9 Jul, 2018

Chase Bank Phish Kit Now Found in the Wild

The latest phish kit to show up in the world mimics the Chase Bank login page. It is designed to gather the user's Chase bank login credentials, social security number, mother's maiden name, date of birth, and card details, and send them to a pre-set email address.
What is a Phish Kit?
Phish kits are a particular problem. Creating a phishing website is hard, but phish or phishing kits do all of the work for the hackers. A phish kit contains a number of files that can simply be uploaded to the targeted website.
We previously warned about an Office 365 phish kit, which was basically a redirect, stealing your credentials and then redirecting you to the actual Microsoft sites.
The Chase Bank Phish Kit
Beyond the Chase Bank login credentials, social security number, mother's maiden name, date of birth and card details described above, the kit also records each visitor's IP address and location before sending everything to a pre-set email address.

Unfortunately, the phishing site looks very genuine and may well fool some visitors. The kit itself contains 10 files and zips to just over 2 MB, a compact package that overwrites the site's index.php so that visitors are sent straight to the fake Chase Bank login page.
The login page:
The kit:
The redirect to a verification page that collects further confidential information (later used for voice phishing, or "vishing", calls in which the caller extracts data over the phone in order to reset or change the victim's Chase Bank credentials):
The module that sends the collected information to the cyber criminal's email address:
Keep Yourself Protected From Phishing Kits
Phishing continues to be a problem, and as phish kits make it easier for more and more scammers to redirect people, there are a number of things to bear in mind at both the consumer and site owner level.
As a Consumer:
  •  Never click on a link in an email from your bank or another high-profile institution, no matter how genuine it looks and no matter how much you were expecting it. Instead, go directly to the site by typing the URL or using your bookmarks. Links in email are the primary way phishers "hook" people. PayPal and Bank of America are frequent targets.
  •  If you find yourself on a website other than the one you expected, do not enter any personal information, even if the URL looks right. Back out. If possible, contact the owner of the website you were trying to get to, as they may be compromised. Sometimes phishers will use a web address that looks very close to where you intended to go such as, say, faceboook.com.
  •  Be wary when a bank or other site asks you to verify your information. The only checks they generally perform are occasional multi-factor authentication prompts. No legitimate financial institution will ask you to enter your full social security number, for example. They are more likely to ask you to answer a security question.
As a Site Owner:
As a site owner, your primary duty is to make sure that phishers do not hijack your site's visitors or use your site as "cover" for their activities. Apart from anything else, this can get your site blocked as "distributing malware" and cost you customers. There are some measures you can take to keep from being hijacked.
  •  Monitor your site for malicious redirects. These can occur because of insecure WordPress themes or an inserted traffic distribution system. Often these redirects will target specific users; in the case of phishing attacks, your site may be used to target people in a specific geographic area. Most phishers will also set up the site so that it returns a 404 when accessed from a security company, and a smart phisher may blacklist your own address so that you never see the malicious redirect yourself. In some cases, the first a company hears of it is when a customer or a security company gets in touch. A website monitoring service, such as Quttera, can help spot these malicious redirects.

  •  Educate yourself and your employees so you do not get phished yourself. In some cases, scammers may use email phishing or even targeted "spear" phishing to get your login credentials and then use those to access and hijack your website. Always make sure you are on your own site when you log in, that your site runs secure protocols, and that your security certificate is up to date. Be careful what personal information you post on the internet. Business owners can sometimes be particularly vulnerable because of the need to put information out there for marketing. Encourage your employees to report phishing attempts.

  •  Be careful which WordPress themes you use. Do research to make sure that the theme you choose is not known to have problems. Because WordPress is open source and anyone can make a theme for it, some themes are inadvertently (or even deliberately) insecure.

  •  Take steps to keep your own site from being cloned. If possible, implement EV SSL security on your website. This is also called a "green bar" certificate, as it turns the address bar green in modern browsers and displays your company name instead of the URL. This makes your own website much harder to fake and helps protect your customers from fraud. That said, we have encountered phishing cases where the hackers used SSL certificates as well. If you accept online payments, you need to take extra care to make sure that your customers are protected and that they know they are. This may be less important if your e-commerce is handled by a third-party provider; if it is, make sure they implement this security measure (most do).

  •  Encourage your customers to report any phishing attempts to you. You may be able to take steps, and you need to know if you have been targeted. If you know that phishing emails are being sent that purport to be from you, warn your employees and customers right away so that they know you are on top of the situation and know not to click on the spurious links.
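As an added example (not code from the original post or from Quttera), the following Python script shows one way a site owner can catch the kind of tampering described above: an overwritten index.php that redirects visitors, and newly uploaded PHP files that mail form data to a preset address. It builds a constructed web root in a temporary directory, takes a SHA-256 baseline, simulates the tampering, and reports files that are new, modified, or match the assumed indicator patterns.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed content heuristics for a PHP/HTML web root; tune for your own site.
SUSPICIOUS = {
    "php_redirect": re.compile(r'header\s*\(\s*["\']Location:', re.I),
    "meta_refresh": re.compile(r'<meta[^>]+http-equiv=["\']refresh', re.I),
    "js_redirect": re.compile(r'(window\.)?location(\.href)?\s*=\s*["\']https?://', re.I),
    "mail_exfil": re.compile(r'\bmail\s*\(.*\$_(POST|REQUEST)', re.I | re.S),
}


def baseline(root):
    """Map relative path -> SHA-256 of every file under root (the known-good state)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def scan(root, known):
    """Return {relpath: [reasons]} for files that are new/changed or match a pattern."""
    findings = {}
    for rel, digest in baseline(root).items():
        reasons = []
        if rel not in known:
            reasons.append("new file")
        elif known[rel] != digest:
            reasons.append("modified")
        text = (Path(root) / rel).read_text(errors="replace")
        reasons += [name for name, rx in SUSPICIOUS.items() if rx.search(text)]
        if reasons:
            findings[rel] = reasons
    return findings


def demo():
    """Constructed scenario: a clean site, then a kit overwrites index.php and adds a mailer."""
    root = Path(tempfile.mkdtemp())
    (root / "index.php").write_text("<?php echo 'Welcome to example shop'; ?>")
    (root / "about.html").write_text("<h1>About us</h1>")
    known = baseline(root)
    # Simulated tampering (constructed stand-ins, not the kit's files).
    (root / "index.php").write_text('<?php header("Location: /chase/login.php"); exit; ?>')
    (root / "chase").mkdir()
    (root / "chase" / "send.php").write_text("<?php mail($to, 'log', print_r($_POST, true)); ?>")
    return scan(root, known)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(path, "->", ", ".join(reasons))
```

Run the baseline against a known-clean copy of the site and re-scan on a schedule; an unchanged about.html is silent, while the rewritten index.php and the new mailer are both reported.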
Protect Your Business With Quttera
As a business, you have a responsibility to your customers. As phishing kits make it easier and easier for scammers to clone websites and set up spurious redirects, you need to take proper security precautions. Quttera can help by monitoring your website for malicious code injections, including on WordPress sites. We can monitor and remove malicious redirects and other malware from your site, allowing you to focus on your core business. Take proper steps to avoid being part of a phishing scam at any level.
The new Chase Bank phish kit is the latest sign that the phishing "landscape" is becoming larger and more complex, and that all companies need to take steps to protect their security.