Blog

No items found.

Darktrace email finds: Chase fraud alert

Darktrace email finds: Chase fraud alertDefault blog imageDefault blog image
13
Jul 2020
13
Jul 2020

In a previous blog, we analyzed a phishing attack that impersonated QuickBooks, an accounting software, in an attempt to install malware across an organization. This blog demonstrates another recent threat find where the brand of a trusted financial organization was leveraged to launch an email attack.

With an annual revenue of over $100 billion, Chase is the second largest issuer of credit cards in the US. It is unsurprising that this well-known, trusted brand is used by attackers in phishing attacks. With the recent surge in e-commerce transactions, together with increased scrutiny regarding digital security, consumers are on high-alert when it comes to the security of their banking details. A ‘fraud alert’ from a financial institution triggers stress and anxiety, and recipients may rush to take action, forgetting security training and clicking on links even if they appear to be suspicious. By playing on human emotions, attackers increase their likelihood of success.

The anatomy of an attack

An attacker appears to have invested a significant amount of research and preparation into crafting a legitimate-looking Chase fraud alert.

Figure 1: A partial recreation of the malicious email

In the phishing email above the recipient is asked to confirm that a listed transaction is legitimate. The notification, whether received through email, text message, or an app, will usually include the name of the vendor, date and time of the transaction, and the amount of money. The attacker has gone to the trouble to replicate this, listing specific suspicious transactions.

Attackers often leverage well-known brands like Chase to indiscriminately target a large pool of inboxes. They are statistically likely to find a Chase customer without having to go through the effort of actually hacking Chase’s CRM.

But while emails like these bypass legacy tools and often fool the human recipient, they are easily detected by Antigena Email’s contextual understanding of anomalous activity and stopped by its autonomous response.

How AI caught the fake fraud alert

In this case, as soon as the spoofed fraud alert hit the inbox, Antigena Email detected that the email was unusual, giving the email an 100% anomaly score.

100%

Mon Jun 22 2020, 10:38:34

From:Chase Fraud Alert <chase@fraudpreventino.czh.com>

Recipient:Kirsty Dunhill <kirsty.dunhill@holdingsinc.com>

Action Needed: Confirm you made these purchases

Email Tags

Suspicious Link

New Contact

Unknown Correspondent

Actions on Email

Lock Link

Hold Message

Figure 2: Darktrace’s AI surfacing the email as 100% anomalous

With this high anomaly score indicating a highly unusual email, Antigena Email automatically held it back from the user’s inbox.

The sender’s domain, ‘fraudpreventino’, is visually similar to ‘fraudprevention’ – the domain of the legitimate website – so the look-a-like could be easily misread as legitimate by a user.

However, in Antigena Email dashboard’s advanced tab, we see the metrics for KCE and KCD are both 0, indicating that this is a new email address that has not previously corresponded with either the recipient or anyone else within the organization. Additionally, we can see that DKIM failed and there is no SPF record, and so there were no records to validate the authenticity of the email.

Figure 3: The Threat Visualizer shows the emails have failed SPF and DKIM checks

Antigena Email detected other unusual aspects of the email indicating that it was an attack. The email contained a number of anomalous links and there was an inconsistency between the displayed link address and the actual destination of the hyperlink.

The display link in this particular email was a newly registered domain at the time the email was sent. Not surprisingly, this domain is now being identified as a malicious page. However, at the time the email was sent, the domain was not listed on ‘deny lists’ and would have slipped past spam filters or legacy security tools.

Upon clicking the link, the user would have been presented with a fraudulent Chase login screen. This is a common credential harvesting technique – when the user enters their credentials, they unknowingly hand over this information to the attacker.

Figure 4: The fake Chase login screen with credential harvesting malware

The website has now also been recognized as malicious, with users now presented with a warning encouraging them to think twice before entering sensitive information.

Figure 5: The page is later recognized as harmful by the web browser

It is not clear how long the fake login page was in existence before it was added to ‘denylists’, but what is certain is that Antigena Email was able to prevent the attack by holding back the email even without any threat intelligence on the attacker technique, ensuring no damage was done.

Figure 6: Antigena Email recognizes when a malicious link is hidden behind a misleading button

In addition to this button, the attacker also took time to add many legitimate Chase links and images. By padding the email with mostly valid content and links, the attacker attempted to deceive legacy email security tools into perceiving the email as benign. Notice below that these all link to the legitimate address for ‘fraudprevention,’ which itself was used as the source of the altered domain name for the sender.

Figure 7: The full list of links contained in the email

Defending against sophisticated phishing attacks

Attackers continue to leverage social engineering tactics to play on human error and fear in increasingly targeted phishing attacks, crafting nuanced misspellings in their domain names, padding emails with legitimate links, and creating a false sense of urgency. Self-learning AI that can spot and stop threats with both machine speed and precision becomes a critical tool at a time when humans have become even more susceptible as people’s stress and anxiety levels have become heightened by global disruption.

Of course, in this attack there is an irony in that the order of operations is directly inverted: first comes the notification, then comes the fraud. But with Antigena Email, attacks like this are stopped in their tracks, protecting employees and organizations from harm.

Like this and want more?

Receive the latest blog in your inbox
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
INSIDE THE SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
AUTHOR
ABOUT ThE AUTHOR
Mariana Pereira
Director of Email Security Products

Mariana is the Director of Email Security Products at Darktrace, with a primary focus on the capabilities of AI cyber defenses against email-borne attacks. Mariana works closely with the development, analyst, and marketing teams to advise technical and non-technical audiences on how best to augment cyber resilience within the email domain, and how to implement AI technology as a means of defense. She speaks regularly at international events, with a specialism in presenting on sophisticated, AI-powered email attacks. She holds an MBA from the University of Chicago, and speaks several languages including French, Italian, and Portuguese.

USE CASES
No items found.
PRODUCT SPOTLIGHT
No items found.
COre coverage
No items found.
This Article
Darktrace email finds: Chase fraud alert
Share
Twitter logoLinkedIn logo

Related Articles

No items found.

Good news for your business.
Bad news for the bad guys.

Start your free trial

Start your free trial

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Get a demo

Flexible delivery
You can either install it virtually or with hardware.
Fast install
Just 1 hour to set up – and even less for an email security trial.
Choose your journey
Try out Self-Learning AI wherever you most need it — including cloud, network or email.
No commitment
Full access to the Darktrace Threat Visualizer and three bespoke Threat Reports, with no obligation to purchase.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.