• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Chase Bank Scams Target Our Own

May 8, 2020 By Trevor Collins

The other day, a WatchGuard employee received a text alert stating that Chase bank had limited access to their account. They right away knew the message was bogus and offered it to us to investigate. We found the link within the message sends the user to a fake Chase login. Fortunately, the employee knew better and didn’t follow the link in the text message, but others might not be as observant. We followed through with the phish in our test environment and found the scam could end in a takeover of the victim’s bank account.

When we first visited this site in our sandbox, at first we saw nothing, just a blank page. Upon further inspection though, we noticed the page contained some HTML code. As it turned out, the web page only displayed content when resized to a portrait window size like in a phone. We don’t know if the scam creators meant to do this to avoid analysis, but a quick resizing of the window allowed us to see the website.

The scammers made the fake website look like the real one, but a careful eye will spot a few differences including the Remember Me and Use token checkboxes as well as the copyright year on the bottom of the page.

While we navigated the website, we monitored the data that the browser transmitted to the web servers with a network monitor called Fiddler. We found that entering the username and password sent this information to the scammer where they keep it on their servers for later use. The scammers still need more information to access your account though. Chase and most other banks require multi-factor authentication, so the scam continues.

 

 

Once “logged in,” the site displayed a notification that the account has been limited and we need to update our phone number to unlock it. The scammer likely uses the phone number field to misdirect the user into thinking a normal account update is taking place. They may also use it to change the phone number on the account or send a fake notification, but we don’t know for sure. We would have to use a real bank account to test this and we understandably didn’t want to do that. We did enter a burner number that we use when investigating scams, and we saw the web page send the number to the scammers, but we never received a message or call.

In the last step we wait for the code; we receive and enter our password again. We know this type of scam well. In the background the scammers likely have a server keeping this information and using it to log into Chase bank. The code we receive comes from the real Chase bank and if you enter this into the scammers website they will pass the code onto the website’s login page to access your account.

 

Since we didn’t use a real Chase account, we never received the code but entering a fake code allowed us through. The password this time may only misdirect the victim into thinking a normal verification is taking place just like the previous phone number field. The message “Please wait for 1 to 2 minutes because the service provider may be overloaded” gives insight into their operation. The scammer’s server likely doesn’t send the login details to the server until after you enter your phone number. It may also take time for their system to make the proper request to the Chase login page. For whatever reason, they need a little extra time to make the request on their side.

After entering a random code and password we once again saw this information sent to the scammers followed by a confirmation message on the scammer’s website. If we entered real bank login details, it wouldn’t take long for the scammers to take money out.

Always watch for text messages or phone calls that ask you for private information. Chase bank warns its users of scams just like this one on their website “Don’t reply to an email, phone call or text message that tell you your account has been compromised, then asks you to give or confirm your personal or account information” Also don’t follow any links directly from an message or email. If the service has as issues with your account, you can resolve it by going directly to the website or calling them directly.

Share This:

Related

Filed Under: Editorial Articles, Research Tagged With: Phishing

Comments

  1. Wilderness says

    May 8, 2020 at 2:00 pm

    “Privet information”: https://en.wikipedia.org/wiki/Privet

    Reply
    • Trevor Collins says

      May 19, 2020 at 3:18 pm

      Thank you, corrected

      Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Malvertising, Ransomware, and Alleged IRS Breach
  • Law Enforcement Infiltrate and Seize Hive Ransomware Operation
  • The RCE Vulnerability That Wasn’t
  • Cybersecurity News: ACLU Unveils Mass Surveillance Program, (More) Malvertising, and Breaches

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • CISA Warns of Weaponized RMM Software
  • Cybersecurity News: ACLU Unveils Mass Surveillance Program, (More) Malvertising, and Breaches
  • Law Enforcement Infiltrate and Seize Hive Ransomware Operation
  • Report Roundup
  • Cybersecurity News: Malvertising, Ransomware, and Alleged IRS Breach
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use