Threat researchers have come across two new phishing scams targeting customers of JPMorgan Chase Bank. Both attacks deployed social engineering and brand impersonation tactics to steal customers' login credentials. While one scam involved an email that appeared to contain a credit card statement, the other impersonated a locked account workflow to falsely inform victims that access to their account had been blocked following the detection of unusual login activity.
Cyber threat researchers said that the first scam "skipped spam filtering because Microsoft determined that the email was from a safe sender to a safe recipient, or was from an email source server on the IP Allow list." The fraudulent email, titled "Your Credit Card Statement Is Ready," appeared to have been sent by "Jp Morgan Chase." Its content was fashioned to resemble genuine communications from the American national bank. "The email contained HTML stylings similar to genuine emails sent from Chase, and included links for the victim to see their statement and make payments," said the researchers.
Victims who clicked the links would be taken to a web page resembling the Chase login portal and asked to enter their banking account credentials. "Attackers often bank on victims not paying enough attention to inconsistencies like the URL not being from the Chase domain for example," said researchers. "They assume that because we have busy lives and overflowing inboxes, we will click before we think."
Researchers found that the malicious website had been registered with NameSilo, a budget Arizonian IT service management company that provides hosting, email, and SSL solutions. "Services like this are beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals looking to launch successful phishing attacks," noted researchers.
In the second attack, cyber-criminals impersonated the Chase Fraud Department with an email titled "URGENT: Unusual sign-in activity" that looked like it had been sent by "Chase Bank Customer Care." Inside the email was a malicious account verification link that victims were told to follow to restore access to their account.
Researchers shared a useful tip for spotting a phishing attack. They said the locked account impersonation attack had different "reply-to" and "from" addresses, "which is a common adversarial technique employed in email attacks."
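
The "reply-to" versus "from" comparison in the researchers' tip can be automated at the mail gateway or in triage. The following Python sketch is an added example, not code from the researchers or Red Sky Alliance; the function names are hypothetical, and the two sample messages with their `.example` domains are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

def _domains(msg, header):
    """Return the lower-cased address domains found in one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower().rstrip(".")
            for _, addr in pairs if "@" in addr}

def _related(a, b):
    """True when the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def reply_to_mismatch(raw_message):
    """Return the sorted Reply-To domains unrelated to every From domain.

    An empty list means there is no Reply-To header, or replies go back
    to the sending domain (or a parent/child of it).
    """
    msg = message_from_string(raw_message)
    from_domains = _domains(msg, "From")
    reply_domains = _domains(msg, "Reply-To")
    return sorted(r for r in reply_domains
                  if not any(_related(r, f) for f in from_domains))

# Constructed sample: display name and subject follow the article,
# the addresses are invented placeholders.
SUSPICIOUS = """\
From: "Chase Bank Customer Care" <alerts@customer-care.example>
Reply-To: <verify@mailbox-provider.example>
Subject: URGENT: Unusual sign-in activity

Your account has been locked.
"""

# Constructed sample: replies stay inside the sender's own domain tree.
BENIGN = """\
From: "Newsletter" <news@mail.bank.example>
Reply-To: support@bank.example
Subject: Monthly update

Hello.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, reply_to_mismatch(raw))
```

Legitimate mailing lists and third-party senders also set a Reply-To on a different domain, and sibling subdomains are flagged by this check, so a hit is one signal to weigh alongside SPF, DKIM and DMARC results rather than a verdict.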
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516