All organizations should consider working with a cyber threat intelligence firm to send test “Phishing” emails to random employees on a regular basis. This will test employee vulnerabilities to provide subsequent remediation plans. Training and instruction from cyber professionals are always cheaper than absorbing the costs of remediation, paying ransoms or having confidential data exposed or auctioned to the highest bidder.
Researchers at two security firms are tracking separate phishing campaigns that targeted customers of Wells Fargo and Bank of America, according to a pair of reports. A report from security firm Armorblox says researchers discovered a phishing campaign that was targeting a select group of Bank of America customers to ensure that the malicious emails would bypass various security tools to reach the intended victim.
Abnormal Security researchers are investigating a much larger campaign aimed at Wells Fargo customers. The criminal hackers are imitating the bank's security team and alerting victims with a fake message indicating if they do not update their security key, they will lose access to their account.
In both cases, the victims are directed to malicious domains where they are asked to input their credentials, which are then harvested by the hackers. While neither report indicated if these campaigns had been successful, the Abnormal Security researchers note that the Wells Fargo phishing emails may have reached as many as 20,000 inboxes.
While separate, the two phishing campaigns show that bank customers' credentials remain valuable to criminals, either to take over an account or sell account credentials to other cybercriminals through underground forums. Financial institutions have always been one of the highest-profile targets for cyberattacks. The attack landscape is no better or worse today than it was at the beginning of the year for financial institutions already dealing with targeted attacks. Remember Willie Horton, the infamous bank robber when asked why he robbed banks, his reply was, “That is where the money is.”
Recently, Congressional lawmakers heard expert testimony about new waves of threats targeting the US financial sectors, which include phishing attacks that can spread malware and do other damage.
In the Bank of America campaign discovered by Armorblox earlier this month, the hackers sent phishing emails to customers asking them to update their email addresses. If the victim clicked on a malicious link embedded in the message, they were taken to a domain designed to look like the actual Bank of America login page, according to the report. This fake domain is controlled by the criminals and collects usernames and passwords if those credentials were inputted into the fields. The phishing emails were sent through a personal Yahoo account via SendGrid. The messages were also sent in small batches, which may explain how the bad actors skirted Microsoft’s security tools as well as secure email gateways.
The phishing emails also bypassed authentication procedures, such as the Domain-based Message Authentication, Reporting and Conformance, DMARC, as well as DomainKeys Identified Mail and Sender Policy Framework. Although the sender's name of Bank of America was impersonated, the email was sent from a personal Yahoo account via SendGrid. This resulted in the email successfully passing all authentication checks such as SPF, DKIM, and DMARC. The malicious domain additionally used various art and design elements found on other Bank of America sites. Since the domain had only been registered as of 01 June 2020, this could have helped the phishing campaign bypass security as well.
In the Wells Fargo phishing campaign, the hackers attempted to steal customers' data, such as usernames, passwords, PINs and account numbers. In this case, victim users would receive phishing emails that appear to come from the Wells Fargo security team that asks customers to update their security key. Included in the email is an ICS calendar file that is supposed to store scheduling information. If the victim opens the calendar file, it contains a link to SharePoint page, which then asks the target to open yet another webpage. This final page is the malicious domain controlled by the bad actors and it is designed to look like a legitimate Wells Fargo website. If customers' data is inputted, it is collected by the attackers. The cybersecurity report also highlights that the calendar invite file is designed to encourage victims to click and asks that they open it up on their mobile device. Very tricky.
While both phishing campaigns used various technical techniques, the threat research teams noted that these cyber-attacks, especially the one aimed at Bank of America customers, also utilized social engineering techniques to lure victims. Exploiting ‘human nature’ can be just as destructive as exploiting cyber vulnerabilities. Technical safeguards such as email filters and authentication checks can help prevent certain phishing emails from reaching your inbox, but not all. Determined bad actors will invariably still find ways to ensure their lures reach their targets, such as the case with more targeted spear-phishing attacks.
Since it is always Open Season for Phishing:
- Look closely are all email transactions, especially those dealing with financial and proprietary information. Some emails have only one letter off or were spoofed.
- Use 2-Party authentication for all e-communications and data transfer.
- Never be afraid to pick up the phone and talk directly with a person sending an email who is requesting money or sensitive information.
- Have close working relationships with your C-Suite, Physical Security, Cyber Security (IT), HR and in this case the financial units. What can you do to better protect your organization today?
- Proper data back-up and off-site storage policies should be adopted and followed.
- Institute cyber threat and phishing training for all employees, with testing and updating.
- Phishing is normally the first step in a broader attack campaign.
- Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
- Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.
- RedXray customers can receive up to $100,000 in ransomware coverage at no additional expense to them.
- Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.
Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives. Internal monitoring is common practice. However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting. Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization.For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com