Attackers Targeted Robinhood with a Phishing Campaign

 

Attackers have targeted clients of stock-trading broker Robinhood with a phishing campaign designed to steal their credentials and spread malware using counterfeit tax documents, the company has warned.

Robinhood Markets, Inc. is an American financial services company headquartered in Menlo Park, California, known for offering commission-free trades of stocks and exchange-traded funds through a mobile application launched in March 2015. Robinhood is a FINRA-regulated broker-dealer, registered with the U.S. Securities and Exchange Commission, and is a member of the Securities Investor Protection Corporation. The company's revenue comes from three main sources: interest earned on customers' cash balances, selling order information to high-frequency traders (a practice for which the SEC opened an investigation into the company in September 2020), and margin lending. As of 2020, Robinhood had 13 million clients.

Robinhood, which has faced various regulatory and legal difficulties along the way, sent an email to clients Thursday warning of a phishing scam “that may have reached some of our customers.”

Attackers targeted clients in two ways, according to the email. One attack vector used phishing emails with links to counterfeit Robinhood sites that prompted visitors to enter their login credentials, including the authentication codes the company uses to help secure individuals' accounts. Other emails saw attackers exploiting the tax season, asking potential victims to download counterfeit tax files, such as Form 1099, that included malware, according to the email.

“There tends to be an increase in these types of emails around tax season, so we ask that you be extra careful about how you access your Robinhood account,” the email said. Robinhood recommended that customers review the security settings of the application on their devices, manually remove any devices they don't recognize from account access, and reset their passwords if they believe they might be at risk. The company also urged clients to contact its support team directly from the Robinhood application or its site.

One of the main grievances among Robinhood clients was that they couldn't reach the company for support, causing regulators like the Securities and Exchange Commission (SEC) to become de facto customer support for the platform’s clients.

Taxpayers Personal Data Exposed Online in the UK

 

Various local councils in the UK have sent SMS messages to a huge number of residents urging them to pay outstanding sums. The messages contained links to online databases that hosted lists of other residents, whose information should not have been available to anyone else. Unfortunately, there was no security or any form of verification to prevent the leak, so a large number of UK taxpayers have had their full names, home addresses, and outstanding debts exposed.

The blunder was the work of Telsolutions Ltd., a company that provides contact and communication services to the local councils and was contracted to urge tax defaulters to pay up. This is a common approach followed by private and public entities around the world. Beyond the psychological repercussions for the recipients of these messages, there is also the danger of data exposure.

Besides SMS, the council tax services also use emails and even recorded voice messages. All of this creates room for scammers to move in as well, since taxpayers having to deal with official communications from their state through third parties is the ideal setting for fraud. News of this exposure reached The Register, which checked and confirmed that the information was indeed accessible via the short links that had been sent. All of the shared URLs have now been taken offline, as both Telsolutions and some of the authorities were informed about the mistake. However, as the UK news site confirms, web crawlers have already captured some of these public entries, enabling people to search for others and see their addresses, tax debts, etc.

After investigating the enumerable URLs, it was found that London's Bexley Council, a client of the Telsolutions service, had implemented no authentication at all. Anybody could freely see the full details of an alleged tax defaulter in the borough without proving their identity. To see the data of another taxpayer, a recipient simply had to follow the URL from the SMS, modify the alphanumeric characters, and click a button labeled "proceed".

Altogether, apparently, 14 councils have followed the same flawed method after trusting this particular service provider. These include Barnet, Bexley, Brighton, Cardiff, Coventry City, Greenwich, Lambeth, Redbridge, Southampton City, and Walsall.
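
The flaw described above is a link whose identifier can be edited to reach someone else's record, with no identity check before the details are shown. The following is an added example, not code from Telsolutions or the councils, of a link handler that rejects edited identifiers and asks for proof of identity before disclosing anything; the record store, the `issue_token` and `lookup` names, and the use of a postcode as the identity check are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server

# Constructed sample records; names, postcodes and balances are made up.
RECORDS = {
    "rec-001": {"name": "A. Example", "postcode": "ZZ1 1ZZ", "balance": "120.00"},
    "rec-002": {"name": "B. Sample", "postcode": "ZZ2 2ZZ", "balance": "75.50"},
}

def _mac(record_id: str, nonce: str) -> str:
    msg = f"{record_id}.{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(record_id: str) -> str:
    """Build the value placed in the SMS link for one record."""
    nonce = secrets.token_urlsafe(16)  # 128 bits, never contains "."
    return f"{record_id}.{nonce}.{_mac(record_id, nonce)}"

def _norm(postcode: str) -> bytes:
    return "".join(postcode.split()).upper().encode()

def lookup(token: str, postcode: str):
    """Return the balance only for a valid token plus matching postcode."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    record_id, nonce, mac = parts
    if not hmac.compare_digest(mac.encode(), _mac(record_id, nonce).encode()):
        return None  # edited or guessed token
    record = RECORDS.get(record_id)
    if record is None:
        return None
    if not hmac.compare_digest(_norm(postcode), _norm(record["postcode"])):
        return None  # caller did not prove a link to this record
    return {"balance": record["balance"]}  # minimal disclosure, no name/address
```

A production service would also expire tokens and rate-limit failed lookups, since a postcode alone is a weak secret.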