An official warning has been issued by the Federal Bureau of Investigation (FBI) about a spike in well-known brands being impersonated in spear phishing attacks, which aim to trick people into handing over sensitive data or downloading malware.
The campaigns work by exploiting the trust placed in well-known brands in order to get recipients to complete an action. Typically they include the actual logo of the targeted brand, presented in the same format as genuine messages from the company. However, they contain links that take anyone who clicks them to a malicious web portal, which then attempts to steal sensitive data.
Hackers sell scampage tools on the dark web that allow other hackers to run successful phishing campaigns. The FBI has confirmed that the scampage tools in question can detect whether a person is using their email address as their login ID for a web platform. If this is detected, the user is sent to a scam page matching that email domain and asked to enter their login credentials, which the hacker can then use to access the victim’s email. This in turn allows the hacker to receive any 2-factor authentication codes delivered to that mailbox, rendering the security method useless. With 2FA codes, the cybercriminal can gain access to accounts and make changes, including updating passwords to lock users out or altering security rules, before the account owner can be alerted.
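The mismatch described above (a message carrying the brand's own logo while its links lead somewhere else) is something a mail filter or a reviewer can check mechanically. The script below is an added example and is not part of the FBI release or this article: it takes the brand domain a message claims to come from and flags every HTTP(S) link in the HTML body whose host is not that domain or one of its subdomains. The sample email and the `examplebank.invalid` / `.test` hostnames are constructed for illustration.

```python
"""Flag links in a brand-styled email that lead away from the brand's domain."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._in_anchor = False

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append([href, ""])
                self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor and self.links:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._in_anchor = False


def same_org(host, brand_domain):
    """True when host is the brand domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    brand_domain = brand_domain.lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def find_suspicious_links(html_body, brand_domain):
    """Return the HTTP(S) links whose host does not belong to brand_domain.

    Each finding records the href, the text the recipient would see, the
    host, and whether the host merely contains the brand name (a lookalike),
    which is what a reviewer or a mail filter would want surfaced.
    """
    parser = _LinkExtractor()
    parser.feed(html_body)
    brand_label = brand_domain.lower().split(".")[0]
    findings = []
    for href, text in parser.links:
        parsed = urlparse(href.strip())
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:, tel: and relative links are out of scope here
        host = parsed.hostname or ""
        if same_org(host, brand_domain):
            continue
        findings.append({
            "href": href,
            "text": " ".join(text.split()),
            "host": host,
            "lookalike": brand_label in host,
        })
    return findings


# Constructed sample of a brand-impersonation email (reserved .invalid/.test names).
SAMPLE_EMAIL = """
<html><body>
<img src="https://www.examplebank.invalid/logo.png" alt="ExampleBank">
<p>We noticed unusual sign-in activity on your account.</p>
<p><a href="https://examplebank-secure-login.test/verify">Verify your account</a></p>
<p><a href="https://www.examplebank.invalid/help">Help centre</a></p>
<p><a href="mailto:support@examplebank.invalid">Contact support</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL, "examplebank.invalid"):
        print(finding)
```

Run against the sample, only the "Verify your account" link is reported, and it is marked as a lookalike because the host contains the brand name without being the brand's domain. The check is deliberately strict about suffix matching so that a host such as `examplebank.invalid.evil.test` is not mistaken for a subdomain.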
The FBI release said: “Much like the threat with ransomware-as-a-service, this type of product-as-a-service distribution of scampage and credential harvesting tools presents an increased nationwide risk to private sector businesses and their consumers. Brand-phishing email campaigns and scampage tools that help bypass 2FA security measures represent another aspect to this emerging cyber threat.”
To prepare for an attack like this, companies must configure an advanced spam filtering solution that blocks phishing emails before they land in employee inboxes. Password policies should make strong passwords mandatory, and reviews should be carried out to enforce this and to ensure that commonly used or weak passwords cannot be set on accounts. Employees should be told never to reuse a password across multiple accounts and to ensure that every company account has a unique password. Security awareness training should be provided to all staff members covering email security best practices and how to spot phishing emails and other scams.
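The password controls in the paragraph above (mandatory strong passwords, a review that roots out common or weak ones, and no password shared across accounts) can be enforced in code. The following is an added example, not part of the FBI release or this article; the account table and the short common-password list are constructed for illustration, and a real deployment would use a full breached-password list and a higher PBKDF2 work factor.

```python
"""Password policy checks: length, deny list, reuse across accounts, and a weak-password audit."""
import hashlib
import hmac
import os

MIN_LENGTH = 12
PBKDF2_ROUNDS = 50_000  # kept low so the example runs quickly; raise in production

# Constructed excerpt of a deny list of commonly used passwords.
COMMON_PASSWORDS = frozenset({
    "password", "password1", "123456", "12345678", "qwerty", "letmein", "welcome1",
})


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def evaluate_new_password(candidate, users_other_hashes):
    """Return policy violations for a proposed password; an empty list means accepted.

    users_other_hashes holds (salt, digest) pairs for the same person's other
    company accounts, so a reused password is refused at the moment it is set.
    """
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        violations.append("on the common-password deny list")
    if any(matches(candidate, salt, digest) for salt, digest in users_other_hashes):
        violations.append("already used on another company account")
    return violations


def audit_weak_passwords(accounts):
    """Periodic review: report accounts whose stored hash matches a deny-listed password."""
    flagged = []
    for username, (salt, digest) in accounts.items():
        if any(matches(weak, salt, digest) for weak in COMMON_PASSWORDS):
            flagged.append(username)
    return sorted(flagged)


# Constructed account table: username -> (salt, digest).
ACCOUNTS = {
    "alice@corp.example": hash_password("correct horse battery staple"),
    "bob@corp.example": hash_password("welcome1"),
    "alice-vpn": hash_password("correct horse battery staple"),  # reuses alice's mail password
}

if __name__ == "__main__":
    print("weak:", audit_weak_passwords(ACCOUNTS))
    print("reuse check:", evaluate_new_password("correct horse battery staple",
                                                [ACCOUNTS["alice@corp.example"]]))
```

The reuse check verifies the candidate against the person's other stored hashes rather than storing plaintext anywhere, and the audit hashes each deny-listed password with the account's own salt, so both controls work against the hashed credential store a company already keeps.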
Due to the spike in scampage campaigns, all staff members should create a unique username for each account, one that is not connected to their main email address. 2-factor authentication should be enabled wherever it is available, and where possible a software-based authenticator app or a USB security key should be used as the second factor.