Geek Squad Breach Incident Score: Analysis & Impact (GEE1805018112725)
This Rankiteo video explains how Geek Squad was affected by a cyber attack dated November 26, 2025.
Incident Summary
Key Highlights From This Incident Analysis
- Timeline of Geek Squad's cyber attack and lateral movement inside the company's environment.
- Overview of affected data sets, including SSNs and PHI, and why they materially increase incident severity.
- How Rankiteo's incident engine converts technical details into a normalized incident score.
- How this cyber incident affects Geek Squad's Rankiteo cyber score and cyber rating.
- Rankiteo's MITRE ATT&CK correlation analysis for this incident, with the associated confidence level for each technique.
Full Incident Analysis Transcript
In this Rankiteo incident briefing, we review the Geek Squad breach identified under incident ID GEE1805018112725.
The analysis begins with an overview of Geek Squad's company profile: its LinkedIn page (https://www.linkedin.com/company/geek-squad), number of followers (0), industry (IT Services and IT Consulting) and headcount (6,738 employees).
The video then explains how Rankiteo's incident engine converts technical details into a normalized incident score. Geek Squad's score was 838 before the incident and 826 after it, a change of -12, which serves as an indicator of the incident's severity and impact.
Next, the video looks more closely at the incident itself and its impact on Geek Squad and its customers.
On 27 November 2024, reports concerning U.S. consumers disclosed phishing, social engineering and fraud activity under the banner "Holiday Season Scams and Fraudulent Activities Targeting Consumers (2024)".
Scammers are leveraging the holiday season to exploit consumers through tactics that include phishing emails (e.g., fake Best Buy Geek Squad notices), warrant scams, AI-generated deepfakes and voice-cloning tools.
The exposure covers personal information (harvested via phishing), payment details (when victims hand them to scammers) and voice recordings (usable for cloning), on top of an estimated $12.5 billion in reported U.S. fraud losses for 2023, a 25% increase over the prior year.
In response, authorities and media moved to contain the threat with public warnings, news coverage (e.g., 7News) and social media alerts, and began remediation through consumer education on scam recognition, encouragement to report scams to the FTC and advice to verify requests via official channels; stakeholders are being briefed through press releases, interviews with law enforcement (e.g., Sgt. John Quarless) and holiday shopping safety guides.
The case remains ongoing, with law enforcement tracking the scam operations. Lessons drawn so far:
- Scammers exploit seasonal distractions (e.g., holidays) to increase their success rates.
- AI tools (deepfakes, voice cloning) lower the barrier to sophisticated impersonation.
- Cryptocurrency demands are a red flag for fraud.
Recommended next steps:
- Verify unsolicited requests via official contact channels (e.g., the company's own website, not links or phone numbers supplied in the email or call).
- Never share personal or financial information in response to urgent threats (e.g., warrants, overdue bills).
- Use multi-factor authentication (MFA) on accounts so that a phished password alone is not enough to take the account over.
Advisories to stakeholders cover FTC consumer alerts, Maryland AG holiday scam warnings and Prince George's County Police Department advisories.
Finally, we map the incident to the MITRE ATT&CK framework to see which tactics and techniques it correlates with.
The MITRE ATT&CK framework is a knowledge base of adversary tactics, techniques and sub-techniques, built from observed intrusions. It is a useful tool for understanding the threat landscape and for developing defensive coverage that can be traced back to specific adversary behaviours.
Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with a confidence level based on the available evidence. The mapping is reproduced below as Rankiteo reported it; where a printed technique ID does not match the technique name in the current ATT&CK Enterprise matrix, the discrepancy is noted in brackets so that the IDs are cross-checked before they are reused in detection content.
Initial Access:
- Phishing: Spearphishing Link (T1566.002), high confidence (95%). Evidence: phishing emails (e.g., fake Best Buy Geek Squad notices); email phishing under attack_vector.
- Phishing: Spearphishing Attachment (T1566.001), moderate to high confidence (70%). Evidence: malicious pop-ups under attack_vector (may deliver payloads).
- Phishing for Information: Spearphishing via Service (listed as T1598.003), high confidence (90%). Evidence: spoofed calls under initial_access_broker.entry_point; phone scams (warrant threats) under attack_vector. [In ATT&CK, T1598.001 is Spearphishing Service and T1598.003 is Spearphishing Link; Phishing for Information belongs to the Reconnaissance tactic, not Initial Access.]
Credential Access:
- Steal Web Session Cookie (T1539), moderate confidence (60%). Evidence: payment details (if shared with scammers) imply a session hijacking risk.
- Phishing for Credentials (listed as T1566.002), high confidence (95%). Evidence: personally identifiable information (PII) shared voluntarily via phishing; customers tricked into believing they had an outstanding bill. [T1566.002 is Phishing: Spearphishing Link, an Initial Access technique; ATT&CK has no "Phishing for Credentials" technique.]
Social Engineering (not an ATT&CK Enterprise tactic; the items below sit under Reconnaissance and Defense Evasion in the matrix):
- Phishing for Information: Spearphishing Service (T1598.001), high confidence (95%). Evidence: scammers impersonated Best Buy's Geek Squad via fraudulent emails; AI-generated voice cloning and deepfakes in parallel scams.
- Impersonation: Brand Impersonation (listed as T1659), high confidence (100%). Evidence: impersonated Best Buy's Geek Squad; brand impersonation under type. [In ATT&CK, Impersonation is T1656 and has no sub-techniques; T1659 is Content Injection.]
- Impersonation: Lookalike Domains (listed as T1659.002), moderate to high confidence (80%). Evidence: fraudulent emails likely used spoofed or lookalike domains. [No such sub-technique exists; see the note on T1656 above.]
- Impersonation: Audio Impersonation (listed as T1659.003), high confidence (90%). Evidence: AI-generated voice cloning; publicly available personal data (for voice cloning). [No such sub-technique exists; see the note on T1656 above.]
Collection (T1059 and its sub-techniques are Execution techniques in ATT&CK):
- Command and Scripting Interpreter: Visual Basic (T1059.005), moderate confidence (50%). Evidence: malicious pop-ups may execute scripts for data collection.
- Command and Scripting Interpreter: JavaScript (T1059.007), moderate to high confidence (70%). Evidence: malicious pop-ups likely used JavaScript for data harvesting.
- Automated Collection (T1119), moderate to high confidence (80%). Evidence: AI-generated deepfakes and automated phishing campaigns.
Exfiltration:
- Exfiltration Over C2 Channel (T1041), moderate to high confidence (85%). Evidence: personal and financial information extracted via fake support calls and emails; data potentially sold on the dark web (PII collected via phishing).
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003), moderate to high confidence (70%). Evidence: cryptocurrency extortion implies obfuscated transaction channels.
Impact:
- Financial Theft (T1657), high confidence (100%). Evidence: victims coerced into transferring funds (e.g., via cryptocurrency); $12.5 billion in 2023 U.S. reported losses.
- Resource Hijacking: Cryptocurrency Mining (listed as T1496.002), lower confidence (30%). Evidence: cryptocurrency fraud (less likely mining, more likely direct theft). [In the current matrix T1496.002 is Bandwidth Hijacking; cryptomining falls under T1496.001 Compute Hijacking.]
- Impersonation: Business Email Compromise (listed as T1659.001), moderate to high confidence (80%). Evidence: fake Best Buy Geek Squad notices (BEC-like impersonation). [No such sub-technique exists; see the note on T1656 above.]
Defense Evasion:
- Obfuscated Files or Information: Indicator Removal from Tools (T1027.005), moderate confidence (60%). Evidence: malicious pop-ups may use obfuscation to evade detection.
- Valid Accounts: Cloud Accounts (T1078.004), moderate to high confidence (70%). Evidence: spoofed calls or compromised cloud email accounts used for phishing.
Lateral Movement:
- Internal Spearphishing (T1534), lower confidence (40%). Evidence: data sold on the dark web could enable follow-on attacks.
These correlations help security teams understand the attack chain and develop defensive measures based on the observed tactics and techniques.
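The brand-impersonation and lookalike-domain findings above are the part of this incident a mail-security team can actually detect. The following script is an added example, not Rankiteo's, Best Buy's or any vendor's code: it flags messages whose display name, local part or subject claims Geek Squad or Best Buy while the sending domain is not one the brand owns, and separates outright mismatches (a free webmail account) from lookalike registrations (transposed letters, digit substitutions, the brand name padded with extra words). The brand-to-domain allow-list is an assumption for illustration, the two-label registrable-domain rule is a simplification, and every sample header is constructed.

```python
"""Flag e-mails that claim a brand (here Best Buy / Geek Squad) but are sent
from a domain the brand does not own, including lookalike registrations.

Added example, not Rankiteo's or Best Buy's code. BRAND_DOMAINS is an
assumed allow-list and every header in SAMPLES is constructed."""
import re
from email.utils import parseaddr
from typing import Optional

# Assumed allow-list: registrable domains each brand is taken to send from.
BRAND_DOMAINS = {
    "geek squad": {"geeksquad.com", "bestbuy.com"},
    "best buy": {"geeksquad.com", "bestbuy.com"},
}

# Character substitutions typical of lookalike registrations (0 for o, rn for m).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t")]


def registrable_domain(host: str) -> str:
    """Last two labels of a host (assumption: no multi-label public suffixes
    such as co.uk; use a public-suffix library in production)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Lower-case, drop separators and fold confusable character sequences."""
    s = re.sub(r"[-_.]", "", label.lower())
    for bad, good in CONFUSABLES:
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def claimed_brand(display: str, local_part: str, subject: str) -> Optional[str]:
    """Brand named anywhere in the display name, local part or subject."""
    text = re.sub(r"[^a-z0-9]", "", f"{display} {local_part} {subject}".lower())
    for brand in BRAND_DOMAINS:
        if brand.replace(" ", "") in text:
            return brand
    return None


def classify_sender(from_header: str, subject: str = "") -> dict:
    """Return {'brand', 'domain', 'verdict', 'reason'} for one message.

    verdict is one of: unparseable, no_brand, legitimate, lookalike,
    brand_mismatch."""
    display, addr = parseaddr(from_header)
    local, _, host = addr.partition("@")
    result = {"brand": None, "domain": "", "verdict": "unparseable", "reason": ""}
    if not host:
        return result
    brand = claimed_brand(display, local, subject)
    rdomain = registrable_domain(host)
    result.update(brand=brand, domain=rdomain, verdict="no_brand")
    if brand is None:
        return result
    allowed = BRAND_DOMAINS[brand]
    if rdomain in allowed:
        result["verdict"] = "legitimate"
        return result
    # Compare the second-level label only: the TLD is cheap for an attacker to vary.
    sender_label = normalize_label(rdomain.split(".")[0])
    for good in sorted(allowed):
        good_label = normalize_label(good.split(".")[0])
        if good_label in sender_label or edit_distance(sender_label, good_label) <= 2:
            result.update(verdict="lookalike", reason=f"{rdomain} resembles {good}")
            return result
    result.update(verdict="brand_mismatch",
                  reason=f"claims {brand!r} but sent from {rdomain}")
    return result


# Constructed sample headers (not real messages).
SAMPLES = [
    ("Geek Squad <no-reply@emailinfo.bestbuy.com>", "Your protection plan receipt"),
    ("Geek Squad <renewal@geeksqaud.com>", "Auto-renewal of $399.99 processed"),
    ("Geek Squad Billing <support@ge3ksquad-support.net>", "Invoice attached"),
    ("Billing Dept <invoice@mailer-42.net>", "Your Geek Squad subscription was renewed"),
    ("Best Buy Support <bestbuy.support@gmail.com>", "Call us to cancel the charge"),
    ("Alice <alice@example.org>", "Lunch on Friday?"),
]


def triage(samples=SAMPLES):
    """Classify each sample and return (address, verdict) pairs."""
    return [(parseaddr(h)[1], classify_sender(h, s)["verdict"]) for h, s in samples]


if __name__ == "__main__":
    for addr, verdict in triage():
        print(f"{verdict:15} {addr}")
```

Two caveats when deploying something like this: a lookalike domain registered by the attacker passes SPF, DKIM and DMARC on its own merits, so this content-level check is complementary to, not replaced by, authentication results; and it says nothing about the phone-based warrant and voice-cloning variants described on this page, which need caller-ID and process controls rather than mail filtering.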
Sources
- Geek Squad Rankiteo Cyber Incident Details: http://www.rankiteo.com/company/geek-squad/incident/GEE1805018112725
- Geek Squad CyberSecurity Rating page: https://www.rankiteo.com/company/geek-squad
- Geek Squad Rankiteo Cyber Incident Blog Article: https://blog.rankiteo.com/gee1805018112725-best-buy-geek-squad-cyber-attack-november-2025/
- Geek Squad CyberSecurity Score History: https://www.rankiteo.com/company/geek-squad/history
- Geek Squad CyberSecurity Incident Source: https://wjla.com/news/local/holiday-shoppers-consumers-scamming-tactics-fake-best-buy-geek-squad-emails-prince-georges-county-maryland-police-data-breaches-federal-trade-commission-amazon-paypal-financial-crimes
- Rankiteo A.I CyberSecurity Rating methodology: https://www.rankiteo.com/static/rankiteo_algo.pdf
- Rankiteo TPRM Scoring methodology: https://www.rankiteo.com/static/Rankiteo%20Cybersecurity%20Rating%20Model.pdf