

In today’s Blox Tale, we will look at a brand impersonation attack that steals victims’ Charles Schwab account credentials. The email has a social engineered payload, pretending to be a Charles Schwab security message, asking the user to log into their Charles Schwab account to read the message. Clicking the link took victims to a splash page that spoofed Charles Schwab branding and contained login links.
The email attacks bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the emails. This means the emails skipped spam filtering because Microsoft determined they were from a safe sender, to a safe recipient, or were from an email source server on the IP Allow list.
Summary:
Mailboxes: ~55,000
Target: A major university located in North America
Email security bypassed: Microsoft email security
Techniques used: Social engineering, brand impersonation, replicating existing login workflows
Fig: Charles Schwab credential phishing attack to steal email credentials
The Email
The email was titled “Update Your Account” and claimed to contain a security message from Charles Schwab, along with an email footer stressing the importance of confidentiality. The sender display name was “Schwab Alerts”, a tactic we have observed scammers using before - it creates the appearance of a trusted sender relationship that might make victims open the email faster.
Phishing Flow
The email was sent from a legitimate domain and was not flagged as malicious by the Microsoft email security product.
Fig: Social engineering combined with workflow spoofing to steal credentials
Social engineering - masquerading as a trusted sender with an important message (a security message) - was used to bait the user into taking quick action: open the email and click the URL to log into a trusted website, Charles Schwab. The landing splash page was a pixel-perfect match of the existing Charles Schwab homepage.
Fig: Clicking the email link leads to a spoofed Charles Schwab login page
The socially engineered attack preys on the victim’s anxiety to check the Security Message from a trusted vendor. The malicious landing page asked the victims to enter their email addresses and password to log into what looked like a legitimate page.
Recap of Techniques Used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting victims.
Social engineering: The email title, sender name, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the email claimed to come from a legitimate company (Charles Schwab), and a sense of urgency because it claimed the victim has a security message from the bank. The email included the victim’s name in the title as well, further adding to the targeted nature of the attack.
Brand impersonation: The email content repeatedly references Charles Schwab, and the phishing page includes a pixel-perfect copy of Charles Schwab branding that lends it a surface-level familiarity with the real brand. If one stops and thinks about it, there’s something suspicious about the phishing page. But scammers are banking on the fact that victims won’t stop and think about it.
The form factor of devices: The email was sent from an account belonging to AloPharmacy. A quick look at the sender’s domain would have alerted the user to fraudulent activity. Unfortunately, a high percentage of emails are read on mobile devices, where the form factor does not allow the display of the sender’s domain name alongside the display name.
Using security themes: The email used the guise of security messages and security concerns to extract account credentials. End users tend to take quicker action on communication that claims to be security-related.
Replicating existing workflows: The context for the email attack replicates workflows that already exist in our daily lives (log into the web portal to read security-related messages). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
The phishing page was hosted on the website AloPharmacy.com. Free online services that make it easy to create websites make our lives easier, but unfortunately, also lower the bar for cybercriminals to launch successful phishing attacks. While writing this threat report we do not know if an account was compromised at AloPharmacy.com or if this website was set up with malicious intent.
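Two of the signals described above - a “Schwab Alerts” display name on a message sent from an unrelated legitimate domain, and an SCL of -1 showing that Microsoft skipped spam filtering - can be checked by a secondary layer that reads the message headers. The following Python is an added example written for this post, not Armorblox tooling; the sample messages are constructed, the pharmacy sender domain is a placeholder, and schwab.com is assumed to be the brand’s own domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Brands whose name in the From display name should only arrive from their own
# domains. schwab.com is an assumption here, not a value taken from the post.
BRAND_DOMAINS = {"schwab": {"schwab.com"}}

# Microsoft 365 stamps the Spam Confidence Level as "SCL:<n>" inside this header.
SCL_RE = re.compile(r"(?<![A-Z])SCL:(-?\d+)")


def triage(raw_message):
    """Flag a message whose From display name borrows a brand that the sending
    domain does not belong to, and note when Microsoft skipped filtering (SCL -1)."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    m = SCL_RE.search(msg.get("X-Forefront-Antispam-Report", ""))
    scl = int(m.group(1)) if m else None

    brand = next((b for b, doms in BRAND_DOMAINS.items()
                  if b in display.lower() and domain not in doms), None)
    reasons = []
    if brand:
        reasons.append(f"display name '{display}' names {brand} but sender is @{domain}")
    if brand and scl == -1:
        # SCL -1 means the native filter never ran, so this check is the only one that fired.
        reasons.append("SCL:-1 -> message bypassed spam filtering (allow list or safe sender)")
    return {"scl": scl, "brand": brand, "suspicious": bool(brand), "reasons": reasons}


# Constructed samples modelled on the campaign; the sender domains are placeholders.
PHISH = """\
From: "Schwab Alerts" <alerts@example-pharmacy.test>
To: staff@example-university.test
Subject: Update Your Account
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI

You have a new security message. Log in to read it.
"""

LEGIT = """\
From: "Schwab Alerts" <alerts@schwab.com>
To: staff@example-university.test
Subject: Your statement is ready
X-Forefront-Antispam-Report: CIP:203.0.113.20;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI

Your monthly statement is available.
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(raw))
```

The same display-name check works on mobile-heavy user populations because it runs on the headers the client hides, which is exactly the gap the form-factor point above describes.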
Guidance and Recommendations
1. Augment native email security with additional controls
The email highlighted in this blog got past Microsoft email security. For better protection coverage against email attacks (whether they’re spear phishing, business email compromise, or credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2021 and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, the language within the email, and any logical inconsistencies within the email.
3. Follow MFA and password management best practices
Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
Don’t use the same password on multiple sites/accounts. Use a password management software like LastPass or 1password to store your account passwords. Avoid using passwords that tie into your publicly available information (date of birth, anniversary date, etc.).
Don’t use generic passwords such as ‘password123’, ‘YourName123’, etc.