12/16/2021
I hope everyone is enjoying a safe and happy holiday season. With many of us doing our shopping online, I wanted to share a security update I received from one of my business partners, CATIC (CT Attorneys Title Insurance Company), regarding the protections we all enjoy using multifactor authentication (MFA) for the many online services we use, most importantly our online banking. MFA is an important security feature that should be used as often as possible, but not surprisingly cybercriminals have figured out a way to penetrate even this level of security.
Here is some info on cybercriminals' latest attempts to bypass MFA security features:
Multifactor authentication (MFA) is an authentication method used to verify one’s identity through two or more technological factors. In other words, MFA uses something a user knows (username/password), has (possession-based), and is (biometric). Similar to all of the behemoth technology companies of the world that promote MFA to their own users as another layer of defense, CATIC IT Security, too, is a strong advocate of this technique. When you utilize MFA to log in to your email accounts, or sign into your social media profiles, etc., you are doing your part in not only protecting your data from unauthorized hands, but you are also making the cybercriminals’ jobs more arduous in their attempts to obtain your information. The rationale behind frustrating the cybercriminals is the hope that they move on to other potential victims who do not have any type of MFA enabled to secure their accounts.
Unfortunately, while we all hail MFA as an obliging player in the cyber arena to deter attacks, cybercriminals are swiftly gaining traction in using various measures to bypass MFA. More specifically, cybercriminals are leveraging SMS message notifications that involve peer-to-peer (P2P) payment applications, such as Zelle. Within this Zelle phishing scam, cybercriminals are sending out mass text messages that detail unusual bank transfers. Further into the initial message, the cybercriminals conclude with a “Reply YES or No or 1 To Decline Fraud Alerts.” The closing segment of this type of message is crafty, as one might be inclined to respond either way. If a person responds with a “Yes” or “No,” that person will receive a call from the cybercriminal, which appears to be coming from the person’s bank. To make this scam more believable, the number is spoofed in order to make it look like the call is coming from JP Morgan Chase, Bank of America, etc.
Once the cybercriminal has the unsuspecting caller on the line, here is a play-by-play of what typically occurs:
• The criminal asks for the recipient’s username for the bank site, purportedly to verify the person’s identity.
• While already on the recipient’s bank website, the cybercriminal asks the recipient for the passcode that was sent to the recipient’s mobile device.
  o This would occur when the criminal does a “password reset” option, or “forgot password” reminder.
• As the recipient reads the MFA code to the caller, the cybercriminal begins the process of resetting the password, to lock the legitimate user from access to the bank account.
In attempts to combat this scam, Zelle has decided to make its message notifications slightly more detailed, such as including a name and monetary figure for a pending transaction. To defeat this “fix” from Zelle, cybercriminals have quickly pivoted and included names and figures for their bogus transactions via text. While the above scam and MFA bypass practice seem like a lose-lose situation, it is still imperative to realize that the battle is far from lost. It has ubiquitously been noted that nothing will ever be 100% secure. However, this notion should never discourage one from using MFA. In fact, Microsoft has vehemently argued that MFA can prevent 99.9% of attacks pertaining to phishing, spear phishing, credential stuffing, etc. To reiterate, when you use MFA, not only are you adding a second layer of security to your account to protect data, but you are also safeguarding your company’s information and thwarting possible lateral attacks throughout the organization. Moreover, MFA is easy to activate and is one of the chief elements in bettering an overall security posture. To avoid scams, such as the one detailed above, please review the tips below:
• Be wary of random text messages from unknown numbers.
  o The same can be said for odd text messages with strange URLs in them.
• Ask yourself, “Was I expecting anything from this sender?”
  o In this case, were you expecting something from Zelle? Do you even have a Zelle account?
• Be very suspicious of text messages that urge you to act quickly on a matter.
• Look for poor spelling and odd grammatical structures.
*Statistics were derived from krebsonsecurity.com and microsoft.com*
I hope you all have a safe and happy holiday season!