New phishing scam exploits JPMorgan Chase victims

A new phishing scam is trying to profit from the fears of 25 million people affected by the data breach revealed last month by global financial services firm JPMorgan Chase.

The scam was highlighted in a 6 January blog post by Sophos senior security advisor Paul Ducklin, who says it shows how “cyber criminals use real security disasters to cause follow-up disasters of their own”.

The fake email targets the 25 million US users of Chase's UCARD debit card. About 465,000 of these people were told by the firm in December that their card data had been stolen, while the rest were left “in a sort of data security limbo”, Ducklin said.

He told SCMagazineUK.com that the new phishing attack exploits that situation. It asks people to provide more information in relation to the data breach and drives them to a credible-looking website.

“People should know about phishing, but this is believable and with the number of people involved they are probably going to hit their target very frequently. Whether by accident or design, this is also perfect timing. This one caught our attention because of the timing and the content.”

Ducklin reminded people of the need to “never log into a website reached by clicking on an email”.

Mike Loginov, chief cyber security strategist for HP ESS, said phishing attacks like the JP Morgan Chase scam are growing increasingly sophisticated in their ability to compromise individuals. He told SCMagazineUK.com: “Cybercriminals are taking phishing attacks to a whole new level by combining pertinent and trusted personal information that makes it even more difficult to spot in a fake email.”

Loginov cited examples of attacks that target high net-worth individuals “initially qualified by the bad guys using compromised credit cards and financial details, and followed with a simple surveillance or research exercise where anecdotal information overheard in a private conversation is utilised as part of the scam”.

The JPMorgan Chase data breach took place last July, but the firm only realised it had happened in September, and then notified people two to three months after that.

Companies use UCARD to pay salaries and US government agencies use it to issue tax refunds and benefits.