Phishing emails targeting recent JPMorgan Chase data breach

Last month, I covered the news surrounding the JPMorgan Chase data breach, which impacted two percent of their UCard users, or about 500,000 people. Said previous coverage is here. That story has once again made headlines, as criminals are using the news as a focal point in a new wave of Phishing attacks.

The Chase breach stands out as one of the more unique security stories for me in 2013. It’s interesting because of the notification delay, the fact that the data compromised was being transmitted in the clear at the time of the incident, and the fact that Chase refused to replace the cards impacted by the breach.

Timeline wise, the attack happened in July, Chase detected the breach and fixed the security issues in September, the notification process started in December. While the bank said they planned to notify nearly 500,000 people about the incident, they didn’t fully explain the scope, leaving many to wonder just how far the incident reached. The bank added that since there was no evidence of funds being stolen, the impacted cards would not be replaced.

The attack focused on Chase’s UCard, which are issued by state agencies to process state assistance payments (EBT), child support payments, unemployment payments, state payroll, education assistance payments, and tax refunds. I wasn’t able to confirm all of the states impacted by the breach, as Louisiana was the only state to come forward. However, research into the UCard turned up evidence that it’s issued in Utah, Texas, Connecticut, Illinois, Pennsylvania, Ohio, New York, Missouri, Kansas, and Oklahoma.

This week, researchers at Sophos discovered a new wave of Phishing emails that target UCard users and Chase customers, warning them that their Paymentech services will be halted if action isn’t taken. In this case, the action requested is the release of personal and financial information via a form on a fake Chase website.

At a glance, the Phishing email looks legitimate, because the kit that created it is pulling icons and images from Chase’s servers. For many, the UCard is their lifeblood, so the stress caused by loss of access would be enough for some to follow the link, given that visually the email seems legit.

That level of fear is a classic Phishing tactic, and one that will work in most cases. The fact that it focuses on a recent, newsworthy event, adds a level of legitimacy that some people will be familiar with, so it lowers their guard.

“These types of attacks can look amazingly credible, and it’s hard for people to spot them as fakes, particularly when they are already concerned about the breach and looking for information,” Rapid7’s Lee Weiner told the Hash in an emailed statement.

“It’s crucial for people to be wary of any communication that asks them to click on a link or provide confidential information. If in doubt, go directly to the site you want using your web browser and then use the site’s own navigation to find your page; don’t click on the link in the email.”

If you share this latest development within your organization as an awareness note, it’s important to stress that Chase will never ask for personal information via email. Moreover, in the event of a breach such as the one being referenced by the Phishing email, Chase will always notify customers via postal mail. When in doubt, call the local branch or walk into a branch and speak to an employee face to face.