The URL in the phishing email uses an IP address rather than a domain, typically a strong indicator of a phishing site. As a result, the Netcraft Toolbar assigns the site a high risk rating. The spoof site, a template of which has been in use since September, pulls images and style sheets from the chaseonline.chase.com web site. Many bank sites are configured to prevent logos and other images on their server from being displayed on other web sites – a practice known as “hot-linking” or “bandwidth leeching” – to prevent phishing sites from using the institution’s own images and bandwidth to scam customers. Any third-party sites appropriating logos can be detected through web site referrer statistics.

The same IP address at CCB Shanghai was used Saturday to host a page spoofing the eBay login screen. The China Construction Bank is a state-owned commercial bank with more than 14,000 branches across China. Last October CCB became the first of China’s “Big Four” state-owned banks to be listed on the Hong Kong Stock Exchange.

Both attacks have been blocked by the Netcraft Toolbar, a free phishing protection tool for Internet Explorer and Firefox users. Once the first recipients of a phishing mail have reported the target URL, it is blocked for toolbar users who subsequently access the URL.