This blog focuses on an email campaign that impersonated a Wells Fargo locked account workflow to steal victims’ banking credentials.
Each Blox Tale will take a look at targeted email scams, outline why they made their way into an inbox, and provide tips and recommendations to protect against such attacks. In this blog, we’ll focus on an email campaign that impersonated a Wells Fargo locked account workflow to steal victims’ banking credentials. We observed variants of this email attack on more than 10,000 customer mailboxes.
Org mailboxes: 10,000+
Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO), Proofpoint
Techniques used: Social engineering, brand impersonation, replicating existing workflows, using Hotmail accounts
This email attack bypassed native Microsoft email security controls and Proofpoint. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the IP Allow list.
A summary of the attack is presented below:
Fig: Summary of the Wells Fargo credential phishing scam showing the attack flow
The Email
Recently, the Armorblox threat research team observed multiple emails impersonating Wells Fargo bank attempt to hit our customer environments. The email titles were all variations of ‘1 New Message’ followed by the date and time, in an effort to seem time-relevant and similar to other automated emails that usually inhabit our inboxes. The emails were sent from Hotmail accounts and claimed to come from the Managing Director of Customer Operations at Wells Fargo, asking victims to click a link to confirm their Wells Fargo account.
A snapshot of one of the emails is given below:
Fig: Email impersonating communications from Wells Fargo
The email sender name - Weiisfargo-Msg - is noteworthy. Although clearly not a legitimate sender name when inspected closely, it bears a passing visual resemblance to Wells Fargo. Attackers often use this alphabet switching technique to pass victims’ eye tests while also evading blocklists and filters that are set up to catch specific keywords. In this case, the email was able to bypass both Microsoft and Proofpoint email security.
The Phishing Flow
Clicking the email link takes victims to a page that warns victims that their debit cards have been locked due to a number of unsuccessful login attempts. The page invites victims to click a link to reactivate their Wells Fargo accounts.
Fig: Page warning victims that their debit card has been locked
Clicking the link on this page leads victims to the final phishing page, rendered to look remarkably similar (at first glance) to the real Wells Fargo login portal. This page asks for the victims’ banking credentials.
Fig: Final phishing page resembling the Wells Fargo login portal
If you are finding this research interesting, you might also want to check out our recent piece on Chase credential phishing attacks here.
Summary of techniques used
This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users.
- Social engineering: The email title, sender name, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the emails claimed to be coming from a trusted bank, and a sense of urgency because the emails dealt with topics that needed quick action taken (restoring account access).
- Brand impersonation: Both pages in the phishing flow are replete with Wells Fargo branding. Although the URL was patently not a genuine Wells Fargo domain, scammers relied on victims not spending too much time inspecting the page and following through with the requested action instead.
- Using security themes: The email attack used the guise of locked accounts and security concerns to extract account credentials. As employees want to be good corporate citizens, they will tend to take quicker action on communication that claims to be security-related. The irony hits like Thor’s hammer.
- Replicating existing workflows: The context for this email attack replicates workflows that already exist in our daily lives (locked account due to unsuccessful login attempts). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
- Using Hotmail addresses: All emails observed in this campaign were sent from different Hotmail addresses. Attackers often employ Gmail, Yahoo, and Hotmail to send emails that bypass authentication checks like SPF, DKIM, and DMARC.
Guidance and Recommendations
Here are some points of guidance for individuals or organizations looking to protect themselves against targeted email attacks:
1. Augment native email security with additional controls
The email highlighted in this blog got past Microsoft’s Exchange Online Protection (EOP), with an assigned Spam Confidence Level (SCL) of -1, which means the emails skipped past EOP spam filters. They also bypassed Microsoft Defender for Office 365 (MSDO) and Proofpoint.
For better protection coverage against email attacks (whether they’re phishing, business email compromise, or 0-day credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.
2. Watch out for social engineering cues
Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is my bank sending emails to my work account, why is the URL parent domain different from ‘wellsfargo[.]com’, etc.).
3. Follow MFA and password management best practices
Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances, and family members.
If you haven’t already, implement these hygiene best practices:
- Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
- Don’t use the same password on multiple sites/accounts.
- Use a password management software to store your account passwords.
- Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
- Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.
