Developing and Selling Scamming Tools to Harvest Credentials of Brand-Name Consumers
The Federal Bureau of Investigation (FBI) is releasing this PSA to inform the public of recent spear phishing email campaigns targeting consumers of brand-name companies, also known as brand-phishing, through their online User IDs and associated email accounts. Cyber criminals are very likely developing and selling scamming tools to trick consumers of brand-name companies into revealing personal account information to compromise accounts and bypass online security protocols, most notably two-factor authentication (2FA).
What Are Brand-Phishing Emails?
A brand-phishing email is an email cyber criminals send to impersonate the official websites of prominent brands – such as those within the technology, banking, shipping, and retail industries – to trick consumers into revealing sensitive personal account information. Cyber criminals attach malicious URL links or files within their phishing messages that will take a victim to a fake website (scampage) that requires consumers to login to verify information or respond to an activity alert. Links to these scampages are sent through emails, text messages, or via web and mobile applications and may spoof the identity or online address to resemble the genuine site. The scampages may then use login forms or malware to steal users' credentials, payment details, or other personally identifiable information (PII).
How can spear phishing emails bypass 2FA?
Cyber criminals are very likely developing and selling scampage tools that recognize when consumers use their email address as their User ID. Once detected, the consumer is redirected to an email scampage of the same email domain to steal their email account login and password information. When cyber criminals gain access to a consumer's online and email accounts, cyber criminals may be able to intercept emails with 2FA codes that are used to make significant changes to online accounts, update passwords, verify user access, or change security rules and setup before the account owner is notified and aware.
Motives to Target Brand-Name Consumers
As consumers more routinely make purchases, conduct business, and receive support online and through mobile applications, cyber criminals continue to target brand-name consumers due to the sheer number of people using brand-name services and the level of trust and legitimacy associated with these companies.
The FBI has observed cyber criminals selling scamming software and offering these tools with the appearance of their own ongoing technical support. Cyber criminals are financially motivated to develop these scampage tools to enhance their scamming tactics and more effectively harvest the credentials of consumers to compromise and takeover account access. Cyber criminals are also motivated to sell these scampage tools to other users, regardless of their programming skills, which generates revenue and adds to the threat from these credential harvesting methods and tactics.
Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers. Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.
Recommendations
The FBI continues to promote awareness that spear phishing tactics persist as a growing risk across industries in the United States and overseas, and the FBI continues to encourage public reporting through the Internet Crime Complaint Center (IC3) to prevent future crimes and provide support to victims. The FBI similarly encourages private sector partners to remain vigilant, evaluate internal policies, and continue to communicate with their consumers regarding account security protocols.
- Be suspicious of unsolicited contact via email or social media from any individual you do not know personally and/or containing messages enticing you to open a link or attached file.
- When receiving account alerts, rather than clicking a link within an email or text, opt to navigate to the website using the secure URL to review any logs, messages, or notices.
- Closely verify the spelling of web addresses, websites, and email addresses that look trustworthy but may be imitations of legitimate websites, to include the username and/or domain names/addresses (i.e., capital “I” vs small “L”, etc.).
- Use strong unique passwords, and do not re-use the same password across multiple accounts.
- Do not store important documents or information in your email account (e.g., digital currency private keys, documents with your social security number, or photocopies of a driver's license).
- Enable 2FA and/or multi-factor authentication (MFA) options to help secure online accounts, such as a phone number, software-based authenticator programs/apps, USB security key, or a separate email account (with a unique password that does not link to other consumer accounts) in order to receive authentication codes for account logins, password resets, or updates to sensitive account information.
- When possible, do not use your primary email address for logins on Websites. Create a unique username not associated with your primary email address.
- If you believe that you have been victimized contact your local law enforcement agency or your local FBI field office (contact information can be found at www.fbi.gov/contact-us/field-offices.) and immediately report the activity to the FBI's Internet Crime Complaint Center at www.ic3.gov.