Depop Industrial Level Hacking

Josh Hickling

Managing Consultant

Josh is one of Pentest People's managing consultants. Coming from a university background, he is heavily interested in the ethical hacking world.


What is Depop?

For those who may not be familiar with the popular e-commerce platform, Depop is effectively a marketplace for users to sell their unwanted fashion and ‘hype-beast’ related gear. Mainly aimed at the younger generations, nowadays it is seemingly used for vintage clothes shopping or for finding the item you were unable to obtain on release. Founded in 2011, the application has soared in popularity, reaching the dizzying heights of around 18 million users.

With this kind of platform, as with anything that deals with people's tangible assets or finances, an innate level of risk to users arises. For this reason, Depop is a treasure trove for threat actors to target, preying on the less technically able to fulfil their phishing scams.

As with any cyber-based attack, a key part of understanding the risk is understanding the root cause that enables the risk to come to fruition. Whilst undertaking research and working within this field, I see accounts being compromised regularly. Depop is no different from the rest; it is not immune to the common threat vectors attackers would usually take. The following are what I consider to be the two most likely attacks users could suffer, which may result in compromise.

Credential Stuffing

Credential stuffing is a relatively low-complexity attack vector; however, it can result in some serious consequences. Once an attacker has established that they are going to target your account, one of the first things typically researched is previously compromised passwords. Websites such as haveibeenpwned.com and dehashed.com contain details of users' passwords which have been leaked.

These passwords come from a variety of dumps; however, they usually have one thing in common. They are weak, easily crackable or guessable and, more often than not, reused across many sites. This is where the issue stems from: should a compromised password also be reused, you are vulnerable to credential stuffing on every site where you reuse it.

To avoid this issue, it is advised that passwords are never reused under any circumstances. This can be achieved through the use of a password manager. These apps are easy to download, set up and use across all platforms, including Windows, Mac, iOS and Android. Set a strong, memorable passphrase for the manager and let it do the heavy lifting. Setting passwords of upwards of 20 characters that differ on a per-site basis is a surefire way to solidify your privacy. Should one password become compromised, this ensures that it cannot be used for other accounts, as an attacker is likely to try exactly that.
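The two checks a password manager (or a user) would run against the credential stuffing risk described above, as an added example that is not part of the original article or any Depop or Pentest People code: a k-anonymity breach lookup in the style of the Pwned Passwords "range" API (only the first five hex characters of the SHA-1 hash are ever sent), and a reuse scan over a vault. The breach corpus and the vault are constructed sample data, and the server side is simulated locally so the script runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (assumed data, not a real dump):
# password -> number of times seen, as a Pwned Passwords style service reports.
LEAKED_CORPUS = {"password": 3861493, "123456": 23597311,
                 "letmein": 238925, "Summer2020!": 1432}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(corpus: dict) -> dict:
    """Server side: index leaked hashes by their first five hex characters."""
    index = defaultdict(list)
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index[digest[:5]].append((digest[5:], count))
    return index

def range_lookup(index: dict, prefix: str) -> str:
    """Server side: it only ever sees the 5-char prefix and answers with
    every 'SUFFIX:COUNT' line in that range (k-anonymity)."""
    return "\n".join(f"{s}:{c}" for s, c in index.get(prefix, []))

def pwned_count(password: str, index: dict) -> int:
    """Client side: the password and its full hash never leave this function."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(index, prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def reused_passwords(vault: dict) -> dict:
    """Flag every password stored under more than one site in a vault."""
    sites_by_pw = defaultdict(list)
    for site, pw in vault.items():
        sites_by_pw[pw].append(site)
    return {pw: sorted(v) for pw, v in sites_by_pw.items() if len(v) > 1}

RANGE_INDEX = build_range_index(LEAKED_CORPUS)

if __name__ == "__main__":
    # Constructed example vault: one password reused across two sites.
    vault = {"depop": "Summer2020!", "paypal": "Summer2020!", "mail": "tr0ub4dor&3"}
    for site, pw in vault.items():
        print(f"{site}: seen {pwned_count(pw, RANGE_INDEX)} times in constructed corpus")
    print("reused across sites:", reused_passwords(vault))
```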

Phishing Attacks

Another issue which is talked about daily, for good reason, is phishing. Typically, attackers would undertake OSINT: for example, scouting out users to target on the application through the use of a dummy account, then attempting to gather their email addresses from other sources.

An attacker will then utilise the above information to launch communication-based attacks which impersonate the target application or service. This is usually in an effort to steal credentials via faked login portals.

This attack can be complex to make believable but, in my experience as a security consultant, yields fantastic results. People are usually trusting by nature, and this is exactly what is being exploited here.

There are a multitude of ways to prevent this issue; these are just some. Always verify the validity of the sender: most phishing attacks come from email-based sources, so ensure that the email address the communication is received from is genuine. In Depop’s case this is easily done by checking with their support service (referenced in article one below). The other main tip: it is unlikely Depop will ever send you communications that require you to follow a link to log in. If you ever get such a notification, the best way of dealing with it is to log into Depop through the app or website instead of following email links. TL;DR: don’t follow dodgy links.
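A triage script for the two checks above (is the sender address genuine, and does any link actually point at the service's own domain), added here as an example that is not part of the original article or of any Depop or Pentest People code. The legitimate domain `depop.com` is an assumption for illustration; the sample email is constructed and shows the classic look-alike host `depop.com.login-verify.example`, where the real registrable domain is the last two labels, not the first.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed legitimate domain for the service (an illustration, not something
# the article states); confirm the real one with the service's support team.
LEGIT_DOMAINS = {"depop.com"}

def host_is_legit(host: str, legit=LEGIT_DOMAINS) -> bool:
    """True only if host IS a legit domain or a subdomain of one.
    'depop.com.login-verify.example' fails because the registrable
    domain is the LAST labels, not the first ones."""
    host = host.lower().rstrip(".")
    if any(label.startswith("xn--") for label in host.split(".")):
        return False  # punycode (IDN look-alike) hosts are never trusted here
    return any(host == d or host.endswith("." + d) for d in legit)

def suspicious_links(body: str) -> list:
    """Return every http(s) URL whose host is not a legit domain."""
    urls = re.findall(r"https?://[^\s<>\"')]+", body)
    return [u for u in urls if not host_is_legit(urlparse(u).hostname or "")]

def sender_is_legit(from_header: str) -> bool:
    """Check the real address, not the display name ('Depop Support')."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    return host_is_legit(addr.rpartition("@")[2])

def triage(raw_email: str) -> dict:
    msg = message_from_string(raw_email)
    bad_links = suspicious_links(msg.get_payload())
    sender_ok = sender_is_legit(msg.get("From", ""))
    return {"sender_ok": sender_ok, "bad_links": bad_links,
            "verdict": "phish" if (bad_links or not sender_ok) else "ok"}

# Constructed sample message (not a real phishing email).
SAMPLE = """From: Depop Support <security@depop-verify.example>
Subject: Unusual login, confirm your account

Please confirm within 24 hours: https://depop.com.login-verify.example/auth
Help centre: https://help.depop.com/
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```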

So, picture that you have been compromised by one of the above methods: what do you do? First of all, identify that you actually have been compromised. In many examples, such as the one detailed in article three below, attackers attempt to message other accounts. This is either to scam users out of money or to gain further information about other accounts whilst masking, to an extent, their own identity. So, more often than not, you should see some odd activity in the form of messaging or new listings on your account.

First things first, CHANGE YOUR PASSWORD. This will invalidate the attacker’s session, locking them back out of your account and thus preventing them from doing any more damage. I would follow this up with an email to the Depop support team, and potentially even a message to anyone who may have had communication with the account within the compromised period.

If you want to dig deeper here, finding the root cause of the compromise is a good idea: search online repositories to find your compromised password, or find the phishing email that got you burnt. Then take steps to avoid this in the future, for example by reporting the phishing domain to Depop to help keep other users safe.

Now that we have discussed some of the potential avenues for compromise, we must also understand how we can stay safe whilst using the app, both from a non-technical and a technical standpoint.

From a non-technical standpoint, users should limit the amount of information that is available about them on sites such as this. As a security consultant I know all too well the dangers of sharing personal information online; although people seem nice, there is always a small percentage that are out to cause harm. Call me paranoid, but on sites such as Depop personal information should be kept to a minimum. My advice is as follows:

  • This seems like online safety 101, but never give anyone your full address, full name or date of birth over Depop’s chat service, no matter how badly they claim to need it. When ordering a parcel online, having it delivered to a click-and-collect service is always the best way to reduce the amount of information leaked. In turn, whoever may be preying on you is left with little to no information about your actual whereabouts. This is dealt with gracefully in the following post: https://www.instagram.com/p/CHdjnDQBnJm/
  • In addition to the above, when posting photos of items, it is a good idea to take these in front of a blank background. This way no details of either your personal life or your home are disclosed through that medium. You would be surprised what people can deduce from photos in order to locate people or publish sensitive information.

From a technical standpoint, there are a large number of things that can be done to secure your Depop account and online transactions. These are as follows:

  • As previously mentioned, set strong passwords and use a password manager to store them. That way you avoid password reuse and the potential pitfalls of credential stuffing attacks. Personally speaking, things such as 1Password or LastPass are generally good for this, or even Apple's Keychain. This then enables you to manage passwords more effectively. To go hand in hand with this, I always advocate a passphrase over a password; this ensures resilience to other attack techniques (such as cracking compromised hashes or brute-force attacks). For more information see article two below.
  • Ensure that when completing any online transaction, you do so through PayPal Goods and Services. This automatically gives you buyer protection. Should the item you receive not be as described, or not be received at all, PayPal will aid in opening an investigation to get your money back. Unfortunately, when utilising bank transfers or cash, in most cases this is either not possible at all or a lengthy process.
  • Although Depop does not currently offer two-factor authentication, should it ever become available, always ensure it is enabled. To mitigate this risk in the meantime, be extra vigilant with any emails that appear to be from Depop but may not be, and ensure two-factor authentication is enabled for things such as PayPal.
  • Regularly change your account password, every three months or so. This ensures that if it is compromised in a dump, the window for which the password is valid is kept much shorter, greatly reducing risk.
  • Keep an eye out for, and subscribe to, updates from the aforementioned password compromise sites, prompting password changes should you think your password has been leaked.

Summary

To summarise, the threats to Depop accounts are very real and can come in many forms. This means it is on you, the users of the app, to maintain the security of your own account. Stay responsible and report any threats you see; that way you maintain the highest level of assurance for your own privacy.
