Two phishing attacks elude Exchange security protections and spoof real-life account scenarios in an attempt to fool victims.
Threat actors are impersonating Chase Bank in two phishing attacks that can slip past Microsoft Exchange security protections in an aim to steal credentials from victims — by spoofing real-life customer scenarios.
Researchers from Armorblox recently discovered the attacks, one of which claims to contain a credit card statement, while the other informs users that their online account access has been restricted due to unusual login activity, according to a post on the Armorblox blog published Tuesday.
The first set of emails went out to 9,000 inboxes in an Armorblox customer’s environment and the other reached 8,000, Preet Kumar, senior manager of customer success at Armorblox, wrote in the post.
Both attacks managed to bypass two Microsoft Exchange security protections, Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO), on their way to customer inboxes, she said.
“These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users,” Kumar wrote.
In the first scenario, threat actors sent an email titled “Your Credit Card Statement Is Ready” with the sender name “JP Morgan Chase” and HTML styling similar to genuine emails sent from Chase, according to the report. The email included links for the victim to see their statement and make payments.
“Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the ‘IP Allow’ list,” Kumar wrote in the report.
The links take potential victims to a phishing page that resembles the Chase login portal and asks for their banking account credentials, she said. Researchers surmised that the URL for the page was likely purchased and hosted using NameSilo, which provides hosting, email and SSL solutions to customers.
“Services like this are beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals looking to launch successful phishing attacks,” Kumar observed.
Chase Customer Care Scam
The other phishing attack begins with an email titled “URGENT: Unusual sign-in activity” with the sender name “Chase Bank Customer Care,” Kumar said.
The email included a link that claimed to let customers verify their account to restore access, and it used a common scammer tactic of specifying different “from” and “reply-to” addresses.
As with the other email, clicking on the link would lead to a phishing page that would try to get users to type in their credentials, according to the post. However, in this case, the page was already inactive by the time researchers investigated the campaign, they said.
The account-verification email also eluded Exchange detections and was deemed safe with a “1” rating on the Spam Confidence Level, Kumar noted.
How to Spot Phishing Emails
However, there are some clear telltale signs that both emails are suspicious if recipients of such messages know what to look out for, researchers said, outlining them in the post.
They include the aforementioned use of different ‘reply-to’ and ‘from’ addresses; the use of a page that looks like it’s legitimately from Chase but with a URL that does not match the company’s website name; and a security theme that requires someone to fill in private security details by taking secondary action, they said.
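The telltale signs listed above, together with the SCL header behaviour described earlier, can be turned into a simple mail-triage check that runs on the defender's side. The following Python script is an added example, not code from Armorblox or from the post: it parses a constructed sample message (all addresses, hosts and the HTML body are made up for the example), flags a Reply-To domain that differs from the From domain, a display name that claims the Chase brand while the sender or link domains are not brand domains, and notes when Exchange's X-MS-Exchange-Organization-SCL header marked such a message as safe. The set of legitimate brand domains is an assumption for the example and would be tuned per organisation.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the sender, reply-to, link host and body
# are invented for this example and mirror the shape described in the post.
SAMPLE_EMAIL = """\
From: "Chase Bank Customer Care" <care@example-notify.invalid>
Reply-To: support@another-domain.invalid
To: customer@example.org
Subject: URGENT: Unusual sign-in activity
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We restricted your online access. Please
<a href="https://chase-verify.example.invalid/login">verify your account</a>.</p>
</body></html>
"""

# Assumption: domains the brand legitimately sends from and links to.
BRAND_DOMAINS = {"chase.com", "jpmorganchase.com"}
# Words in a display name that signal the message claims to be from the brand.
BRAND_KEYWORDS = ("chase",)
# SCL values that mean the message skipped or passed spam filtering.
LOW_SCL = {-1, 0, 1}


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or ''."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _is_brand_domain(host):
    """True when host is one of the brand domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)


def analyze(raw_message):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, _ = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(msg.get("From", ""))
    reply_domain = _domain(msg.get("Reply-To", ""))
    claims_brand = any(k in display_name.lower() for k in BRAND_KEYWORDS)

    # Sign 1: different 'from' and 'reply-to' addresses.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to domain differs from from domain")

    # Sign 2: the display name claims the brand but the sender domain does not.
    if claims_brand and not _is_brand_domain(from_domain):
        findings.append("display name claims brand but sender domain is not a brand domain")

    # Sign 3: links that do not go to the brand's own website.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href in re.findall(r'href="([^"]+)"', text):
        host = (urlparse(href).hostname or "").lower()
        if claims_brand and not _is_brand_domain(host):
            findings.append(f"link host {host} does not match brand domain")

    # Context: did the Exchange spam verdict treat this message as safe anyway?
    try:
        scl = int(msg.get("X-MS-Exchange-Organization-SCL"))
    except (TypeError, ValueError):
        scl = None
    if scl in LOW_SCL and findings:
        findings.append(f"SCL {scl} marked message safe despite indicators")

    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EMAIL):
        print("-", finding)
```

Run against the constructed message, the script reports all four findings; a message whose sender, reply-to and link hosts all sit under a brand domain produces none, so a low SCL on its own is never flagged. The point of the SCL line is not to distrust Exchange's verdict but to surface the cases where content indicators and the platform verdict disagree, which is exactly the gap the two campaigns exploited.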
“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” Kumar wrote. “It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible.”
The attacks are not the first time Chase customers have been targeted in phishing attacks, and it likely won’t be the last. The bank was one of several, including Royal Bank of Canada and TD Bank, targeted in an SMS phishing campaign revealed in February 2020 that used bogus security text messages to target users of online banking apps.