POP! goes the phisher

Fraudsters are impersonating online banking websites in order to gain unauthorised access to customers' emails. Most online banking phishing sites simply try to steal whatever credentials are required to gain access to a victim's bank account, but by also gaining access to the victim's email account, the fraudster can prevent the victim from receiving any email alerts regarding account activity.

With access to the victim's emails, the fraudster could also potentially net a much larger haul. These emails will indicate to the fraudster which other banks, shops, social networks and other online services the victim uses. The fraudster can then attempt to compromise the victim's accounts on these services by initiating password resets, which will be sent to the email address he now has access to. In some cases, the fraudster will also be able to change the password of the victim's own email account, thus locking him out and making him unaware that further compromises are taking place.

The following phishing site targeted customers of Chase Bank earlier this month. Like many other phishing sites, it did a good job of looking like the real Chase Bank, although the address bar revealed that it was actually served from a hacked gift store.

Clicking on the Log In to Accounts button takes the victim to the following page, where he is told that a POP email service is required in order to continue. This is purportedly part of a verification measure, and the victim is prompted to enter his email address and email password so the site can log in to the victim's email account automatically.

POP (Post Office Protocol) is one of the most widely supported mail retrieval protocols, which lets an email client download email from a mail server. Many webmail providers (including Gmail, Outlook.com and Yahoo Mail) also allow mail to be retrieved via this protocol.

As soon as the victim clicks the Login button, he is taken to the real Chase Bank homepage which, unsurprisingly, looks rather similar to the original phishing site, albeit with the correct URL in the address bar.

At this point, the victim may simply assume he has to log in again after completing the previous verification step. If he does, he will be taken to his online banking account as expected. Meanwhile, the fraudster could well be helping himself to the victim's emails, starting the process of compromising each of the victim's other accounts one by one.

Chase Bank customers who have enrolled to receive Account Alerts can be notified of account activity via email. By deleting these emails, the fraudster might be able to prevent the victim from becoming aware of any fraudulent transactions until it is too late.

The phishing site used in this particular attack was one of the 8.5 million sites blocked by Netcraft's phishing site feed and has since been taken offline.