Bank of America Credential Phishing Explained

By Chetan Anand, Co-founder and Architect, Armorblox

Recently, there was a credential phishing attempt that impersonated Bank of America with an email that asked readers to update their email addresses lest they get recycled. Clicking the link led readers to the credential phishing page that resembled the Bank of America home page.

The Attack

A few days ago, we saw a credential phishing attempt land in a customer inbox. The email claimed to come from Bank of America and asked readers to update their email address. Clicking the link took targets to a credential phishing page resembling the Bank of America home page, designed to make them part with their account credentials. The attack flow also included a page that asked for the targets' ‘security challenge questions’, both to increase legitimacy and to harvest further identifying information.

A snapshot of the email is given below:

[Screenshot: Email where attackers impersonate Bank of America and direct readers to update their email account details]


Why The Attack Got Through

This email got past existing email security controls because it didn’t follow the patterns that more traditional phishing attacks exhibit.

  1. Not a mass email

This was not a bulk email; only a few people in the target organisation received it, so it wasn’t caught by the bulk-email filters provided by native Microsoft email security or by the Secure Email Gateway (SEG).

  2. Got past authentication checks

Although the sender name – Bank of America – was impersonated, the email was sent from a personal Yahoo account via SendGrid. This resulted in the email successfully passing all authentication checks such as SPF, DKIM, and DMARC. Those checks only verify that the message genuinely came from the domain in the sending address (here the Yahoo/SendGrid side); they say nothing about the display name, so a ‘pass’ result is consistent with, not evidence against, brand impersonation.

[Screenshot: The email was sent from a personal Yahoo account via SendGrid]

  3. Zero-day link and lookalike website

The attacker registered a new domain for the link in this email attack, so it got past any filters built to block known bad links. The final credential phishing page was painstakingly made to resemble the Bank of America login page. A screenshot is presented below:

bank-america-website
Credential phishing site made to resemble the Bank of America home page

The superficial legitimacy of this page would pass most eye tests from busy readers who want to get on with their other work duties after ‘updating their email address’ as quickly as possible.

Upon closer inspection, it’s evident that the domain is neither owned nor hosted by Bank of America. The domain – nulledco[.]store – was created on June 1. The screenshot below shows the certificate’s common name for the web page, which is nulledco[.]store and not a Bank of America domain. A valid TLS certificate only proves that whoever operates the site controls that domain name; it says nothing about who that operator is, so the padlock icon is not a sign of legitimacy.

[Screenshot: The certificate’s common name makes it evident that this is a new domain created for the attack]

  4. Security challenge questions increase legitimacy

After readers filled in their account credentials, they were led to a page asking them three ‘security challenge’ questions. This tactic greatly increases the legitimacy of the attack in the eyes of readers, because Bank of America also asks for security questions upon login by default. If a reader follows through the entire attack chain, adversaries gain not only the account credentials but also the answers to the security questions, which, unlike a password, are rarely changed and are often reused across other services, so their exposure outlives a password reset.

[Screenshot: After filling in the account credentials, readers are led to a page asking them to enter their security challenge questions]

  5. Socially engineered

Unlike spray-and-pray email fraud attempts, this email was expressly crafted and sent to trigger the desired response. The sender name impersonated Bank of America, making the email likely to pass eye tests when people glanced at it amid hundreds of other emails in their overflowing mailboxes. The email’s language and topic were intended to induce urgency in the reader owing to their financial nature. Asking readers to update the email account for their bank lest it get recycled is a powerful motivator for anyone to click the URL and follow through.
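
The ‘closer inspection’ described above (does the certificate actually name the host, is the registered domain one the brand uses, and how old is the domain) as an added example that is not Armorblox’s or the article’s own code. It assumes a certificate dict in the shape returned by ssl.SSLSocket.getpeercert(), a brand allow-list of bankofamerica.com and bofa.com, a 30-day threshold for ‘newly registered’, and constructed dates (the article gives only ‘June 1’, so the year is assumed); the certificate contents are modelled on the article’s description, not captured from the site. In practice the dict comes from getpeercert() after a TLS handshake and the creation date from a WHOIS/RDAP lookup.

```python
"""Inspect a phishing link the way the 'closer inspection' above does.

Added example, not Armorblox code. It checks three things about a URL:
whether the certificate presented actually names that host, whether the
registered domain is one the brand is known to use, and how old the domain
is. The certificate dict mirrors the shape of ssl.SSLSocket.getpeercert();
the certificate contents, the brand allow-list, the age threshold and the
dates are all constructed for the example (the article gives only 'June 1',
so the year is assumed).
"""
from datetime import date, timedelta
from urllib.parse import urlparse

# Assumed: domains the brand legitimately serves its login page from.
BRAND_DOMAINS = {"bankofamerica.com", "bofa.com"}

# Assumed threshold: anything registered more recently is a 'zero-day' domain.
MAX_DOMAIN_AGE_DAYS = 30


def registered_domain(hostname: str) -> str:
    """Last two labels of the host. Naive: right for .store and .com,
    wrong for multi-label suffixes like .co.uk (use a public-suffix list there)."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cert_names(peercert: dict) -> set:
    """Collect the subject CN and the DNS SANs from a getpeercert()-style dict."""
    names = set()
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower())
    return names


def hostname_matches(hostname: str, name: str) -> bool:
    """Exact match, or a single leading wildcard label (*.example.com)."""
    hostname, name = hostname.lower(), name.lower()
    if name.startswith("*."):
        return hostname.split(".", 1)[1:] == [name[2:]]
    return hostname == name


def assess_link(url: str, peercert: dict, domain_created: date, today: date) -> dict:
    """Return the individual findings plus a verdict.

    Note what cert_matches_host does NOT mean: a certificate that matches the
    attacker's own domain is perfectly valid and still says nothing about who
    runs the site. Only the brand-domain and domain-age checks carry weight.
    """
    host = urlparse(url).hostname or ""
    names = cert_names(peercert)
    reg = registered_domain(host)
    age = (today - domain_created).days
    findings = {
        "hostname": host,
        "cert_names": sorted(names),
        "cert_matches_host": any(hostname_matches(host, n) for n in names),
        "registered_domain": reg,
        "brand_domain": reg in BRAND_DOMAINS,
        "domain_age_days": age,
        "newly_registered": age < MAX_DOMAIN_AGE_DAYS,
    }
    findings["verdict"] = (
        "ok"
        if findings["brand_domain"] and findings["cert_matches_host"] and not findings["newly_registered"]
        else "suspicious"
    )
    return findings


# Constructed sample mirroring the article's phishing site: the certificate is
# valid for nulledco.store itself, which is exactly why 'valid TLS' proves nothing.
PHISH_URL = "https://nulledco.store/"
PHISH_CERT = {
    "subject": ((("commonName", "nulledco.store"),),),
    "subjectAltName": (("DNS", "nulledco.store"), ("DNS", "www.nulledco.store")),
}
PHISH_CREATED = date(2020, 6, 1)  # June 1 per the article; the year is assumed

# Constructed contrast: a long-lived brand domain with a matching certificate
# (the certificate and age are illustrative, not the bank's real ones).
LEGIT_URL = "https://www.bankofamerica.com/"
LEGIT_CERT = {
    "subject": ((("commonName", "www.bankofamerica.com"),),),
    "subjectAltName": (("DNS", "www.bankofamerica.com"), ("DNS", "bankofamerica.com")),
}
LEGIT_CREATED = PHISH_CREATED - timedelta(days=20 * 365)  # assumed long-lived domain


def run_examples() -> dict:
    """Assess both samples as of ten days after the phishing domain was created."""
    today = PHISH_CREATED + timedelta(days=10)
    return {
        "phish": assess_link(PHISH_URL, PHISH_CERT, PHISH_CREATED, today),
        "legit": assess_link(LEGIT_URL, LEGIT_CERT, LEGIT_CREATED, today),
    }


if __name__ == "__main__":
    for label, findings in run_examples().items():
        print(label, findings)
```

The phishing sample comes out as cert_matches_host=True, brand_domain=False, newly_registered=True: the certificate is fine for the attacker’s own domain, and it is the domain, not the certificate, that gives the site away.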

How Armorblox Detected The Attack

Armorblox was able to detect the email attack based on the following insights:

  1. Language, intent, and tone

Armorblox language models have been trained on large volumes of email data and further customised to suit each customer environment. These models analysed the email body and detected several financial topics in the text. Armorblox also detected that the email made an unusual request (a common trait of business email compromise attacks).

  2. Brand impersonation

Armorblox brand impersonation detectors flagged that the sender name was ‘Bank of America’ while the domain of the sender address was Yahoo.

  3. Low communication history

Armorblox detected that the sender address in question had a low communication history with the victim’s mailbox. While not suspicious in itself, this insight is critical when combined with other unusual signals and can catch highly targeted attacks.

  4. Low domain frequency

Armorblox ML models have three tiers – a global model, an organisation-specific model, and a mailbox-specific model. While the mailbox-specific model detected the low communication history between sender and receiver, the organisation-specific model also detected that the attacker’s domain had not previously communicated with the target company as a whole.

Based on the insights above, along with many other detection signals, Armorblox flagged the email as a credential phishing threat. The email was automatically quarantined based on predetermined remediation actions for the credential phishing detection category.
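
The signals above, together with the authentication point from the previous section, as an added example that is not Armorblox’s or the article’s own code: a brand name in the display name while the real sender domain is elsewhere (even though SPF, DKIM and DMARC all pass), little or no history between sender and recipient, a sending domain the organisation has never seen, and financial or urgent language in the body. The two messages, the history tables, the keyword lists, the MIN_HISTORY threshold and the scoring rule are all constructed for illustration; user1234@yahoo.com and partner.example are placeholders, not addresses from the attack.

```python
"""Re-create in miniature the signals the detection section describes.

Added example, not Armorblox code. The messages, the history tables, the
keyword lists and the thresholds are all constructed for illustration; the
address user1234@yahoo.com is a placeholder, not the attacker's.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed message in the shape the article describes: brand in the display
# name, a personal Yahoo address as the real sender, relayed through SendGrid,
# and all three authentication methods reporting 'pass' for those domains.
PHISH_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=sendgrid.net; dkim=pass header.d=yahoo.com; dmarc=pass header.from=yahoo.com
From: Bank of America <user1234@yahoo.com>
To: employee@example.net
Subject: Action required: update your email address

Your email address on file will be recycled unless you update it today.
Sign in to your account to confirm your details.
"""

# Constructed contrast: a regular correspondent with a long history.
BENIGN_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=partner.example; dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example
From: Pat Partner <pat@partner.example>
To: employee@example.net
Subject: Agenda for Thursday

Attaching the agenda for Thursday's review. Let me know what I missed.
"""

BRAND_NAMES = {"bank of america"}                   # assumed brand watch-list
BRAND_DOMAINS = {"bankofamerica.com", "bofa.com"}   # assumed legitimate domains
FINANCIAL_TERMS = {"account", "sign in", "bank", "credentials", "payment"}
URGENCY_TERMS = {"action required", "today", "immediately", "recycled", "suspended"}
MIN_HISTORY = 3  # assumed: fewer prior messages than this counts as 'low'

# Constructed history, keyed like a mailbox-level and an organisation-level model:
# (sender address, recipient) -> prior messages; sender domain -> prior messages
# to anyone in the organisation. Unknown senders simply have no entry.
SENDER_HISTORY = {("pat@partner.example", "employee@example.net"): 42}
DOMAIN_HISTORY = {"partner.example": 310}


def parse_auth_results(msg) -> dict:
    """Map method -> result from Authentication-Results, e.g. {'spf': 'pass', ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header):
            results[method] = result.lower()
    return results


def analyse(raw: str, sender_history: dict, domain_history: dict) -> dict:
    """Score one RFC 822 message against the constructed signal set."""
    msg = message_from_string(raw)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    sender_domain = address.rsplit("@", 1)[-1]
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    auth = parse_auth_results(msg)

    signals = {
        # Brand impersonation: brand in the display name, address domain not the
        # brand's. Authentication results do not enter into this: they vouch for
        # yahoo.com / sendgrid.net, never for the display name.
        "brand_impersonation": any(b in display_name.lower() for b in BRAND_NAMES)
        and sender_domain not in BRAND_DOMAINS,
        "low_sender_history": sender_history.get((address, recipient), 0) < MIN_HISTORY,
        "low_domain_frequency": domain_history.get(sender_domain, 0) < MIN_HISTORY,
        "financial_topic": any(t in text for t in FINANCIAL_TERMS),
        "urgency": any(t in text for t in URGENCY_TERMS),
    }
    score = sum(signals.values())
    # Assumed rule: impersonation plus at least two corroborating signals.
    verdict = "credential_phishing" if signals["brand_impersonation"] and score >= 3 else "clean"
    return {
        "display_name": display_name,
        "sender_domain": sender_domain,
        "auth_all_pass": all(auth.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
        "signals": signals,
        "score": score,
        "verdict": verdict,
    }


def run_examples() -> dict:
    return {
        "phish": analyse(PHISH_EMAIL, SENDER_HISTORY, DOMAIN_HISTORY),
        "benign": analyse(BENIGN_EMAIL, SENDER_HISTORY, DOMAIN_HISTORY),
    }


if __name__ == "__main__":
    for label, result in run_examples().items():
        print(label, result["verdict"], result["auth_all_pass"], result["signals"])
```

For the phishing sample every one of the five signals fires while auth_all_pass is also true, which is the point: authentication answers ‘did yahoo.com send this?’, and a well-formed credential phish can answer yes to that and still be caught on who it claims to be and how unfamiliar it is.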