NEW YORK (MainStreet) — It has been revealed that this summer's "smash and grab" cyber attack against JPMorgan Chase affected 76 million households, according to a Thursday securities filing. The country's largest bank, which manages $2.4 trillion in assets, had previously claimed the August 19 breach compromised only 1 million accounts. The larger-than-anticipated scale of this hack may give consumers concern over the security of their money, especially since the FBI is reportedly investigating whether the incident was Russian retaliation for U.S.-backed sanctions imposed over the crisis in Ukraine.
In part, the consumer anxiety derives from the onslaught of breaches over the last year: the Target hack before last Christmas, which exposed 40 million credit and debit card numbers, and last month's Home Depot hack, said to have compromised 56 million accounts. But unlike the penetration of security infrastructure at big-box retailers, the JPMorgan breach reveals vulnerabilities in a financial system that was previously assumed to be well guarded. What's more, a bank hack could have graver consequences than a store hack, since far more personal information is available to be culled.
Investigators are also considering the possibility that the JPMorgan attack is connected to a series of data breaches at European banks, Bloomberg reported. These infiltrations are said to have exploited "a similar vulnerability," and required enough technical expertise to raise the possibility of government involvement. The timing has also raised suspicions: since Vladimir Putin's government became heavily involved in Ukraine's civil conflict, there has been a reported increase in cyber attacks on U.S. banks launched from Russia and Eastern Europe.
While most phishing operators try to disguise their efforts and extend the shelf life of their campaigns, the campaign aimed at JPMorgan customers was brazen: it dispensed with stealth and launched a multi-pronged attack that was unconcerned with the threat of detection.
Researchers at Proofpoint, a data security firm, discovered the large-scale attack, which apparently originated in Moscow. Proofpoint saw 150,000 emails in its system alone on the first day of the attack. Other email systems have not reported numbers affected.
The attack began with a typical ploy: an email urging the recipient to click to view a secure message. The graphics were clean and believable, with the JPMorgan logo and none of the common typos and clunky language found in many phishing efforts.
Clicking to read the message, users were redirected to a "JPMorgan Chase & Co." login page.
If users did not suspect foul play and entered their login information, an "error" message directed them to download a "Java update." In reality, the download was banking Trojan malware.
But here is where the attack got even more insidious. Once users landed on the login page to access the "secure message" – even if they became suspicious and decided not to enter their credentials – exploit code on the page was already pushing the banking Trojan to their computer.
"What's notable is that this is one of the first times we've seen an attacker include exploit code on a credential phishing page," Proofpoint says on its blog. "Usually we see attackers use a Traffic Distribution System (TDS) to direct traffic to either a phishing site or [an] exploit site, but not both. We refer to this as a multivariant attack."
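The "multivariant" page described above combines two things an analyst usually sees separately: a credential-harvesting form and exploit-style delivery (a hidden iframe pulling a second stage, plus a fake "Java update" download). The following is an added example, not code from the article or from Proofpoint, showing how a triage script can flag both on a landing page and classify it. It assumes a hypothetical list of legitimate brand domains (`LEGIT_DOMAINS`), and the HTML it scans is a constructed sample mimicking the page the article describes, not a capture of the real campaign.

```python
"""Heuristic triage of a suspected credential-phishing landing page.

Flags a login form that posts credentials off the brand's own domain, a link to an
executable "update", and a hidden iframe loading a non-brand resource. A page that
carries both a credential form and exploit-style delivery is reported as multivariant.
This inspects page structure only; it does not detect the Trojan payload itself.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: domains the impersonated brand legitimately uses.
LEGIT_DOMAINS = {"chase.com", "jpmorganchase.com", "jpmorgan.com"}
EXEC_SUFFIXES = (".exe", ".jar", ".scr", ".msi", ".zip")


def _host(url, base_host):
    """Host of an absolute URL, or the page's own host for relative URLs."""
    return urlparse(url).netloc.lower() or base_host


def _is_brand_host(host):
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


class _PageScanner(HTMLParser):
    def __init__(self, base_host):
        super().__init__()
        self.base_host = base_host
        self.findings = []          # list of (indicator, value)
        self._in_form = False
        self._form_action = ""
        self._password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._in_form, self._form_action, self._password_field = True, a.get("action", ""), False
        elif tag == "input" and self._in_form and a.get("type", "").lower() == "password":
            self._password_field = True
        elif tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            src = a.get("src", "")
            if hidden and not _is_brand_host(_host(src, self.base_host)):
                self.findings.append(("hidden_iframe", src))
        elif tag == "a" and a.get("href", "").lower().endswith(EXEC_SUFFIXES):
            self.findings.append(("executable_download", a["href"]))

    def handle_endtag(self, tag):
        if tag == "form" and self._in_form:
            self._in_form = False
            # Credentials leaving for a host the brand does not own is the phishing signal.
            if self._password_field and not _is_brand_host(_host(self._form_action, self.base_host)):
                self.findings.append(("credential_form", self._form_action))


def triage(html, page_url):
    """Return (verdict, findings) for a fetched page and the URL it was served from."""
    scanner = _PageScanner(urlparse(page_url).netloc.lower())
    scanner.feed(html)
    kinds = {k for k, _ in scanner.findings}
    creds = "credential_form" in kinds
    exploit = bool(kinds & {"hidden_iframe", "executable_download"})
    verdict = ("multivariant" if creds and exploit else "credential_phish" if creds
               else "exploit_only" if exploit else "clean")
    return verdict, scanner.findings


# Constructed sample: Chase-branded form posting to the attacker's host, a fake
# "Java update" link, and a zero-size hidden iframe fetching a second stage.
SAMPLE_URL = "http://secure-message-center.example.net/secure-message/"
SAMPLE_PAGE = """
<html><body>
<img src="/static/chase-logo.png" alt="JPMorgan Chase &amp; Co.">
<form method="post" action="/login.php">
  <input name="user" type="text"><input name="pass" type="password">
  <input type="submit" value="Log in">
</form>
<div id="err">Error: please install the latest <a href="/dl/JavaUpdate.exe">Java update</a></div>
<iframe src="http://secure-message-center.example.net/kit/gate.php"
        width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    print(triage(SAMPLE_PAGE, SAMPLE_URL))
```

The relative `action="/login.php"` resolves against the page's own (attacker) host, which is the common case on lookalike sites; a real Chase page whose form posts to a `chase.com` subdomain yields `clean`. The heuristics are deliberately narrow so a benign page with a third-party script does not trip them; they are a triage aid for an analyst, not a substitute for detonating the download.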
The researchers say that the malware used in these attacks was not detected by any of the leading antivirus providers at the time of the attack.
"It looks like they sent it out to lots of people in hopes that some of them might be JPMorgan Chase customers, because there are a lot of them," JPM spokeswoman Trish Wexler told CNBC shortly after the attack was revealed in August. "We are seeing this as a very small incident." In retrospect, that seems a dangerous underestimation.
"Loading a website with multiple attacks increases the probability of detection, so this attack appears to be the digital equivalent of a 'smash and grab' type attack," Proofpoint says. "The attackers don't appear worried about stealth, instead they targeted a large number of users with a multi-pronged attack knowing that it would likely be quickly detected and shut down. This could indicate a shift in attacker behavior from stealthy attacks designed to run for a long time to brute force attacks that hit victims quickly by throwing the kitchen sink of attacks at them."
The security firm has detected other active phishing campaigns that appear to have been launched by the same attackers, each attempting to install the credential-stealing banking Trojan. One was embedded in a PDF invoice purportedly from ADP, the payroll services company; another posed as a "submission notification" from Companies House, the U.K.'s registrar of companies.
--Written by Hal M. Bundrick for MainStreet