2 phishing attacks have eluded US Exchange security protections & spoof real-life account scenarios in an attempt to deceive victims.
Threat players are impersonating Chase Bank in 2 phishing attacks that can slip past Microsoft Exchange security protections in an aim to steal credentials from victims — by spoofing real-life customer scenarios.
Researchers from Armorblox recently discovered the attacks, 1 of which claims to contain a credit card statement, while the other informs users that their online account access has been restricted due to unusual login activity, according to a post on the Armorblox blog posted Tues.
The 1st set of emails went out to 9,000 inboxes in an Armorblox customer’s environment and the other reached 8,000, Preet Kumar, Senior Manager of Customer Success at Armorblox, wrote in the post.
Both attacks managed to bypass 2 Microsoft Exchange security protections–Exchange Online Protection (EOP) & Microsoft Defender for Office 365 (MSDO)–on their way to customer inboxes, she commented.
“These email attacks employed a gamut of techniques to get past traditional email security filters & pass the eye tests of unsuspecting end users,” Kumar wrote.
Credit Card Statement
In the 1st situation, threat players sent an email titled “Your Credit Card Statement Is Ready” with the sender name “JP Morgan Chase” with HTML stylings similar to genuine emails sent from Chase, according to the report. The email included links for the victim to see their statement & make payments.
“Microsoft assigned a Spam Confidence Level (SCL) of ‘-1’ to the email, which meant it skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the ‘IP Allow’ list,” Kumar wrote in the report.
Banking Account Credentials
The links take potential victims to a phishing page that resembles the Chase login portal & asks for their banking account credentials, she stated. Researchers surmised that the URL for the page was likely purchased & hosted using Name Silo, which provides hosting, email & SSL solutions to customers.
“Services like this are beneficial for millions of people around the world, but unfortunately also lower the bar for cyber-criminals looking to launch successful phishing attacks,” Kumar observed.
Customer Care Scam
The other phishing attack begins with an email titled “URGENT: Unusual sign-in activity” & claimed that the sender was “Chase Bank Customer Care,” Kumar commented.
The email included a link that claimed to be for customers to verify their account to restore access & used a common tactic by scammers to use different “from” & “reply-to” addresses.
As with the other email, clicking on the link would lead to a phishing page that would try to get users to type in their credentials, according to the post. However, in this case, the page already was inactive by the time researchers investigated the campaign, they explained.
The account-verification email also eluded Exchange detections & was deemed safe with a “1” rating on the Spam Confidence Level, Kumar noted.
Spot Phishing Emails
However, there are some clear tell-tale signs that both emails are suspicious if receivers of such messages know what to look out for, researchers outlined, outlining them in the post.
They include the aforementioned use of different ‘reply-to’ & ‘from’ addresses; the use of a page that looks like it is legitimately from Chase but with a URL that does not match the company’s website name; & a security theme that requires someone to fill in private security details by taking secondary action, they observed.
“Since we get so many emails from service providers, our brains have been trained to quickly execute on their requested actions,” Kumar wrote. “It’s much easier said than done but engage with these emails in a rational & methodical manner whenever possible.”
The attacks are not the first time Chase customers have been targeted in phishing attacks, & it likely will not be the last. The bank was 1 of several–including Royal Bank of Canada & TD Bank–targeted in an SMS phishing campaign revealed in Feb. 2020 that used bogus security text messages to target users of online banking apps.