A cyber research company has discovered new phishing email campaigns that impersonate Chase Bank to steal banking login credentials.
These campaigns use a social engineering ploy that starts with an email, apparently from the bank, claiming that something is wrong with the victim's account. Even the tech-savvy researchers who track these malicious messages and scams had to pause for a moment, because the phishing emails have been crafted to look very legitimate.
Spoofed Chase Bank credit card statement
The first phishing campaign delivers a fake credit card statement with the subject "Your Credit Card Statement is Ready" and "JP Morgan Chase" as the sender's name. The message adopts a look and layout very similar to actual emails from Chase Bank, including links to view the victim's bank statement and make payments. Clicking the main link takes the user to a spoofed Chase Bank login portal that asks for the bank account credentials, which are then captured by the cybercriminals.
The domain used to launch this campaign was hosted by NameSilo, a legitimate hosting service company, but one that threat actors can use to set up shop quickly and cheaply. The phishing emails bypassed the spam filters of Microsoft Exchange Online Protection and MS Defender for Office 365 after being assigned a Spam Confidence Level of -1. This score is assigned when the security analysis determines that the email comes from a safe sender, was sent to a safe recipient, or originated from a server on the allowed IP list.
Spoofed "bank account is locked" campaign
In this second campaign, the attackers impersonate the Chase Bank fraud department and tell recipients that their accounts have been locked and restricted due to unusual login activity detected by the bank's system. They used the subject line "URGENT: Unusual sign-in activity" and "Chase Bank Customer Care" as the sender name. The message contains a link that will supposedly "help" victims confirm their account and restore normal access. Clicking the link takes the user to a fake login page that asks for their bank login credentials and other information.
As with the first campaign, this email earned a Spam Confidence Level of -1 from MS Exchange Online Protection and MS Defender for Office 365. It reached the inboxes of the targeted victims without any warning notification.
Social engineering is the cybercriminals' key to tricking unsuspecting victims. In these phishing emails, the subject lines, the apparent origin of the email, the sender's name, the layout, and the legitimate overall look of the contents all work together, and the situations presented put pressure on victims to take prompt action on an urgent event. Brand impersonation is another critical factor in this attack, as is the tactic of using a legitimate domain hosting service to bypass Microsoft's security systems.
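The two signals described above (a Spam Confidence Level of -1 and a bank display name on an unrelated sender domain) can be checked from message headers. The Python sketch below is an added example, not code from the researchers or from Microsoft; the brand keyword list, the domains treated as genuine, and the sample message are assumptions made for the example.

```python
import email
from email.utils import parseaddr

# Assumptions for this example: brand keywords and the domains treated as genuine.
BRAND_KEYWORDS = ("chase", "jp morgan", "jpmorgan")
BRAND_DOMAINS = ("chase.com", "jpmorganchase.com")
# X-Forefront-Antispam-Report values that explain why filtering was skipped.
BYPASS_REASONS = {
    ("SFV", "SFE"): "sender on the recipient's Safe Senders list",
    ("SFV", "SKA"): "sender or domain allowed in an anti-spam policy",
    ("SFV", "SKN"): "marked non-spam before filtering (e.g. mail flow rule)",
    ("IPV", "CAL"): "source IP on the IP Allow List",
}

def antispam_fields(msg):
    """Parse 'KEY:value;KEY:value;' from X-Forefront-Antispam-Report into a dict."""
    fields = {}
    for part in msg.get("X-Forefront-Antispam-Report", "").split(";"):
        key, sep, value = part.strip().partition(":")
        if sep:
            fields[key.upper()] = value.strip()
    return fields

def review(raw_message):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    fields = antispam_fields(msg)
    findings = []
    claims_brand = any(k in display.lower() for k in BRAND_KEYWORDS)
    genuine = any(domain == d or domain.endswith("." + d) for d in BRAND_DOMAINS)
    if claims_brand and not genuine:
        findings.append(f"display name '{display}' but sender domain is {domain}")
    if fields.get("SCL") == "-1":
        why = [r for (k, v), r in BYPASS_REASONS.items() if fields.get(k) == v]
        findings.append("SCL -1, filtering skipped: " + ("; ".join(why) or "reason not in header"))
    return findings

# Constructed sample (not a captured message); domain and IP are placeholders.
SAMPLE_PHISH = (
    "From: JP Morgan Chase <statements@billing-notice.example>\n"
    "Subject: Your Credit Card Statement is Ready\n"
    "X-Forefront-Antispam-Report: CIP:203.0.113.7;CTRY:US;\n"
    " IPV:CAL;SCL:-1;\n"
    "\nbody\n"
)

if __name__ == "__main__":
    for finding in review(SAMPLE_PHISH):
        print(finding)
```

A message that trips both findings is worth tracing back to the allow-list entry or rule named in the second finding, since that entry is what let it skip filtering.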