Security researchers have discovered a new credential phishing attack disguised as an email message from Bank of America.
The message, discovered by cloud security firm Armorblox, tricks users into providing email addresses and passwords for online bank accounts.
Users were told that inactive email addresses would be recycled unless they updated and confirmed their bank details via an online portal.
"The email claimed to come from Bank of America and asked readers to update their email addresses," wrote Armorblox co-founder and architect Chetan Anand in a blog post.
"Upon clicking on the link, the target was taken to a credential phishing page that resembled the Bank of America home page and was designed to force the target to enter their account credentials."
Anand explained that the malicious message bypassed email security controls and did not follow more traditional phishing attack tactics.
First, cyber fraudsters refrained from sending mass emails and instead used "spear phishing" tactics. Because the messages were sent to a select group of people, they were able to slip through email filters.
The message originated from a personal Yahoo account with the display name "Bank of America," but because it was relayed via SendGrid, it passed authentication checks such as SPF, DKIM, and DMARC rather than failing them.
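The mechanism above is why SPF/DKIM/DMARC alone do not catch this message: the checks authenticate the Yahoo and SendGrid domains, not the brand named in the display name. As an added illustration that is not part of the original article or of Armorblox's product, the Python below flags display-name brand impersonation on mail that otherwise passes authentication. The brand-to-domain mapping and the sample headers are constructed for the example.

```python
"""Flag display-name brand impersonation in mail that passes SPF/DKIM/DMARC."""
from email import message_from_string
from email.utils import parseaddr

# Brands a defender expects only from their own sending domains
# (constructed mapping for this example; a real one comes from local policy).
BRAND_DOMAINS = {"bank of america": {"bankofamerica.com"}}


def authentication_passed(msg):
    """True if Authentication-Results records spf, dkim and dmarc passes."""
    results = msg.get("Authentication-Results", "").lower()
    return all(f"{m}=pass" in results for m in ("spf", "dkim", "dmarc"))


def display_name_impersonation(msg):
    """Return the brand claimed in the From display name when the From
    address domain is not one of that brand's domains, else None."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None


def triage(raw):
    """Combine both checks: authenticated mail can still be impersonation."""
    msg = message_from_string(raw)
    brand = display_name_impersonation(msg)
    return {"auth_pass": authentication_passed(msg),
            "impersonated_brand": brand,
            "suspicious": brand is not None}


# Constructed sample modelled on the article's description: a Yahoo account
# named "Bank of America", relayed through SendGrid, with passing
# authentication for yahoo.com rather than for bankofamerica.com.
SAMPLE = """From: Bank of America <someaccount@yahoo.com>
To: victim@example.org
Subject: Update your email address
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounces.sendgrid.net;
 dkim=pass header.d=yahoo.com;
 dmarc=pass header.from=yahoo.com

Your email address will be recycled unless you confirm your details.
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```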
According to Anand, recipients were also fooled by the zero-day link and the convincing look-alike site: "The attacker created a new domain for the link in this email attack, so it got past the filter that was created to block known malicious links.
"The final credential phishing page was painstakingly crafted to resemble the Bank of America login page. The page's superficial legitimacy would pass the visual test of most busy readers who want to 'update their email address' as soon as possible and then get on with other business."
However, a closer look at the email message clearly shows that it was not sent by Bank of America.
Also, after providing account information to the phishing page, users were asked to answer three security challenge questions.
The phishing page appears more legitimate because Bank of America also asks security questions upon login by default.
As a good example of social engineering, this email message uses psychological tactics to persuade people to provide legitimate credentials.
Anand says: "The wording and topic of the email was intended to induce urgency in the reader due to its financial nature. Asking readers to update their bank e-mail accounts so that they are not recycled is a powerful incentive for anyone to click on the URL and do so."
If you receive such an email, do not reply directly. Instead, call Bank of America and ask if they sent the email.
Speaking to Tom's Guide, Anand said: "With the enforcement of single sign-on and 2FA across organizations, adversaries are now launching email attacks to bypass these measures. This credential phishing attack is a good example. First, the attack phishes for Bank of America credentials. Second, it phishes responses to security challenge questions.
"Asking security challenge questions not only legitimizes the attack, but also provides the adversary with important personal information about the target."