Armorblox is now part of Cisco

Threat Research | 9 min read

Blox Tales: Spoofed Wells Fargo Locked Account Workflow


Lauryn Cash
Lauryn Cash

This blog focuses on an email campaign that impersonated a Wells Fargo locked account workflow to steal victims’ banking credentials.

Each Blox Tale will take a look at targeted email scams, outline why they made their way into an inbox, and provide tips and recommendations to protect against such attacks. In this blog, we’ll focus on an email campaign that impersonated a Wells Fargo locked account workflow to steal victims’ banking credentials. We observed variants of this email attack on more than 10,000 customer mailboxes.

Org mailboxes: 10,000+

Email security bypassed: Exchange Online Protection (EOP), Microsoft Defender for Office 365 (MSDO), Proofpoint

Techniques used: Social engineering, brand impersonation, replicating existing workflows, using Hotmail accounts

This email attack bypassed native Microsoft email security controls and Proofpoint. Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the IP Allow list.

A summary of the attack is presented below:

Wells Fargo phishing attack summary Fig: Summary of the Wells Fargo credential phishing scam showing the attack flow

The Email

Recently, the Armorblox threat research team observed multiple emails impersonating Wells Fargo bank attempt to hit our customer environments. The email titles were all variations of ‘1 New Message’ followed by the date and time, in an effort to seem time-relevant and similar to other automated emails that usually inhabit our inboxes. The emails were sent from Hotmail accounts and claimed to come from the Managing Director of Customer Operations at Wells Fargo, asking victims to click a link to confirm their Wells Fargo account.

A snapshot of one of the emails is given below:

Wells Fargo phishing email screenshot Fig: Email impersonating communications from Wells Fargo

The email sender name - Weiisfargo-Msg - is noteworthy. Although clearly not a legitimate sender name when inspected closely, it bears a passing visual resemblance to Wells Fargo. Attackers often use this alphabet switching technique to pass victims’ eye tests while also evading blocklists and filters that are set up to catch specific keywords. In this case, the email was able to bypass both Microsoft and Proofpoint email security.

The Phishing Flow

Clicking the email link takes victims to a page that warns victims that their debit cards have been locked due to a number of unsuccessful login attempts. The page invites victims to click a link to reactivate their Wells Fargo accounts.

Wells Fargo locked account page Fig: Page warning victims that their debit card has been locked

Clicking the link on this page leads victims to the final phishing page, rendered to look remarkably similar (at first glance) to the real Wells Fargo login portal. This page asks for the victims’ banking credentials.

Wells Fargo phishing page final Fig: Final phishing page resembling the Wells Fargo login portal

If you are finding this research interesting, you might also want to check out our recent piece on Chase credential phishing attacks here.

Summary of techniques used

This email attack employed a gamut of techniques to get past traditional email security filters and pass the eye tests of unsuspecting end users.

  • Social engineering: The email title, sender name, and content aimed to induce a sense of trust and urgency in the victims - a sense of trust because the emails claimed to be coming from a trusted bank, and a sense of urgency because the emails dealt with topics that needed quick action taken (restoring account access).
  • Brand impersonation: Both pages in the phishing flow are replete with Wells Fargo branding. Although the URL was patently not a genuine Wells Fargo domain, scammers relied on victims not spending too much time inspecting the page and following through with the requested action instead.
  • Using security themes: The email attack used the guise of locked accounts and security concerns to extract account credentials. As employees want to be good corporate citizens, they will tend to take quicker action on communication that claims to be security-related. The irony hits like Thor’s hammer.
  • Replicating existing workflows: The context for this email attack replicates workflows that already exist in our daily lives (locked account due to unsuccessful login attempts). When we see emails we’ve already seen before, our brains tend to employ System 1 thinking and take quick action.
  • Using Hotmail addresses: All emails observed in this campaign were sent from different Hotmail addresses. Attackers often employ Gmail, Yahoo, and Hotmail to send emails that bypass authentication checks like SPF, DKIM, and DMARC.

Guidance and Recommendations

Here are some points of guidance for individuals or organizations looking to protect themselves against targeted email attacks:

1. Augment native email security with additional controls

The email highlighted in this blog got past Microsoft’s Exchange Online Protection (EOP), with an assigned Spam Confidence Level (SCL) of -1, which means the emails skipped past EOP spam filters. They also bypassed Microsoft Defender for Office 365 (MSDO) and Proofpoint.

For better protection coverage against email attacks (whether they’re phishing, business email compromise, or 0-day credential phishing attacks like this one), organizations should augment built-in email security with layers that take a materially different approach to threat detection. Gartner’s Market Guide for Email Security covers new approaches that vendors brought to market in 2020, and should be a good starting point for your evaluation.

2. Watch out for social engineering cues

Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions. It’s much easier said than done, but engage with these emails in a rational and methodical manner whenever possible. Subject the email to an eye test that includes inspecting the sender name, sender email address, language within the email, and any logical inconsistencies within the email (e.g. Why is my bank sending emails to my work account, why is the URL parent domain different from ‘wellsfargo[.]com’, etc.).

3. Follow MFA and password management best practices

Since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances, and family members.

If you haven’t already, implement these hygiene best practices:

  • Deploy multi-factor authentication (MFA) on all possible business and personal accounts.
  • Don’t use the same password on multiple sites/accounts.
  • Use a password management software to store your account passwords.
  • Avoid using passwords that tie into your publicly available information (date of birth, anniversary date etc.).
  • Don’t repeat passwords across accounts or use generic passwords such as your birth date, ‘password123’, ‘YourName123’ etc.

Stay tuned for more Blox Tales! If you’re interested to learn how Armorblox augments native Office 365 email security, download our whitepaper below.

Get Office 365 Whitepaper

Experience the Armorblox Difference

Get a Demo