3
Ganofins
44d

Today at work an interesting project came in, so we need to do vapt on a Shopify store and they want us to figure out how their customers are getting fraud calls
Basically whenever their customer places an order, after that the customer gets fraud calls on their mobile phone saying they know all the details of their orders, address, etc things

Where do you think the customer details are being leaked at??

Comments
  • 3
    It’s an inside job
  • 1
    @Lensflare hm, possible. But the customer has verified and says no
  • 3
    @Lensflare could be a 3rd party app issue. They use several analytics and marketing apps
  • 3
    Possible sources of data leaks into 3rd party:

    - email providers used to send order confirmation emails
    - CRM tools
    - Less likely but payment providers and access to such
    - Compromised account credentials
    - Leaking customer and order data into Analytics tools
    - Malware on employee machines

    I would start from compromised credentials first and look at unusual account activity to rule out the worst case scenario
  • 1
    Inside job indeed, 3rd party - consider to host an own open source solution for things like analytics and stuff, own email send system... And if it then still leaks - it has to be someone from inside. But it's not that someone can see an invoice by putting the number in some url somewhere? Check what urls are frequently called. Suspicious user accounts on server? Check ps aux for stuff you don't know
  • 2
    Scammers are such pieces of shits. Strategic nukes are a possible solution. I don't know enough to help. I hope you fucking nail the bastards.
  • 1
    @retoor they have a large customer base so I don't think it would be possible for them to switch to own hosting thing. Beside most of their team is sale, customer success related. Only 1-2 people take care of engineering stuff

    It will be tricky thing for them. Right now we will be suggesting them to harden their user login, removing unused/suspicious 3rd party apps, things like that
    Let's see
  • 1
    @jestdotty yeah nice way
  • 1
    @PappyHans yeah we also focused on compromised users thing and suggested them to harden their users login passwords, implementing 2FA, etc things
Add Comment