REPORT ALL SUSPICIOUS OR CRIMINAL ACTIVITY TO 911

Monday, April 8, 2024

MULTI-FACTOR AUTHENTICATION- Beware of MFA Fatigue Attacks

While Multi-Factor Authentication (MFA) has become a premier tool to protect your accounts from being hacked by a cybercriminal, hackers are trying to find ways to overcome its benefits and use it to enter your accounts.

One typical attack is for a cybercriminal to obtain the ID and password for one of your accounts, then try to sign in. If the account is set up with MFA, it will send a code or ask for confirmation before opening the account. If you do not approve the login, the cybercriminal will keep trying to log in, hoping that you will become annoyed or “fatigued” enough to give up and allow the login to continue.

Krebs on Security reports that it has received reports of criminals using this technique with a twist against Apple customers. The cybercriminals will try the classic MFA fatigue attack. But if their victim doesn’t approve a login, they will call the victim up claiming to be from Apple support. They tell the victim that they are under attack and that Apple support needs to “verify” a one-time code. Of course, the code is the standard MFA notification with a code to enter or a selection to approve or disapprove logging in.

The attack on Apple systems may take advantage of bugs unique to Apple. Krebs on Security observes that changing your account phone number to a VoIP phone number might help. Using an email alias could also help. See the Krebs on Security article below for details.

If you receive a notice to approve a login and you are not logging into your account, then obviously you should deny the request. Someone you do not want in your account is trying to get in. If the notifications are persistent and numerous, after the attack subsides (assuming that it does stop) change the password to your account to a new strong password. Changing your password should prevent someone with your old password from trying to log in in the near future.

 

Krebs on Security:

https://krebsonsecurity.com/2024/03/recent-mfa-bombing-attacks-targeting-apple-users/

 

National Cybersecurity Alliance:

https://staysafeonline.org/resources/multi-factor-authentication/

 

Wikipedia:

https://en.wikipedia.org/wiki/Multi-factor_authentication_fatigue_attack

 

 

Monday, April 1, 2024

VACATION SECURITY- Is It Safe to Use a Room Safe?

Frommer’s, a website that gives advice about travel locations, methods, and accommodations, recently posted an article about the safety of in-room hotel safes.

The article noted videos circulating on social media that show methods a thief could use to break into these common accessories that many hotels provide. In an effort to nail down actual statistics showing how much of a problem theft from in-room safes really is, Frommer’s could not find much information from major hotel chains or law enforcement. While Frommer’s did not find much information documenting any major trend in the theft of hotel safe contents, it notes that the fear of theft is logical for travelers.

Frommer’s research developed the following recommendations:


·         Place your documents in the hotel safe in the hotel’s office.

·         Many hotel safes have you enter a unique numeric code each time you enter the safe. Be sure not to use an obvious code such as 0000 or 1234. If the safe has a preset code, be sure that it is not a simple code like 1234. If it is, ask hotel management if they can change the code for you.

·         Place an external lock on the safe such as from Milockie (https://www.amazon.com/Milockie-370111-Hotel-Safe-Lock/dp/B0042WWMA8?&linkCode=sl1&tag=pageviewcount-20&linkId=cde22f448fc1ed7924e0127df3ae2594&language=en_US&ref_=as_li_ss_tl). This adds another layer that must be opened to enter the safe. You remove the external lock with a code or a key that only you have, then enter the safe with the code that is programmed into the safe’s lock. This way, a third party cannot enter the safe with a house key or code.

·         Take a portable safe with you, which can be made of plastic or a soft, knife-proof material. You can place it in your suitcase while you are away from the room, or you can attach it to an immovable object such as a bed frame with an often-supplied heavy-duty cable and a padlock.

·         Put your valuables in your suitcase and lock it. This assumes that staff will not want to rummage through your dirty laundry to find your valuables.

 

Another recommendation that Frommer’s makes is to take pictures of important documents such as your passport, credit and insurance cards, and your driver’s license, then save them to your phone and save copies to your cloud account. That way, if you lose the paper copies, you have photocopies that you can show to officials on your phone, or, if you have lost your phone, on a laptop or notebook computer.

 

  

 

Frommer’s:

https://www.frommers.com/tips/hotel-news/are-hotel-room-safes-safe-the-surprising-truth-behind-online-fears?utm_medium=flipdigest.ad.20240312&utm_source=email&utm_content=article&utm_campaign=campaign

 

 

 

 

Tuesday, March 12, 2024

IRS TAX SCAMS- Watching Out for IRS Impersonators

We are in the thick of the tax filing season. Here are some last-minute tips to help you avoid scammers and keep your personal information secure while you file your income taxes.

 

·         File early. OK, it might be too late for this tip during this tax season, but you can think about filing early for next year. The idea is to file your return before cybercriminals have the time to file a fake return in your name and collect any refunds that should belong to you.

