Saturday, January 28, 2006

Chase Customers Being Phished?

This e-mail was discovered floating around yesterday. When I reported it to Chase, a person in their security department admitted to me that they already knew about it.

As you can read below, the mail directs you to a site that asks for your login information and password. This is something no bank will do.

This appears to be a phishing attack directed towards Chase customers to steal their personal and financial information. Phishing is becoming one of the main ways personal and financial information is stolen, which makes people victims of identity theft.

Here is a copy of the e-mail. Note that I have disabled the link, and I wouldn't recommend trying to look at it. There is no telling what malicious software (malware), also known as scumware, someone could get if they weren't properly protected.

Subject: CHASE MANHATTAN BANK
From: "Chase Team"

Date: Fri, 27 Jan 2006 10:13:10 -0600 (CST)

Dear Chase Member,

Your account has been randomly flagged in our system as a part of our routine security measures. This is a must to ensure that only you have access and use of your Chase account and to ensure a safe Chase experience. We require all flagged accounts to v erify their information on file with us. To verify your Information at this time, please visit our secure server webform by clicking the hyperlink below:

xxxx//www.chase.com/cgi-bin/webscr?cmd= login

(https disabled for safety reasons)

Thank you for using Chase Manhattan Bank!

The Chase Manhattan Bank Team
--------------------------------------------------------------------------------
Please do not reply to this e-mail. Mail sent to this address cannot be answered. For assistance, log in to your Chase account and choose the "Help" link in the footer of any page.

To receive email notifications in plain text instead of HTML, update your preferences here.

Chase Email ID PP478

This e-mail also made it past the spam filter of the person who received it.

I've sent this in to a couple of the security labs for analysis. Since Chase confirmed to me they knew about it, and no one will ever solicit anyone for their login information and password via an e-mail, I decided to send this out.

My question is: if Chase knows about it, what are they doing to warn their customers?

Here is an excellent resource from the Anti Phishing Working Group (APWG) on how to avoid being phished: How to Avoid Phishing Scams.
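The rule stated in this post (no bank asks for login details through an e-mailed link) can be written as a content check that a mail filter could apply to the message quoted above. The following Python is an added example, not part of the original post or of any Chase or APWG tool; the function name `phishing_signals`, the signal patterns and the benign comparison message are assumptions made for illustration.

```python
import re
from email import message_from_string

# Constructed sample: the message quoted in this post, abridged, link left defanged.
SAMPLE = """\
Subject: CHASE MANHATTAN BANK
From: "Chase Team"
Date: Fri, 27 Jan 2006 10:13:10 -0600 (CST)

Dear Chase Member,

Your account has been randomly flagged in our system as a part of our routine
security measures. We require all flagged accounts to v erify their information
on file with us. To verify your Information at this time, please visit our
secure server webform by clicking the hyperlink below:

xxxx//www.chase.com/cgi-bin/webscr?cmd= login
"""

# Constructed benign notice for comparison: no link, no request for account details.
BENIGN = """\
Subject: Your statement is ready
From: "Example Bank" <notices@bank.example>

Dear Jane Smith,

Your January statement is ready. Sign in the way you normally do to view it.
"""

LINK = re.compile(r"\b(?:https?:|hxxps?:|xxxx)//\S+", re.I)  # live or defanged URLs
SIGNALS = {  # assumed patterns, chosen from the wording of the quoted message
    "asks_to_verify": re.compile(r"\b(verify|confirm|update)\b.{0,60}\b(information|account|password|login)\b", re.I | re.S),
    "account_flagged": re.compile(r"\baccount\b.{0,40}\b(flagged|suspended|limited|locked)\b", re.I | re.S),
    "generic_greeting": re.compile(r"^Dear\s+\w+\s+(Member|Customer|User)\b", re.I | re.M),
}

def phishing_signals(raw: str) -> dict:
    """Report which lure signals fire in a plain-text message and whether to hold it."""
    body = message_from_string(raw).get_payload()
    fired = [name for name, rx in SIGNALS.items() if rx.search(body)]
    has_link = bool(LINK.search(body))
    # Hold rule from the post: a mail that asks the reader to verify account or
    # login details AND supplies the link to do it through is treated as phishing.
    return {"link": has_link, "fired": fired, "hold": has_link and "asks_to_verify" in fired}

if __name__ == "__main__":
    print(phishing_signals(SAMPLE), phishing_signals(BENIGN), sep="\n")
```

The other two signals do not decide the verdict on their own; they are reported so an analyst can see how much of the lure template a held message matches.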

1 comment:

Anonymous said...

Any response on this one?
--
hoovertom@yahoo.com