March 14, 2006

A Chinese bank's server is hosting spoofed sites that phishers are using to dupe customers of American banks and e-tailers, a U.K.-based Internet monitoring company said Sunday.

According to Netcraft, this is the first time one bank's network has been used by criminals to steal information from another bank's customers.

The identity theft attack started Saturday when e-mails were sent to Chase Bank customers that directed them to a site hosted on IP addresses assigned to a Shanghai branch of the China Construction Bank Corp. (CCBC). The spoofed Chase and eBay sites were tucked away in hidden directories, and the CCBC's server's main page displayed a configuration error, said Netcraft.

The Chase attack takes a new phishing tack: rather than directly con gullible users into giving up account passwords or PINs by pretending to be a message from customer support, the e-mail poses as a survey of Chase's online banking sites.

Anyone who fills out the survey will supposedly receive $20 for their trouble. Naturally, the survey is bogus. Among the fields to fill out are several demanding Chase card number, PIN, Social Security number, and other private information.

"Scammers are looking for new ways to fleece the unwary, and this time [they] have come up with a new twist: asking people to help in a survey for a cash reward," said Graham Cluley, senior technology consultant for Sophos, a British security company, in a statement.

Astute users will likely notice that the URL in the phished message is a raw IP address, not a domain. That, said Netcraft, is a strong sign of a phish.

The same CCBC Shanghai server was also used Saturday to host a page that spoofed the eBay log-in screen. China Construction Bank Corp., one of the country's "Big Four" state-owned banks, has more than 14,200 branches across China.