If you are a current or former Chase customer and familiar with those periodic "a secure message from Chase" email notifications, this one would've better caught your attention, if not your spam filter's. Thankfully for me, it was sent to a Gmail address I had not used with Chase online banking since 2014 or so. This instantly indicated the attackers had prior knowledge of my Gmail address having been used with Chase online banking in the past. A simple web search for "Chase hack" revealed . Data from these leaked dumps, which may be and may keep perpetually floating on the web, is valuable to hackers. It is where attackers and spammers can deduce knowledge of Chase's current and previous customers from, and target them. an earlier data breach which had impacted households in 2014 over 76 million This is one of the sources where attackers obtained email addresses of Chase customers from—including my own, though this can't be surely declared just yet. likely The phishing email Contents of the attached HTML form present in the phishing email: The email message in question instructs an unsuspecting user to "download the attached form" which is a plain HTML file mimicking real world Chase banking website. The form prompts the user to enter their Chase online banking credentials. It then follows with additional prompts under the pretence of "identity verification" to procure additional information from the user, such as debit card number, address, social security number, drivers license number, PINs, and other vital pieces of information. The information is then submitted to the hacker, assuming the user follows through the prompts. Further prompts made by the phishing webform: Government of Peru (GOB.PE) servers But, spamming happens all the time. You'd ask, why is this a big deal? That's what spam filters are designed for; to deter emails like these from reaching customers. spoofed What's interesting about this particular phishing campaign is, it originates from : perhaps via compromised credentials of one or more employees, or via malware that's taken over someone's Outlook mailbox. Government of Peru's email servers A simple look at the email headers showing the originating IP address, along with SPF and DMARC checks having been passed, are enough indicators that security measures implemented by Government of Peru have been compromised. Additionally, it is worth noting that Government of Peru sysadmins have not implemented DKIM, a crucial technology for email integrity verification. Much like a handwritten address on a paper envelope can be forged, the address field in an email message can similarly and trivially be spoofed by an attacker. Technologies like coexist to ensure the field cannot be so easily spoofed and pave a means for the recipient email servers to verify the authenticity of an incoming message. From From SPF, DKIM and DMARC From Should any of these security checks fail or not "align" with the security policies laid out by the email servers (in this case, Government of Peru), the mailbox provider (in this case, Gmail) reserves the right to treat the message as spam, phishing, or discard it altogether. sender In this case, although Gmail did mark the incoming message as spam, given its language and an inelegant imitation of Chase, all And that isn't a good sign. security checks have gracefully passed. Email headers further revealing the IP addresses of the originating message: A simple look at reveals that the attacker apparently based in Chicago, Illinois (probably behind an anonymising proxy or VPN provider; indicated by the 212... IP) is sending email via hacked Government of Peru's mail servers ( ) which appear to have been compromised via malware, or a case of hijacked credentials. email headers 190.119.194.145 What's worse? Whether this is a case of credentials of a single government employee having been compromised, or a crafty malware that's taken control of the Peruvian government servers remains a mystery. However, this is problematic on so many levels. The phishing campaign being a poor imitation was caught by Gmail's spam filters. But that may not always be the case.  This is just of the ways a country's official servers can be exploited. Chase one The hijacked email address in this case appears to belong to an employee. is Peru's official family welfare body for the vulnerable members of the public including women, elderly and children. You can imagine how much more damaging a sophisticated phishing campaign with the seal of Peruvian government can be, given this security breach. INABIF INABIF Shortly after the discovery of this phishing campaign staff and "webmaster" were notified via email in both Spanish in English, although I have not heard back from them yet. INABIF Suffice to say, should you receive a phishing email like this, always pay attention to the email address (while being aware it can easily be spoofed) and do not click on any links or attachments within the message. It might also be  a good idea to get yourself familiarised with . From how to detect and deter phishing (C) 2020. at . All Rights Reserved. Ax Sharma Central Previously published at https://central.to/hackers-are-using-government-of-peru-servers-to-send-chase-phishing-emails/

Discovery

Instantly

Target

My other blog: Security Report

Book a call

Read My Stories

Too Long; Didn't Read

Questions about cloud security? Get answers here.

Hacked Peruvian Government Servers are Sending Phishing Campaigns to Chase Bank Customers

Too Long; Didn't Read

Companies Mentioned

Ax Sharma

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

Hacked Peruvian Government Servers are Sending Phishing Campaigns to Chase Bank Customers

Too Long; Didn't Read

Companies Mentioned

Ax Sharma

About Author

TOPICS

THIS ARTICLE WAS FEATURED IN...

RELATED STORIES