Blox Tales: Chase Credential Phishing Attacks


Each Blox Tale will take a look at targeted email scams, outline why they made their way into an inbox, and provide tips and recommendations to protect against such attacks. In this blog, we’ll focus on two email attacks that impersonated Chase in an attempt to steal login credentials. One attack claimed to contain a credit card statement, and the other impersonated a locked account workflow by informing victims that their account access had been restricted due to unusual login activity.
Let’s go through the attacks in greater detail:
1. Spoofed Chase Credit Card Statement
Org mailboxes: ~9,000
Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO)
Techniques used: Social engineering, brand impersonation, replicating existing workflows
This email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the IP Allow list.
A summary of the attack is presented below:
Fig: Summary of the Chase credential phishing scam showing the attack flow
The Email
Recently, the Armorblox threat research team observed an email impersonating Chase Bank that attempted to reach one of our customer environments. The email was titled ‘Your Credit Card Statement Is Ready’ with the sender name ‘Jp Morgan Chase’. The email used HTML styling similar to genuine emails sent from Chase, and included links for the victim to view their statement and make payments.
A snapshot of the email is given below:
Fig: Email impersonating Chase and claiming to contain a credit card statement for review
The Phishing Page
Clicking the email link takes victims to a page resembling the Chase login portal that asks for their banking account credentials.
Fig: Phishing page resembling the Chase login portal
The domain for the page was likely purchased and hosted using NameSilo, which provides hosting, email, and SSL solutions to customers. Services like this are beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals looking to launch successful phishing attacks. The Whois record for the domain is given below:
Fig: Whois record details for the domain showing NameSilo as the registrar
You can read related threat research on an Apple credential phishing attack that was executed using Omnisend, an email marketing and SMS platform, here.
2. Spoofed Chase Locked Account Workflow
Org mailboxes: ~8,000
Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO)
Techniques used: Social engineering, brand impersonation, using security themes, replicating existing workflows, different ‘from’ and ‘reply-to’ addresses
The second email attack covered in this blog impersonated the Chase Fraud Department and informed victims that their account access had been restricted due to unusual login activity. The email was titled ‘URGENT: Unusual sign-in activity’ with the sender name ‘Chase Bank Customer Care’. The email contained a link where victims could supposedly verify their account to restore access. Notably, the email employed different ‘from’ and ‘reply-to’ addresses, which is a common technique used by scammers in email attacks.
This email attack bypassed native Microsoft email security controls. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the IP Allow list.
A snapshot of the email is given below:
Fig: Email impersonating Chase Customer Care informing victims of unusual login activity
This email follows the tenets of other phishing campaigns we have observed that spoof locked account workflows and use security themes as social engineering cues to induce quick action from victims. The phishing page linked from this email also aimed to extract banking login credentials, although the page has since been taken down.
Summary of techniques used
These email attacks employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users.
- Social engineering: The email titles, sender names, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the emails claimed to be coming from a trusted bank, and a sense of urgency because the emails contained topics that needed quick action taken (paying credit card bills, restoring account access).
- Brand impersonation: The Chase credential phishing email is replete with company branding and the final phishing page spoofs the Chase login portal, looking strikingly similar to the real page. Although the URL was patently not a genuine Chase domain, scammers relied on victims not spending too much time inspecting the page and following through with the requested action instead.
- Using security themes: One of the email attacks used the guise of locked accounts and security concerns to extract account credentials. As employees want to be good corporate citizens, they will tend to take quicker action on communication that claims to be security-related. The irony hits like Thor’s hammer.
- Replicating existing workflows: The context for both email attacks replicates workflows that already exist in our daily lives (credit card statements, locked accounts). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
- Different ‘reply-to’ and ‘from’ addresses: The Chase locked account impersonation attack had different ‘reply-to’ and ‘from’ addresses, which is a common adversarial technique employed in email attacks.
Guidance and Recommendations
Here are some points of guidance for individuals or organizations looking to protect themselves against targeted email attacks:
1. Augment native email security with additional controls
Both emails highlighted in this blog got past Microsoft’s Exchange Online Protection (EOP), with an assigned Spam Confidence Level (SCL) of -1, which means the emails skipped past EOP spam filters. For better protection coverage against email attacks (whether they’re phishing, business email compromise, or 0-day credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. why is my bank sending emails to my work account, why is the URL parent domain different from ‘chase[.]com’, etc.).
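The eye test described above, together with the ‘from’/‘reply-to’ mismatch and the SCL -1 header discussed for both attacks, can be automated as a first-pass triage of raw email headers and body. The script below is an added example written for this post, not Armorblox code; the sample messages, the expected-domain list, the function names and the reserved example domains are all constructed for illustration. It checks whether the sender name claims the brand while the sender address does not, whether the From and Reply-To domains differ, whether any link’s parent domain is outside the brand’s own, and reads the `X-MS-Exchange-Organization-SCL` header so an SCL of -1 (filtering skipped) is reported as context alongside the findings.

```python
# Added example: automated "eye test" over one raw email (headers + body).
# Sample messages, domain lists and names are constructed for illustration.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed placeholder: domains a genuine Chase message is expected to
# send from and link to. A real deployment maintains such a list per brand.
EXPECTED_BRAND_DOMAINS = {"chase.com", "jpmorganchase.com"}
BRAND_KEYWORDS = ("chase", "jpmorgan")
SCL_HEADER = "X-MS-Exchange-Organization-SCL"


def registrable_domain(host: str) -> str:
    """Crude parent-domain extraction (last two labels). Enough for the
    .com-style hosts used here; co.uk-style TLDs need a public-suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def header_domain(value: str) -> str:
    """Registrable domain of the address in a From/Reply-To header, or ''."""
    _, addr = parseaddr(value or "")
    return registrable_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def link_domains(body: str) -> set:
    """Registrable domains of every http(s) URL found in the body text."""
    urls = re.findall(r"https?://[^\s\"'<>]+", body)
    return {registrable_domain(urlparse(u).hostname or "") for u in urls}


def eye_test(raw_message: str) -> dict:
    """Run the checks on one raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw_message)
    display_name, _ = parseaddr(msg.get("From", ""))
    from_dom = header_domain(msg.get("From", ""))
    reply_dom = header_domain(msg.get("Reply-To", ""))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    findings = []

    # Check 1: the sender *name* claims the brand, the sender *address* does not.
    if any(k in display_name.lower() for k in BRAND_KEYWORDS) \
            and from_dom not in EXPECTED_BRAND_DOMAINS:
        findings.append(f"brand display name '{display_name}' "
                        f"but sender domain is {from_dom}")

    # Check 2: different From and Reply-To domains.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from "
                        f"From domain {from_dom}")

    # Check 3: link parent domains that are not the brand's own.
    foreign = link_domains(body) - EXPECTED_BRAND_DOMAINS
    if foreign:
        findings.append("links point outside the brand domain: "
                        + ", ".join(sorted(foreign)))

    # Context rather than a finding on its own: SCL -1 means EOP skipped spam
    # filtering (safe sender/recipient or IP Allow list), so the filter applied
    # none of its own checks to this message either.
    scl = (msg.get(SCL_HEADER) or "").strip()
    return {"scl": scl, "bypassed_eop": scl == "-1", "findings": findings}


# Constructed sample modelled on the second attack in the post (locked account
# theme, mismatched From/Reply-To, SCL -1). Domains are reserved example TLDs.
PHISH_SAMPLE = """\
From: Chase Bank Customer Care <care@notice-mailer.example>
Reply-To: verify@restore-access.test
To: employee@corp.example
Subject: URGENT: Unusual sign-in activity
X-MS-Exchange-Organization-SCL: -1
Content-Type: text/html; charset=utf-8

<p>We restricted your account. <a href="http://secure-login.invalid/verify">
Verify your account</a> to restore access.</p>
"""

# Constructed benign sample for comparison.
BENIGN_SAMPLE = """\
From: Chase <no.reply@chase.com>
To: customer@corp.example
Subject: Your statement is ready
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/html; charset=utf-8

<p>Sign in at <a href="https://www.chase.com/">chase.com</a> to view it.</p>
"""

if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, eye_test(sample))
```

Run against the constructed phishing sample, all three checks fire and the SCL is reported as -1; the benign sample produces no findings. The domain comparison is deliberately on the registrable parent domain rather than the full hostname, which is the comparison the post recommends (‘chase[.]com’ versus whatever the link actually resolves to).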
3. Follow MFA and password management best practices
Since all workplace accounts are so closely interlinked, giving away the credentials to one of your accounts can prove to be very dangerous, as cybercriminals can then send emails in your name to trick your customers, partners, acquaintances, and family members.
If you haven’t already, implement these hygiene best practices:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use password management software to store your account passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
- Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.