Security researchers have found a new credential-phishing attack that masquerades as an email message from Bank of America.
The message, unearthed by cloud-security firm Armorblox, tricks users into providing the email addresses and passwords for their online bank accounts.
Users were told that inactive email addresses would be recycled unless they updated and confirmed their banking details via an online portal.
“This email claimed to come from Bank of America and asked readers to update their email address,” wrote Chetan Anand, co-founder and architect of Armorblox, in a blog post.
“Clicking the link took the targets to the credential phishing page resembling the Bank of America home page, designed to make targets part with their account credentials.”
Bypassing security checks
Anand explained that the malicious message bypasses email security controls and doesn’t follow the tactics of more traditional phishing attacks.
First, the cyber crooks refrained from sending a mass email, instead using a "spear phishing" tactic. The message was sent to a select number of people, which helped it slip past email filters.
Although the message came from an individual Yahoo account with the display name “Bank of America”, it was relayed through SendGrid and wasn’t flagged by authentication checks like SPF, DKIM, and DMARC. Those checks verify that the sending infrastructure is authorized for the sender’s domain; they say nothing about whether the display name matches the brand it claims to be.
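As an added illustration of that gap (example code written for this page, not from the article or from Armorblox), the script below parses a constructed message modelled on the pattern described, a free-mail sender carrying a bank’s display name and relayed through an email service provider, and flags the display-name mismatch and the fact that the SPF/DKIM pass belongs to the relay rather than the sender’s domain. The protected-brand, free-mail and relay domains are assumptions chosen for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real capture). It models the pattern in the
# article: a free-mail From address with a bank's display name, relayed through
# an email service provider, so SPF and DKIM vouch for the relay's domain.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounces+12345@em1234.sendgrid.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=em1234.sendgrid.net;
 dkim=pass header.d=sendgrid.net
From: Bank of America <random-account@yahoo.com>
To: victim@example.com
Subject: Action required: confirm your email address
Content-Type: text/plain

Your email address will be recycled unless you confirm it at the portal.
"""

# Brands to protect against display-name impersonation, with the domains they
# legitimately send from (assumed values for this example).
PROTECTED_BRANDS = {"bank of america": {"bankofamerica.com"}}
FREEMAIL_DOMAINS = {"yahoo.com", "gmail.com", "outlook.com", "hotmail.com"}


def analyse_message(raw: bytes) -> list[str]:
    """Return a list of triage findings for a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()
    findings = []
    # 1. Display name claims a protected brand but the address is not the brand's domain.
    for brand, domains in PROTECTED_BRANDS.items():
        if brand in display_name.lower() and from_domain not in domains:
            findings.append(f"display name impersonates '{brand}' from {from_domain}")
    # 2. Free-mail sender: not how a financial institution sends transactional mail.
    if from_domain in FREEMAIL_DOMAINS:
        findings.append(f"free-mail sender domain {from_domain}")
    # 3. SPF passed, but for the bounce (relay) domain rather than the From domain,
    #    so the pass does not vouch for the address the reader sees.
    auth = str(msg.get("Authentication-Results", ""))
    bounce_domain = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if "spf=pass" in auth and bounce_domain and not bounce_domain.endswith(from_domain):
        findings.append(f"SPF pass belongs to relay {bounce_domain}, not {from_domain}")
    return findings


if __name__ == "__main__":
    for finding in analyse_message(SAMPLE_MESSAGE):
        print("FLAG:", finding)
```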
Social engineering tactics
Recipients were also duped by a zero-day link and convincing lookalike website, according to Anand: “The attacker created a new domain for the link in this email attack, so it got past any filters that were created to block known bad links.
“The final credential phishing page was painstakingly made to resemble the Bank of America login page. The superficial legitimacy of this page would pass most eye tests from busy readers that want to get on with their other work duties after ‘updating their email address’ as soon as possible.”
However, when you take a closer look at the email message, it clearly has not been sent by Bank of America.
After providing their account information to the phishing page, users were also asked to answer three security-challenge questions.
This makes the phishing page look more legitimate, because Bank of America also asks security questions upon login by default, but it also means that the attackers will then have the answers to your security questions.
Like all good examples of social engineering, the email message used psychological tactics to convince people to provide legitimate credentials.
Anand said: “The email language and topic were intended to induce urgency in the reader owing to its financial nature. Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click on the URL and follow through.”
If you get such an email, don't respond to it directly. Instead, call Bank of America and ask them if they sent it.
"Provides adversaries with vital personal information"
Speaking to Tom's Guide, Anand told us: “With the enforcement of Single Sign On and 2FA across organizations, adversaries are now crafting email attacks that are able to bypass these measures. This credential phishing attack is a good example.
“Firstly, it phishes for Bank of America credentials, which are likely not to be included under company SSO policies. Secondly, it also phishes for answers to security challenge questions, which are often used as a second/additional form of authentication.
“Asking security challenge questions not only increases the legitimacy of the attack, but also provides the adversaries with vital personal information about their targets.”