Catch Of The Week: Cyber Scam Roundup

Los Alamos

Social Media Coupon Scams – Costco and Kohl’s Spoofed

People love to share things on social media, including scams. Has one of your friends posted about a coupon deal that just seemed too good to be true? Spoiler – it is too good to be true. A common variation on this scam is a post offering some amount of in-store credit if you answer a quick survey. Frequently these scams claim to be celebrating the retailer’s “anniversary” with a gift card giveaway. These may look very real, but remember, it is incredibly easy to steal the themes, fonts, logos, etc. needed to make a fake ad look real.

Recent victims of this scam include Kohl’s and Costco. Users were asked to sign up for the “free” gift card by handing over their personal information, and possibly even payment or password info. Sometimes the scams try to trick a user into paying “shipping and handling” or signing up for “discounted” items to receive the gift cards. There are many variations on this scam. All are, regrettably, fake. Don’t share them, don’t click them, and just keep scrolling.

Online Shopping Hazards – Macy’s Security Breach

Recently Macy’s revealed they were the victim of a security breach for a week in October. The breach exposed the personal information of customers, including their payment information. The breach occurred on their retail website, “” and was caused by a Magecart attack. Magecart is the collective name for a number of criminal hacker groups that target online shopping cart systems, usually Magento-based, to steal customer payment information. The hackers inserted malicious code into the shopping cart pages of the store’s website, which then collected the personal information of customers using the site.

The malicious code was present on the site from October 7th until October 15th. If you shopped there between those dates, your personal and payment information was probably stolen. The information collected by the bad actors included first name, last name, address, city, state, zip, phone number, email address, payment card number, security code, and month/year of expiration.

According to Macy’s, only a “small number of our customers” were impacted by the breach. They have hired a forensics firm to investigate, law enforcement is involved, and all major payment card companies have been informed of the breach. If Macy’s thinks you may have been affected, they should have sent you an email informing you of the breach.

With the holidays coming up, remember that online shopping, while convenient, can be risky. You are relying on the online store to protect your information, and frequently it is way too easy for hackers to compromise a site.

There are ways to make online shopping more secure: consider alternatives to credit cards. Apple recently launched a payment card with no numbers to type in or reuse. Several major credit card issuers offer one-time-use virtual card numbers that can be used for payment instead of entering your actual credit card number. There are also safer alternatives to credit cards like Apple Pay, Amazon Payments, Google Pay, PayPal, and Venmo. All of these options can protect you from attacks like Magecart, though nothing is bulletproof online. Be cautious; check your credit card statements regularly for any irregular charges. And never use a debit card to pay online; debit cards don’t offer the same fraud protection as a credit card.

Password Hygiene – Disney+ Accounts for Sale on Dark Web

Reports from users of the new Disney+ streaming service that their accounts have been “hacked” have been in the news recently. Within hours of the service going live, account credentials (username and password) were already up for sale on the Dark Web. Does this mean the accounts were “hacked”? Not exactly…

According to Disney, there is “no indication of a security breach on Disney+”. Customer credentials were likely stolen through other security breaches. Many people use the same email login and passwords for multiple accounts, including streaming services. Many people continue to use the same email address and password to sign up for new accounts, even after their information has been part of a prior data breach involving a different account.

If your login credentials are breached, consider them compromised forever. Hackers will post the information on sites like Pastebin and on the Dark Web. It is easy to get these breached credentials, and even easier to automate checking that email address and password against multiple other sites. So if your information is breached once and you reuse it, it’s like hiding the spare key to your house under a see-through doormat. Hackers will walk right in and help themselves to whatever they want.

You can sign up on sites like to keep track of whether or not your email address has been exposed in a breach. Google Chrome has a “Password Checkup” feature that will check your saved passwords for security problems, and some password vaults will also tell you if you are reusing passwords across multiple sites and urge you to change them. Pay attention, and if a password is breached, stop using it and change it at any other sites where you have used it.

Always use different, complex passwords across sites; never reuse a password. Passwords should be at least 12 characters and complex, meaning they use a combination of upper and lowercase letters, numbers and special characters. Or use a long passphrase that you can remember. Use a password vault to help manage all your passwords; it’s impossible to remember them all. There are many options, including Dashlane, 1Password, and LastPass. Most are fairly affordable, and certainly cheaper than having your information stolen.

Another issue with Disney+ is that they don’t currently offer two-factor authentication (2FA). This additional step would have helped to guard accounts against being breached. Hopefully they will offer 2FA in the future. Any time you can use a service that offers two-factor authentication, do so. You can use an app like Google Authenticator, a physical token like a YubiKey, or even your cellphone number or email address for 2FA. An authenticator app is best, but any form of 2FA helps protect your accounts.

If your account on Disney+ was breached, change your password. If you are locked out, contact Disney+ customer service and ask for help.

Editor’s note: Becky Rutherford works in information technology at Los Alamos National Laboratory.