Vishing for MFA Codes for Account Access

Scams

June 26, 2025

The recent surge in data breaches is a significant cause for concern, including a publicly exposed database containing more than 184 million records of email addresses, usernames, passwords, and links to account login or authorization webpages. This database included data for many services, applications, and accounts, such as email providers, Microsoft products, Facebook, Instagram, Snapchat, Roblox, financial institutions, health platforms, and government portals from various countries. Data exposed in breaches or otherwise publicly available online enables threat actors to conduct malicious cyber activity, such as social engineering, credential stuffing attacks, account takeovers, identity theft, and financial fraud.

Over the past several weeks, the NJCCIC observed an uptick in reports of threat actors impersonating legitimate organizations in vishing scams and claiming unauthorized charges or unusual activity on the target’s account. To create urgency and fear, they pressure and trick their targets into verifying account information to “credit” the charges or “fix” the issue. They may request the target’s MFA code, since they likely already have the target’s username and password. If divulged, the MFA code combined with the exposed credentials allows threat actors to access the target’s accounts or devices and make unauthorized withdrawals or purchases of goods or services.

For example, threat actors spoofed a financial institution’s phone number. They claimed the account had been charged and requested the target’s password and MFA code to verify the account information. Once the target provided them, the threat actors accessed the target’s bank account and withdrew funds instead. Reports indicated that threat actors successfully targeted multiple victims and stole funds ranging from $10,000 to $20,000 per victim.

In another example, threat actors impersonated an AT&T representative and claimed there was activity on the account. They further explained to the target that someone was trying to change the mailing address on the account to order a new phone and ship it to a new address. To “fix” this issue, the threat actors requested the target’s email address and MFA code for verification. Instead, the threat actors accessed the target’s account using the provided MFA code and purchased a new phone.

In a more sophisticated scheme, threat actors impersonated a T-Mobile representative and inquired about their target’s recent service. They stated that the company was losing customers and offered promotional discounts to retain them. To create legitimacy, the threat actors specified that the target qualified for this discount, that the phones were fully paid, and that the charges would be credited once the promotional discount was activated on the account. They also claimed that the target’s account PIN was not working, so they sent the target a verification code to “fix” the issue. The target did not question the request for the MFA code because it resembled the legitimate authentication notifications the target had received in past interactions. However, in this case, the key difference was that the target had not initiated the phone call, the login, or the MFA code request.

Once the target provided the MFA code, the threat actors accessed the target’s account. The threat actors continued their promotional discount lure by pressuring the target to choose two phone models. Minutes later, the target received an email notification for an order placed on their account. The target had changed their mind about the models, but the threat actors reassured them that they could make the change after picking up the phones in person. They also offered the target a prepaid return shipping label, claiming the phones would be returned to a T-Mobile warehouse in Philadelphia. However, the target became suspicious after noticing that the return shipping label was sent from a different email address. The target picked up the phones but hesitated to “return” them. The threat actors insisted that the target “return” the phones using the provided return shipping label; otherwise, the target would be responsible for the charges, contrary to what was initially discussed as part of the purported promotional discount. The target shipped the phones, then contacted the shipping company to hold the package, and was advised that the sender’s and recipient’s contact information were the same.

Recommendations

  • Refrain from answering unexpected calls from unknown contacts.
  • When receiving unsolicited phone calls, do not respond to any requests for sensitive information, access, or money.
  • Immediately reject unexpected MFA code requests or prompt notifications, especially if you have not initiated a login attempt.
  • If suspicious inquiries are made by individuals claiming to represent a trustworthy organization, hang up and call the organization back using the official phone number found on their website.
  • Block and delete unsolicited or suspicious phone numbers received on cell phones or other devices, if possible.
  • Reduce your digital footprint so threat actors cannot easily target you.
  • Employ tools such as haveibeenpwned.com to determine if your personally identifiable information (PII) has been exposed via a public data breach.
  • Review the Identity Theft and Compromised PII NJCCIC Informational Report if your PII has been compromised.
  • Report vishing scams and other malicious cyber activity to the NJCCIC and FBI’s IC3.