Chase Bank Customers Targeted by Massive Phishing Attack
NEW YORK (MainStreet) A new trend in cyber attacks may be unfolding: the "smash and grab" campaign. One such attack targeted a massive number of JPMorgan Chase customers on August 19. While most phishing operators try to disguise their efforts and extend the shelf life of their campaigns, this one was brazen: it disregarded stealth and launched a multi-pronged attack without any apparent concern about being detected.
The FBI is looking into cyber attacks on U.S. banks, reportedly as possible cases of Russian retaliation for U.S.-backed sanctions enacted over the crisis in Ukraine. According to Bloomberg, investigators are considering the possibility that the recent hacking of JPMorgan is connected to a series of data breaches at European banks. These infiltrations are said to have exploited "a similar vulnerability," and required enough technical expertise to raise the possibility of government involvement. The timing has also raised suspicions: since Vladimir Putin's government became heavily involved in Ukraine's civil conflict, there has been a reported increase in cyber attacks on U.S. banks launched from Russia and Eastern Europe.
Researchers at Proofpoint, a data security firm, discovered the large-scale phishing attack on JPMorgan accounts, which apparently originated in Moscow. Proofpoint saw 150,000 of the emails in its own systems on the first day of the attack alone; other email providers have not reported how many they received.
The attack begins with a typical ploy: an email urging you to click to view a secure message. The graphics are clean and believable, with the JPMorgan logo and none of the common typos and clunky language found in many phishing efforts.
Clicking to read the message redirects the user to a fake "JPMorgan Chase & Co." login page.
If the user doesn't suspect foul play and enters his or her login information, an "error" message directs the user to download a "Java update." In reality, the download is a banking Trojan.
But here is where the attack gets even more insidious. The login page itself carries exploit code, so once users land on it to read the "secure message," the banking Trojan can be pushed onto an unpatched computer as a drive-by download, even if they become suspicious and never enter their credentials.
"What's notable is that this is one of the first times we've seen an attacker include exploit code on a credential phishing page," Proofpoint says on its blog. "Usually we see attackers use a Traffic Distribution System (TDS) to direct traffic to either a phishing site or [an] exploit site, but not both. We refer to this as a multivariant attack."
The researchers say that the malware used in these attacks was not detected by any of the leading antivirus products at the time of the attack.
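Because signature-based antivirus missed the payload, a practitioner's fallback is to detect the behaviour of the campaign itself: a brand-lookalike host that serves a login page and then hands out a binary, either before any credentials are posted (the drive-by path) or after them (the fake "Java update"). The script below is an example added here, not code from Proofpoint or from the article; the proxy log format, the allowlist of legitimate Chase domains, the hostnames and the sample log lines are all constructed for the example.

```python
"""Correlate web-proxy events into the two-pronged phishing pattern described
above. Example code added for illustration (not Proofpoint's); the log format,
allowlist and sample lines are assumptions made for the example."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Domains the impersonated brand actually uses (assumed allowlist for the example).
LEGIT_DOMAINS = {"chase.com", "jpmorganchase.com", "jpmorgan.com"}
BRAND_TOKENS = ("chase", "jpmorgan")
# Content types and file extensions that mean a binary payload rather than a page.
BINARY_TYPES = {"application/octet-stream", "application/java-archive",
                "application/x-msdownload", "application/x-dosexec"}
BINARY_EXT = re.compile(r"\.(exe|jar|scr|msi)$", re.IGNORECASE)

# Constructed proxy log, one event per line: ts client method url content-type status
SAMPLE_LOG = """\
2014-08-19T10:00:01Z 10.0.0.5 GET http://chase-secure-message.example/view.php text/html 200
2014-08-19T10:00:03Z 10.0.0.5 GET http://chase-secure-message.example/java_update.exe application/octet-stream 200
2014-08-19T10:00:20Z 10.0.0.5 POST http://chase-secure-message.example/login.php text/html 200
2014-08-19T10:03:00Z 10.0.0.6 GET http://chase-secure-message.example/view.php text/html 200
2014-08-19T10:03:30Z 10.0.0.6 POST http://chase-secure-message.example/login.php text/html 200
2014-08-19T10:03:31Z 10.0.0.6 GET http://chase-secure-message.example/java_update.exe application/octet-stream 200
2014-08-19T10:01:00Z 10.0.0.7 GET https://secure07a.chase.com/web/auth/ text/html 200
2014-08-19T10:01:05Z 10.0.0.7 POST https://secure07a.chase.com/web/auth/ text/html 302
2014-08-19T10:02:00Z 10.0.0.9 GET http://cdn.example/lib.js application/javascript 200
"""


def parse_line(line):
    """Split one space-separated log line into a dict (URLs carry no spaces)."""
    ts, client, method, url, ctype, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": (urlsplit(url).hostname or "").lower(),
            "ctype": ctype.lower(), "status": int(status)}


def registrable(host):
    """Crude registrable domain (last two labels); enough for the example TLDs."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def is_lookalike(host):
    """True when the hostname carries the brand name but is not a brand domain."""
    return any(t in host for t in BRAND_TOKENS) and registrable(host) not in LEGIT_DOMAINS


def is_binary(ev):
    """True when the response looks like an executable/JAR rather than a page."""
    return ev["ctype"] in BINARY_TYPES or bool(BINARY_EXT.search(urlsplit(ev["url"]).path))


def analyze(log_text):
    """Return {(client, host): [reasons]} for every client/host pair that shows
    a lookalike login page followed by a credential POST and/or a binary fetch."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["client"], ev["host"])].append(ev)

    findings = {}
    for (client, host), evs in by_pair.items():
        if not is_lookalike(host):
            continue
        evs.sort(key=lambda e: e["ts"])  # ISO-8601 timestamps sort lexically
        page_ts = next((e["ts"] for e in evs if e["method"] == "GET" and not is_binary(e)), None)
        post_ts = next((e["ts"] for e in evs if e["method"] == "POST"), None)
        bin_ts = next((e["ts"] for e in evs if e["method"] == "GET" and is_binary(e)), None)
        reasons = ["brand lookalike host"]
        if post_ts:
            reasons.append("credentials posted")
        if bin_ts:
            # Binary before any POST: the page itself pushed it (drive-by exploit).
            # Binary after the POST: the fake "update" prompt shown on "error".
            if post_ts is None or bin_ts < post_ts:
                reasons.append("binary fetched with no prior credential post (drive-by)")
            else:
                reasons.append("binary fetched after credential post (fake update)")
        if page_ts and (post_ts or bin_ts):
            findings[(client, host)] = reasons
    return findings


if __name__ == "__main__":
    for (client, host), reasons in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

The ordering check is what distinguishes the two prongs the article describes: a binary that arrives before any form submission means the page did not need the victim's cooperation, which is the signature of the embedded exploit code rather than the fake update prompt. The real Chase host and the unrelated CDN in the sample are left unflagged because the allowlist and brand check run before any sequence logic.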