For the second time in 12 months I found a lot of logins and passwords exposed on the internet. And this is not exceptional. If I searched every day, every day I would find it even though I am not an expert on doing it. The lot I found today had 222 lines of data, belonging to 222 customers of Magazine Luiza. But one can find such data of several other e-commerce operations: Ponto Frio, Casas Bahia, Mercado Livre … It’s just a matter of knowing where to search.
The list I found was originally published in Pastebin, a kind of mural where everyone puts absolutely what they want. Since it has sensitive data, it had already been removed from the site, but I could still find it anyway. How? Because it remained exposed by Google in “Google Cache”. At least until this morning.
The list I found had more than login and passwords: each set contained full name, CPF, date of birth, state of residence and personal phone number. With login and password, anyone accessing the Magazine website could see the rest of the data, such as the address, for example.
Like last year, after finding the data I contacted the manager of the company’s security area, informed him and sent him the data, so he could lock the accounts and ask customers to change their password.
Important Information: the data did NOT came from a data leak in Magazine database.
These data are obtained by cybercriminals through phishing, a fraud scheme that works like this:
1) criminals create on the internet a website just like the store one
2) they start a spam campaign with irresistible “offers” (like 70% discount offers) asking customers to log in to see the merchandise;
3) In such login the cybercriminals capture the credentials (user and password) that the client uses in the official store.
And now you wonder why these data were on the Internet? It’s pure advertising. The guy who set up the scheme and got the data has a lot more of it. He amassed everything by himself or has been buying from other cybercriminals and wants to sell it. He has not only this but the complete kit for anyone who wants to make fraudulent purchases over the internet. To shop on an e-commerce site, one first need a store registration. Second, one needs to provide data from a credit card for payment. And the guy has both things to sell.
To make a fraudulent purchase like the one shown in the picture, the buyer can access the store and change the customer address. It puts the address of a person paid just to receive the merchandise, to where the goods will be shipped. If the police appear on the scene, the receiver becomes the culprit. Good, is not it? Secondly, the buyer places a credit card number that the seller has already tested – a card with all the data already checked and works finely to pay the purchase.
These purchases are never of astronomical value, not to require a phone call from the card company. And they really work, as you see in the image that I also took today, from a Facebook group.
It is on Facebook itself: there are a lot of groups (in several of which I participate with a fictitious name, as undercover observer) where other bad things are also sold – such as fake money, fake documents and real drugs. Nothing deep web, like in Russia. Here such things are done clearly.