{"id":843,"date":"2018-08-24T17:57:49","date_gmt":"2018-08-24T17:57:49","guid":{"rendered":"https:\/\/icaruspressblog.wordpress.com\/?p=843"},"modified":"2019-04-17T12:52:15","modified_gmt":"2019-04-17T12:52:15","slug":"jpmorgan-chase-phishing-attack-packs-a-double-whammy","status":"publish","type":"post","link":"https:\/\/hidefideas.com\/blog\/2018\/08\/24\/jpmorgan-chase-phishing-attack-packs-a-double-whammy\/","title":{"rendered":"JPMorgan Chase Phishing Attack Packs a Double Whammy"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"  wp-image-844 alignright\" src=\"http:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/9605671.jpg\" alt=\"9605671\" width=\"417\" height=\"276\" srcset=\"https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/9605671.jpg 620w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/9605671-300x198.jpg 300w, https:\/\/hidefideas.com\/blog\/wp-content\/uploads\/2016\/03\/9605671-227x150.jpg 227w\" sizes=\"auto, (max-width: 417px) 100vw, 417px\" \/>Two words you never want to hear together are \u2018massive\u2019 and \u2018phishing.\u2019 They\u2019re normally followed by \u2018attack,\u2019 and then you could be in for a world of hurt, especially for users who aren\u2019t predisposed to vigilance. So when several media outlets reported this week that US mega bank JP Morgan Chase was hit with a massive phishing campaign, we thought it was worth a look.<!--more--><\/p>\n<p>According to <a href=\"http:\/\/www.scmagazine.com\/jpmorgan-chase-customers-targeted-in-massive-phishing-campaign\/article\/367615\/\">SC Magazine<\/a>, customers of JP Morgan Chase, the largest US bank by assets, were targeted in a \u201cmultifaceted phishing campaign impacting mostly people in the U.S., according to security firm Proofpoint.\u201d And the attackers responsible for the would-be cash grab didn\u2019t try to hide their intent. 
\u201cThe campaign is noteworthy because of how \u201cunsubtle\u201d it is, Kevin Epstein, VP of advanced security and governance with Proofpoint, told SCMagazine.com on Friday, explaining that roughly 500,000 phishing emails have been sent out so far, with about 150,000 going out in the first wave.\u201d<\/p>\n<p>The phishing email messages look very legitimate, according to SC Magazine. They ask \u201crecipients to click to read a secure and encrypted message from JPMorgan Chase.\u201d Crafting visually-convincing messages is critical to successful phishing attacks. The more convincing &nbsp;the message, the more serious the threat, because not only do these messages catch users in the net of deception, but also because they normally suggest the attacker is technically proficient, and more than likely, smart enough to pull it off.<\/p>\n<p>Clicking the link in the message directs users to the phishing page, where their JP Morgan Chase banking credentials are required to continue. And here\u2019s where it gets medieval. The phishing page also contains the RIG Exploit Kit, \u201cwhich aims to take advantage of numerous vulnerabilities to download a variant of&nbsp;Dyre&nbsp;malware that was initially undetected by anti-virus.\u201d<\/p>\n<p>Among those vulnerabilities, Epstein says, are \u201cCVE-2012-0507 and CVE-2013-2465 for Java, CVE-2013-2551 for Internet Explorer 7, 8 and 9, CVE-2013-0322 for Internet Explorer 10, CVE-2013-0634 for Flash, and CVE-2013-0074 for Silverlight. The RIG Exploit Kit is mounted in a Russian registry; that doesn&#8217;t conclusively prove a Russian base, but is suggestive,\u201d Epstein said, adding that the exploit kit is hosted out of Moscow.<\/p>\n<p>If the user enters his or her credentials, they\u2019re redirected to an \u2018error\u2019 page, informing them that they need to download and run a Java update called \u201cJava_update.exe.\u201d This is actually Dyre, and installing the malware will have disastrous consequences. 
Proofpoint\u2019s post outlining the threat can be found <a href=\"http:\/\/www.proofpoint.com\/threatinsight\/posts\/smash-and-grab-jpmorgan.php\">here<\/a>.<\/p>\n<p><a href=\"http:\/\/www.scmagazine.com\/tricky-new-malware-strain-dyre-skirts-detection-and-steals-banking-credentials\/article\/356268\/\">Dyre<\/a> is relatively new. It was discovered in June by researchers with PhishMe. The malware uses a technique known as \u2018browser hooking,\u2019 where user credentials are stolen just prior to the information\u2019s encryption. In addition to its payload, Dyre also monitors network traffic and bypasses SSL mechanisms in browsers. It also modifies network traffic and redirects users back to legitimate websites. What makes it even more dangerous is that this appears to be a new strain of the malware, according to Proofpoint. \u201cAccording to VirusTotal, the version of Dyre used in this attack was not detected by any of the leading antivirus providers at the time of the attack.\u201d<\/p>\n<p>The campaign\u2019s been dubbed \u201cSmash and Grab,\u201d and what makes it extremely dangerous is its multifaceted approach to targeting victims. Epstein told SC Magazine that the campaign \u201cflies in the face of conventional phishing tactics, which involve focused single exploits concealed behind multiple layers of indirection to avoid detection. This is [more of] a physical smash and grab; the attackers relied on speed of delivery and impact.\u201d<\/p>\n<p>What\u2019s notable about this attack is the sophistication and multilevel nature of the campaign. Proofpoint notes three distinct themes. 
\u201cSince phishing campaigns are quite common it wasn\u2019t until we dug a bit deeper that we noticed some interesting things about this particular attack.<\/p>\n<ul>\n<li>The credential phishing page is also delivering an exploit kit (RIG)<\/li>\n<li>Submitting credentials results in a fake Java update that\u2019s really banking malware<\/li>\n<li>The attacker is using the same infrastructure for PDF and zip based attacks in other active campaigns<\/li>\n<\/ul>\n<p>\u201cBoth of these exploits are attempting to install the recently discovered Dyre banking Trojan that attempts to steal banking credentials,\u201d Proofpoint says.<\/p>\n<p>The sophistication of the attack is very suggestive of a well-organized and well-funded attacker, and it\u2019s no surprise that the trace fingerprints are Russian in origin. Criminal organizations are usually the prime suspect in cases like this, and while there\u2019s no certainty to the Russian ties or organized crime, the inference isn\u2019t difficult to make.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Two words you never want to hear together are \u2018massive\u2019 and \u2018phishing.\u2019 They\u2019re normally followed by \u2018attack,\u2019 and then you could be in for a&hellip; 
<\/p>\n","protected":false},"author":3,"featured_media":844,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,14],"tags":[11,9,10,8,7],"class_list":["post-843","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-spam","tag-allspammedup","tag-bot","tag-botnet","tag-malware","tag-spam","jsn-master"],"_links":{"self":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/843","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/comments?post=843"}],"version-history":[{"count":2,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/843\/revisions"}],"predecessor-version":[{"id":1678,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/posts\/843\/revisions\/1678"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media\/844"}],"wp:attachment":[{"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/media?parent=843"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/categories?post=843"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hidefideas.com\/blog\/wp-json\/wp\/v2\/tags?post=843"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}