Customers of JPMorgan Chase are the target of a massive multifaceted phishing campaign impacting mostly people in the U.S., according to security firm Proofpoint.
The campaign is noteworthy because of how “unsubtle” it is, Kevin Epstein, VP of advanced security and governance with Proofpoint, told SCMagazine.com on Friday, explaining that roughly 500,000 phishing emails have been sent out so far, with about 150,000 going out in the first wave.
The phishing email looks quite legitimate and asks recipients to click to read a secure and encrypted message from JPMorgan Chase, according to a Thursday post.
Clicking the link in the email brings users to a phishing page requesting credentials; however, the same page also hosts the RIG Exploit Kit, which attempts to exploit numerous vulnerabilities in order to download a variant of the Dyre malware that was initially undetected by anti-virus.
Among those vulnerabilities are CVE-2012-0507 and CVE-2013-2465 for Java, CVE-2013-2551 for Internet Explorer 7, 8 and 9, CVE-2013-0322 for Internet Explorer 10, CVE-2013-0634 for Flash, and CVE-2013-0074 for Silverlight, Epstein said.
“The RIG Exploit Kit is mounted in a Russian registry; that doesn't conclusively prove a Russian base, but is suggestive,” Epstein said, adding the exploit kit is hosted out of Moscow, specifically.
Perhaps to ensure the malware is downloaded even when exploitation fails, if the user enters their credentials on the phishing page, they are then directed to an error page that suggests downloading and running a Java update named "Java_update.exe," which is actually Dyre, according to the post.
“[The campaign] flies in the face of conventional phishing tactics, which involve focused single exploits concealed behind multiple layers of indirection to avoid detection,” Epstein said. “This is [more of] a physical smash and grab; the attackers relied on speed of delivery and impact.”