JPMorgan customers have been targeted in an email "phishing" campaign that attempts to collect credentials and simultaneously infect PCs with a virus for stealing passwords from other institutions.
The campaign, dubbed "Smash and Grab," was launched earlier this week with a widely distributed email that urged recipients to click to view a secure message from JPMorgan, according to security researchers with corporate email provider Proofpoint Inc and confirmed by the bank.
"It looks like they sent it out to lots of people in hopes that some of them might be JPMorgan customers, because there are a lot of them," said bank spokeswoman Trish Wexler. "We are seeing this as a very small incident."
She said the bank believes most of the spam was stopped by fraud filters at large ISPs, adding that the email looked realistic because the attackers used a screen grab from an authentic email sent by the bank.
Users who click on the malicious link are asked to enter credentials for accessing their JPMorgan accounts. Even if they do not comply, the site attempts to automatically install the Dyre banking Trojan on their PCs, according to Proofpoint.
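The lure described above has two traits a mail filter can score without knowing the campaign in advance: the visible body is a screenshot of a genuine bank message rather than text, and the only link points to a host that does not belong to the sender the message claims to come from. The following is an added example, not code from Proofpoint, JPMorgan or the original article; the sender allow-list, the sample messages and the 40-character text threshold are constructed for illustration.

```python
"""Score an HTML e-mail for the image-only, off-domain-link lure pattern.

Added example; the allow-list and sample messages below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-list: hostnames each purported sender legitimately links to.
SENDER_DOMAINS = {
    "jpmorgan.com": {"jpmorgan.com", "jpmorganchase.com", "chase.com"},
}

# Constructed threshold: bodies with fewer visible characters than this are
# treated as "image only" when they also contain an <img> tag.
MIN_TEXT_CHARS = 40


class _BodyCollector(HTMLParser):
    """Collect link targets, image count and visible-text length from HTML."""

    def __init__(self):
        super().__init__()
        self.links = []      # href values of every <a> tag
        self.images = 0      # number of <img> tags
        self.text_chars = 0  # length of visible text, whitespace stripped

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "img":
            self.images += 1

    def handle_data(self, data):
        self.text_chars += len(data.strip())


def _registrable(host):
    """Crude registrable-domain extraction (last two labels); adequate for the
    .com hosts in this example, not for multi-label public suffixes."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def score_message(sender_addr, html_body):
    """Return a dict describing whether the message matches the lure pattern.

    The check deliberately uses the *claimed* sender: the point is the mismatch
    between who the message says it is from and where its link actually goes.
    """
    parser = _BodyCollector()
    parser.feed(html_body)

    sender_domain = sender_addr.rsplit("@", 1)[-1].lower()
    allowed = SENDER_DOMAINS.get(sender_domain, {sender_domain})

    off_domain = sorted({
        host for host in (urlparse(h).hostname for h in parser.links)
        if host and _registrable(host) not in allowed
    })
    image_only = parser.images > 0 and parser.text_chars < MIN_TEXT_CHARS

    reasons = []
    if off_domain:
        reasons.append(f"link host(s) outside sender domain: {off_domain}")
    if image_only:
        reasons.append("body is essentially an image with little visible text")

    return {
        "flagged": bool(off_domain) and image_only,
        "off_domain_hosts": off_domain,
        "image_only": image_only,
        "reasons": reasons,
    }


# Constructed sample messages (not real campaign artefacts).
LURE_SAMPLE = (
    '<html><body><a href="http://secure-message-view.example/login">'
    '<img src="cid:screenshot.png" alt=""></a></body></html>'
)
LEGIT_SAMPLE = (
    "<html><body><p>Your statement for July is ready. Sign in at "
    '<a href="https://www.chase.com/">chase.com</a> to view it.</p></body></html>'
)

if __name__ == "__main__":
    for label, body in (("lure", LURE_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, score_message("alerts@jpmorgan.com", body))
```

Either trait alone is common in legitimate mail (marketing mail is often image-heavy; newsletters link to tracking hosts), so the rule only flags when both are present. A real deployment would replace the two-label domain extraction with a public-suffix list and feed the allow-list from the organization's known sender domains.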
Dyre is a recently discovered piece of malware that seeks credentials from customers of Bank of America, Citigroup and the Royal Bank of Scotland, according to email security firm PhishMe.
Proofpoint's VP of threat research, Horn, said it is unusual for spammers to infect PCs with malware in the same campaign that seeks to persuade users to hand over banking credentials, because doing both increases the odds of detection.
"Usually when they do credential phishing, that is all they do. In this case they are throwing in the kitchen sink," Horn said.
Proofpoint identified about 150,000 emails from the group to its customers in the Fortune 500 and higher education.
Horn said that Proofpoint quickly identified the spam and was able to stop it from infecting its customers, but was not sure how effective the campaign was in infecting others.
Horn said that his firm was unsure who was behind the emails, though much of the campaign's infrastructure was in Russia and Ukraine and the group's tactics were consistent with those of Eastern European cybercrime gangs.