Researchers at two security firms are tracking separate phishing campaigns that are targeting customers of Wells Fargo and Bank of America, according to a pair of reports.
A report from security firm Armorblox says researchers discovered a phishing campaign aimed at a small, select group of Bank of America customers; the limited targeting appears intended to keep the malicious emails under the radar of security tools so they reach the intended victims.
Meanwhile, Abnormal Security researchers are investigating a much larger campaign aimed at Wells Fargo customers. The fraudsters impersonate the bank’s security team and warn victims in a fake message that they will lose access to their account unless they update their security key.
In both cases, victims are directed to malicious domains where they are asked to enter their credentials, which the fraudsters then harvest. Neither report indicated whether the campaigns had succeeded so far, but the Abnormal Security researchers note that the Wells Fargo phishing emails may have reached as many as 20,000 inboxes.
Although separate, the two campaigns show that bank customers’ credentials remain valuable to fraudsters, whether as a means to take over an account directly or as a commodity to sell to other cybercriminals through underground forums.
In the Bank of America campaign, which Armorblox discovered earlier this month, the fraudsters sent phishing emails asking customers to update their email addresses. A victim who clicked the malicious link embedded in the message was taken to a domain designed to look like the real Bank of America login page, according to the report.
That domain, however, is controlled by the fraudsters and captures any username and password entered into its fields, the report says.
The phishing emails were sent from a personal Yahoo account via the SendGrid email service, and in small batches, which could explain how they slipped past Microsoft’s security tools as well as secure email gateways, according to the Armorblox report.
The emails also passed the standard sender authentication checks: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC), according to the report. Passing those checks is not surprising: SPF, DKIM and DMARC verify that a message really came from the domain in its sender address, not that the sender is who the display name claims to be, so a message legitimately sent from a Yahoo account through SendGrid can authenticate cleanly while still impersonating the bank.
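The following Python script is an added example, not code from either report or from Armorblox, of the check a mail filter would need to catch this kind of message: it reads the Authentication-Results header and the From header, confirms that SPF, DKIM and DMARC all passed, and then compares the brand named in the display name against the domain the message actually authenticated for. The two sample messages, the addresses, hosts and DKIM selectors in them, and the brand-to-domain mapping are all constructed placeholders for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages, not headers from the Armorblox report. Every
# address, host and selector below is a placeholder chosen for illustration.
# PHISH_SAMPLE models mail sent from a personal Yahoo account via SendGrid:
# it authenticates cleanly for yahoo.com while the display name claims to be
# the bank.
PHISH_SAMPLE = """\
From: "Bank of America Alerts" <someone.personal@yahoo.com>
To: customer@example.net
Subject: Action required: update your email address
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bounces.sendgrid.net;
 dkim=pass header.d=yahoo.com header.s=s2048;
 dmarc=pass (p=REJECT) header.from=yahoo.com
Content-Type: text/plain; charset=utf-8

Please update your email address here: https://example.invalid/update
"""

# Same display name, but the sending domain is the one the brand owns.
LEGIT_SAMPLE = """\
From: "Bank of America Alerts" <alerts@bankofamerica.com>
To: customer@example.net
Subject: Your statement is ready
Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bankofamerica.com;
 dkim=pass header.d=bankofamerica.com header.s=sel1;
 dmarc=pass header.from=bankofamerica.com
Content-Type: text/plain; charset=utf-8

Your statement is ready.
"""

# Brand names to look for in the display name, mapped to the domains those
# brands send from. Illustrative mapping; a real deployment would maintain it.
BRAND_DOMAINS = {
    "bank of america": ("bankofamerica.com",),
    "wells fargo": ("wellsfargo.com",),
}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def parse_auth_results(header):
    """Map each mechanism in an Authentication-Results header to its verdict."""
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RE.finditer(header)}


def domain_matches(domain, allowed):
    """True if domain equals, or is a subdomain of, any allowed domain."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def assess(raw_message):
    """Check authentication verdicts and display-name brand against the From: domain."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"]))
    from_domain = address.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    authenticated = all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))

    # The protocols only vouch for from_domain; the brand claim lives in the
    # free-text display name and has to be checked separately.
    claimed = next((b for b in BRAND_DOMAINS if b in display_name.lower()), None)
    if claimed and not domain_matches(from_domain, BRAND_DOMAINS[claimed]):
        verdict = "display-name impersonation of %s from %s" % (claimed, from_domain)
    else:
        verdict = "ok"
    return {
        "from_domain": from_domain,
        "auth": auth,
        "authenticated": authenticated,
        "claimed_brand": claimed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, LEGIT_SAMPLE):
        print(assess(sample))
```

Run against the first sample, the script reports all three mechanisms as pass and still flags the message, because the authenticated domain is yahoo.com while the display name claims the bank; the second sample, with the same display name but the brand's own domain, comes back clean. Real gateways see the Authentication-Results header added by the receiving server, so the check should only trust a header stamped by your own infrastructure, not one that arrived with the message.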
In the Wells Fargo campaign that Abnormal Security found, the fraudsters attempt to steal customer data such as usernames, passwords, PINs and account numbers.
Victims receive phishing emails that appear to come from the Wells Fargo security team and ask them to update their security key. Attached to the email is an ICS calendar file, a format normally used to carry meeting invitations and other scheduling information, according to the report.
If the victim opens the calendar file, it contains a link to a SharePoint page, which in turn prompts the target to open yet another webpage. This final page is the malicious domain controlled by the fraudsters, designed to look like a legitimate Wells Fargo website; the SharePoint hop means that any URL filtering applied to the link inside the attachment sees a trusted Microsoft domain rather than the phishing site. Any customer data entered on the final page is collected by the attackers, the researchers note.
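The following Python script is an added example, not code from the report or from Abnormal Security, of how a mail scanner can pull links out of an ICS attachment like the one described: it unfolds the calendar file's continuation lines, undoes the format's text escaping, extracts every URL from every property and marks links that point at a shared file-hosting service as an intermediate hop that still needs to be followed to reach the real destination. The sample attachment, its tenant name, paths and hostnames, and the list of hosting services are constructed placeholders for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed ICS attachment for illustration; not a sample from the report.
# The tenant, paths and hostnames are placeholders. The first URL is folded
# across two lines and ends with an escaped comma, as real ICS files do,
# which is why a plain grep over the raw attachment can miss it.
SAMPLE_ICS = """\
BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//Constructed sample//EN
BEGIN:VEVENT
UID:constructed-1@example.invalid
DTSTART:20200801T090000Z
SUMMARY:Security key update required
DESCRIPTION:Your security key expires soon. Review the notice at https://examp
 le-tenant.sharepoint.com/:b:/g/notice\\, then confirm your details.
URL:https://secure-update.example.invalid/login
END:VEVENT
END:VCALENDAR
"""

# Legitimate file-sharing services that phishing chains use as an intermediate
# hop. Illustrative list, assumed for this example.
SHARED_SERVICES = ("sharepoint.com", "onedrive.live.com", "drive.google.com")

PROP_RE = re.compile(r"^([A-Za-z0-9-]+)(?:;[^:]*)?:(.*)$")
URL_RE = re.compile(r'https?://[^\s<>"\']+')
_ESCAPES = {"\\": "\\", ";": ";", ",": ",", "n": "\n", "N": "\n"}


def unfold(ics_text):
    """Join RFC 5545 folded lines: a continuation starts with a space or tab."""
    lines = []
    for raw in ics_text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def unescape(value):
    """Undo RFC 5545 text escaping of backslash, semicolon, comma and newline."""
    return re.sub(r"\\([\\;,nN])", lambda m: _ESCAPES[m.group(1)], value)


def is_shared_service(host):
    """True if host is one of SHARED_SERVICES or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in SHARED_SERVICES)


def extract_links(ics_text):
    """Return every http(s) URL found in any property of the calendar file."""
    links = []
    for line in unfold(ics_text):
        match = PROP_RE.match(line)
        if not match:
            continue
        prop, value = match.group(1).upper(), unescape(match.group(2))
        for url in URL_RE.findall(value):
            url = url.rstrip(".,;)")  # trailing punctuation from surrounding prose
            host = (urlsplit(url).hostname or "").lower()
            links.append({
                "property": prop,
                "url": url,
                "host": host,
                # A link to a shared service is usually only the first hop;
                # the credential-harvesting page sits behind it.
                "intermediate_hop": is_shared_service(host),
            })
    return links


if __name__ == "__main__":
    for link in extract_links(SAMPLE_ICS):
        print(link)
```

On the sample file the script recovers two links: the SharePoint URL from the DESCRIPTION property, flagged as an intermediate hop, and the final URL from the URL property. The unfolding step matters in practice: the ICS format wraps long lines at 75 octets, so a URL in a DESCRIPTION field is routinely split across two physical lines and will not match a URL pattern until the file has been unfolded.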