, that won’t happen!

dogespan: won’t happen. Yeah, you

offsetkeyz: Yeah, you just got to be our first subscriber to Patreon, which I do not want to do.

dogespan: to do. It

offsetkeyz: That sounds like a lot of work.

you know what, we’re not gonna do Patreon, we’re gonna do OnlyFans. So, when we get our OnlyFans up, you better subscribe,

as I mentioned at the beginning, we are here in Florida, we both flew in from our respective locations. We’re visiting the Kennedy Space Center for HackspaceCon.

dogespan: Center

offsetkeyz: Day one, amazing. Loved it. But we have insider information that SpaceX is doing a launch in 30 minutes.

and so we gotta go

dogespan: We out.

offsetkeyz: We got to make sure everything’s safe in the in the low earth orbit or LEO

So huge thanks to dogespan for being on as always huge. Thanks to me and uh Hey,

dogespan: this.

We’ll talk to

offsetkeyz: for being a part of it.

dogespan: more

offsetkeyz: We’ll talk to you some more later
