03 April 2006

Phishing Chase Customers

This world is full of criminals and the Internet only makes it easier for these scammers. In recent weeks, I've received many emails supposedly from Chase Bank about some accounts my volunteer organization has with the bank. I am the webmaster and tech support person for the org, so I'm in charge of handling email addressed to the group mailbox. I know the group has no accounts with Chase, but the scammers simply throw a wide net and it's possible for them to stumble upon a real Chase customer.

One example of these phishing emails is shown at right. As is typical with these scams, the tone is strong - ACT NOW OR WE WILL CLOSE YOUR ACCOUNT. Or something like that. Up to now, I have never seen a phishing email before, although I have heard enough about them. I did click on the link, Confirm Now, and boy, the web site that it took me to sure looks like Chase's own. Back in my mail program, Apple Mail, I selected View/Message/Raw Source and saw the code below. No wonder it looks like a Chase web site, because they actually linked to the real Chase logo etc. from the real web site.

I had to replace all open angle brackets ( < ) with open angle brackets and a space, likewise with close angle brackets. The replacements are necessary to prevent Blogger from interpreting the HTML codes in the scam email.

Tell-tale signs include the Received field, which helpfully shows in parentheses that it may be forged. Next, check out the real URL behind the Confirm Now link. It doesn't really go to chaseonline.chase.com but to some other web site, with chaseoneline.chase.com some levels down. I don't know whether these scammers hijack some host servers, but usually when I go to just the IP address portion, I would encounter some top level techie stuff about the web server, e.g. info on Apache or Linux.

If this blog entry helps just one unsuspecting Chase customer avoid the phishing, then the time putting this together has been worthwhile. In preparing this entry, I've also created screenshots and such that will be useful in alerting abuse@chase.com.

Return-Path: <>
Received: from insite.npsc.edu.on.ca (ip7.npsc.edu.on.ca [] (may be forged))
by vs50.server4me.com (8.11.6/8.11.6) with ESMTP id k2D11Vm73254
for <>; Sun, 12 Mar 2006 17:01:31 -0800 (PST)
(envelope-from survey@chase.com)
Received: from User ([]) by insite.npsc.edu.on.ca with Microsoft SMTPSVC(5.0.2195.6713);
Sun, 12 Mar 2006 20:09:39 -0500
From: "Chase Bank"<>
Subject: ChaseOnlineSM® Security Measures
Date: Sun, 12 Mar 2006 19:06:06 -0600
MIME-Version: 1.0
Content-Type: text/html;
Content-Transfer-Encoding: 7bit
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Message-ID: <>
X-OriginalArrivalTime: 13 Mar 2006 01:09:39.0640 (UTC) FILETIME=[CD7FF380:01C6463A]

< face="Verdana" size="2">< src="http://www.chase.com/ccpmweb/shared/image/chaseNewlogo.gif" width="175" height="26" alt="JPMorgan Chase & Co" border="2" alt="JPMorgan Chase & Co" border="0"><><> Dear JPMorgan Chase & Co Customer,<>< /div >&nbsp;
<> Due to recent fraudulent activities on some of JPMorgan Chase & Co online <>&nbsp; accounts we are launching a new security system to make JPMorgan Chase & Co<>&nbsp; online accounts more secure and safe. Before we can activate it we will be checking <> all JPMorgan Chase & Co online accounts to confirm the authenticity of the holder.
< color="#003399">< /FONT >&nbsp;
<><> As the Primary Contact, you must confirm the service(s) listed below or it will be<> deactivated and deleted.
< /DIV >
<>< color="#003399">< /FONT > < /DIV >
<><> SERVICE: <>ChaseOnlineSM®< /b > with <>Online Bill Pay< /b ><> EXPIRATION:
<>Mar - 15 - 2006< /b >
<><> < onclick="return ShowLinkWarning()" target="_blank" onfiltered="return ShowLinkWarning()" href="">< color="#003399">Confirm Now< /FONT >< /a > < /b >your
<>ChaseOnlineSM®< /b > and <>Online Bill Pay< /b > services.<><> -complete the required information to authenticate and reset your account<><> -make sure your account balance has not been changed<><> -make sure your details have not been changed<><> -review recent transactions in your account history for any unauthorized transfer< /DIV >
<> < /DIV >
<> Thank you for using Bill Pay Service. We appreciate your
business and the opportunity to serve you.
<> If you find any type of suspicious activities please contact us immediately.<> Please include in your message your account number, your account name<> and the unauthorized transfer date & time.
<>&nbsp;< /DIV >
<> Please do not reply to this message. For any inquiries, contact Customer Service.< /DIV >
<> < /DIV >< /DIV >
<> Document Reference: (87051203).<><> Copyright 1996
- 2006 JPMorgan Chase & Co, JPMorgan Chase & Co Copyright © 2006<> < /DIV >< /DIV >< /FONT >
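
The tell-tale signs described above (a Received header marked "may be forged", and a Confirm Now link whose real host is not chase.com even though a Chase hostname appears further down the path) can be checked automatically. The Python code below is an added example, not part of the original post; the sample message, its hosts, addresses and paths, and the names `analyze`, `Links` and `is_ip` are constructed for illustration.

```python
import email, ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit
BRAND = "chase.com"  # domain the message claims to come from
# Constructed sample: hosts, addresses and paths are placeholders, not the real email's.
SAMPLE = """\
Received: from mail.example.edu (ip7.example.edu [192.0.2.7] (may be forged))
    by mx.example.net with ESMTP; Sun, 12 Mar 2006 17:01:31 -0800 (PST)
From: "Chase Bank" <survey@chase.com>
Content-Type: text/html

<html><body><img src="http://www.chase.com/logo.gif">
<a href="http://192.0.2.10/images/chaseonline.chase.com/index.htm">Confirm Now</a>
<a href="https://chaseonline.chase.com/">Home</a></body></html>
"""

class Links(HTMLParser):  # collects the href of every <a> tag
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True

def analyze(raw, brand=BRAND):
    msg = email.message_from_string(raw)
    # Sign 1: a relay noted that the sending host's name may be forged.
    findings = [("received-may-be-forged", " ".join(h.split()))
                for h in msg.get_all("Received", []) if "may be forged" in h]
    parser = Links()
    parser.feed(msg.get_payload())
    for href in parser.hrefs:
        url = urlsplit(href)
        host = (url.hostname or "").lower()
        on_brand = host == brand or host.endswith("." + brand)
        if is_ip(host):  # Sign 2: link points at a bare IP address
            findings.append(("link-host-is-ip", href))
        if not on_brand and brand in url.path.lower():  # Sign 3: brand only in the path
            findings.append(("brand-name-in-path-only", href))
    return findings

if __name__ == "__main__":
    print(*analyze(SAMPLE), sep="\n")
```

The image loaded from the genuine www.chase.com host raises no finding, which is why a look-alike page alone proves nothing; only the link targets and the relay headers give the message away.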
