Spammers are using last month's JPMorganChase data breach in a new phishing attack aimed at getting victims to hand over confidential information.
A data breach is rarely the end of a cyber-campaign. The gang behind the breach may use the information as reconnaissance to launch a more targeted attack, or make money by selling the stolen data. Other criminals take advantage of the confusion with a "piggyback attack" that plays upon victims' fears of the original breach. In any case, users have to remain alert for any sign of fraudulent or suspicious activity.
Last month, JPMorganChase said personal data belonging to about 465,000 UCARD cardholders, or just under 2 percent of the total userbase, were exposed in a data breach. UCARD, a prepaid debit card frequently used by businesses and government agencies to issue tax refunds, unemployment compensation, and other benefits, has about 25 million users nationwide. The financial giant said at the time that it would not issue replacement cards because there was no evidence of fraudulent activity related to the cards and accounts.
Piggyback Phishing Attack
The users who received a notification letter from Chase knew for a fact they were affected and could do something about it. The other 98 percent were left "in a sort of data security limbo," noted Paul Ducklin, a Sophos researcher. These users had to wait and see if JPMorganChase's investigations turned up additional details or more victims.
Cyber-criminals are targeting these users in a phishing campaign.
This phishing email targets the "Chase Paymentech User" and notifies the recipient of "a problem caused by the recent database breach," Ducklin wrote on Naked Security. The user is asked to click on a link and complete a profile in order to verify his or her identity. The actual phish itself is not "terribly sophisticated," as users are directed to a merchant page, not a spoofed UCARD page, Ducklin said.
Since the attack email uses Chase's own images and stylesheet, they pass "casual visual muster," Ducklin said. And since users are already concerned about the breach and looking for information, they are primed to fall for these scams.
Criminals frequently try to cash in on a security breach by preying on the fears of potential victims in order to trick them into sharing confidential information or taking some specific action. You should always be wary of any communication that asks you to click on a link or provide confidential information. As Ducklin pointed out, it is unlikely that a financial institution that recently had a security incident would send an email asking you to click on a link that takes you to a login page.
"Whenever you receive an email link that does go to a login page, like this one, you can immediately be certain it is bogus," Ducklin warned.
Just Don't Click
Remember that Chase, or any legitimate business, would never ask for personal information via email. While some companies use email to notify users of a breach (such as Adobe), in the event of a breach where financial or health records are compromised, you will most likely receive a notification and all follow-up communications over postal mail.
"These types of attacks can look amazingly credible, and it's hard for people to spot them as fakes," said Lee Weiner, senior vice-president of products and engineering at Rapid7. So instead of trying to figure out what is real and what is not, people just need to get in the habit of not clicking on links.
Instead, they should "go directly to the site you want using your web browser and then use the site's own navigation to find your page," Weiner said. Or just pick up the phone and call, or walk over to speak to an employee face-to-face.