A web server belonging to a state-operated Chinese bank is hosting phishing sites targeting U.S. banks and financial institutions. Phishing e-mails sent on Saturday (March 11) targeting customers of Chase Bank and eBay were directed to sites hosted on IP addresses assigned to The China Construction Bank (CCB) Shanghai Branch. The phishing pages are located in hidden directories, while the server's main page displays a configuration error. This is the first instance we have seen of one bank's infrastructure being used to attack another institution.
The attack on Chase offers recipients the chance to earn $20 by filling out a user survey, which presents a series of questions about the usability of the Chase online banking site, followed by a request for user ID and password so the $20 "reward" can be deposited to the proper account. The form also requests the victim's bankcard number, PIN, card verification number, mother's maiden name and Social Security number. Any data submitted is then sent to a free form-processing service (free.allforms.mailjol.net) operated by an Indian company but hosted in the U.S. at NetAccess.
The URL in the phishing email uses an IP address rather than a domain, typically a strong indicator of a phishing site. As a result, the Netcraft Toolbar assigns the site a high risk rating. The spoof site, a template of which has been in use since September, pulls images and style sheets from the chaseonline.chase.com web site. Many bank sites are configured to prevent logos and other images on their server from being displayed on other web sites - a practice known as "hot-linking" or "bandwidth leeching" - to prevent phishing sites from using the institution's own images and bandwidth to scam customers. Any third-party sites appropriating logos can be detected through web site referrer statistics.
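The two defensive signals described above, an IP-literal URL in a mail body and foreign Referer headers on requests for the bank's own logos and style sheets, can both be checked mechanically. The script below is an added example and is not Netcraft's toolbar code nor anything operated by Chase or CCB. It assumes Apache combined log format, uses the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24 (RFC 5737) in place of any real host, and the e-mail text and log lines it scans are constructed for the example; `chaseonline.chase.com` is the only host name taken from the article.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Hosts the bank legitimately serves its own pages from (constructed list;
# chaseonline.chase.com is the host named in the article).
OWN_HOSTS = {"chaseonline.chase.com", "www.chase.com"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_ip_literal_url(url):
    """True when the URL's host is a bare IPv4/IPv6 address instead of a domain name."""
    host = urlparse(url).hostname  # strips port and IPv6 brackets
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_ip_literal_urls(text):
    """Return every URL in a message body whose host is an IP literal."""
    return [u for u in URL_RE.findall(text) if is_ip_literal_url(u)]


def referer_host(referer):
    """Host part of a Referer header value; None when the header was absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    return urlparse(referer).hostname


def hotlinking_referrers(log_lines, own_hosts=OWN_HOSTS, asset_prefixes=("/images/", "/css/")):
    """Count requests for image/style assets whose Referer points at a site the bank does not own."""
    counts = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        parts = m.group("req").split()
        if len(parts) < 2:
            continue
        path = parts[1]
        if not path.startswith(asset_prefixes):
            continue
        host = referer_host(m.group("referer"))
        if host is None or host in own_hosts:
            continue
        counts[host] = counts.get(host, 0) + 1
    return counts


def allow_asset_request(referer, own_hosts=OWN_HOSTS, allow_empty=True):
    """Referer check of the kind used to refuse hot-linking: serve the asset only to the bank's own pages.

    An empty Referer is allowed by default because many browsers and proxies strip it;
    blocking it would break legitimate direct requests, so it stays a monitoring signal.
    """
    host = referer_host(referer)
    if host is None:
        return allow_empty
    return host in own_hosts


# Constructed sample input: a phishing-style mail body and four access-log lines.
SAMPLE_EMAIL = (
    "Dear valued customer, complete our 2-minute survey and earn $20:\n"
    "http://203.0.113.45/survey/index.htm\n"
    "Questions? Visit https://chaseonline.chase.com/help\n"
)

SAMPLE_LOG = [
    '198.51.100.7 - - [11/Mar/2006:10:02:13 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://203.0.113.45/survey/index.htm" "Mozilla/4.0"',
    '198.51.100.8 - - [11/Mar/2006:10:02:14 +0000] "GET /css/main.css HTTP/1.1" 200 2210 "http://203.0.113.45/survey/index.htm" "Mozilla/4.0"',
    '198.51.100.9 - - [11/Mar/2006:10:03:01 +0000] "GET /images/logo.gif HTTP/1.1" 200 5120 "https://chaseonline.chase.com/login" "Mozilla/4.0"',
    '198.51.100.9 - - [11/Mar/2006:10:03:02 +0000] "GET /login HTTP/1.1" 200 8800 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    print("IP-literal URLs in mail:", find_ip_literal_urls(SAMPLE_EMAIL))
    print("Foreign referrers hot-linking assets:", hotlinking_referrers(SAMPLE_LOG))
    for ref in ("http://203.0.113.45/survey/index.htm", "https://chaseonline.chase.com/login", "-"):
        print(f"serve asset for referer {ref!r}:", allow_asset_request(ref))
```

Run against the constructed input, the scan flags the single IP-literal link, the log pass attributes two asset requests to the foreign host 203.0.113.45, and the Referer check would refuse that host while still serving the bank's own login page. The URL heuristic deliberately keeps to the plain dotted-quad and bracketed IPv6 forms; obfuscated encodings such as a single decimal number in place of the host are not recognised by `ipaddress.ip_address` and would need separate normalisation before this check.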
The same IP address at CCB Shanghai was used Saturday to host a page spoofing the eBay login screen. The China Construction Bank is a state-owned commercial bank with more than 14,000 branches across China. Last October CCB became the first of China's "Big Four" state-owned banks to be listed on the Hong Kong Stock Exchange.
Both attacks have been blocked by the Netcraft Toolbar, a free phishing protection tool for Internet Explorer and Firefox users. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL.