Special Alert: Guidance on Global Threats
On March 21, 2022, both the White House and the Department of Homeland Security issued statements and guidance about the urgency of all US businesses acting now to protect against cyber attacks.
They both referred to the Shields-Up campaign as a resource for the private sector and stressed the critical importance of shoring up protections.
As our partner, you will always be covered with the best security we can provide. This fact sheet should merely reinforce what we recommend/handle for you.
Click the image to view the White House fact sheet for businesses.
Excerpt from the White House:
“The Biden-Harris Administration has warned repeatedly about the potential for Russia to engage in malicious cyber activity against the United States in response to the unprecedented economic sanctions we have imposed. There is now evolving intelligence that Russia may be exploring options for potential cyber attacks.
The U.S. Government will continue our efforts to provide resources and tools to the private sector, including via CISA’s Shields-Up campaign and we will do everything in our power to defend the Nation and respond to cyberattacks. But the reality is that much of the Nation’s critical infrastructure is owned and operated by the private sector and the private sector must act to protect the critical services on which all Americans rely.
We urge companies to execute the following steps with urgency.”
Excerpt from Secretary of the Department of Homeland Security, Alejandro N. Mayorkas:
“As the Russian Government explores options for potential cyberattacks against the United States, the Department of Homeland Security continues to work closely with our partners across every level of government, in the private sector, and with local communities to protect our country’s networks and critical infrastructure from malicious cyber activity. Organizations of every size and across every sector should continue enhancing their cybersecurity defenses. Organizations can visit CISA.gov/Shields-Up for best practices on how to protect their networks, and they should report anomalous cyber activity and/or cyber incidents to report@cisa.gov or (888) 282-0870, or to an FBI field office. DHS will continue to share timely and actionable information and intelligence to ensure our partners and the public have the tools they need to keep our communities safe and secure, and increase nationwide cybersecurity preparedness.”
1. Fake Law Enforcement or Government Officials
The FBI issued an alert this March warning of scammers impersonating law enforcement or government officials. This is similar to the SEC scam I sent in December, but like many scams that prove to be effective, it is evolving and expanding.
“Scammers will often spoof authentic phone numbers and names and use fake credentials of well-known government and law enforcement agencies. Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring.”
Some of the angles these scams take include the following:
- Your identity was allegedly used in a crime, such as a drug deal or money laundering. You are asked to verify your identity, including social security number and date of birth. You are threatened with arrest, prosecution, or imprisonment if you do not pay to remove charges or assist in the investigation against the “real” criminals.
- You are accused of not reporting for jury duty and being fined, or you missed a court date and there is a warrant for your arrest unless a payment is made.
- Text messages from spoofed Government agencies requesting information regarding passport or driver’s license renewals.
- A notification that your personal information has been compromised and to contact the agency immediately.
- Medical practitioners are contacted to warn of the expiration of their medical licensing, or that their license was utilized to conduct a crime. The scammers will threaten revocation of the license or registration, and the medical professional is compelled to renew their license to protect their professional reputation.
- A romance scam victim begins to realize they are being defrauded and stops communicating with the scammer. Often, the victim is contacted by a law enforcement impersonator attempting to extort the victim to clear their name for participating in a crime or to aid in the capture of the romance scammer.
- A lottery scam victim is contacted by law enforcement to collect taxes and fees. Sometimes the impersonator will state a victim is caught in a scam, and the victim needs to pay to get their money back.
- A victim is contacted regarding a government grant, but must pay taxes and fees to claim their funds.
The goal of all of these approaches is payment.
So what should you do?
Always be suspicious of unsolicited emails, texts, or calls demanding payment.
No matter how official or threatening the person sounds, remember that law enforcement authorities or government officials will never contact members of the public or medical practitioners by telephone to demand payment or to request personal or sensitive information. Any legitimate investigation or legal action will be done in person or by official letter.
Always ask for credentials to validate identity.
Never give personally identifying information to anyone without verifying the person is who they say they are.
The FBI recommends the following steps if you become a victim of this type of scam:
- Cease all contact with the scammers immediately.
- Notify your financial institutions.
- Contact your local law enforcement and file a police report.
- File a complaint with the FBI IC3 at www.ic3.gov.
- Be sure to keep any financial transaction information, including banking records and all telephone, text, or email communications.
2. Customer and Tech Support Fraud
In another bulletin from the FBI this March, we are warned about more impersonators – criminals posing as tech support and customer support.
This is a threat to all businesses and an even bigger risk to those with remote workers using personal devices at home.
If you’ve been a subscriber for a while, you may remember the February 2020 scam of criminals claiming to be from Microsoft offering to ‘help’ update your Windows 7 machine or give you support past its end-of-life. For a fee, of course. Or remote access into your machine. These scams are similar, but they have expanded.
These recent fraud attempts see criminals impersonating well-known tech, financial, or utility companies, offering to fix non-existent technology issues and renewing fraudulent software or security subscriptions.
