‘Weaver Fundraising’ (and Trail’s End) is distributing notices of a security incident involving the recipients’ personal information. Apparently, someone gained access to the organization’s systems by using the credentials of an already compromised email account, acquired on the dark web. With control of that mailbox, the hacker used the “forgot password” step to obtain a new password from the target’s systems, and eventually took over the account on the Trail’s End platform. The same process was repeated against an undisclosed number of accounts, all of which received notices. The malicious operation started on May 3, 2020, and the platform admins discovered it on May 7, 2020, when they eventually blocked it.
Weaver is now sending two kinds of notices: one for those who have had Amazon.com gift cards redeemed through their compromised account, and one for those who haven’t. Typically, the threat actors changed the usernames, email addresses, and passwords of the compromised accounts to ensure that their rightful owners were locked out. Moreover, changing the email address to one the victim doesn’t know secures the gift card for the attacker, as it is delivered to a destination the victim cannot see. Weaver’s investigation hasn’t revealed any other data access on the compromised accounts, though.
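The sequence described above (a completed password reset, followed within minutes by changes to the account’s email address, username and password, and then a gift-card redemption) is a pattern a platform can look for in its own audit trail. The following script is an added illustration, not code from Weaver or Trail’s End; the audit-log format, the event names and the sample entries are all constructed for this example, and the one-hour window is an assumed tuning value.

```python
"""Flag the account-takeover pattern described in the Weaver/Trail's End notice:
a completed password reset followed shortly by identity changes or a redemption.
Added illustration; the log format, event names and entries below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (hypothetical format): timestamp, account, event, source IP.
# acct-1001 shows the full takeover chain; acct-2002 shows a reset with a redemption
# a day later (outside the window); acct-3003 is ordinary use with no reset.
SAMPLE_LOG = """\
2020-05-03T08:12:01 acct-1001 password_reset_requested 198.51.100.7
2020-05-03T08:14:33 acct-1001 password_reset_completed 198.51.100.7
2020-05-03T08:15:02 acct-1001 email_changed 198.51.100.7
2020-05-03T08:15:40 acct-1001 username_changed 198.51.100.7
2020-05-03T08:16:10 acct-1001 password_changed 198.51.100.7
2020-05-03T08:20:55 acct-1001 gift_card_redeemed 198.51.100.7
2020-05-03T09:00:00 acct-2002 password_reset_requested 203.0.113.5
2020-05-03T09:03:12 acct-2002 password_reset_completed 203.0.113.5
2020-05-04T17:45:00 acct-2002 gift_card_redeemed 203.0.113.5
2020-05-03T10:00:00 acct-3003 login_success 192.0.2.10
2020-05-03T10:05:00 acct-3003 gift_card_redeemed 192.0.2.10
"""

# Events that, following a password reset, indicate the rightful owner is being locked out
LOCKOUT_EVENTS = {"email_changed", "username_changed", "password_changed"}
WINDOW = timedelta(hours=1)  # assumed tuning value


def parse_log(text):
    """Group log lines by account as (timestamp, event, ip) tuples, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, event, ip = line.split()
        events[acct].append((datetime.fromisoformat(ts), event, ip))
    for acct in events:
        events[acct].sort()
    return events


def score_account(entries):
    """Return (score, reasons) for one account's sorted entries.

    Each completed reset is checked for lockout changes or a gift-card
    redemption within WINDOW; each finding adds one reason."""
    reasons = []
    resets = [t for t, e, _ in entries if e == "password_reset_completed"]
    for reset_time in resets:
        followed = {e for t, e, _ in entries if reset_time < t <= reset_time + WINDOW}
        lockouts = LOCKOUT_EVENTS & followed
        if lockouts:
            reasons.append(f"reset followed by {sorted(lockouts)}")
        if "gift_card_redeemed" in followed:
            reasons.append("reset followed by gift card redemption")
    return len(reasons), reasons


def find_takeovers(text, threshold=1):
    """Return {account: reasons} for accounts whose score meets the threshold."""
    flagged = {}
    for acct, entries in parse_log(text).items():
        score, reasons = score_account(entries)
        if score >= threshold:
            flagged[acct] = reasons
    return flagged


if __name__ == "__main__":
    for acct, reasons in find_takeovers(SAMPLE_LOG).items():
        print(acct, "->", "; ".join(reasons))
```

Only acct-1001 is flagged: its reset is followed within the window by all three lockout changes and a redemption. acct-2002 is not, because its redemption comes a day after the reset; in practice the window and the threshold would be tuned against the platform’s normal reset-to-change timing, and a flagged account would be a candidate for a hold on redemptions and an out-of-band check with the original email address.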
All accounts on the platform have now been reset as a precaution. Users are now expected to visit the website and set up credentials different from those they have been using thus far. The platform has assigned a random password to each account for now, and it is also urging users to contact it at “[email protected]” to request a change of username as well. The information the attacker already holds is somewhat sensitive, so recipients of the message are advised to stay vigilant against unsolicited email communications and further phishing attempts.
Trail’s End is a brand of microwave popcorn sold by Boy Scouts of America and Scouts Canada for fundraising purposes. The scouts keep 73% of the sales, which they can then redeem in Amazon gift cards, as the attackers did. It is therefore unfortunate that Weaver hasn’t taken the step of covering the scouts’ financial losses, although the credential-stuffing attacks were admittedly not the organization’s fault. Maybe this will serve as a lesson to the youngsters on the risks of reusing the same credentials across multiple online platforms.