A phishing campaign targets couriers of Postmates, a delivery service with a strong presence in the United States. The hackers pose as employees of the Uber branch in order to obtain worker credentials. They accuse the application of failing to ensure their security against its attacks.
Postmates, a subsidiary of Uber, is one of the largest delivery services in the United States. The app employs more than 500,000 couriers across the country. Obviously, such a platform makes the eyes of malicious hackers, who see it as a golden opportunity to make money. A phishing campaign has been in place for some time, targeting exclusively couriers who think at the time of a delivery like any other.
One of them, Benjamin Safer, recounts having received a simple order for a McDonald’s cookie, which ultimately cost him all of their income for the week, i.e. $ 346. To do this, hackers take advantage of the very system of the application, namely the absence of interaction between colleagues and the possibility of transfer the earned money instantly and at any time on his personal account. The method is always the same: make a false command to contact the courier by pretending to be a Postmates employee.
Hackers convince couriers to provide their credentials
After the cookie was retrieved from McDonald’s, an unknown number called Benjamin Safer. The voice over the phone, who claimed to be a Postmates employee, informed the courier that his account has been blocked due to fraudulent activity. To avoid deactivation, he then had to verify his information, by entering his identifiers on a fake page. “I was panicked”, says the victim. “The conversation sounded strange, but it made more or less sense.”
The hackers, having gained access to the victim’s account, then only had enter their bank details instead of those of Benjamin Safer to then proceed with the money transfer. For Steve Ragan, cybersecurity researcher, this practice is not surprising. “Delivery men are lucrative targets for criminals”, he explains. “They are stressed, they are overworked and many of them cannot afford to lose their jobs. Hackers take advantage of the fear element. “
Also read – Uber is forced to consider its drivers as employees
Steve Ragan considers such attacks to be half phishing, half social engineering, since the pirates manage to convince the couriers to act according to their wishes by pretending to be their “Boss or someone important who [leur] said what to do ”. He specifies that these scams have increased since the start of the pandemic. “We’ve all been confined this year, so have the criminals. They have changed their strategy in order to take advantage of COVID-19. There is a link between the pandemic and the fact that couriers are targeted ”.
Couriers accuse Postmates of doing nothing
Shaleece Green, another courier working for Postmates, complains lack of action on the part of the application. “Sucks you have to go blindly like this, there’s no one to help you. Postmates must react, proposing preventive measures or alerting people ”. She’s not the only one of this opinion. Other delivery people regret not having been warned of the existence of these kinds of scams in their early days. Meghan Casserly, communications officer for the Uber subsidiary, talks about “Periodic reminders” sent to the courier, as well as setting up a help page for them. These indicate never have seen this page.
Cyber security experts believe it is Postmates’s responsibility to provide delivery people with the means to defend themselves. “There are always new couriers who have no idea what to watch out for” according to Elizabeth Watkins, a researcher at Princeton University. “The platform is indebted to workers and must provide them with tools enabling them to protect themselves.”
Read also – Coronavirus: Uber now suspends the accounts of people exposed to COVID-19
And Meghan Casserly to defend herself: “While these kinds of incidents are not uncommon at Uber and Postmates, we take all fraudulent activity alerts very seriously. ” The couriers claim better protections, such as additional time for transfer in the event of changes to banking information, or the creation of an identifier for incoming calls. Postmates recalls having added a two-factor authentication system. The latter was only put in place a few weeks ago.
Source: The Markup