Threat actors are impersonating Chase Bank in two phishing attacks that slip past Microsoft Exchange security protections in a bid to steal credentials from victims, by spoofing real-life customer scenarios.
Researchers from Armorblox recently discovered the attacks, one of which claims to contain a credit card statement, while the other informs users that their online account access has been restricted due to unusual login activity, according to a post on the Armorblox blog posted Tuesday.
The first set of emails went out to 9,000 inboxes in an Armorblox customer’s environment and the other reached 8,000, Preet Kumar, senior manager of customer success at Armorblox, wrote in the post.
Both attacks managed to bypass two Microsoft Exchange security protections, Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO), on their way to customer inboxes, she said.
“These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users,” Kumar wrote.
In the first scenario, threat actors sent an email titled “Your Credit Card Statement Is Ready” with the sender name “JP Morgan Chase” with HTML stylings similar to genuine emails sent from Chase, according to the report. The email included links for the victim to see their statement and make payments.
“Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the ‘IP Allow’ list,” Kumar wrote in the report.
The links take potential victims to a phishing page that resembles the Chase login portal and asks for their online banking credentials, she said. Researchers surmised that the domain for the page was likely registered and hosted through NameSilo, which provides domain registration, hosting, email and SSL certificate services to customers.
“Services like this are beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals looking to launch successful phishing attacks,” Kumar observed.
Chase Customer Care Scam
The other phishing attack begins with an email titled “URGENT: Unusual sign-in activity” and claimed that the sender was “Chase Bank Customer Care,” Kumar said.
The email included a link that purportedly let customers verify their account to restore access, and it used a tactic common among scammers: the “from” and “reply-to” addresses were different, so that any reply to the displayed sender actually goes to a mailbox the attacker controls.
As with the other email, clicking on the link would lead to a phishing page that would try to get users to type in their credentials, according to the post. However, in this case, the page already was inactive by the time researchers investigated the campaign, they said.
The account-verification email also eluded Exchange detections: it was stamped with a Spam Confidence Level of “1”, a value Microsoft’s filtering assigns to messages it has judged not to be spam, Kumar noted.
How to Spot Phishing Emails
However, both emails carry clear telltale signs of being suspicious, provided recipients know what to look for, researchers said, outlining them in the post.
They include the aforementioned mismatch between the “reply-to” and “from” addresses; a landing page that looks as if it legitimately belongs to Chase but sits at a URL whose domain does not match the company’s; and a security-themed pretext that pressures the recipient into taking a secondary action and entering private details, they said.
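The three signals above (the SCL Exchange stamps on a message, a mismatch between the “from” and “reply-to” domains, and links whose host is not the brand’s own domain) can be checked mechanically from the raw message. The following is an added example written for this article, not code from Armorblox or Threatpost: it parses a constructed .eml modelled on the “Chase Bank Customer Care” lure, reads the SCL from Microsoft’s X-Forefront-Antispam-Report header, compares the sender domains, and flags off-brand link hosts. The sample addresses, the lookalike domain and the list of “legitimate” brand domains are assumptions made up for illustration.

```python
"""Added example: triage checks for the phishing signals described in the article.
The header name X-Forefront-Antispam-Report and the SCL field are Microsoft's
real ones; every address, domain and link below is constructed for illustration."""
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample lure: display name claims the brand, From and Reply-To
# domains differ, the link points at a lookalike host, and Exchange gave it SCL:1.
SAMPLE_EML = """\
From: "Chase Bank Customer Care" <alerts@example-notify.com>
Reply-To: support@example-collect.net
To: victim@example.org
Subject: URGENT: Unusual sign-in activity
X-Forefront-Antispam-Report: CIP:203.0.113.5;CTRY:US;SCL:1;SRV:;IPV:NLI
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Verify your account to restore access:
<a href="https://chase-secure-verify.example.com/login">Verify now</a></p>
</body></html>
"""

# Assumed set of domains the brand legitimately sends from and links to.
BRAND_DOMAINS = {"chase.com", "jpmorganchase.com"}


def extract_scl(msg):
    """Return the SCL Exchange stamped on the message, or None if absent."""
    report = str(msg.get("X-Forefront-Antispam-Report", ""))
    m = re.search(r"(?:^|;)SCL:(-?\d+)", report)
    return int(m.group(1)) if m else None


def domain_of(header_value):
    """Lower-cased domain of an RFC 5322 address header, or '' if none."""
    _, address = email.utils.parseaddr(str(header_value))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_brand_host(host, brand_domains=BRAND_DOMAINS):
    """True only for a brand domain or a true subdomain of one.
    'chase-secure-verify.example.com' and 'chase.com.example.net' are rejected."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)


def link_hosts(msg):
    """Hostnames of every href in the message's HTML (or plain) body."""
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    return [urlparse(u).hostname or "" for u in re.findall(r'href="([^"]+)"', text)]


def triage(raw_eml, brand_domains=BRAND_DOMAINS, brand_keyword="chase"):
    """Run the checks over one raw message and return a dict of findings."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    findings = {}

    # SCL -1: message skipped filtering (safe sender / allow list). SCL 0 or 1:
    # the filter judged it not spam. Neither value is evidence of legitimacy,
    # so it is recorded for context but does not clear the message.
    scl = extract_scl(msg)
    findings["scl"] = scl
    findings["skipped_filtering"] = scl == -1

    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", ""))
    findings["reply_to_mismatch"] = bool(reply_dom) and reply_dom != from_dom

    # Display name invokes the brand while the sending domain is not the brand's.
    display = email.utils.parseaddr(str(msg.get("From", "")))[0].lower()
    findings["display_name_spoof"] = (brand_keyword in display
                                      and not is_brand_host(from_dom, brand_domains))

    findings["offbrand_links"] = [h for h in link_hosts(msg)
                                  if not is_brand_host(h, brand_domains)]

    findings["suspicious"] = (findings["reply_to_mismatch"]
                              or findings["display_name_spoof"]
                              or bool(findings["offbrand_links"]))
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EML).items():
        print(f"{key}: {value}")
```

Note that the SCL is deliberately not used to clear a message: as the article describes, both lures arrived with values (-1 and 1) that look benign, so the sender and link checks have to stand on their own. The brand-domain test is a suffix match on a dot boundary, which is what distinguishes a real subdomain of chase.com from a lookalike that merely contains the word.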
“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” Kumar wrote. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible.”
The attacks are not the first time Chase customers have been targeted in phishing attacks, and it likely won’t be the last. The bank was one of several–including Royal Bank of Canada and TD Bank–targeted in an SMS phishing campaign revealed in February 2020 that used bogus security text messages to target users of online banking apps.
Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on Wed, May 12 at 2:00 PM EDT. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.