Piracy. Disinformation. Surveillance. CYBER is Motherboard’s podcast and reports on the dark underbelly of the internet.
Hackers break into the accounts of unsuspecting victims’ Cash App, a wildly popular payment app, and steal hundreds of dollars, according to victims Motherboard spoke to. In one person’s case, they said, Cash App did not reimburse them for stolen funds.
“It’s frightening!” Liz Shelby, who said their son was a victim of the hack, told Motherboard during an online chat. “My son saved some money for a little vacation with his grandma. We put it in his Cash app before he left. He called me on August 9th and told me his money was gone. .
Shelby said after looking at the account, she discovered that someone else had logged into it and sent the money to themselves. Shelby said she emailed Cash App support, to no avail.
“I’m not getting anywhere and I’m sure my son will never get his money back,” she added.
Do you know anything else about Cash App, Venmo or similar fraud? We would love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox or email [email protected] .
Cash App is one of the most popular payment service apps, with over 50 million downloads from the Google Play Store. Cash App has also gained some infamy for large-scale cash giveaways on social media. The app is owned by payment services company Block, formerly known as Square. Jack Dorsey runs the company.
Marvis Herring, another target, told Motherboard the hackers tried to steal $1,400, in two installments of $700. In these cases, Herring believes his bank blocked the fraudulent transactions.
Motherboard has seen many other people report on social media that their Cash App accounts have been compromised in some way.
Sign up for Motherboard’s daily newsletter for a regular dose of our original reporting, as well as behind-the-scenes content from our biggest stories.
“The main thing that I found weird was that I went to change my account password and there really is no password for Cash App accounts,” Herring added. . When users sign up for Cash App, they can use an email address or phone number to open an account. After that, they receive a login code sent to one or the other.
On fraud websites, dark web marketplaces, and social media, several people appear to be selling login credentials associated with Cash App accounts. Some of these people’s listings specify that the logs contain the email address and password of a linked email account. Some of the listings may be scams, but those on dark web marketplaces are from scammers who have received positive feedback from suspected customers, according to the review system that is common on these sites. A list of hacked Cash App accounts indicates that the seller has sold that specific item multiple times.
“Our Cashapp accounts are of the highest quality and we provide them at the most competitive prices on the market today,” a listing reads. “Complete information presented recently compromised.” The listing states that the buyers get the hacked login credentials, the victim’s cookie file, and information such as the IP address used by the victim. This type of information can be useful for fraudsters to trick sites or applications into logging in as a user.
The listing claimed that hacked Cash App accounts could include between $1,000 and $5,000 in available balance. It is common for members of the fraud ecosystem to fulfill different roles. Some focus on finding hacked accounts and then selling them, while others focus on cashing them in effectively.
On its website, Cash App encourages users to ensure that two-factor authentication is enabled on their linked email address. The app also has an additional feature called Security Lock which means that each transfer requires the user to enter a PIN.
“Fraud prevention is of critical importance to Cash App. We continue to invest and strengthen anti-fraud resources by increasing staff and adopting new technologies. We are constantly improving systems and controls to help prevent, detect and report bad activity on the platform,” a spokesperson for Cash App told Motherboard in a statement. “For those who believe they have been victims of identity theft scams or account takeover, we encourage them to contact Cash App Support where we will review the account in question. If found to be fraudulent, we will take appropriate action beginning with account closure and deactivation of all applicable products. »
Fraudsters also seem to offer Cash App accounts for another purpose: to launder money. Motherboard found several listings on a dark web marketplace offering these newly created and verified accounts. Cash App requires users to verify their identity to use certain features, which may require them to provide their social security number with the platform. These pre-verified accounts will allow fraudsters to purchase Bitcoin through the Cash app without having to verify their identity, the listing suggests.