Saturday, July 20, 2024

The triangle of holiday shopping: Scams, social media and supply chain woes

‘Tis the season to avoid getting played by scammers hijacking Twitter accounts and promoting fake offers for PlayStation 5 consoles and other red-hot products

As the holiday season beckons, so begins the frantic shopping season to find and acquire the much-wanted gift. This year, depending on what you’re looking to buy, could present some very significant challenges. A Sony PlayStation 5, for example, is one of the countless products to have been severely hit by the shortage of chips and a quick Google search to find available stock will present you price tags twice as high as the manufacturer’s suggested retail price. Many electronic items are in short supply due to the world’s increased demand throughout the pandemic for web cams, laptops, tablets, and other devices needed to effectively work or study from home. Semiconductor manufacturing companies saw increased demand at a time when there was decreased output due to working practice restrictions.
The general shortage at the point of manufacture is further made worse by the distribution issues of actually getting any products, regardless of category, onto retailers’ shelves, be it physically or virtually. Due to the pent-up demand for goods as the pandemic restrictions have been eased, the cost of shipping a container from China to the US recently hit an all-time high. Having recently taken a flight from Santa Ana airport to San Francisco I saw for myself the many cargo ships waiting outside the Port of Los Angeles to be docked and unloaded.
The issue is not unique to the US, however. A shortage of workforce in the distribution channel was also witnessed in the UK with long lines forming at gas pumps for fuel, due in part to a media frenzy stating there would be a shortage of gas – the issue being a shortage of truck drivers. The pandemic has caused people to evaluate where they live and what career path they want to follow, and in the supply chain this is causing very specific issues.

Recommended:  CISA list of 95 new known exploited vulnerabilities raises questions

What a great opportunity this creates for cybercriminals. Given the shortage of goods and a holiday season approaching, it’s time to create scam campaigns and advertise we have ‘Turbo Man’ in-stock (for those of you that have not seen the 1996 classic Schwarzenegger movie ‘Jingle All The Way’ – it’s worth a watch!).
Where better to promote a scam than social media? It’s a place where consumers are sharing experiences of not being able to find goods and linking to groups and accounts that keep them apprised of which stores and sites may have stock. So, with a retrospective view, it should not have surprised me, but it did, when I received a frantic message from Jessica, a contact at a PR company contracted to ESET in the US.
As a parent of a teenager looking to acquire, yes, you guessed it, that hard-to-find Sony PlayStation 5, Jessica was delighted to find a trusted source claiming to have a spare one they wanted to sell. The offer to buy it at cost came from a renowned journalist’s verified account followed by 250,000+ Tweeters, stating having a spare console that is not needed for personal use. Vendors often provide journalists product to test and on occasion do not ask for the goods to be returned, so the backstory of this person having a spare console is quite feasible.

This was a ‘Turbo Man’ moment for Jessica, finding a source for one of the most sought-after gifts that teenagers and gamers want to find under the tree this holiday season. Responding to the offer 35 minutes after it was posted and getting a positive response that it was still available should have sounded the alarm bells. With adrenalin pumping, Jessica attempted to move the conversation to a call to get the deal done. This was met with a negative response to keep the conversation on Twitter, which should have been red flag number two. The conversation moved to price and identification of which particular package was being offered, an amount of $499 plus $50 for shipping was agreed; a deal too-good-to-be-true given that re-sale devices are currently priced at $800+.
When questioned about shipping, minds were set at ease when the scammer responded that they have a fixed-fee deal with UPS to ship anywhere in the US for $50. In hindsight this is probably red flag number three – why would a journalist have a shipping deal with UPS? Desperate to secure the deal, they agreed on Zelle, an instant payment system using cell phones. The name provided did not match that of the journalist, but the scammer had already squared this question away up front by saying his assistant was dealing with the transaction. The scammer was thinking ahead and had all the answers to make this all sound legitimate. In the moment, it’s easy to get carried along by the desire to do a deal rather than face the reality of it being a scam. To make sure the details of the transfer were correct, Jessica transferred $10 and they confirmed receipt.
At this point Jessica shared the deal of the day with a colleague who quickly responded with the term no one wants to hear – ‘that’s probably a scam!’. They checked recent articles posted by the journalist and it was apparent he was in Europe, so unlikely to be selling a device in the US while travelling. The colleague suggested emailing the journalist on his work email address to find out if his account had been compromised. It transpired that the scammer had taken over the Twitter account, changed the password and the email associated with the account, so the journalist was having a hard time regaining access to his own account. Jessica responsibly reported the scam to Twitter, who removed the post, and to Zelle, who opened an investigation.
As the current supply chain is making many products hard to find and the holiday countdown is on, scammers will use any means necessary to make a pretty penny. This example, shared by Jessica, demonstrates that the backstory and the answers provided during the scam can all seem very feasible and real, making it very difficult to identify the scam when you are in the middle of the excitement. I should take a moment to thank Jessica for both sharing the story with me and allowing her experience to be published, hopefully, protecting others from being scammed.
To further help highlight the perils of purchasing red-hot products on social media, here’s my own conversation with another verified (though apparently also hacked) Twitter account that now claims to sell PlayStation 5 consoles:
The moral of sharing this story is that it’s important to remember: ‘when something sounds too good to be true then it probably is’ – regardless of the source as it could have been compromised’. For many years, cybersecurity professionals such as myself offer advice on cyber-safe shopping and I hope the message is at least in some form in the depths of everyone’s mind when they transact over this holiday season, and with this story I hope to add a small additional reminder to everyone that social media can be the playground of scammers.

Recommended:  Ukraine: Wiper malware masquerading as ransomware hits government organizations

Oh, and one last comment, please make sure all your online accounts, where possible, are secured with two-factor authentication. This limits the possibility of account takeovers and your accounts being the ones used to advertise a scam.

Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

User Avatar
Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates