On Thursday, 2th of October JPMorgan Chase gave further details of the data breach it first reported to have occurred in mid-August. The latest estimates as they reported in their SEC filing , are that information from 76 million households and 7 million small businesses has been compromised. Given that there are only 117 million households in the US, this breach means the majority of the US population has been affected in some way.
The information that was compromised was stated to be User contact information i.e. : name, address, phone number and email address – and internal JPMorgan Chase information relating to such users. However account numbers, passwords, user IDs, dates of birth or Social Security numbers, were not comprised according to the filing.
While its definitely re-assuring that direct financial information was not lost, the information that was leaked is still damaging. As we’ve covered in the Snapchat breach at the start of 2014, the leak of phone information can be used to help target and optimise any mobile phishing attacks.
Coincidentally, the day before JPMorgan Chase gave details on the breach (the 1st of October), we recorded a SMS Bank phishing attack targeting several thousand mobile subscribers in Florida. The SMS message that was sent was of the following type:
JPMorgan Chase Bank, N.A. notification:You have a new message regarding your Chase account. Please tap the link bellow to read it: [url=http://tinyurl.com/]http://tinyurl.com/[/url][REDACTED]
When the user clicked on the tinyurl link, this would redirect to a web address that looked similar to the mobilebanking url used by Chase, where they would be presented with the below fake Chase login screen: The attack then relies on unsuspecting users entering their bank details. While the login is fake, a common feature of these type of attacks is that the other links in the screen (FAQs, Contact Us etc) are to real Banking websites.
Once the attack was detected, it was blocked within our carrier customers - although some subscribers of other carriers may have received the SMS phishing text. As always, if you have received a suspicious text message, do not enter your bank details, and inform your carrier that you received the spam message. Since the attack we communicated with tinyurl and requested them to disable the link which they have done, and also have informed Chase about the fraud.
The crucial question is whether these two incidents (the breach reported on the 2nd & the JPMorgan Chase SMS phishing spam on the 1st) are related. Our estimation is that it is doubtful the two are connected. SMS Bank phishing attacks are unfortunately quite common and persistent, many bank brands are targeted over time, so targeting of JPMorgan may just have been a coincidence. In addition this attack was relatively quite small, and so far we do not see any indication that this attack was executed in a way different from normal from these attackers.
That is not to say that we haven’t or won’t see attacks in the future that use this information. As others have stated, the acquisition of information related relating to the majority of households in the US will be of immense value to phishers. It’s likely that if the attackers do decide to sell on their information for use in phishing attacks, the sudden appearance of millions of contact details is likely to lead to a drop in the price of this information in the criminal underground due to oversupply (something that potentially been observed in other breaches), leading to targeted phishing attacks becoming cheaper to execute, and so more people being at risk of fraud. So while the original breach may not have directly lead to an increase in fraud, the information leaked has already increase the risk of being targeted indirectly. This one may affect us for quite some time.