A Whale of a Phish – by Ron Benvenisti

In my continuing support to bring insight and awareness about the threats and malicious activity directly targeting our local communities and greater New Jersey, I submit the following.

This evening while logging onto my Chase account, the normal login screen appeared:

Then the following pop-up immediately appeared:

What? This is something even I have never seen. The legitimate login is presented, but is only a façade! If you enter your correct credentials, the crooks capture them and then log you in to your account on the same screen and you have no indication of the criminal activity whatsoever. Whoa!

Like I said, this is a whale of a phish, and it is spawning and flourishing in New Jersey as part of the latest and likely the most sophisticated Financial Institution Phishing Campaigns I have ever seen.

In my case it was Chase, but sites showing American Express and others are rapidly appearing.

The links are usually transmitted by email but be advised: get yourself some protection like the one I have pictured above from Kaspersky, or another phishing link monitor so you’ll be warned and even actively prevented from moving on to phishing websites that exactly spoof the institution’s legitimate site.

As you can see in the Chase example above, the site provides fields for recipients to enter their accounts’ usernames and passwords and, if that information is submitted, it will be transmitted to the hackers behind the campaign and the visitor will then be redirected to the legitimate company’s login page without any suspicious activity appearing to the user.

I strongly recommend again: get some protection in place, because without it your credentials are gone, and likely your available balance shortly thereafter.

REMEMBER: Never use links provided in unsolicited emails to visit websites requiring the input of account credentials. Users who receive unexpected or unsolicited email requests from known senders inviting them to click on a link or open an attachment should always verify the sender via another means of communication before taking any action. Enable multi-factor authentication (such as a call or text back with a PIN) on all accounts that offer it to prevent unauthorized access as a result of credential compromise.

Needless to say, we will continue to investigate this new variant, but the workload increases by the minute. Please get an anti-phishing site program that is up to date, like the one I use or another that keeps up.

Stay Cyber-Safe this holiday weekend,

Ron

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].


11 COMMENTS

  1. I can’t understand why the government doesn’t get to the bottom of this! If somebody shoplifts for a $100 the person is arrested. These types of crimes are far worse and devastating!

  2. Did this happen as a result of clicking on a fake link, and not noticing that the URL was totally wrong? That is the standard phishing strategy that has been going on for years.

  3. @Sar

    Great point!

    Usually I go to the site and my password manager fills it in. This time it wouldn’t. I checked my browser history for some bogus site but came up zilch. The router log shows a different story… it looks like some kind of masked DNS redirect and the Kaspersky password manager saw it and wouldn’t fill in the creds. The truth is, I really just use a bookmark or the password manager so I didn’t notice anything until I got the warning. But at that point it was really Chase. I probably typed in the URL and didn’t go through the password manager. I now consider that was a screw up on my part even though I don’t think it was my fault. 100% Password manager to get to sites from now on for me. No more address bar.

    • Ron, I’m not sure what you mean by a masked DNS redirect. If your DNS server or router got hacked, how would Kaspersky even know the difference?

      As an aside – I’m a bit surprised that you trust Kaspersky after the negative news that has come out about them lately.
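How a password manager's origin matching refuses to fill a look-alike login page, as an added illustration (not code from the post, and not how any particular product such as Kaspersky works): the vault entries and hostnames are constructed samples, and the `tls_ok` flag stands in for the browser's certificate check, which is the layer that would catch a real hostname resolving to the wrong server.

```python
from urllib.parse import urlsplit

# Constructed sample vault: each saved login is bound to the exact origin
# (scheme + host) it was saved on, which is how password managers decide
# whether a page is "the same site".
VAULT = {
    ("https", "www.chase.com"): "chase-login",
    ("https", "www.americanexpress.com"): "amex-login",
}


def origin_of(url):
    """Return (scheme, lowercase host) for a URL, or None if it has no host."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return (parts.scheme.lower(), parts.hostname.lower())


def autofill_decision(page_url, entry_name, tls_ok=True):
    """Decide whether to fill `entry_name` on `page_url`; returns (allowed, reason).

    Look-alike hosts (chase.com.evil.example), subdomain tricks and plain-http
    copies all fail the origin comparison, so the credential never leaves the
    vault even if the page looks pixel-identical to the real login.
    """
    origin = origin_of(page_url)
    if origin is None:
        return (False, "no host in URL")
    if origin[0] != "https":
        return (False, "not https")
    if VAULT.get(origin) != entry_name:
        return (False, f"origin {origin[0]}://{origin[1]} is not where this login was saved")
    if not tls_ok:
        # Same hostname but the wrong server (e.g. a DNS-level redirect): origin
        # matching alone cannot see this; certificate validation is what does.
        return (False, "certificate does not match host")
    return (True, "origin matches saved entry")


if __name__ == "__main__":
    for url in ("https://www.chase.com/web/auth/",
                "https://www.chase.com.verify-account.example/login",
                "http://www.chase.com/",
                "https://www-chase.com/"):
        print(url, "->", autofill_decision(url, "chase-login"))
```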

  5. The Kaspersky thing was a rogue NSA insider who brought classified national security info home and put it on his personal computer which had Kaspersky AV on it. It was the Israelis that hacked into Kaspersky since 2015 to mine data that every AV program reports back to their respective manufacturer’s threat and heuristic database. If one knows how they can exploit any basic AV algorithm to use the capability in reverse. That was Israel’s claim to the NSA. Again there is no hard proof of any nation state hacking except Israel’s yet unproven claim that the Russians were hacking the NSA. They just stumbled on the idiot from the NSA who took home stuff and naturally wound up on Kaspersky research servers. All this happened on the open public internet where all AV programs communicate back to their respective manufacturers. Israeli claims that Russia used Kaspersky to hack the NSA are ridiculous. An NSA idiot who used his personal computer created this whole fiasco and he could have been using Eset, Symantec, McAfee… anything. The Israelis could have hacked any of them. What were the Israelis doing in the first place? Edward Snowden released all the NSA stuff way before that. This Kaspersky nonsense is a glatt Israeli nothing burger. This nation state cyber espionage is constant. Even North Korea has US military secrets. Corruption and stupidity make this happen. Any official communications are transmitted over “dark web” connections that never see the public internet unless some corrupted or stupid idiot brings it home. Can Kaspersky be hacked? Of course. Your android phone is already hacked as well as your Intel processor and operating systems not to mention your internet router. So let’s shut off the grid and hunt and forage and be safe. LOL.

    My use of masked DNS redirect is my imaginative term of what might be some IP spoofing scheme affecting DNS routes. Otherwise I don’t have any other explanation at this point. Any ideas? It’s an ongoing investigation and any help would be appreciated. So far only civilians are affected so notifying IC3 if you got it is the way to go.

  6. @Yungerman

    I would say no, or not yet… however, don’t do it on a free public wi-fi like Barnes & Nobles or Starbucks, etc. Everyone should get a high rated Virtual Private Network (VPN) app that is certified by the Google Play Store or Apple App Store to be safe. They are cheap and set them to run automatically. They encrypt anything you send from your phone or tablet so even if hackers intercept your creds they will be extremely hard to crack if at all and not worth their time. If you travel with a notebook put a VPN on there too. With most home “secure” routers being wide open now I put VPNs on everything.

  7. Wow never heard of a VPN, I just always avoided using others Wi-Fi networks. Do you have any suggestions of a “good” VPN app? How can I tell if it is legitimately certified?
    Thank you!

Comments are closed.