·         Use an IP PIN. An Identity Protection PIN is a unique six-digit number that the IRS issues to taxpayers who ask for one. The IP PIN acts as a second method to verify that you are you. If your Social Security number has been involved in a data breach, the National Cybersecurity Alliance (NCA) recommends that you apply for an IP PIN. The PIN is a number that only you and the IRS know. You should not share it with anyone, and you should guard it as you do your other sensitive personal information.

·         Enable MFA. This is being repeated by cybersecurity professionals (for some it might be ad nauseam), but it is important to enable Multifactor Authentication for each of your online accounts. The purpose is to deter cybercriminals, who may have harvested your ID and password to any of your accounts, from gaining access to your accounts with only your password. If you did not initiate a login to one of your accounts and you receive a code through a text message or your authenticator app, then you should not approve the login. Be aware that there have been cases where hackers have attempted to log in to accounts multiple times within a short period of time until the legitimate account holder gives up and approves the login. Also, some scammers try to convince their victims to respond to a code. Never give anyone an MFA code!

·         Watch out for scammers. Scammers frequently impersonate IRS agents or employees. They will contact you via email, text, or phone. Sometimes scammers will also send a letter via mail claiming to be from the IRS. The IRS says that it will not initiate contact via email, text, or phone. It initially contacts taxpayers via the U.S. Mail. In instances where it contacts a taxpayer by phone or a visit at a home or business, the IRS has sent multiple notices via the mail. Also, the IRS will not demand immediate payment to any entity other than the U.S. Treasury.

 

Red flags to look out for include:

 

·         Requests for data such as bank account information, Social Security numbers, login credentials, or mailing addresses.

·         Communications that try to impose a sense of urgency by scaring you or coercing you into acting right away.

·         Attachments included in any message. Opening an attachment can expose your computer to malware or viruses.

·         Impersonating tax preparers. Scammers also impersonate employees from TurboTax and H&R Block. Tax preparers will not initiate contact with you through phone, email, or text message asking for your login information.

 

The danger of scammers impersonating the IRS exists throughout the year, not just during the income tax filing season. Keep these tips in mind if you receive an unexpected email, text message, or phone call from someone claiming to be from the IRS.

 

 

National Cybersecurity Alliance:

https://staysafeonline.org/resources/tax-time/?utm_medium=email&_hsmi=294494209&_hsenc=p2ANqtz-8BDIU5Vp2-NZRrQmJAQPwkxZzpaP_qI5FsNzQPaxpeZ7QdlQMFT5nyCMNshIwd7dZrXVF3cybm-pea2ssBoR5xlKng8g&utm_content=294494209&utm_source=hs_email

 

NBC News:

https://www.nbcnews.com/tech/security/s-need-know-tax-season-scams-rcna139839

 

IRS:

https://www.irs.gov/newsroom/tax-scamsconsumer-alerts?s=09

https://www.irs.gov/businesses/small-businesses-self-employed/tax-scams-how-to-report-them

 

 

 

 

 

Thursday, March 7, 2024

SNOHOMISH COUNTY SHERIFF’S OFFICE- Protecting Your Home While You Are Away on Vacation

The latest issue of the Snohomish County Sheriff’s Office’s crime prevention newsletter, “Partners in Crime Prevention,” is posted. This issue provides tips on how you can protect your home while you are away on vacation.

You can check it out at the following link,


Snohomish County Sheriff’s Office:

https://www.snohomishcountywa.gov/ArchiveCenter/ViewFile/Item/7128

 

 

 

Tuesday, March 5, 2024

SCAMS- Knowing How Government Agencies Will Communicate with You

Government agencies have specific ways that they communicate with the public. Often, however, scammers will send emails, text messages, and social media messages, or make phone calls, en masse and see who responds. As part of National Consumer Protection Week (March 3 through March 9) and Slam the Scam Day (March 7), the Social Security Administration is conducting an education campaign about imposter scams that pretend to be from the Social Security Administration. This includes what Social Security will and will not do.

Social Security says that it will never:

 

·         Threaten you with arrest or legal action because you don’t agree to pay money immediately.

·         Suspend your Social Security number.

·         Claim to need personal information or payment to activate a cost-of-living adjustment (COLA) or other benefit increase.

·         Pressure you to take immediate action, including sharing personal information.

·         Ask you to pay with gift cards, prepaid debit cards, wire transfers, cryptocurrency, or by mailing cash.

·         Threaten to seize your bank account.

·         Offer to move your money to a “protected” bank account.

·         Demand secrecy.

·         Direct message you on social media.

 

Social Security also points out that scammers are known to:

 

·         Use legitimate names of Office of Inspector General or Social Security Administration employees.

·         “Spoof” official government phone numbers, or even numbers for local police departments.

·         Send official-looking documents by U.S. mail or attachments through email, text, or social media message.

