Phishing Campaign Used Chase Fraud Alert as LureMariana Pereira of Darktrace Explains How the Campaign Worked
Fraudsters used phishing emails purporting to be a warning from Chase Bank about "unusual activity" on credit cards in an attempt to steal consumers’ account credentials, according to security firm Darktrace.
The phishing emails contained far more details than most such campaigns, says Mariana Pereira, director of email security products, EMEA, at Darktrace. It’s not clear if the campaign targeting Chase customers, which started in January, is continuing, she tells Information Security Media Group in a video interview.
"The days of tracking email campaigns as we know them may be over,” she says. Phishing emails are now so polymorphic that a campaign doesn’t really have a beginning and an end – with automation, attacks can continue indefinitely with variability, she adds.
Because the attackers continuously added new domains from which they sent the phishing emails, it’s difficult to tabulate how many were sent, Pereira explains.
The fraudsters loaded the emails with legitimate Chase URLs and images, according to Darktrace.
"By padding the email with mostly valid content and links, the attacker attempted to deceive legacy email security tools into perceiving the email as benign," the report states.
But the messages included one typo. "The sender's domain, 'fraudpreventino,' is visually similar to 'fraudprevention' - the domain of the legitimate website - so the look-a-like could be easily misread as legitimate by a user," according to Darktrace.
If a victim clicked on the link in the email, they were led to a fraudulent Chase login screen. Any personal data or information inputted into the fields, such as login credentials, was recorded and harvested by the attackers, the Darktrace report states.
The fraudsters sent messages to a broad range of consumers, hoping to snag those who bank with Chase, according to Darktrace.
"Attackers often leverage well-known brands like Chase to indiscriminately target a large pool of inboxes. They are statistically likely to find a Chase customer without having to go through the effort of actually hacking Chase’s CRM," the report states (see: Zoom-Themed Phishing Campaign Targets Office 365 Credentials).
The researchers found a number of anomalous links included in the email. There was an inconsistency between the displayed link addresses and the actual destination of the hyperlink. In addition, the domain itself was newly registered, which helped disguise that it was malicious, Darktrace says.
But the email's professional appearance made it difficult to identify it as part of a phishing campaign, Pereira says. Artificial intelligence-based tools can help identify these scams by scrutinizing email from unexpected sources as well as looking for inconsistencies and errors in the message, she adds.