Last week, researchers at Proofpoint reported an attack campaign, dubbed “Smash & Grab,” targeting customers of JP Morgan Chase. Based on intelligence from the PhishLabs R.A.I.D. (Research, Analysis, and Intelligence Division), the “Smash & Grab” operations have been active since at least mid-June using the same phishing and malware combination tactics described in the initial report. Our analysis also indicates a possible connection to cybercriminal actors currently or previously involved in GameOver Zeus operations.
In general, the “Smash & Grab” attacks use email messages to direct potential victims to a phishing page. Visitors to the phishing page are also exposed to an exploit kit that abuses software vulnerabilities to infect victims with malware.
In the cases examined by the R.A.I.D., the initial infection is the Upatre Trojan, which is used primarily as a downloader for secondary payloads that have included Kegotip (a password stealer) and the Dyre Trojan. Dyre is a relatively new banking Trojan. Our research also indicates that the “Smash & Grab” operations included a major campaign against many different targets including JP Morgan Chase on July 31.
The use of the Upatre Trojan suggests that members of the cybercrime crew behind “Smash & Grab” may be connected to GameOver Zeus operations. The Upatre Trojan first made a name for itself last year, when the GameOver Zeus crew began using it as the downloader in their attack campaigns.
Why should you care about the “Smash & Grab” attacks?
“Smash & Grab” is just one example of the many malicious phishing emails that consistently target consumers, banks, and other industries. Nearly every day, PhishLabs detects malware campaigns that spoof bank email messages to trick users into infecting their own devices, increasing the likelihood that they become victims of cybercrime. Often, the malware is attached to the email message. Sometimes, the email links to an exploit kit that abuses software vulnerabilities to silently infect the victim with malware. In many cases, the malware itself doesn’t even target the bank. The bank’s name is just used as part of the lure.
It is worth mentioning that it’s not just banks that are targeted or abused in these campaigns. In the past week, PhishLabs has detected over 1400 email templates being used by 20 different spamming botnets. Those templates spoof emails from a wide range of organizations including payroll service providers, government agencies, credit reporting companies, printing and fax services, logistics providers, and many others.
What should you do about these attacks?
Organizations can protect themselves and their customers from these and similar email-borne malware threats in a few ways. One way is implementing Domain-based Message Authentication, Reporting & Conformance (DMARC). This helps to prevent spoofed emails from reaching customer inboxes where the email receiver has also implemented DMARC. If the email receiver doesn’t use DMARC, or if the spoofed “From” address uses a domain not controlled by the organization, malicious email will still get through.
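The sketch below is an added example, not PhishLabs code: a simplified DMARC evaluation that shows a spoofed message being rejected and the two gaps named above letting mail through. All domains and the DNS record are constructed, the organizational-domain logic is a naive stand-in for the Public Suffix List, and the `sp=` and `pct=` tags are ignored.

```python
# Added example: simplified DMARC evaluation (after RFC 7489), no DNS lookups.
# Every domain and record below is constructed for illustration.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def org_domain(domain):
    # Assumption: naive "last two labels"; real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """auth_domain is the SPF- or DKIM-authenticated domain, or None on failure."""
    if auth_domain is None:
        return False
    if mode == "s":  # strict: exact match required
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed

def evaluate(from_domain, spf_domain, dkim_domain, dns_txt, receiver_enforces=True):
    """Return the receiver's disposition: 'deliver', 'quarantine' or 'reject'."""
    if not receiver_enforces:
        return "deliver"  # gap 1: the receiver does not implement DMARC
    record = (dns_txt.get("_dmarc." + from_domain.lower())
              or dns_txt.get("_dmarc." + org_domain(from_domain)))
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "deliver"  # gap 2: no policy exists for the From domain
    if (aligned(from_domain, spf_domain, policy.get("aspf", "r"))
            or aligned(from_domain, dkim_domain, policy.get("adkim", "r"))):
        return "deliver"  # authenticated and aligned with the From domain
    requested = policy.get("p", "none")
    return requested if requested in ("quarantine", "reject") else "deliver"

# Constructed DNS view: only the real brand publishes a DMARC policy.
DNS_TXT = {"_dmarc.bank.example": "v=DMARC1; p=reject; rua=mailto:dmarc@bank.example"}

if __name__ == "__main__":
    # Spoofed From, SPF passed only for the sender's own unrelated domain.
    print(evaluate("bank.example", "bulk.example", None, DNS_TXT))
    print(evaluate("bank.example", "bulk.example", None, DNS_TXT, False))
    # Lookalike From domain the organization does not control.
    print(evaluate("bank-secure.example", "bank-secure.example", None, DNS_TXT))
    # Legitimate mail signed by a subdomain (relaxed alignment).
    print(evaluate("bank.example", None, "mail.bank.example", DNS_TXT))
```

Only the first case is blocked, which is why DMARC needs to be paired with monitoring for lookalike domains and the takedown actions described below.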
Organizations need to fight back against malicious campaigns like these to send a clear message that these attacks will not be tolerated. The best approach for this is to take aggressive action to take down the cybercriminals’ infrastructure and disrupt their operations. This should include taking action against:
- The spamming botnet sending the emails
- The exploit kit sites that enable the malware infections
- The malware C2s that collect data stolen from the victims
Actively fighting back when customers are targeted is the best way to prevent future attacks. For more information on fighting back, read the How to Fight Back Against Phishing whitepaper.