JP Morgan Infiltrated by Obtaining Just One Employee’s Password

New reports on the JP Morgan Chase case indicate that hackers initially gained access to just a single employee’s password through which they gained access to a vulnerable server. From there, the attackers wormed their way around to the top. It’s worth noting that this server lacked the same security that was standard for the rest of the infrastructure. It’s unclear how the attackers obtained the password.

The main concern now, according to JP Morgan is that the criminals will use spearphishing technique to obtain the rest of the information (such as SSN, passwords, dates of birth). Spearphishing is a targeted phishing campaign that appears to be an authentic email (with your name mentioned, for example) you would expect from Chase, but is anything but that.

Sr. Web Security Researcher at LIFARS, Jaro Nemcok, gives a few general tips for making sure you stay safe even if you are targeted by such a phishing operation:

  • Never send sensitive information via email. Period. Your bank will never ask you for that sort of information via email.
  • Never fill out any forms built into an email.
  • Don’t get pressured into providing sensitive information. Phishing emails often include a warning that your account will be terminated/suspended/deleted to scare you.
  • At least for the time being, it’s a good idea to not click on any links within Chase emails.
  • Since this is a spearphishing threat, the emails will likely look very authentic.
  • If you receive a call from Chase, do not give any information over the phone, ask for the employee name and department, hang up, and call back Chase at the number printed on your credit card and ask the operator to switch you to the department of the employee who called you

All Chase customers should also visit the Chase Security Center, it contains plenty of valuable advice as well.