Bank of America scam is stealing account passwords -- what to do

1. Habitation
2. News
3. Security

Banking company of America scam is stealing account passwords -- what to do

(Prototype credit: Tero Vesalainen / Shutterstock.com)

Security researchers have found a new credential-phishing assault that masquerades equally an email bulletin from Bank of America.

The message, unearthed by cloud-security business firm Armorblox, tricks users into providing the email addresses and passwords for their online depository financial institution accounts.

• Downloading the best antivirus can help you to avert phishing scams
• VPN: add a layer of extra protection thanks to a virtual individual network
• Merely In: Apace evolving keylogger malware has some security experts worried

Users were told that inactive e-mail addresses would be recycled unless they updated and confirmed their banking details via an online portal.

"This email claimed to come up from Banking concern of America and asked readers to update their electronic mail accost," wrote Chetan Anand, co-founder and architect of Armorblox in a blog mail.

"Clicking the link took the targets to the credential phishing page resembling the Banking company of America home page, designed to make targets part with their account credentials."

 Bypassing security checks

Anand explained that the malicious message bypasses email security controls and doesn't follow the tactics of more than traditional phishing attacks.

First, the cyber crooks refrained from sending a mass email, instead using a "spear phishing" tactic. The message was sent to a select number of people, which helped it slip past email filters.

Although the bulletin came from an individual Yahoo business relationship with the name "Bank of America", it was sent via SendGrid and wasn't picked up by authentication checks similar SPF, DKIM, and DMARC.

Recipients were also duped by a nix-day link and convincing lookalike website, according to Anand: "The attacker created a new domain for the link in this e-mail set on, and so it got by whatsoever filters that were created to block known bad links.

"The final credential phishing folio was painstakingly made to resemble the Bank of America login page. The superficial legitimacy of this page would pass nearly center tests from busy readers that want to get on with their other work duties after 'updating their email address' as before long as possible."

Yet, when you accept a closer await at the email message, information technology'due south clearly not been sent by Bank of America.

After providing their account information to the phishing page, users were also asked to answer three security-challenge questions.

This makes the phishing page expect more legitimate considering the Depository financial institution of America also asks for security questions upon login by default -- only information technology likewise means that the attackers volition then have the answers to your security questions.

Like all skilful examples of social technology, the email message used psychological tactics to convince people to provide legitimate credentials.

Anand said: "The e-mail linguistic communication and topic was intended to induce urgency in the reader owing to its fiscal nature. Asking readers to update the e-mail account for their bank lest it become recycled is a powerful motivator for anyone to click on the URL and follow through."

If yous get such an e-mail, don't respond to it directly. Instead, call Bank of America and inquire them if they sent information technology.

• Read more than: Secure your data prophylactic with the best Usa VPN

"Provides adversaries with vital personal information"

Speaking to Tom's Guide, Anand told us: ""With the enforcement of Single Sign On and 2FA, across organizations, adversaries are now crafting email attacks that are able to bypass these measures. This credential phishing attack is a good example.

"Firstly, it phishes for Banking concern of America credentials, which are likely not to exist included under company SSO policies. Secondly, information technology also phishes for answers to security challenge questions, which is frequently used every bit a second/additional form of authentication.

"Asking security challenge questions non merely increases the legitimacy of the set on, but too provides the adversaries with vital personal information about their targets."

• Read more: Protect your company with the best business VPN

Nicholas Fearn is a freelance applied science announcer and copywriter from the Welsh valleys. His piece of work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Adjacent Web, T3, Android Fundamental, Estimator Weekly, and many others. He also happens to be a diehard Mariah Carey fan!

Source: https://www.tomsguide.com/news/bank-of-america-phishing-email

Posted by: clancyforcer.blogspot.com

Share this post