Brand impersonation: Chase Bank
Impersonation of Chase Bank and related services to harvest credentials or related information such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license numbers, selfies, and ID card photos.
Sublime rule (View on GitHub)
1name: "Brand impersonation: Chase Bank"
2description: |
3 Impersonation of Chase Bank and related services to harvest credentials or related information
4 such as dates of birth, phone numbers, social security numbers, ATM pin numbers, drivers license
5 numbers, selfies, and ID card photos.
6references:
7 - "https://cyware.com/news/new-phishing-scam-impersonating-chase-bank-asks-for-sensitive-data-including-selfies-53065228"
8type: "rule"
9severity: "high"
10source: |
11 type.inbound
12 and (
13 strings.ilike(sender.display_name,
14 '*chase sapphire*',
15 '*chase card services*',
16 '*united mileageplus*',
17 "echase*"
18 )
19 or strings.ilevenshtein(sender.display_name, 'chase sapphire') <= 2
20 or strings.ilevenshtein(sender.display_name, 'chase card services') <= 2
21 or strings.ilevenshtein(sender.display_name, 'united mileageplus') <= 2
22 or strings.ilevenshtein(sender.display_name, 'echase') <= 1
23 )
24 and sender.display_name not in~ ("chaser", "case")
25 and sender.email.domain.root_domain not in~ ('chase.com', 'united.com', 'transunion.com', 'shopping-chase.com')
26 and (
27 (
28 sender.email.domain.root_domain in $free_email_providers
29 and sender.email.email not in $sender_emails
30 )
31 or (
32 sender.email.domain.root_domain not in $free_email_providers
33 and sender.email.domain.domain not in $sender_domains
34 )
35 )
36attack_types:
37 - "Credential Phishing"
38tactics_and_techniques:
39 - "Impersonation: Brand"
40 - "Lookalike domain"
41 - "Social engineering"
42detection_methods:
43 - "Header analysis"
44 - "Sender analysis"
45id: "c680f1e7-01b9-5b95-897b-65957f4a57aa"