Threat Actors Impersonate Chase Bank

Threat researchers at Armorblox have come across two new phishing scams targeting customers of JPMorgan Chase Bank. 

Both attacks deployed social engineering and brand impersonation tactics in an attempt to steal customers’ login credentials.

While one scam involved an email that appeared to contain a credit card statement, the other impersonated a locked account workflow to falsely inform victims that access to their account had been blocked following the detection of unusual login activity.

Armorblox researchers said that the first scam “skipped spam filtering because Microsoft determined that the email was from a safe sender, to a safe recipient, or was from an email source server on the IP Allow list.”

The fraudulent email, titled “Your Credit Card Statement Is Ready,” appeared to have been sent by “Jp Morgan Chase.” Its content was fashioned to resemble genuine communications from the American national bank.

“The email contained HTML stylings similar to genuine emails sent from Chase, and included links for the victim to see their statement and make payments,” said the researchers.

Victims who clicked the links would be taken to a web page resembling the Chase login portal and asked to enter their banking account credentials.

“Attackers often bank on victims not paying enough attention to inconsistencies like the URL not being from the Chase domain for example,” said researchers. 

“They assume that because we have busy lives and over-flowing inboxes, we will click before we think.”

Researchers found that the malicious website had been registered with budget Arizonian IT service management company NameSilo, which provides hosting, email, and SSL solutions.

“Services like this are beneficial for millions of people around the world, but unfortunately also lower the bar for cybercriminals looking to launch successful phishing attacks,” noted researchers.

In the second attack, cyber-criminals impersonated the Chase Fraud Department with an email titled “URGENT: Unusual sign-in activity” that looked like it had been sent by “Chase Bank Customer Care.” Inside the email was a malicious account-verification link that victims were told to follow to restore access to their account. 

Researchers shared a useful tip for spotting a phishing attack. They said the locked account impersonation attack had different “reply-to” and “from” addresses, “which is a common adversarial technique employed in email attacks.”
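
The checks the researchers describe (differing "reply-to" and "from" addresses, and links that do not lead to the Chase domain) can be automated in a mail-triage script. The following is an added example, not code from Armorblox or the original article; the brand allow-list, the signal names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the domain the impersonated brand legitimately uses.
BRAND_DOMAINS = {"chase.com"}
BRAND_WORDS = ("chase",)

# Constructed sample modelled on the second email described in the article.
SAMPLE = """\
From: "Chase Bank Customer Care" <alerts@notify.example>
Reply-To: <support@helpdesk.example>
Subject: URGENT: Unusual sign-in activity

Verify your account: http://verify.example/login
"""

def domain_of(header):
    """Lowercase domain of an address header, or '' when the header is absent."""
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def in_brand(host):
    """True if host is a brand domain or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def phishing_signals(raw):
    """Return heuristic signals (hints for triage, not a verdict)."""
    msg = message_from_string(raw)
    display = parseaddr(msg.get("From", ""))[0].lower()
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    claims_brand = any(w in display for w in BRAND_WORDS)
    signals = []
    if reply_dom and reply_dom != from_dom:
        signals.append("reply-to-mismatch")
    if claims_brand and not in_brand(from_dom):
        signals.append("display-name-spoof")
    # Collect the text of every non-container MIME part, then extract link hosts.
    body = "".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace")
                   for p in msg.walk() if not p.is_multipart())
    hosts = [urlparse(u).hostname for u in re.findall(r"https?://[^\s\"'<>]+", body)]
    if claims_brand and any(not in_brand(h) for h in hosts):
        signals.append("off-brand-link")
    return signals

if __name__ == "__main__":
    print(phishing_signals(SAMPLE))
```

Legitimate senders sometimes use a different reply-to domain, so these signals are best used to raise a message's priority for review rather than to block it outright.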
