Security researchers from Armorblox published a report on recently discovered phishing attacks in which attackers impersonate Chase Bank. The phishing emails bypassed Microsoft Exchange's email security protections. They fool victims by creating realistic customer situations, and their ultimate goal is to steal the victim's credentials.
The attacks are built around situations that could plausibly happen to any customer. One lure claims that a credit card statement is ready; the other informs users that access to their account has been limited due to unusual login activity. Whatever the pretext, the main goal is stealing credentials.
Microsoft Exchange security comprises two protections: Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO). The attacks passed both protections on their way to customer inboxes. In its analysis of the attacks, Armorblox reported sizeable figures: the first set of emails went out to 9,000 inboxes in an Armorblox customer's environment, and the other reached 8,000.
According to a post by Preet Kumar, senior manager of customer success at Armorblox:
These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users.
Credit Card Statement Spoofed
In the first attack, threat actors sent an email titled “Your Credit Card Statement Is Ready”. To look legitimate, the sender name is set to “JP Morgan Chase” and the HTML fonts and styles mimic genuine emails sent by Chase. The email contains links for the victim to check their account information, such as viewing their statement and making payments. When the victim clicks a link, it takes them to a malicious page designed to look like Chase's login portal, where they are asked for their bank account credentials. Researchers concluded that the domain hosting the page was most likely purchased by the attackers and is hosted with NameSilo.
“Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender to a safe recipient, or was from an email source server on the ‘IP Allow’ list,”
Kumar further noted:
“Services like this are beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals looking to launch successful phishing attacks,”
Customer Care Spoof
In the second attack, the attackers message customers while posing as the Chase fraud department, warning them that access to their account has been limited because of an unusual login attempt.
Their message is usually titled “URGENT: Unusual sign-in activity”.
The sender name reads “Chase Bank Customer Care”, and the email carries a malicious link. The attackers present the link as a way for customers to verify their account and restore access. They also use a common tactic: different “from” and “reply-to” addresses.
Clicking the link takes the user to a phishing page that instructs them to enter their credentials. According to the post, however, the page had been deactivated by the time of the investigation.
The account verification email also bypassed the Exchange detections and was deemed safe with a Spam Confidence Level rating of “1”. The attackers were thorough: the subject lines, sender names, and brand impersonation, with fonts, style, and layout copied exactly from the original, all played a key role in users falling victim to this attack.
How To Avoid These Scams
There are some clear telltale signs that both emails are suspicious, but only if recipients know what to look for. Both use the aforementioned technique of different reply-to and from addresses. The landing page looks like a legitimate Chase page, but its URL does not match the company's website domain. It also lacks the security step that genuine Chase pages present before users enter private details.
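The telltale signs above (a brand display name on a non-brand sender domain, a reply-to domain that differs from the from domain, and links leading off the company's domain) can be checked mechanically. The following is an added example, not code from Armorblox or the report; the sample message, the brand keyword list and the domain list are constructed for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the "URGENT: Unusual sign-in activity" lure
# described above; addresses and hosts are placeholders, not real indicators.
SAMPLE_EML = """\
From: "Chase Bank Customer Care" <alerts@example-notifications.test>
Reply-To: support@mailbox-example.test
To: victim@example.test
Subject: URGENT: Unusual sign-in activity
Content-Type: text/html

<html><body><p>We limited access to your account after an unusual
sign-in attempt.</p>
<a href="https://chase-secure-verify.example.test/login">Verify your account</a>
</body></html>
"""

# Assumed brand keywords and legitimate domains for the impersonated brand.
BRAND_KEYWORDS = ("chase", "jp morgan", "jpmorgan")
BRAND_DOMAINS = ("chase.com", "jpmorgan.com", "jpmorganchase.com")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _under(host: str, domains) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in domains)

def phishing_indicators(raw: str) -> list:
    """Return the telltale signs found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    hits = []
    # 1. Display name claims the brand, but the sender domain is not the brand's.
    if (any(k in name.lower() for k in BRAND_KEYWORDS)
            and not _under(_domain(from_addr), BRAND_DOMAINS)):
        hits.append("brand display name with non-brand sender domain")
    # 2. Reply-To points to a different domain than From.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        hits.append("reply-to domain differs from from domain")
    # 3. Links in the body lead outside the brand's domains.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in re.findall(r'href="([^"]+)"', text):
        host = urlparse(url).hostname or ""
        if not _under(host, BRAND_DOMAINS):
            hits.append("link to non-brand host: " + host)
    return hits
```

A genuine notification (sender and links on chase.com, no mismatched reply-to) returns an empty list, so the function can gate a mail-flow rule or a triage queue.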
“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” said Kumar. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible.”
This is neither the first nor the last attack on Chase customers. Like other banks, Chase has been targeted many times with the same messaging technique. Users are advised to be cautious of such messages and, in particular, not to enter any information on a site before confirming it is genuine. For added security, follow these steps:
- Use multi-factor authentication on all accounts.
- Use a password manager.
- Avoid using the same password for multiple accounts.
- Don’t use your date of birth or other personal information as a password.
- Don’t use generic passwords like 12345, abcde, etc.