Krebs on Security

Cybercrime takes many forms, but one of the more insidious and perhaps less obvious manifestations is warranty fraud. This scheme involves con artists who assume the identity of a consumer, complain that a given product has ceased to operate as expected, and demand that the retailer replace the article in question. Such claims turn into a loss for targeted merchants when the scammer hacks an unwitting customer’s account and replaces the customer’s email address with his own address and demands that the retailer ship him a brand new device.

Leakforums is a big source of account takeover and warranty fraud for a variety of products.

Fitness tracking giant Fitbit recently found itself the target of such fraud in the last few months of 2015, when the company noticed large caches of data from customer accounts being posted to Pastebin. To the untrained eye, such data might seem at first glance to indicate that Fitbit had experienced a breach that exposed their user account data. Included in the data dumps posted to Pastebin were details about the make and model number of each user’s fitness tracker, as well as information about the last time the user had synced the device.

But a more nuanced look at the information posted to Pastebin and other public data dump sites indicates that Fitbit is just the latest victim of customer account takeovers powered by breaches at other e-commerce providers.

Hacked Fitbit user accounts sell for about $2 apiece.

I reached out to Fitbit about this and the company’s security chief Marc Bown said the data appears to coming from a couple of sources: Customer computers that have been compromised by password-stealing malware, and customers who re-use the same credentials across a broad swath of sites online.

“They’re mainly interested in the premium devices,” Bown said, referring to the most expensive devices that Fitbit sells — such as the Surge, which retails for about $250. “Those are the ones that we’re seeing are most targeted for warranty fraud.” Continue reading →