 

Most governmental agencies will not make initial contact with you through email, text, social media, or with a phone call. And they will not ask for money or your personal information. No matter how dire the person claims your situation is, don’t click on links or reply to an email, text, or social media message, and if they call you, hang up. If you want to talk to the agency, look up its contact information with a web search.

  

For more information on Social Security imposter scams check out this link,

Social Security Administration:

https://www.ssa.gov/scam/

 

Here is more information about government impersonation scams,

Federal Trade Commission:

https://consumer.ftc.gov/articles/how-avoid-government-impersonation-scam

 

Here is some general information about National Consumer Protection Week from the Better Business Bureau,

Better Business Bureau:

https://www.bbb.org/all/national-consumer-protection-week-partnership

 

 

 

 

Friday, March 1, 2024

UTILITY SCAMS- Beware of Ads

Most scams that we hear about warn of scammers pushing messages to us through email, text messages, and phone calls where the scammers are actively searching for someone to victimize. Malwarebytes Labs, a company that provides products that secure business and personal computer systems from intrusion, says that it has found a trend of fraudsters using online ads to scam people who are looking for help with their utility bills.

The assumption is that the fraudsters will have an easier time of tricking a potential victim if the victim is searching for help instead of receiving a call out of the blue.

The fraudsters will buy ads that show up on search engines such as Google. So far, the ads are only showing up on mobile phone searches. Malwarebytes found ads taken out by fraudsters masquerading as companies providing a legitimate service and ads by legitimate US entities that have been hacked. When someone clicks on a link in the ads, instead of sending them to a website it prompts them to call a phone number.

When you call the number, the scammer has a chance to control the interaction in their favor. Often, they will threaten the caller and try to scare them into making poor decisions, especially if the scammer is offering help with paying an overdue bill. They can also offer a deal on paying your utility bill that is too good to be true. But to get out of trouble, or receive your deal, you need to act right away.

Malwarebytes lists several domains that appear to be promoting utility scam ads (see the Malwarebytes article below).

Malwarebytes recommends:

 

·         Avoid any ad that you see in your search results. Most ads are marked as “Sponsored” or “Ad” or with a similar marking. Malwarebytes claims that malicious ads outnumber legitimate ads.

·         Watch out for ads or people you are talking to on the phone, etc. who try to give you a sense of urgency, such as threatening to cut off your power in a few days or a few hours.

·         Never disclose personal details over the phone.

·         Beware of requests for payment by money transfers or prepaid cards.

·         Contact your bank immediately if you realize that you paid a scammer by wire transfer to see if you can stop the payment.

·         Report the scam to the Federal Trade Commission at https://reportfraud.ftc.gov/#/.

 

If you have been victimized by a utility scam, the AARP also recommends that, in addition to notifying your bank and the FTC, you:

 

·         Contact the Washington State Attorney General’s Office, Consumer Protection Office at https://www.atg.wa.gov/file-complaint.

·         Contact the Washington Utilities and Transportation Commission at https://www.utc.wa.gov/consumers/consumer-complaints.

 

 

 

Malwarebytes:

https://www.malwarebytes.com/blog/threat-intelligence/2024/02/massive-utility-scam-campaign-spreads-via-online-ads

  

The following article from AARP lists several ploys that utility scammers use to steal your money,

AARP:

https://www.aarp.org/money/scams-fraud/info-2019/utility.html?intcmp=AE-FWN-LIB4-POS13

 

 

 

 

Tuesday, February 20, 2024

LYNNWOOD POLICE DEPARTMENT- Concerns About Carjackings

In a video released on Facebook and YouTube, Lynnwood Police Chief Cole Langdon has encouraged community members to be aware of their surroundings to curb carjackings. He noted that the police department has received messages of concern from the public about carjackings in the city. He also noted that the department has seen an uptick in carjackings lately.

Chief Cole recommended that as you go about your day, when you are driving, you remain aware of your surroundings and be on the lookout for any activity that appears unusual. One activity that you can look for is someone intentionally following you. He recommended that if someone appears to be following you, you turn down a different street to see if they continue to be behind you.

If you feel you are being followed by a suspicious vehicle, go to a public place, and call 911. Tell the call taker where you are, what your concern is, and ask for an officer to meet you. The officer can check out the area. Chief Cole also emphasized not to feel embarrassed in calling 911. It’s better to ask for help and find out it is a false alarm than to be a carjacking victim.

A final bit of advice from the chief is not to confront the other vehicle but to extricate yourself from the situation.

Note: Carjackings have made the press in the Puget Sound region lately, indicating that they are a growing problem in the area. While Chief Cole’s remarks are targeted at the citizens of Lynnwood, his advice is relevant to all of Snohomish County.

  

 

Lynnwood Police Department:

https://www.youtube.com/watch?v=KngZjmed10w

 

Lynnwood Times:

https://lynnwoodtimes.com/2024/02/18/lynnwood-violent-crime-2024/?s=09