Tag: CERN

It Might Be Our Data, But It’s Not Our Breach


A cybersecurity firm says it has intercepted a large, unique stolen data set containing the names, addresses, email addresses, phone numbers, Social Security Numbers and dates of birth on nearly 23 million Americans. The firm’s analysis of the data suggests it corresponds to current and former customers of AT&T. The telecommunications giant stopped short of saying the data wasn’t theirs, but it maintains the records do not appear to have come from its systems and may be tied to a previous data incident at another company.

Milwaukee-based cybersecurity consultancy Hold Security said it intercepted a 1.6 gigabyte compressed file on a popular dark web file-sharing site. The largest item in the archive is a 3.6 gigabyte file called “dbfull,” and it contains 28.5 million records, including 22.8 million unique email addresses and 23 million unique SSNs. There are no passwords in the database.

Hold Security founder Alex Holden said a number of patterns in the data suggest it relates to AT&T customers. For starters, email addresses ending in “att.net” accounted for 13.7 percent of all addresses in the database, with addresses from SBCGlobal.net and Bellsouth.net — both AT&T companies — making up another seven percent. In contrast, Gmail users made up more than 30 percent of the data set, with Yahoo addresses accounting for 24 percent. More than 10,000 entries in the database list “none@att.com” in the email field.

Hold Security found these email domains account for 87% of all domains in the data set. Nearly 21% belonged to AT&T customers.

Holden’s team also examined the number of email records that included an alias in the username portion of the email, and found 293 email addresses with plus addressing. Of those, 232 included an alias that indicated the customer had signed up at some AT&T property; 190 of the aliased email addresses were “+att@”; 42 were “+uverse@,” an oddly specific reference to a DirecTV/AT&T entity that included broadband Internet. In September 2016, AT&T rebranded U-verse as AT&T Internet.

According to its website, AT&T Internet is offered in 21 states, including Alabama, Arkansas, California, Florida, Georgia, Indiana, Kansas, Kentucky, Louisiana, Michigan, Missouri, Nevada, North Carolina, Ohio, Oklahoma, Tennessee, Texas and Wisconsin. Nearly all of the records in the database that contain a state designation corresponded to those 21 states; all other states made up just 1.64 percent of the records, Hold Security found.

Image: Hold Security.

The vast majority of records in this database belong to consumers, but almost 13,000 of the entries are for corporate entities. Holden said 387 of those corporate names started with “ATT,” with various entries like “ATT PVT XLOW” appearing 81 times. And most of the addresses for these entities are AT&T corporate offices.

How old is this data? One clue may be in the dates of birth exposed in this database. There are very few records in this file with dates of birth after 2000.

“Based on these statistics, we see that the last significant number of subscribers born in March of 2000,” Holden told KrebsOnSecurity, noting that AT&T requires new account holders to be 18 years of age or older. “Therefore, it makes sense that the dataset was likely created close to March of 2018.”

There was also this anomaly: Holden said one of his analysts is an AT&T customer with a 13-letter last name, and that her AT&T bill has always had the same unique misspelling of her surname (they added yet another letter). He said the analyst’s name is identically misspelled in this database.
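The attribution checks Hold Security applied above (share of AT&T-owned mail domains, brand names in plus-addressed usernames, the state footprint, and the youngest date of birth combined with the 18-and-over sign-up rule) can be run mechanically over any leaked record set to decide whether it plausibly concerns your own customers. The following is an added example, not Hold Security's or KrebsOnSecurity's tooling; the records, the state list and the domain list are constructed for illustration, and the snapshot estimate assumes the 18-year minimum age the article cites.

```python
"""Attribution heuristics for a leaked record set (added example; the
records below are constructed, not taken from any real dump)."""
from collections import Counter
from datetime import date
import re

# Constructed sample records: (email, US state, date of birth)
SAMPLE_RECORDS = [
    ("alice@att.net", "TX", date(1975, 4, 2)),
    ("bob+att@gmail.com", "CA", date(1988, 11, 30)),
    ("carol@sbcglobal.net", "FL", date(1999, 12, 5)),
    ("dave@yahoo.com", "OH", date(2000, 3, 14)),
    ("erin+uverse@outlook.com", "GA", date(1964, 7, 21)),
    ("frank@bellsouth.net", "AL", date(1991, 1, 9)),
    ("grace@gmail.com", "WA", date(1982, 9, 17)),
    ("none@att.com", "TX", date(1970, 5, 5)),
]

# Mail domains the article treats as AT&T-owned consumer domains.
ATT_DOMAINS = {"att.net", "sbcglobal.net", "bellsouth.net"}
# Brand aliases the article found in plus-addressed usernames.
BRAND_ALIASES = ("att", "uverse")
# Matches "user+alias@..." and captures the alias.
PLUS_RE = re.compile(r"^[^+@]+\+([^@]+)@")


def domain_shares(records):
    """Fraction of records per mail domain, e.g. {'gmail.com': 0.25, ...}."""
    counts = Counter(email.rsplit("@", 1)[1].lower() for email, _, _ in records)
    total = sum(counts.values())
    return {domain: n / total for domain, n in counts.items()}


def provider_share(records, domains=ATT_DOMAINS):
    """Combined share of the given provider's domains."""
    return sum(s for d, s in domain_shares(records).items() if d in domains)


def plus_aliases(records):
    """Count plus-address aliases that name one of the brand aliases."""
    counts = Counter()
    for email, _, _ in records:
        match = PLUS_RE.match(email.lower())
        if match and match.group(1) in BRAND_ALIASES:
            counts[match.group(1)] += 1
    return dict(counts)


def footprint_share(records, states):
    """Fraction of records with a state that fall inside `states`."""
    with_state = [s for _, s, _ in records if s]
    return sum(1 for s in with_state if s in states) / len(with_state)


def latest_birth_month(records):
    """(year, month) of the youngest record in the set."""
    latest = max(dob for _, _, dob in records)
    return latest.year, latest.month


def estimated_snapshot(records, min_age_years=18):
    """If sign-up requires a minimum age, the youngest record bounds how old
    the snapshot can be: youngest birth month plus the minimum age."""
    year, month = latest_birth_month(records)
    return year + min_age_years, month


if __name__ == "__main__":
    service_states = {"TX", "CA", "FL", "OH", "GA", "AL"}  # constructed footprint
    print("provider share:", provider_share(SAMPLE_RECORDS))
    print("brand aliases:", plus_aliases(SAMPLE_RECORDS))
    print("footprint share:", footprint_share(SAMPLE_RECORDS, service_states))
    print("estimated snapshot:", estimated_snapshot(SAMPLE_RECORDS))
```

On the constructed sample the youngest record was born in March 2000, so the snapshot estimate comes out as March 2018, the same reasoning Holden applies above. On a real dump the interesting signal is the gap between the provider share and what you would expect from general-population mail usage, combined with a footprint that matches the service area; no single heuristic is conclusive on its own.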

KrebsOnSecurity shared the large data set with AT&T, as well as Hold Security’s analysis of it. AT&T ultimately declined to say whether all of the people in the database are or were at some point AT&T customers. The company said the data appears to be several years old, and that “it’s not immediately possible to determine the percentage that may be customers.”

“This information does not appear to have come from our systems,” AT&T said in a written statement. “It may be tied to a previous data incident at another company. It is unfortunate that data can continue to surface over several years on the dark web. However, customers often receive notices after such incidents, and advice for ID theft is consistent and can be found online.”

The company declined to elaborate on what they meant by “a previous data incident at another company.”

But it seems likely that this database is related to one that went up for sale on a hacker forum on August 19, 2021. That auction ran with the title “AT&T Database +70M (SSN/DOB),” and was offered by ShinyHunters, a well-known threat actor with a long history of compromising websites and developer repositories to steal credentials or API keys.

Image: BleepingComputer

ShinyHunters established the starting price for the auction at $200,000, but set the “flash” or “buy it now” price at $1 million. The auction also included a small sampling of the stolen information, but that sample is no longer available. The hacker forum where the ShinyHunters sales thread existed was seized by the FBI in April, and its alleged administrator arrested.

But cached copies of the auction, as recorded by cyber intelligence firm Intel 471, show ShinyHunters received bids of up to $230,000 for the entire database before they suspended the sale.

“This thread has been deleted several times,” ShinyHunters wrote in their auction discussion on Sept. 6, 2021. “Therefore, the auction is suspended. AT&T will be available on WHM as soon as they accept new vendors.”

The WHM initialism was a reference to the White House Market, a dark web marketplace that shut down in October 2021.

“In many cases, when a database is not sold, ShinyHunters will release it for free on hacker forums,” wrote BleepingComputer’s Lawrence Abrams, who broke the news of the auction last year and confronted AT&T about the hackers’ claims.

AT&T gave Abrams a similar statement, saying the data didn’t come from their systems.

“When asked whether the data may have come from a third-party partner, AT&T chose not to speculate,” Abrams wrote. “‘Given this information did not come from us, we can’t speculate on where it came from or whether it is valid,’” AT&T told BleepingComputer.

Asked to respond to AT&T’s denial, ShinyHunters told BleepingComputer at the time, “I don’t care if they don’t admit. I’m just selling.”

On June 1, 2022, a 21-year-old Frenchman was arrested in Morocco for allegedly being a member of ShinyHunters. Databreaches.net reports the defendant was arrested on an Interpol “Red Notice” at the request of a U.S. federal prosecutor from Washington state.

Databreaches.net suggests the warrant could be tied to a ShinyHunters theft in May 2020, when the group announced they had exfiltrated 500 GB of Microsoft’s source code from Microsoft’s private GitHub repositories.

“Researchers assess that Shiny Hunters gained access to roughly 1,200 private repositories around March 28, 2020, which have since been secured,” reads a May 2020 alert posted by the New Jersey Cybersecurity & Communications Integration Cell, a component within the New Jersey Office of Homeland Security and Preparedness.

“Though the breach was largely dismissed as insignificant, some images of the directory listing appear to contain source code for Azure, Office, and some Windows runtimes, and concerns have been raised regarding access to private API keys or passwords that may have been mistakenly included in some private repositories,” the alert continues. “Additionally, Shiny Hunters is flooding dark web marketplaces with breached databases.”

Last month, T-Mobile agreed to pay $350 million to settle a consolidated class action lawsuit over a breach in 2021 that affected 40 million current and former customers. The breach came to light on Aug. 16, 2021, when someone started selling tens of millions of SSN/DOB records from T-Mobile on the same hacker forum where ShinyHunters would post their auction for the claimed AT&T database just three days later.

T-Mobile has not disclosed many details about the “how” of last year’s breach, but it said the intruder(s) “leveraged their knowledge of technical systems, along with specialized tools and capabilities, to gain access to our testing environments and then used brute force attacks and other methods to make their way into other IT servers that included customer data.”

A sales thread tied to the stolen T-Mobile customer data.


Summer of exploitation leads to healthcare under fire

May 2021 was a tough month for the Healthcare and Medical sector. The most notable threat trend at the time was the heavy use of a new, popular exploit against Dell systems, which led attackers to make an immense effort to use the exploit before patching made it less effective.

During this period, hospitals in central Florida were hit with malicious attacks that disrupted their operations and forced them to conduct business via pen and paper. In addition, a hospital system in Southern California was forced to modify how it did business due to a cyberattack. The San Diego-based health system quickly moved its information technology program offline to reduce the damage done by the attack. However, it also put a roadblock in the way of legitimate employees and customers trying to access their medical information online.

Figure 1. United States Healthcare and Medical Threat Family Detections by Month

After the spike in May, CVE-2021-21551 detections dropped to about a quarter of the original numbers, and remained there throughout the year, except for another spike in February 2022. It seems the primary targets for these attacks were healthcare and medical organizations in Pensacola, FL, but detections for New York, Wisconsin and New Jersey weren’t far behind.

Heavy detections of TrickBot were observed, especially against organizations in York, Pennsylvania during the first three months of 2021. But detections of this threat all over the United States quickly dropped beginning in April 2021 and steadily declined throughout the time period. TrickBot isn’t a stranger to healthcare organizations and has historically targeted them for the sake of launching ransomware or causing operational disruption.

This threat is even a concern to the US Government, which released an alert through the CISA portal in October 2020 about the danger of the TrickBot organization specifically targeting healthcare organizations.

Figure 2. United States Healthcare & Medical Family Threat Detections Pie Chart

In August and September, we observed significant spikes of AI behavioral-based detections, which line up with a series of newsworthy healthcare breaches during the same period.

For example, a healthcare group in central Indiana was the victim of an attack that led to a ransomware infection and the loss of patient and employee information, which was then released on the dark web. The attack itself occurred in early August and forced organizations to turn away ambulances for several days, an action which led to the death of a person in Germany.

Another attack in early August, this time against a healthcare management firm in Dallas, Texas, resulted in the theft of valuable information, including patient information, health insurance and financial data. 

Securing healthcare and medical organizations

Our recommendations for securing healthcare and medical organizations start with acknowledging that securing these organizations from every possible threat is not possible. Therefore, when considering how to defend against a ransomware attack, be sure to account for getting operations back online after an attack. This includes having plans for operating the business without the use of computers and establishing secure backups of sensitive data off-site and off-line, while still following HIPAA protocol.

Beyond that, this industry has dealt with lots of heavy attacks originating from both attempts to exploit vulnerabilities and spear phishing. Quickly patching vulnerabilities is a high priority; however, given that quick patching isn’t always an option, times like these require risk reduction, such as removing non-patchable endpoints from direct Internet access, creating additional layers of authentication to access high value systems, and a thorough review of user accounts and permissions to tighten up who has access to what.

Finally, many of these organizations utilize mobile stations for inputting or reviewing data. These systems should not be able to use USB drives. They should have screen protectors to prevent unintended information disclosure, and they should be completely wiped and re-imaged on a regular basis to ensure removal of any hidden rootkit-level threats.


CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a recently disclosed security flaw in the UnRAR utility to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

Tracked as CVE-2022-30333 (CVSS score: 7.5), the issue concerns a path traversal vulnerability in the Unix versions of UnRAR that can be triggered upon extracting a…
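The bug class CISA's catalog entry describes, path traversal during extraction, is defended against by checking every entry name against the destination directory before anything is written. The following is an added example and is neither UnRAR's code nor a reproduction of its specific defect; the destination path and entry names are constructed, and the backslash handling and drive-letter check are assumptions about what a cautious extractor on Unix should treat as separators and absolute paths.

```python
"""Pre-write guard for archive extraction (added example; entry names and the
destination directory below are constructed, not from any real archive)."""
import os
import posixpath
import re

# Assumption: a Windows drive-letter prefix should count as an absolute path.
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def normalized_entry(name: str) -> str:
    """Treat backslashes as separators (assumption) and collapse '.'/'..'
    components so that later checks see one canonical relative form."""
    return posixpath.normpath(name.replace("\\", "/"))


def is_safe_entry(dest: str, name: str) -> bool:
    """True only if writing `name` beneath `dest` cannot leave `dest`."""
    rel = normalized_entry(name)
    # Empty names, absolute POSIX paths and drive-letter paths are rejected.
    if rel in ("", ".") or rel.startswith("/") or DRIVE_RE.match(rel):
        return False
    # normpath keeps leading '..' components; any that survive escape dest.
    if any(part == ".." for part in rel.split("/")):
        return False
    # Resolve symlinks on both sides: if an earlier entry created a symlink
    # inside dest pointing elsewhere, realpath exposes the real target.
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, rel))
    return os.path.commonpath([dest_real, target]) == dest_real


def filter_entries(dest: str, names):
    """Split entry names into (accepted, rejected) without touching disk."""
    accepted, rejected = [], []
    for name in names:
        (accepted if is_safe_entry(dest, name) else rejected).append(name)
    return accepted, rejected


# Constructed entry names covering the cases a guard must handle.
SAMPLE_ENTRIES = [
    "docs/readme.txt",          # plain relative path: accepted
    "docs/../docs/notes.txt",   # '..' that stays inside: accepted after normalisation
    "../../escaped.txt",        # climbs out of dest: rejected
    "/absolute/path.txt",       # absolute path: rejected
    "..\\..\\escaped.txt",      # backslash traversal: rejected
    "a/b/../../../escaped",     # net effect is '../escaped': rejected
]

if __name__ == "__main__":
    ok, bad = filter_entries("/tmp/extract-demo", SAMPLE_ENTRIES)
    print("accepted:", ok)
    print("rejected:", bad)
```

The check runs before any file is created, so a rejected entry never reaches the filesystem; resolving the destination with realpath on every entry is what catches the case where an earlier entry planted a symlink inside the destination, which a purely string-based check would miss.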

Bank fraud scammers trick victims with claims of bogus Zelle transfers

It pays to be careful where cold calls from someone claiming to work for your bank are concerned. Scam callers are impersonating bank staff, with suggestions of dubious payments made to your account. One unfortunate individual has already lost around $1,000 to this slice of telephone-banking based fraud. With a little press intervention they were lucky enough to get it back. Sadly most people don’t get that far.

What’s happening, and how can you avoid it?

An unauthorised payment: A scammer’s steps to success

This attack has several steps. Here’s how it plays out:

The scam begins with a call from a supposed fraud team. This is a common confidence trick: it sounds convincing and it has a sense of urgency built in. The call also spoofs the caller ID of the bank, another easy-to-pull-off tactic which makes the call look more plausible.
Setting the recipient of the call off-balance is the aim of the game. And what better way to have them second guess themselves than by referring to technology they may not have used before? In this case, the scammer claims the victim’s bank account has made a fraudulent Zelle transfer of $1,000 to somebody in Texas. Zelle is a US based digital payments network. To the recipient of such a call, it may well just sound like a big scary thing has happened to their money which they don’t fully understand.
Adding some time-based pressure is the final blow. “Hurry up and follow my dubious instructions or you lose all of your money” is a very successful tactic. Victims are dissuaded from calling their bank directly because they would just be “redirected back to the fraud team”. In this case, the victim was told to reverse the transaction by punching in a code given to them by the fraudster. After the first $1,000 vanished, the scammer risked it all on another claim of $5,000 in fraudulent transfers. Thankfully, the victim was having none of it and more losses were averted.

Am I protected?

It’s trickier than ever to deal with a case of banking fraud. Banks and payment systems increasingly put the onus on the individual to not get caught out by deception. If you bank online and send people money, you’ll likely have gone through a fraud check flow.

This is where the site asks you to confirm who you’re sending money to and why. If you select “romance” (for example), you’ll be warned about romance scams and eventually you’ll tick a box to confirm that you recognise the risks. If something goes wrong, on your own head be it.

This is almost note for note what happened to the person in the news story above. The bank said that because the victim “authorised” the payment, no protection was in place. This is clearly not an accurate reading of what happened, and the money request was clearly fraudulent. Even so, this is what you may have to contend with should you wander into a fraud situation.

Watch out for red flags

There are several aspects of this attack, common to many others, which may indicate a fraud attempt.

They don’t want you to call the bank back. If you do this, the fraud falls to pieces. A genuine member of staff would have no issue with you calling them yourself.
Pressure tactics. If a bank calls you out of the blue and claims that they’re powerless to stop something without your assistance, be very cautious. Is your bank really unable to perform a basic banking action?
Knowing your date of birth, address, and other information doesn’t mean the caller is genuine. They may have obtained the data from a phish, or a security breach.
Referencing third party payment apps may be another red flag, especially if they talk about technology you’ve not used before.

Ransomware protection with Malwarebytes EDR: Your FAQs, answered!

We get a few questions about ransomware protection and how our Endpoint Detection and Response software can protect you from ransomware. In this post, our security experts answer some of your most frequently asked questions about ransomware and how our EDR can help—let’s get started.

Q: When considering an EDR solution, what anti-ransomware features should I be looking for?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“First, it should quickly identify and isolate systems that are infected with ransomware. Second, it should detect ransomware-like behavior and automatically kill and remove the threat from the system. Third, it should provide options for file recovery (in case something does get encrypted). Fourth, it should have features that are valuable for detecting and thwarting malware in general, such as exploit prevention, behavioral detection of never-before-seen malware, malicious website blocking, and brute force protection.”

Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes:

“Ransomware stems from the exploitation of trust. We know that in society and computer systems, trust is essential and foundational for communication productivity and growth. What’s needed is encapsulated in a principle called trust-but-verify! In the context of EDR, trust-but-verify means the algorithmic “detection” part of EDR must employ heuristics to look for anomalous encryption that deviates from known-good encryption. This is the trust-but-verified part of a modern EDR tool. To make the EDR tool a solution, it must offer four essential functionalities:

Contain threats, allowing time to investigate and document.
Easy, non-vendor-specific language describing detected suspicious activity.
Precision instrumentation for eradicating malware, potentially unwanted programs, and potentially unwanted changes.
Instrumentation to search for indicators across the rest of your managed endpoints for early signs.”

Q: Other than the percentage of malware-detected efficacy, what other factors should I consider when acquiring an anti-ransomware solution? 

Robert Zamani, Regional Vice President, Americans Solutions Engineering at Malwarebytes:

“Other than efficacy, you need to look also at integration—the EDR must become part of your system. It should not be a standalone solution; it should be usable and not complex. Have a “single pane of glass”—with Malwarebytes cloud-based Nebula platform, for example, you have access to an intuitive UI which helps you gain visibility into all activity across your entire organization. If I could summarize it into a single sentence, you don’t want just a next-gen solution; you need a solution that any IT professional will understand without specialized cyber-forensic knowledge.”

Q: How is detecting ransomware different from other malware?

Adam Kujawa, security evangelist and director of Malwarebytes Labs:

“Up until around 2013, most malware infections were problems that could easily be solved ‘after the fact’.  For example, a bank credential stealing bot can infect a system, steal your credentials and commit fraud. Well the bank can clear out those fraud charges, you can change your credentials and you can clean the system, suddenly the whole attack can be treated as an inconvenience rather than a significant disruption, almost like it didn’t happen. Ransomware, on the other hand, immediately encrypts files and sometimes locks down vital system settings used for recovery, as well as deleting locally stored backups, and it’s often used against multiple endpoints at the same time. So, recovery after the fact is nearly impossible without being prepared, or paying the ransom. This kind of threat requires a lot more planning, redundancy and threat monitoring than any other type of malware out there. Imagine regular malware infections as seasonal allergies, while ransomware is like being hit with pepper spray in the face.”

Q: How does Malwarebytes EDR protect against ransomware attacks?

Robert DeStefano, Senior Global Product Marketing Manager at Malwarebytes:

“First, Malwarebytes’ EDR anti-ransomware layer constantly monitors endpoint systems and automatically kills processes associated with ransomware activity. It features a dedicated real-time detection engine that does not use signatures, and doesn’t require updates. Second, our solution uses multiple combined modes of endpoint isolation, so if an endpoint is attacked, it can easily halt malware from spreading and causing harm—minimizing disruption to IT and users during attacks. Third—we give you up to 72 hours of ransomware rollback. We make use of local cache on each endpoint, storing all relevant changes to the device for up to 72 hours. If you’re infected, Malwarebytes simply backs out device changes and restores files that were encrypted, deleted, or modified. You don’t have to lose all that time reimaging an endpoint. And perhaps most importantly, all of this is offered through the ‘single pane of glass’ that Zamani mentioned earlier—meaning you can easily manage endpoints to prevent threats from entering, detect infections that find their way into your environment, and remediate with one click, keeping your servers and workstations secure against ransomware while keeping your end users productive.”

Q: How often and at what intervals are files backed up? How much space does it take?

David Pier, Senior Sales Engineer at Malwarebytes:

“Our file backup is not triggered on a time basis—it’s really driven by our activity monitoring feature. The backups are only going to be created in an instance where Malwarebytes has detected suspicious behavior. And for the second question, data storage space isn’t an issue, as our proprietary dynamic exclusion technology learns ‘good’ behavior of applications and minimizes storage utilization. Additionally, administrators can configure their policies to dynamically manage disk space requirements, based on the remaining available disk space.”

Q: Can you identify when the first infection took place and if the same threat process has been installed across the environment or on other devices, such as malicious scheduled tasks?

David Pier, Senior Sales Engineer at Malwarebytes:

“Yes! You can do this with the Flight Recorder feature of our EDR, which allows you to search event data captured from all of your managed endpoints to investigate and identify indicators of compromise. You can search data like files, registry, processes, and networking activity up to the past 7 days to threat hunt or analyze when a compromise occurred in your environment. You can search through file properties, such as the file hash or the file name, or you could leverage something like searching actual command line arguments that were used by the attacker to try and locate the original infection points.”

Q: How many full time employees are needed to deploy and manage your EDR?

David Pier, Senior Sales Engineer at Malwarebytes:

“That is something we hear very frequently at Malwarebytes; customers are coming from other EDR solutions or other security solutions, and a large concern is your team may only be two to three, maybe five people at most. An EDR solution that you might be interested in may require you to have full-time staff to manage, or configure it. Malwarebytes EDR is not that kind of solution. This is something that we’ve successfully deployed with teams as small as two people managing this. You do not need additional headcount, you don’t need a dedicated SOC to make this program work. That being said, this solution works very well at scale. We have customers with 1000s of endpoints running this solution and effectively using it as an EDR so really, it’s a tool built for customers of any size.”

Q: Would we need a physical server or can this be operated from a cloud-based system?

David Pier, Senior Sales Engineer at Malwarebytes:

“There’s no requirement for any physical architecture,” says Pier. “You could use it entirely cloud-based if you have cloud-based servers or cloud-based VMs. Really the only requirement we have is making sure that your endpoints can reach the Malwarebytes cloud infrastructure, which is all done through HTTPS traffic. So typically, it’s not something you need to customize unless you have a very restrictive network.”

Read about how companies used Malwarebytes EDR to fend off ransomware 

To help you understand the ransomware threat and how Malwarebytes EDR can help, we’ve curated a collection of customer case studies that illustrate the common patterns of ransomware protection and recovery across a variety of industry sectors and business sizes. Check out a few of them below!

City of Vidalia gains a ransomware and vulnerability-free zone

Mike Carney Toyota tackles the rising ransomware threat

Alden Central Schools gains peace-of-mind protection against ransomware threats

Phishy calls and emails play on energy cost increase fears

Gas and electricity price concerns are rife at the moment, with spiralling costs and bigger increases waiting down the line. Sadly this makes the subject valuable material for fraudsters, playing into people’s fears with a dash of social engineering to make them worse off than they were previously.

Warnings abound of several energy / cost of living-themed scams doing the rounds. Shall we take a look?

Identifiers of an attack

These attacks target individuals living in countries where oil or electricity prices are a concern. If you have an imminent set of price increases on the horizon, you may be a target. Phone calls, emails, whatever it takes to extract some cash. The UK is a particularly hot flashpoint for these fraud attempts at the moment.

The senders will typically claim to be from an organisation with authority. Maybe an energy watchdog, or a consumer rights group, or maybe an energy company.

Refunds, rebates, and discounts generally are the order of the day. There’s a number of schemes along these lines at the moment due to be rolled out, and you can expect fraudsters to ride on their coat tails.

Energy refund scam types

Fake rebates

This scam involves cold calling and a spin on the (genuine) rebate plan put together by the British Government. Fraudsters inform potential victims that they need to hand over bank details in order to qualify. Normally we’d say “this is not true”. However, there are some cases where people do hand over payment information. Local councils in the UK have reached out to many people pre-emptively to arrange rebate payments. Where the scammers have an angle is that lots of other residents have not been contacted.

In those cases, the onus is on the individual to reach out and apply. They can choose to have the rebate applied to their next local council bill, or have the money paid directly into their bank account. To do this, they need to hand over payment details. The caveat is that the person applying does this themselves, on their local council website. Nobody should be cold-calling asking for payment information.

Ofgem impersonators

Fraudsters are claiming to represent Ofgem, Britain’s independent energy regulator. They claim to be able to help you get a better energy deal and then ask for your payment details. These attacks come via text and email, and have been around for at least a month or so. Some of these also tap into the rebate scam, claiming to offer a “secure application” which is really just a phishing website.

Fake energy company refunds

This is a fairly common scam, just like fake tax refunds during tax season. They are definitely more relevant during the current energy crisis though. In this case, we’re talking fake refunds and a double-threat attack technique. The victim is lured in with emails offering a refund. Once the information is taken by the phishing website, the scammer calls the victim claiming to be working on behalf of their bank. The scammer goes on to highlight several types of fraud to be wary of, all the while trying to extract around $1,200 during the call.

How to avoid these threats

Any email or phone call asking for payment information is not going to be legitimate. You should also never be asked for login details for your online banking or other accounts by a cold-caller.
If you receive an unexpected call about energy prices or rebates, insist on calling “them” back directly on their official number, taken from an official website. If the caller objects to this, that’s an immediate red flag. A genuine caller would have no possible reason to object to this.
Bogus energy company websites are very popular and easy to set up. Visit only the official website listed in official correspondence, and pay close attention to URLs sent to you by text or email.

Stay safe out there!

The post Phishy calls and emails play on energy cost increase fears appeared first on Malwarebytes Labs.