
Chase Phishing Email

by stacy

Blox Tales: Chase Credential Phishing Attacks

Each Blox Tale takes a close look at a targeted email scam, explains how it got into inboxes, and offers suggestions on how to avoid becoming a victim of such attacks. In this article, we'll discuss two email attacks that impersonated Chase in an attempt to obtain login information. One attack claimed to contain a credit card statement, while the other impersonated a locked account workflow, alerting victims that their account access had been restricted owing to unusual login activity.

Let’s take a closer look at each of the attacks in turn:

1. Spoofed Chase Credit Card Statement

Email security bypassed: Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO)

Techniques used: social engineering, brand impersonation, and replication of existing workflows.

This email attack got past native Microsoft email security controls. Microsoft assigned the email a Spam Confidence Level (SCL) of ‘-1’, which meant that it skipped spam filtering because Microsoft determined that the email was from a safe sender, was addressed to a safe recipient, or originated from an email source server that was on the IP Allow list.

The following is a synopsis of the incident:

The Email

Figure: Summary of the Chase credential phishing attack, showing how the attack is carried out.

The Message in an Email
Recently, the Armorblox threat research team observed an email impersonating Chase Bank that attempted to reach one of our customers’ environments. The email was titled ‘Your Credit Card Statement Is Ready’ and came from the sender ‘Jp Morgan Chase’. The email had HTML styling similar to that found in legitimate Chase emails, as well as links for viewing the statement and making payments.

Here’s what the email looked like in a nutshell:

Figure: An email purporting to be from Chase and containing a credit card statement for review has been intercepted.

The Phishing Page

When victims click on the email link, they are taken to a page that looks similar to the Chase login portal, where they are asked for their banking account details.

Figure: A phishing website that looks like the Chase login gateway.

According to the information on the page, the domain name was likely acquired and hosted by NameSilo, which provides consumers with hosting, email, and SSL solutions. Although services like these are valuable to millions of people throughout the world, they also lower the bar for attackers wanting to launch successful phishing attacks. The domain’s Whois information is provided below:

Figure 1: The domain’s Whois record details, which demonstrate that NameSilo is the registrar.


2. Spoofed Chase Locked Account Workflow

Email security bypassed: Exchange Online Protection (EOP) and Microsoft Defender for Office 365 (MSDO)

Techniques used: social engineering, brand impersonation, using security themes, replicating existing workflows, and using different “from” and “reply-to” addresses.

The second email attack discussed in this blog pretended to be from the Chase Fraud Department and alerted victims that their account access had been blocked as a result of unusual login activity. The email was titled ‘URGENT: Unusual sign-in behavior’ and came from the sender ‘Chase Bank Customer Care’. The email contained a link that victims were told to follow to validate their accounts and regain access. Particularly noteworthy is that the email used two separate email addresses for the “from” and “reply-to” addresses, which is a frequent strategy used by scammers in email attacks.

This email attack got past native Microsoft email security controls. Microsoft assigned the email a Spam Confidence Level (SCL) of ‘-1’, which meant that it skipped spam filtering because Microsoft determined that the email was from a safe sender, was addressed to a safe recipient, or originated from an email source server that was on the IP Allow list.

Figure: An email purporting to be from Chase Customer Care informs victims of unusual login activity in their account.

According to our observations, this email is designed to mimic locked account workflows and leverage security themes as social engineering cues to elicit an immediate response from the target. It was also intended to collect banking login details through a phishing page, although the page has since been taken down.

Summary of techniques used

These email attacks made use of a variety of techniques to get past typical email security filters and pass the eye tests of unsuspecting end users.

Social engineering: The emails were designed to instill a sense of trust and urgency in the recipients. Trust, because the emails purported to come from a reputable bank, and urgency, because the emails covered topics that required immediate action on the part of the recipients (paying credit card bills, restoring account access).
Brand impersonation: Company branding is used throughout the phishing email, and the final phishing website, used to collect credentials, is a counterfeit version of the Chase login portal that looks nearly identical to the real page. Even though the URL was not a legitimate Chase domain, scammers counted on victims not spending too much time scrutinizing the page and instead completing the suggested action.
Using security themes: One of the email attacks posed as a locked account or security concern to obtain login credentials. Because employees want to be good corporate citizens, they are more likely to act quickly when they receive material that claims to be linked to security. The irony is as devastating as Thor’s hammer.
Replicating existing workflows: Both email attacks take place in a setting that is similar to workflows we are already familiar with from our daily lives (credit card statements, locked accounts). When we get emails that look like ones we have already received, our brains are more likely to engage in System 1 thinking and to take immediate action.
Different “reply-to” and “from” addresses: The Chase locked account impersonation attack used different “reply-to” and “from” addresses, a frequent adversarial approach used in email attacks.
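The header signals described above (a brand display name on a non-brand domain, differing “from” and “reply-to” addresses, and an SCL of -1) can be checked together during mail triage. The following is an added example, not code from the original post; the sample message, its addresses and the brand domain allow-list are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address and domain is a placeholder.
SAMPLE = """\
From: Chase Bank Customer Care <alerts@mailer.example>
Reply-To: support@other-domain.example
Subject: URGENT: Unusual sign-in behavior
X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;SFV:SKN;SCL:-1;
X-MS-Exchange-Organization-SCL: -1

Please validate your account to regain access.
"""

# Assumed allow-list of domains the brand really sends from.
BRAND, BRAND_DOMAINS = "chase", ("chase.com", "jpmorganchase.com")


def domain_of(header_value):
    """Return the lower-cased domain of an address header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def scl_of(msg):
    """Read the SCL stamped by Exchange Online, falling back to the antispam report."""
    raw = msg.get("X-MS-Exchange-Organization-SCL")
    if raw is None:
        m = re.search(r"SCL:(-?\d+)", msg.get("X-Forefront-Antispam-Report", ""))
        raw = m.group(1) if m else None
    return int(raw) if raw and re.fullmatch(r"\s*-?\d+\s*", raw) else None


def triage(raw_message):
    """Return the findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    legit = any(from_dom == d or from_dom.endswith("." + d) for d in BRAND_DOMAINS)
    if BRAND in display and not legit:
        findings.append("brand-display-name")
    # SCL -1 alone is normal for allow-listed mail; it matters next to other signals.
    if scl_of(msg) == -1 and findings:
        findings.append("filter-bypassed")
    return findings
```

A message that raises "filter-bypassed" is a prompt to review which safe sender, safe recipient or IP Allow list entry caused filtering to be skipped.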
