Up to 10 million customers of retail giant JD Sports Fashion may have had their details compromised. This includes customers of JD Sports, Size?, Millets, Blacks, Scotts and MilletsSport, and relates to orders placed between November 2018 and October 2020.

JD Sports – Oxford Street, London

A JD Sports spokesperson said that the attackers may have had access to customer PII (Personally Identifiable Information) including:

  • Full name
  • Billing and delivery addresses
  • Email address
  • Telephone numbers
  • Order details
  • Final four digits of the payment card used

The spokesperson also said that JD Sports has no reason to believe that customer passwords were compromised, as they are held on a different system from the one that was breached.

The JD Sports group is currently contacting all affected customers to advise them to be vigilant for fraud, and for phishing and smishing attacks in particular, especially ones purporting to come from JD Sports or any of the group's brands.

What is phishing?

Phishing is a type of cyber attack in which the attackers try to trick people into handing over sensitive information (such as passwords or financial details) by posing as a trustworthy entity, typically via email.

sample phishing email

The message almost always contains a “call to action”: it urges the recipient to log in to an account by clicking a button or a link.

The link leads to a convincing copy of the genuine login page. Anything typed into it, username and password included, goes straight to the attackers, who can then use the credentials at their leisure.

These emails often carry the threat that the account will be deactivated or suspended unless the recipient acts within a short time-frame (72 hours is common). The deadline is there to stop people pausing to check.

What can you do?

If you receive an email you think is suspect, do not click any links in it. You can find out where a link really leads without visiting it: copy the link address (right-click the link and choose “Copy link address”, or your email client's equivalent) and paste it into the free service at urlscan.io.

urlscan.io loads the URL in an isolated, automated browser and records what the page does: the redirects it follows, the domains and IP addresses it contacts and the countries they are hosted in, and whether the site has already been flagged as phishing or otherwise malicious (malware, etc.). You also get a screenshot of the page, so you can see what you would have been shown without exposing your own machine. Two caveats: public scans are visible to anyone, so if the link contains something personal such as your email address or an account identifier, choose the unlisted or private visibility option; and some phishing sites serve harmless content to scanners, so a clean result is not proof that a link is safe.
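The checks above can also be done locally, before anything is pasted into a scanner. The following Python script is an added example written for this page; it is not code from JD Sports or from urlscan.io. It parses a constructed phishing email (modelled on the pattern described above, not a real message), lists every link with the host it actually points to, flags links whose visible text shows one address while the href goes somewhere else, flags hosts that contain the brand name without being one of the brand's real domains, and counts the urgency cues (“72 hours”, “deactivated”, “verify”) the text warns about. The trusted-domain list (jdsports.co.uk, jdsports.com) is an assumption for the example; the same host check applies to a link copied out of a text message.

```python
"""Added example: inspect the links in a suspicious HTML email before clicking.

The sample message below is constructed for this example and is not a real
JD Sports email. The trusted-domain list is an assumption for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains the genuine sender would link to.
TRUSTED_DOMAINS = {"jdsports.co.uk", "jdsports.com"}
BRAND_TOKEN = "jdsports"

# Phrases that create the short-deadline pressure described in the text.
URGENCY_PATTERNS = [
    r"\b\d+\s*hours?\b",
    r"\bdeactivat",
    r"\bsuspend",
    r"\bimmediately\b",
    r"\bverify\b",
]

# Constructed sample: the visible link text shows the real site, the href does not.
SAMPLE_EMAIL = """<html><body>
<p>Dear customer, unusual activity was detected on your JD Sports account.</p>
<p>Your account will be deactivated in 72 hours unless you verify your details.</p>
<p><a href="http://jdsports-account-verify.com/login">https://www.jdsports.co.uk/account</a></p>
<p><a href="https://www.jdsports.co.uk/help">Help centre</a></p>
</body></html>"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: last two labels, or three for .co.uk-style suffixes."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "org", "ac", "gov"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def assess_link(href, text):
    """Return the real destination host and a list of reasons to distrust the link."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    domain = registered_domain(host) if host else ""
    findings = []
    if parsed.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {parsed.scheme!r}")
    if domain and domain not in TRUSTED_DOMAINS:
        findings.append(f"destination {domain} is not a trusted sender domain")
    if BRAND_TOKEN in host and domain not in TRUSTED_DOMAINS:
        findings.append("lookalike: brand name inside an untrusted host")
    # Visible text that looks like a URL must agree with where the href really goes.
    shown = re.search(r"https?://([^/\s]+)", text)
    if shown and registered_domain(shown.group(1)) != domain:
        findings.append(f"displayed {shown.group(1)} but goes to {host}")
    return {"href": href, "text": text, "host": host, "findings": findings}


def urgency_cues(html):
    """Which deadline/threat phrases appear in the visible text of the message."""
    plain = re.sub(r"<[^>]+>", " ", html)
    return [p for p in URGENCY_PATTERNS if re.search(p, plain, re.IGNORECASE)]


def analyse_email(html):
    extractor = LinkExtractor()
    extractor.feed(html)
    return {
        "links": [assess_link(h, t) for h, t in extractor.links],
        "urgency": urgency_cues(html),
    }


if __name__ == "__main__":
    report = analyse_email(SAMPLE_EMAIL)
    for link in report["links"]:
        status = "SUSPICIOUS" if link["findings"] else "ok"
        print(f"{status}: {link['text']!r} -> {link['host']}")
        for finding in link["findings"]:
            print(f"    - {finding}")
    print("urgency cues matched:", len(report["urgency"]))
```

Run it as a script to see the report for the sample message. The domain logic is deliberately simple (it does not use the public suffix list), and a link with no findings is still not proof of safety, so anything that looks doubtful should still go through urlscan.io as described above.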

urlscan.io showing a website

What is smishing?

Smishing (SMS phishing) is a type of phishing attack that uses text messages instead of emails to steal sensitive information from victims.

The attackers send a text message posing as a trustworthy entity (such as a bank or a government agency) and ask the recipient to click a link or call a phone number. Either route ends with the victim being asked for personal information, login credentials or financial details.

The goal is the same as that of phishing: to trick people into giving up sensitive information that can then be used for fraud.

What can you do?

As with phishing, the advice is never to click a suspicious link or call any number listed in a suspect text message. If you want to check whether a message is genuine, contact the organisation through a number or website you already know to be correct, not one taken from the message.

If you receive an SMS message you believe to be fraudulent, forward it to 7726, the UK's free national short code for reporting suspected spam and fraudulent texts to your mobile network.

Reporting SMS fraud to 7726