Phishing Attack Impersonates Wells Fargo Using Newly-Registered Domain to Steal Sensitive Information
In this phishing attack, the threat actor impersonates Wells Fargo to deceive recipients into believing their account has been temporarily blocked due to attempted unauthorized access. The email, which appears to come from "contact@textilenotice[.]com" (a domain likely created specifically for this attack), informs recipients they can restore their online access by visiting a provided link to Wells Fargo’s website. This link, however, directs the recipient to a phishing website designed to steal sensitive information. By creating a sense of urgency around account security, the attacker aims to manipulate the recipient into quickly complying with the instructions without realizing the email's fraudulent nature. This tactic preys on the recipient’s fear of unauthorized access and the need to secure their account promptly.
Older, legacy email security tools struggle to accurately identify this email as an attack because it does not include malicious attachments, is sent from a newly created domain that can bypass legacy detection filters, and employs sophisticated social engineering techniques. Modern, AI-powered email security solutions detect anomalies in the content, recognize when sender addresses are unknown, and analyze the suspicious creation of the sender’s domain to correctly mark this email as an attack.
Phishing email impersonating Wells Fargo using social engineering tactics to trick recipients into clicking a malicious link
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- No Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Newly Created Domain: The use of the recently created domain "textilenotice[.]com" specifically for this attack helps bypass legacy filters that may not flag new or unknown domains as suspicious.
- Social Engineering Tactic: The email claims there has been unauthorized access, resulting in a temporary account block, creating a sense of urgency that prompts immediate action from the recipient without careful scrutiny.
How Did Abnormal Detect This Attack?
This email attack bypasses traditional security solutions for multiple This attack was detected using AI and ML by analyzing various factors, including the following:
- Content Analysis: Abnormal’s advanced content analysis algorithms flag the urgent message about unauthorized access and the prompt to restore account access as a common phishing tactic.
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Domain Creation: The identification of the newly created domain "textilenotice[.]com" triggers Abnormal’s systems to scrutinize and flag the email for potential malicious activities, as this tactic is commonly used in phishing attacks.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.