Sunday, April 17, 2016

Chase Alert E-Mail Phishing Same

A couple e-mails came into my one of my inboxes today that I wanted to quickly share. These e-mails contained subjects lines like this "Chase Alert! [2568828843]" and contained an e-mail body which read the following:

This e-mail has been sent to EMAILADDRESS@hotmail.com by JPMorgan Chase & Co. Online Banking Chase ALERT: Due to an unusual number of failed login attempts, your online banking access has been temporarily suspended. To restore your account access please click: Log On to Chase Online and proceed with the verification process. IMPORTANT NOTE: If we do not receive the appropriate account verification within 24 hours, you will need to visit a Chase branch to restore your account access. Sincerely, Chase Online(SM) © Copyright JPMorgan Chase & Co. 2016

The links in these e-mails have a URI structure similar to these:
hxxp://snacktast.info/99212afb7404efc9f6acd3f17238db46/index.php hxxp://snacktast.info/b9cc2a03f094783974f35b51bf7464e4/index.php 

A quick look at virustotal shows indicators that this site is a phishing site. https://www.virustotal.com/en/url/462fc3b660a9a5d0d0de48a76b641d4567aea5e4e8f53019b871cd49d3cbf6d2/analysis/1460917680/

Curious to see what the phish looks like, I fired up my VM and clicked around a little.


Here's some screen shots.


Unlike other similar scams I've seen in the past, this one does not redirect you to the real Bank website, instead, it simply prompts for you to enter your password, in the background the user/password information is being posted to the attackers server.