Incident Response, TDR

JPMorgan Chase customers targeted in massive phishing campaign

Customers of JPMorgan Chase are the target of a massive multifaceted phishing campaign impacting mostly people in the U.S., according to security firm Proofpoint.

The campaign is noteworthy because of how “unsubtle” it is, Kevin Epstein, VP of advanced security and governance with Proofpoint, told on Friday, explaining that roughly 500,000 phishing emails have been sent out so far, with about 150,000 going out in the first wave.

The phishing email looks quite legitimate and asks recipients to click to read a secure and encrypted message from JPMorgan Chase, according to a Thursday post.

Clicking on the email will bring users to a phishing page requesting credentials; however, the phishing page also hosts the RIG Exploit Kit, which aims to take advantage of numerous vulnerabilities to download a variant of Dyre malware that was initially undetected by anti-virus.

Among those vulnerabilities are CVE-2012-0507 and CVE-2013-2465 for Java, CVE-2013-2551 for Internet Explorer 7, 8 and 9, CVE-2013-0322 for Internet Explorer 10, CVE-2013-0634 for Flash, and CVE-2013-0074 for Silverlight, Epstein said.

“The RIG Exploit Kit is mounted in a Russian registry; that doesn't conclusively prove a Russian base, but is suggestive,” Epstein said, adding the exploit kit is hosted out of Moscow, specifically.

Perhaps to ensure the malware is downloaded, if the user enters their credentials on the phishing page, then they will be directed to an error page that suggests downloading and running a Java update named ‘Java_update.exe,' which is actually Dyre, according to the post.

“[The campaign] flies in the face of conventional phishing tactics, which involve focused single exploits concealed behind multiple layers of indirection to avoid detection,” Epstein said. “This is [more of] a physical smash and grab; the attackers relied on speed of delivery and impact.”

Analysis of the infrastructure used to send the emails in the JPMorgan Chase campaign revealed similar phishing attempts believed to be from the same attackers, including an email from ADP containing a weaponized PDF attachment that installs Dyre, and an email from Companies House that contains a ZIP attachment that installs Dyre, the post indicates.

Dyre is primarily for stealing banking credentials. It monitors network traffic and bypasses SSL mechanisms in browsers, as well as surreptitiously modifies network traffic and redirects users back to legitimate sites. The malware uses a technique known as “browser hooking” in order to steal submitted login data just prior to the information being encrypted.

“The safest approach to any email, especially an urgent email, is to not click,” Epstein said. “If your bank is really warning you of a problem, open your browser, go to the main bank website, and log in from there.”

Calling the phone number listed on the website is another option, Epstein said, but he urged not to call the number listed in the email because sometimes attackers prepare for that. “Be suspicious; it's healthier,” he added.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.