Security Researcher, Engineer, Tech Columnist | https://hey.ax/
If you are a current or former Chase customer and familiar with those periodic "a secure message from Chase" email notifications, this one would have caught your attention, if not your spam filter's. Thankfully for me, it was sent to a Gmail address I had not used with Chase online banking since 2014 or so. That alone indicated the attackers had prior knowledge that my Gmail address had once been used with Chase online banking.
A simple web search for "Chase hack" turns up an earlier data breach which impacted over 76 million households in 2014. Data from such leaked dumps, which may keep floating around the web indefinitely, is valuable to hackers: it is where attackers and spammers can deduce who Chase's current and previous customers are, and target them.
This is likely one of the sources from which attackers obtained email addresses of Chase customers, including my own, though that can't be stated with certainty just yet.
Contents of the attached HTML form present in the phishing email:
The email message in question instructs an unsuspecting user to "download the attached form", which is a plain HTML file mimicking the real Chase banking website.
The form prompts the user to enter their Chase online banking credentials. It then follows with additional prompts under the pretence of "identity verification" to procure further information from the user, such as debit card number, address, social security number, driver's license number, PINs and other sensitive pieces of information.
Assuming the user follows through the prompts, the information is then submitted to the attacker.
Further prompts made by the phishing webform:
But spamming happens all the time, so why is this a big deal? That's what spam filters are designed for: to stop spoofed emails like these from reaching customers.
What's interesting about this particular phishing campaign is that it originates from the Government of Peru's email servers, perhaps via the compromised credentials of one or more employees, or via malware that has taken over someone's Outlook mailbox.
A simple look at the email headers, which show the originating IP address along with SPF and DMARC checks having passed, is enough to indicate that security measures implemented by the Government of Peru have been compromised.
Additionally, it is worth noting that the Government of Peru's sysadmins have not implemented DKIM, a crucial technology for verifying email integrity.
Much like a handwritten From address on a paper envelope can be forged, the From address field in an email message can be just as trivially spoofed by an attacker. Technologies like SPF, DKIM and DMARC work together to ensure the From field cannot be so easily spoofed, and provide a means for the recipient's email servers to verify the authenticity of an incoming message.
Should any of these checks fail, or not "align" with the policies published by the sender's email servers (in this case, the Government of Peru), the mailbox provider (in this case, Gmail) reserves the right to treat the message as spam or phishing, or discard it altogether.
In this case, although Gmail did mark the incoming message as spam, given its language and its inelegant imitation of Chase, all security checks passed cleanly. And that isn't a good sign.
Email headers further revealing the IP addresses of the originating message:
A simple look at the email headers reveals that the attacker, apparently based in Chicago, Illinois (probably behind an anonymising proxy or VPN provider, as indicated by the 212... IP), is sending email via the hacked Government of Peru mail servers (126.96.36.199), which appear to have been compromised via malware or hijacked credentials.
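The header analysis in this post (SPF/DKIM/DMARC verdicts and alignment, plus the originating IP pulled from the Received chain) is easy to automate for triage. The script below is an added example written for this article, not code from the original post or from any mailbox provider. The sample message it parses is constructed: the domains, IP addresses and header values are placeholders, not the real campaign's data, and the DMARC alignment check is a simplified same-domain/subdomain comparison rather than a full organisational-domain lookup.

```python
"""Triage helper for phishing-mail headers (added example, constructed data).

Reports which of SPF / DKIM / DMARC passed, failed or are absent, whether the
visible From domain aligns with the SPF-checked envelope domain, and the chain
of originating IPs from the Received headers, oldest hop first.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: placeholder domains/IPs, modelled on the situation in the
# post (SPF and DMARC pass, no DKIM, authenticated submission at the sender).
SAMPLE_RAW = """Received: from mail.example-gov.test (mail.example-gov.test [203.0.113.10])
\tby mx.example-mailbox.test with ESMTPS id abc123
\tfor <victim@example-mailbox.test>; Mon, 1 Jan 2018 10:00:00 +0000
Received: from [198.51.100.77] (unknown [198.51.100.77])
\tby mail.example-gov.test (Postfix) with ESMTPSA id def456;
\tMon, 1 Jan 2018 09:59:58 +0000
Authentication-Results: mx.example-mailbox.test;
\tspf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example-gov.test;
\tdkim=none (message not signed);
\tdmarc=pass (p=QUARANTINE) header.from=example-gov.test
From: "Chase Online" <someone@example-gov.test>
Subject: A secure message from Chase
Content-Type: text/html

<html><body>Download the attached form</body></html>
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)
MAILFROM_RE = re.compile(r"smtp\.mailfrom=([\w.-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def auth_results(msg):
    """Map each mechanism to its verdict; mechanisms never mentioned are 'missing'."""
    results = {"spf": "missing", "dkim": "missing", "dmarc": "missing"}
    for header in msg.get_all("Authentication-Results", []):
        for mech, verdict in AUTH_RE.findall(header):
            results[mech.lower()] = verdict.lower()
    return results


def received_chain(msg):
    """Bracketed IPs from Received headers, earliest hop first.

    Received headers are prepended by each relay, so the last one in the
    message is the first hop (the client that handed the mail to the sender).
    """
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(header):
            if ip not in hops:
                hops.append(ip)
    return hops


def from_alignment(msg):
    """Compare the visible From domain with the SPF-checked envelope domain.

    Simplified relaxed alignment: equal, or one is a subdomain of the other.
    """
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    mailfrom = ""
    for header in msg.get_all("Authentication-Results", []):
        m = MAILFROM_RE.search(header)
        if m:
            mailfrom = m.group(1).lower()
    aligned = bool(from_domain) and (
        from_domain == mailfrom
        or from_domain.endswith("." + mailfrom)
        or mailfrom.endswith("." + from_domain)
    )
    return from_domain, mailfrom, aligned


def triage(raw):
    """Return verdicts, origin IP and human-readable findings for one message."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    from_domain, mailfrom, aligned = from_alignment(msg)
    hops = received_chain(msg)
    display_name = parseaddr(msg.get("From", ""))[0]
    findings = []
    if auth["dkim"] in ("missing", "none"):
        findings.append("no DKIM signature: message integrity cannot be verified")
    if auth["spf"] == "pass" and auth["dmarc"] == "pass" and aligned:
        findings.append("SPF and DMARC pass and align: mail genuinely left %s's infrastructure" % mailfrom)
    # Crude brand check: first word of the display name absent from the sending domain.
    if display_name and from_domain and display_name.lower().split()[0] not in from_domain:
        findings.append("display name %r does not match sending domain %s" % (display_name, from_domain))
    # Postfix records SMTP-AUTH submissions over TLS as ESMTPSA.
    if any("ESMTPSA" in h for h in msg.get_all("Received", [])):
        findings.append("first hop was an authenticated submission: consistent with compromised account credentials")
    return {"auth": auth, "aligned": aligned, "origin_ip": hops[0] if hops else None,
            "hops": hops, "findings": findings}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_RAW).items():
        print(key, ":", value)
```

The combination the script flags for the sample is exactly the uncomfortable one from this post: every check the receiver can run passes, because the mail really did leave the sender's servers, so the only remaining signals are the missing DKIM signature, the brand name in the display name not matching the sending domain, and the authenticated first hop from an unrelated IP.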
Whether this is a case of a single government employee's credentials having been compromised, or of crafty malware that has taken control of the Peruvian government's servers, remains a mystery. Either way, this is problematic on so many levels.
The Chase phishing campaign, being a poor imitation, was caught by Gmail's spam filters. But that may not always be the case. This is just one of the ways a country's official servers can be exploited.
The hijacked email address in this case appears to belong to an INABIF employee. INABIF is Peru's official family welfare body for vulnerable members of the public, including women, the elderly and children. You can imagine how much more damaging a sophisticated phishing campaign bearing the seal of the Peruvian government could be, given this security breach.
Shortly after the discovery of this phishing campaign, INABIF staff and their "webmaster" were notified via email in both Spanish and English, although I have not heard back from them yet.
Suffice it to say, should you receive a phishing email like this, always pay attention to the From email address (while being aware it can easily be spoofed) and do not click on any links or attachments within the message. It might also be a good idea to familiarise yourself with how to detect and deter phishing.
Previously published at https://central.to/hackers-are-using-government-of-peru-servers-to-send-chase-phishing-emails/