Attack spotlight

Credential phishing Charles Schwab account holders with 2FA bypass

January 29, 2025

Credential phishing attempt impersonating Charles Schwab to steal login credentials and two-factor code.

Author: Aiden Mitchell, Detection

Sublime’s Attack Spotlight series is designed to keep you informed of the email threat landscape by showing you real, in-the-wild attack samples, describing adversary tactics and techniques, and explaining how they’re detected.

EMAIL PROVIDER: Google Workspace

ATTACK TYPE: Credential Phishing, Brand Impersonation

The attack

As phishing attempts evolve, so do their bells and whistles. Modern attacks typically include redirection through a CAPTCHA and convincing login pages. In a recent Charles Schwab credential phishing attempt that Sublime prevented, we saw the attacker relay the victim's real 2FA code as part of the authentication process. Here's how the attack works:

  • The target receives a fake Charles Schwab notification email. The email states that they are a victim of fraud.
  • When they click Review Now to learn more about the fraud, they are sent through a fake Cloudflare browser challenge and then to a fake Schwab login.
  • The target enters their account login information, starting the credential harvesting process.
  • After entering their account login information, they are then prompted for their phone number for 2FA.
  • After the target supplies the phone number, the attacker uses the number in the real Schwab login to trigger a legitimate authentication SMS to the target.
  • Once the target receives the code via SMS or phone call, they enter the code into the fake login. The attacker will collect this authentication code and complete the login on their end.

[Screenshot: Email impersonating a notification from Charles Schwab]
[Screenshot: Fake Cloudflare browser challenge with manual Proceed button]
[Screenshot: Realistic Schwab login page]
[Screenshot: Phone number prompt for 2FA]
[Screenshot: 2FA validation pop-up]

Detection signals

Sublime's AI-powered detection engine prevented this attack. The top signals in these attacks are:

  • Suspicious sender: The sender domain's TLD ends in ".jp", which is commonly abused to conduct attacks.
  • Credential theft: Language in the message appears to engage the user in order to steal credentials.
  • Unusual sender domain: The sender's domain doesn't match any link domains found in the body of the message.
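Two of the three signals above (a sender TLD on a watch list, and a sender domain that matches none of the link domains in the body) can be computed from the raw message alone. The following is an added example of how a defender might implement those checks, written for this page and not Sublime's own detection code or rule syntax. The message, the domain names and the watch list are constructed for illustration; the registered-domain comparison uses a naive "last two labels" rule rather than a public-suffix list.

```python
import re
import email
import email.utils
from email import policy
from urllib.parse import urlparse

# Constructed sample, NOT the real phishing email from the spotlight.
# Sender is on a .jp domain, the "Review Now" link points somewhere else entirely.
PHISH_EML = """\
From: "Charles Schwab Alerts" <alerts@example-notice.jp>
To: victim@example.com
Subject: Fraud alert on your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected fraud on your account. Please verify your identity.</p>
<a href="https://login.example-verify.net/review">Review Now</a>
</body></html>
"""

# Constructed benign sample: sender and link share a registered domain, no lure language.
BENIGN_EML = """\
From: "Example Bank" <alerts@example-bank.com>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your monthly statement is ready.</p>
<a href="https://www.example-bank.com/statements">View statement</a>
</body></html>
"""

# Placeholder watch list; the spotlight names .jp as a TLD commonly abused in these campaigns.
WATCHED_TLDS = {"jp"}

# Placeholder lure phrases; a real rule would use a richer language model or phrase set.
LURE_RE = re.compile(r"\b(fraud|verify your identity|review now)\b", re.IGNORECASE)


def sender_domain(msg):
    """Return the lower-cased domain of the From: address."""
    _, addr = email.utils.parseaddr(msg["From"] or "")
    return addr.rsplit("@", 1)[-1].lower()


def link_domains(html):
    """Collect the hostnames of every href= link in the HTML body."""
    hosts = set()
    for url in re.findall(r'href=["\']([^"\']+)["\']', html):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def registered_domain(host):
    """Naive registered-domain approximation: the last two labels (assumption, not PSL-aware)."""
    return ".".join(host.split(".")[-2:])


def evaluate(raw):
    """Parse a raw RFC 5322 message and return (sender_domain, sorted link domains, signals)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sdom = sender_domain(msg)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    links = link_domains(body)

    signals = []
    # Signal 1: sender TLD on the watch list.
    if sdom.rsplit(".", 1)[-1] in WATCHED_TLDS:
        signals.append("suspicious_sender_tld")
    # Signal 2: no link in the body shares a registered domain with the sender.
    if links and not any(registered_domain(h) == registered_domain(sdom) for h in links):
        signals.append("sender_link_domain_mismatch")
    # Signal 3: lure language associated with credential theft.
    if LURE_RE.search(body):
        signals.append("credential_theft_language")
    return sdom, sorted(links), signals


if __name__ == "__main__":
    for label, raw in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(label, evaluate(raw))
```

Each signal is weak on its own (plenty of legitimate mail links to a different domain than it is sent from), which is why the engine scores them together rather than blocking on any one; a triage script like this is most useful for surfacing candidates to a richer classifier or a brand-impersonation rule set.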

Additionally, the Sublime Core Feed contains a wide and growing range of brand impersonation Detection Rules, including Charles Schwab.

Prevent credential phishing with Sublime

Sublime detects and prevents credential phishing, brand impersonation, and other email-based threats. Start your free account today, managed or self-managed, for out-of-the-box coverage of these types of attacks, with the ability to customize their handling for your environment.

About the authors

Aiden Mitchell, Detection

Aiden is a Threat Detection Engineer at Sublime. Drawing from early IT experiences, they bring a human-centered approach to mitigating devastating email attacks. They protect individuals and enterprises with the understanding that every threat puts a real person at risk.
