Researchers: Fraudsters Using Various Methods to Steal Credentials
Researchers at two security firms are tracking separate phishing campaigns that are targeting customers of Wells Fargo and Bank of America, according to a pair of reports.
A report from security firm Armorblox says its researchers discovered a phishing campaign that targeted only a select group of Bank of America customers, a narrow focus that helped the malicious emails slip past several layers of security tooling and reach the intended victims.
Meanwhile, Abnormal Security researchers are investigating a much larger campaign aimed at Wells Fargo customers. The fraudsters are imitating the bank's security team, alerting victims with a fake message that they will lose access to their account if they don't update their security key.
In both cases, the victims are directed to malicious domains where they are asked to enter their credentials, which are then harvested by the fraudsters. While neither report indicated whether these campaigns had been successful so far, Abnormal Security researchers note that the Wells Fargo phishing emails may have reached as many as 20,000 inboxes.
While separate, the two phishing campaigns show that bank customers' credentials remain valuable to fraudsters, either as a way to take over an account or as a commodity to sell to other cybercriminals on underground forums.
"Financial institutions have always been one of the highest profile targets for cyberattacks," Chris Morales, head of security analytics at security firm Vectra, tells Information Security Media Group. "The attack landscape is no better or worse today than it was at the beginning of the year for financial institutions already dealing with targeted attacks."
Earlier this week, Congressional lawmakers heard expert testimony about new waves of threats targeting the U.S. financial sector, including phishing attacks that can spread malware and do other damage (see: Congress Hears of Fresh Cyberthreats to US Financial Firms).
In the Bank of America campaign discovered by Armorblox earlier this month, the fraudsters sent phishing emails to customers asking them to update their email addresses. If the victim clicked on a malicious link embedded in the message, they were taken to a domain designed to look like the actual Bank of America login page, according to the report.
The domain, however, is controlled by the fraudsters and collects any usernames and passwords entered into its login fields, according to the report.
The phishing emails were sent from a personal Yahoo account via SendGrid. The messages were also sent in small batches, which could explain how they slipped past Microsoft's security tools as well as secure email gateways, according to the Armorblox report.
The phishing emails also passed authentication checks, including Sender Policy Framework, or SPF; DomainKeys Identified Mail, or DKIM; and Domain-based Message Authentication, Reporting and Conformance, or DMARC, according to the report. Those checks verify the domain of the address the message was sent from, in this case Yahoo's, not the display name shown to the recipient, which the attackers had set to read "Bank of America."
"Although the sender name - Bank of America - was impersonated, the email was sent from a personal Yahoo account via SendGrid," Armorblox Co-founder Chetan Anand noted in the report. "This resulted in the email successfully passing all authentication checks such as SPF, DKIM, and DMARC."
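The gap the Armorblox report describes, a message that passes SPF, DKIM and DMARC while its display name impersonates a bank, is something a mail pipeline can check for separately, because those protocols say nothing about the human-readable name. The following detection script is an added example and is not code from Armorblox or either bank. It reads the From and Authentication-Results headers of a constructed message (the Yahoo address, the brand-to-domain table and the receiving host are all illustrative assumptions, not the campaign's real values) and flags the case where a brand name appears in the display name but the sending domain is not one the brand is known to use.

```python
"""Flag display-name impersonation in mail that passes SPF/DKIM/DMARC.

Added example for illustration; not code from the Armorblox report.
The brand-to-domain table and both sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains each brand legitimately sends from. In production this
# would come from a maintained allowlist, not a hard-coded dict.
BRAND_DOMAINS = {
    "bank of america": {"bankofamerica.com"},
    "wells fargo": {"wellsfargo.com"},
}

# Constructed phishing sample: brand in the display name, freemail domain in
# the address, every authentication result a pass (as the report describes).
SAMPLE_PHISH = """From: "Bank of America" <accountsupport2020@yahoo.com>
To: victim@example.com
Subject: Update your email address
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounces.sendgrid.net; dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
Content-Type: text/plain

Please update your email address at the link below.
"""

# Constructed legitimate sample: same display name, brand-owned domain.
SAMPLE_LEGIT = """From: "Bank of America" <alerts@bankofamerica.com>
To: customer@example.com
Subject: Your statement is ready
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bankofamerica.com; dkim=pass header.d=bankofamerica.com; dmarc=pass header.from=bankofamerica.com
Content-Type: text/plain

Your statement is available online.
"""


def parse_auth_results(header_value):
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header.

    The header is a ';'-separated list of 'method=result ...' clauses after
    the authserv-id; only the first token after '=' is the verdict.
    """
    results = {}
    for clause in header_value.split(";"):
        clause = clause.strip()
        for method in ("spf", "dkim", "dmarc"):
            if clause.lower().startswith(method + "="):
                results[method] = clause.split("=", 1)[1].split()[0].lower()
    return results


def check_display_name(raw_message):
    """Return a verdict dict for one RFC 5322 message given as a string."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    auth_all_pass = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    # Authentication vouches for from_domain only. The display name is free
    # text, so compare it against the brands we care about.
    impersonated = None
    name_lc = display_name.lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name_lc and from_domain not in domains:
            impersonated = brand

    return {
        "display_name": display_name,
        "from_domain": from_domain,
        "auth_all_pass": auth_all_pass,
        "impersonated_brand": impersonated,
        # Passing auth plus a mismatched brand name is the exact pattern here.
        "suspicious": impersonated is not None,
    }


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, check_display_name(sample))
```

The point of the check is that `auth_all_pass` is true for both samples; only the comparison of the display name against the allowlisted sending domains separates them. A gateway that stops at "DMARC pass" never sees the difference.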
Additionally, the malicious domain reused art and design elements found on legitimate Bank of America sites. And because the domain had only been registered on June 1, it was too new to have built up a history with domain reputation services, which the report notes could also have helped the campaign slip past security controls.
"Upon closer inspection, it's evident that the domain is not owned and hosted by Bank of America," according to the report. "The domain - nulledco[.]store - was created on June 1. The screenshot below shows the certificate's common name for the webpage, which is nulledco[.]store and not Bank of America."
In the Wells Fargo phishing campaign that Abnormal Security found, the fraudsters attempt to steal customers' data, such as usernames, passwords, PINs and account numbers.
Victims receive phishing emails that appear to come from the Wells Fargo security team and ask customers to update their security key. Attached to the email is an ICS calendar file, a plain-text iCalendar format normally used to share event and scheduling information, according to the report.
If the victim opens the calendar file, it contains a link to a SharePoint page, which in turn asks the target to open yet another webpage. That final page is the malicious domain controlled by the fraudsters and is designed to look like a legitimate Wells Fargo website. Any data customers enter there is collected by the attackers, researchers note.
The report also notes that the calendar invite is designed to encourage victims to click and asks that they open it on their mobile device.
"Here, the attacker is attempting to exploit a setting where the event will automatically be added to a user's calendar," according to Abnormal Security. "Most of these programs will send an automatic notification to the user and attackers hope that potential victims will click on the event and follow the malicious link. As a result, these attacks are more likely to be seen by recipients."
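The lure chain above (an .ics attachment carrying a link, delivered as an invitation so that clients with automatic processing put it straight onto the calendar) can be inspected without opening the file in a mail client. The script below is an added example, not code from Abnormal Security or Wells Fargo. It unfolds the iCalendar file, reads the METHOD that makes it an invitation, extracts every link, and reports any whose host is outside a trusted domain list. The sample invite, the contoso.sharepoint.com URL and the trusted-domain set are constructed placeholders, not the campaign's real infrastructure. The folded DESCRIPTION line in the sample shows why a naive line-by-line grep misses the link: RFC 5545 wraps long lines, so a URL can be split across two physical lines.

```python
"""Extract and vet links from an iCalendar (.ics) invitation.

Added example for illustration; not code from the Abnormal Security report.
The invite text and the trusted-domain set below are constructed.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample. The DESCRIPTION value is folded mid-URL, as RFC 5545
# permits for lines over 75 octets, and contains an escaped comma.
SAMPLE_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Constructed sample//EN
METHOD:REQUEST
BEGIN:VEVENT
UID:constructed-0001@example.com
DTSTAMP:20200615T120000Z
DTSTART:20200616T090000Z
SUMMARY:Wells Fargo security key update
DESCRIPTION:Your security key expires soon\\, update it here: https://conto
 so.sharepoint.com/sites/secure/update
LOCATION:Open on your mobile device
END:VEVENT
END:VCALENDAR
"""

# Assumption: the only domains this brand's calendar invites should point at.
TRUSTED_DOMAINS = {"wellsfargo.com"}

_ESC = {",": ",", ";": ";", "\\": "\\", "n": "\n", "N": "\n"}


def unfold_ics(text):
    """Undo RFC 5545 line folding: a line break followed by a single space or
    tab continues the previous content line. Must run before URL extraction,
    otherwise a folded URL is truncated at the fold."""
    unfolded = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    return unfolded


def unescape_text(value):
    """Reverse iCalendar TEXT escaping (\\, \\; \\\\ \\n) so a query string
    containing a comma is not cut short by the URL regex."""
    return re.sub(r"\\([,;\\nN])", lambda m: _ESC[m.group(1)], value)


def parse_ics(text):
    """Return (METHOD, [urls]) for the whole file.

    Every property value is searched, not just URL:, because the link in the
    campaign described above sat in human-readable event text.
    """
    method = None
    urls = []
    for line in unfold_ics(text):
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        prop = name.split(";", 1)[0].upper()  # drop parameters such as ;LANGUAGE=
        if prop == "METHOD":
            method = value.strip().upper()
        urls.extend(URL_RE.findall(unescape_text(value)))
    return method, urls


def vet_invite(text, trusted_domains):
    """Flag untrusted links and whether the file is an invitation (REQUEST),
    the form that calendar clients with auto-processing add for the user."""
    method, urls = parse_ics(text)
    untrusted = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if not any(host == d or host.endswith("." + d) for d in trusted_domains):
            untrusted.append(url)
    return {
        "method": method,
        "auto_add_risk": method == "REQUEST",
        "urls": urls,
        "untrusted_urls": untrusted,
    }


if __name__ == "__main__":
    print(vet_invite(SAMPLE_ICS, TRUSTED_DOMAINS))
```

Two practitioner notes: the link is flagged even though it points at a legitimate hosting service, which matches the campaign's use of SharePoint as an intermediate hop and is why "the host is a well-known domain" is not a sufficient allow rule; and METHOD:REQUEST is what turns a bare .ics into an invitation, so it is worth recording alongside the links when triaging a sample.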
While both phishing campaigns relied on technical tricks, Alex Guirakhoo, threat research team lead at security firm Digital Shadows, noted that these attacks, especially the one aimed at Bank of America customers, also leverage social engineering to lure victims.
"Exploiting human nature can be just as, if not more, impactful than exploiting vulnerabilities," Guirakhoo tells ISMG. "Technical safeguards such as email filters and authentication checks can help prevent certain phishing emails from reaching your inbox. However, determined attackers will invariably still find ways to ensure their lures reach their targets, such as the case with more targeted spear-phishing attacks."
Managing Editor Scott Ferguson contributed to this report.