Cyber criminals are likely developing and selling tools that harvest credentials and 2FA codes to defraud users, according to the Federal Bureau of Investigation (FBI). The Bureau has observed a recent spike in spear phishing email campaigns targeting consumers of brand-name companies.
The FBI warned Internet users in a public service announcement this week of “recent spear phishing email campaigns targeting consumers of brand-name companies, also known as brand-phishing, through their online User IDs and associated email accounts.”
“Cyber criminals are very likely developing and selling scamming tools to trick consumers of brand-name companies into revealing personal account information to compromise accounts and bypass online security protocols, most notably two-factor authentication (2FA),” the agency notes.
“Once detected, the consumer is redirected to an email scampage of the same email domain to steal their email account login and password information,” the announcement reads. “When cyber criminals gain access to a consumer’s online and email accounts, cyber criminals may be able to intercept emails with 2FA codes that are used to make significant changes to online accounts, update passwords, verify user access, or change security rules and setup before the account owner is notified and aware.”
The FBI says the scammers behind this campaign have adopted a model similar to ransomware-as-a-service, selling the tools to affiliates and offering “their own ongoing technical support.”
“Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers,” the Bureau notes.
“Cyber criminals are also motivated to sell these scampage tools to other users, regardless of their programming skills, which generates revenue and adds to the threat from these credential harvesting methods and tactics,” the agency stresses.
Spear phishing persists as a growing risk across the world, according to the agency, and users are urged to report any such scam attempts to the Internet Crime Complaint Center (IC3).
The Bureau urges consumers to keep using 2FA and/or multi-factor authentication (MFA) options, but to avoid using their primary email address as a login identifier. Preferably, users should create a unique username that is not associated with their primary email address, so that a compromised email account does not also reveal the login name for other accounts.
Bitdefender Digital Identity Protection (DIP) lets you control your digital footprint by continuously monitoring for data breaches and social media impersonators. Digital footprint monitoring uses only the information provided at sign-up (email address and phone number). DIP helps find your private information online in legal and illegal collections of data, and helps you stay on top of new breaches and privacy threats with instant alerts and ongoing monitoring.