Chase Phish Following JPMorgan Breach

The breach was actually discovered in September, but JPMorgan only went public at the beginning of December. JPMorgan warned that personal data of some 450,000 UCard customers – just 2% of its 25 million UCard users – may have been stolen.

Now scammers are using the uncertainty generated by the announcement to prey on concerned users. Paul Ducklin, head of technology, Asia Pacific at Sophos, describes the issue in Naked Security. "That put just under 2% of cardholders in the hot seat, which was bad enough, but left the other 98% in a sort of data security limbo. Was there a problem or not? Would Chase's investigations lead to further action or not? Would they get a warning some time down the track, like many users did in the wake of Adobe's giant breach last year?"

The scammers were clearly hoping that at least some JPMorgan customers would be expecting an email, and in expecting that email would simply click the link to verify their account details. That's what the current campaign does, says Ducklin. The phish mail states: "During one of our regular verification procedures we've encountered a problem caused by the recent database breach. Please, take a time to complete the following information on your profile to end our identity verification process. Otherwise your access to Chase Paymentech services will be stopped."

Lee Weiner, SVP of products and engineering, Rapid7, calls it a 'piggy-back' attack. "Unfortunately many security breaches offer an opportunity for so-called 'piggyback attacks,'" he warns, "where criminals try to cash in by preying on the fears of potential victims of the breach in order to trick them into sharing confidential information or taking some specific action. These phishing emails are an example of this, with attackers aiming to profit from manipulating the 25 million people affected by last month's JPMorgan breach."

It's not a particularly sophisticated phish, says Ducklin. "Nevertheless, the phish passes casual visual muster, because the HTML, stylesheet and imagery are all ripped off from Chase's own servers."

"These types of attacks can look amazingly credible," agrees Weiner, "and it's hard for people to spot them as fakes, particularly when they are already concerned about the breach and looking for information. It's crucial for people to be wary of any communication that asks them to click on a link or provide confidential information. If in doubt, go directly to the site you want using your web browser and then use the site's own navigation to find your page; don't click on the link in the email."

It is advice echoed by Ducklin. "Bear in mind that even - perhaps especially! - a bank that has suffered a security lapse won't email you with a clickable link that takes you to a login page... So whenever you receive an email link that does go to a login page, like this one, you can immediately be certain it is bogus."
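The two observations above (the mail borrows its stylesheet and imagery from the bank's own servers, yet its clickable link leads to a login page elsewhere) can be turned into a simple mail-filter heuristic. The following is an added example, not code from the article or from Sophos or Rapid7; the brand domain and the sample HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phish): look-and-feel resources are loaded from
# the brand's domain while the "verify" link points at an unrelated host.
BRAND_DOMAIN = "chase.example"  # placeholder for the bank's legitimate domain
SAMPLE_EMAIL_HTML = """
<html><head><link rel="stylesheet" href="https://www.chase.example/css/site.css"></head>
<body>
<img src="https://www.chase.example/img/logo.png">
<p>During one of our regular verification procedures we've encountered a problem.</p>
<a href="https://chase-verify-login.example/account">Verify your account</a>
<a href="https://www.chase.example/privacy">Privacy policy</a>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Separate clickable targets (<a href>) from passive resources (img/link/script)."""

    def __init__(self):
        super().__init__()
        self.links = []      # where the reader is asked to go
        self.resources = []  # where the mail's appearance is loaded from

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag in ("img", "script") and a.get("src"):
            self.resources.append(a["src"])
        elif tag == "link" and a.get("href"):
            self.resources.append(a["href"])


def same_brand(url, brand_domain):
    """True only for the brand domain itself or a genuine subdomain of it;
    lookalikes such as brand-verify.example fail the suffix test."""
    host = (urlparse(url).hostname or "").lower()
    return host == brand_domain or host.endswith("." + brand_domain)


def suspicious_links(html, brand_domain):
    """Return off-brand click targets in a mail whose imagery or stylesheets
    are on-brand: the mixed-origin pattern described in the article."""
    p = ResourceCollector()
    p.feed(html)
    borrowed_look = any(same_brand(r, brand_domain) for r in p.resources)
    off_brand = [u for u in p.links if not same_brand(u, brand_domain)]
    return off_brand if borrowed_look else []
```

A mail that passes this check is not thereby safe; the heuristic only catches the specific "borrowed look, foreign link" pattern, which is why the advice to navigate to the bank directly still applies.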
