JPMorgan Bracing For 'Spear Phishing' Campaign: Sources

JPMorgan Chase (NYSE: JPM) officials are bracing for a massive spear phishing campaign launched by cyber thieves who broke into the bank’s servers in the biggest cyber-attack on a U.S. bank to date. Cyber criminals thought to be emanating from Russia or former Soviet satellite states hacked into numerous JPMorgan computer servers and accessed contact information like names and email addresses for 76 million customers and seven million small businesses.

JPMorgan is saying no bank account information was compromised, but it now fears the hackers will come back for this information in another wave of attacks directly on bank customers. Cyber criminals broke into JPMorgan’s servers in June; the breach was then shut down in August.

While JPMorgan says in a statement it has not yet “seen unusual fraud activity related to this incident," bank insiders are preparing for a spear phishing campaign, whereby JPMorgan customers in coming days could get targeted by an official-looking email complete with the bank’s corporate logo, or they could get a phone call from a fake JPMorgan account executive. The email or caller could, say, tailor the e-mail to the customer with personalized information they downloaded in the first hack to grab their attention.

The fake bank account executive or emailer will then indicate there is an urgent problem with the customer’s account, and then ask for birthdates, Social Security numbers or passwords. The virtual trap could also be set by the official-looking email asking customers to click on a link embedded in the email to, say, update their account information.

But the link takes the unsuspecting victim to a fake but legitimate-looking website, where the customer is then tricked into listing passwords, bank account numbers, Social Security numbers, user IDs, access codes, and PINs. “We would never ask for that personal information on the phone or in emails, it’s information that verifies who you are,” says a bank insider. “The problem is, other banks often ask for this information on the phone or in emails, so customers could be fooled.”

An FBI official warns:  “Once criminals have your personal data, they can access your bank account, use your credit cards, and create a whole new identity using your information.”

The FBI also warns that spear phishing can “trick you into downloading malicious codes or malware after you click on a link embedded in the e-mail.” The criminal can then read everything on your computer or in your account. The malware also “is an especially useful tool in cyber hacking crimes like economic espionage where sensitive internal communications can be accessed and trade secrets stolen,” the FBI says. “Malware can also hijack your computer, and hijacked computers can be organized into enormous networks called botnets that can be used for denial of service attacks.” Government, or state-sponsored, cyber-attacks on other foreign governments, overseas retailers, banks, or other companies typically arise as massive “denial of service” attacks to shut down websites, or theft of trade secrets, not small-bore identity theft, meaning profiteering via fraud.

Bank insiders are talking about individuals either connected to the Russian government, or working in criminal gangs within Russia or countries in the former Soviet Union. These insiders say they don’t believe the Russian government sponsored the attacks in retaliation for U.S. sanctions on Russian companies due to Russia’s incursion into the Ukraine.  However, officials say foreign governments including Russia and the former Soviet satellite states are not doing enough to shut down cyber thieves, and instead are consciously turning a blind eye to this criminal activity.

A JPMorgan official says: “Customers of all banks should be more worried about identity theft, that “someone in Eastern Europe or Russia or elsewhere steals your identity to get a credit card to say, buy a car or any other item.”

This person notes that “JPMorgan along with all other banks has teams of workers specifically monitoring both customer credit and debit card accounts to detect and stop fake charges as well as cyber hacking activity.”

This official also warned: “The way the hackers do it is, they start with small charges on your Visa or MasterCard, $1, $10, $50, to see if their hack works, then they ramp it up and go bigger with a larger hit and run charge.”