They may offer support to resolve such issues as a compromised email or bank account, a virus on a computer, or a software license renewal.
Recent examples:
- Banking support impersonators: You are usually contacted via text or call to indicate a problem with your account. You are persuaded to allow access to your computer and bank account to correct the issue. The scammer uses that access to initiate transfers from the account and others associated with it. By the time you realize what happened, your account is often empty.
- Drivers employed by ride-share or transportation mobility companies: Drivers report being contacted by someone impersonating support staff of their rideshare company with an issue regarding a rider complaint or the driver’s account. The driver is convinced to allow access to their account and all funds in the account are taken by the impersonator.
- Utility, cable, or internet companies: You are contacted by someone impersonating a utility company with claims of an unpaid bill you must pay immediately to avoid shutoff, or you are contacted by a cable, phone, or internet company with offers of great savings.
- Travel industry: Scammers are impersonating customer support of the car rental, airline, and hotel industries with offers of great deals or taking fake reservations. Payment is usually requested by prepaid cards. Unsuspecting victims report to a reservation counter, only to find no car, hotel, or flight reservation exists.
- Always be suspicious of unsolicited calls, texts, or emails with amazing, incredible offers or urgent demands to pay. Criminals want to elicit strong emotions, such as fear or missing out on a deal, and push you into immediate action so you don’t have time to stop and think.
- Remind yourself that legitimate customer, security, or tech support companies will not initiate unsolicited contact with individuals. Microsoft is not going to call you. It’s more plausible that your bank might, but they often prefer to send official business through the mail. And if it is a real call from your bank, you can get off the phone and call back using the numbers on their website to conduct any business you need to.
- Ensure all computer anti-virus, security, and malware protection is up to date and consider installing ad-blocking software to reduce pop-ups and malvertising (online advertising to spread malware).
- Be cautious of customer support numbers in caller ID as they can be spoofed. And if you search independently for a valid customer service number, make sure you do not accidentally choose an Ad. Phone numbers listed in a “sponsored” results section are likely boosted as a result of Search Engine Advertising and could be a fake listing paid for by criminals.
- Never give unknown, unverified people remote access to your devices or accounts.
3. Rethinking ReCAPTCHA Forms
Researchers at Avanan, an email security company, have found new ways that hackers are using CAPTCHA forms to bypass filters and lull us as end-users into a false sense of security.
They report emails, often appearing to be faxes with an attached pdf, sent from a legitimate but compromised domain, being used to try to steal credentials.
How it works is that you receive this email with the attached ‘fax.’ You open the attachment, which takes you to a website. There you see a reCAPTCHA form asking you to click to prove you are not a robot.
Once you click, you are asked to enter your credentials in order to view the document. If you do, you have just given them to the criminals.
The researchers explain why this is effective:
“In this attack, hackers are using CAPTCHA forms to bypass scanners.
Perhaps the most popular CAPTCHA is Google’s reCAPTCHA. Google is inherently trusted by most security scanners, since you can’t just block Google. The reCAPTCHA service makes connections to IP addresses that belong to Google and are already in most allow lists.
One of the main tasks of reCAPTCHA challenges–those annoying image games you have to play before proceeding to a site– is to make content inaccessible to crawlers and scanners that do not pass the verification process; therefore, the malicious nature of the target websites will not be apparent until the CAPTCHA challenge is solved.
Further, because the content of this attachment is a seemingly harmless reCAPTCHA, and the mail client will not be able to solve the CAPTCHA, the email client will have no way of determining the safety of the actual attachment’s content. Adding to the challenge for scanners is that the email is being sent from a legitimate domain, in this case, a compromised university site.
To the end-user, this doesn’t seem like [a scam] but more like a nuisance. Given how often the average user fills out a CAPTCHA challenge, it’s not out of the ordinary. Neither are password-protected PDF documents. Plus, the PDF is hosted on a convincingly-spoofed OneDrive page, adding another veneer of legitimacy.
By providing end-users with innocent enough content, and scanners with enough to be fooled, this is an effective attack for hackers to pull off.”
So how can you stay safe from this?
- Always be careful with unsolicited attachments. In a case like this, consider whether or not it is the normal way you receive faxes. Is the sender correct? Does the sender typically send faxes? Confirm it is legitimate with the sender via chat or phone call if this is not a regular occurrence. If you’re in any way unsure, send it to us to check it out for you. We’re happy to do so.
- Be suspicious of attachments, pdf or any file type, that send you to websites. Using a web browser to view an attachment is different than opening an attachment that then directs you to a website. It should send up red flags.
- Carefully check URLs before filling out CAPTCHA forms. Look for misspellings and numbers used in place of letters to appear to be legitimate sites.
- Question whether a pdf you received should be password protected. It can certainly be valid depending on the contents, but you should confirm with the sender in some other method than email before proceeding.
