[ISN] Chinese Bank's Server Used in Phishing Attacks on US Banks
isn at c4i.org
Mon Mar 13 02:28:45 EST 2006
By Rich Miller
March 12, 2006
A web server belonging to a state-operated Chinese bank is hosting
phishing sites targeting U.S. banks and financial institutions.
Phishing e-mails sent on Saturday (March 11) targeting customers of
Chase Bank and eBay were directed to sites hosted on ip addresses
assigned to The China Construction Bank (CCB) Shanghai Branch. The
phishing pages are located in hidden directories with the server's
main page displaying a configuration error. This is the first instance
we have seen of one bank's infrastructure being used to attack another
The attack on Chase offers recipients the chance to earn $20 by
filling out a user survey which presents a series of questions about
the usability of the Chase online banking site, followed by a request
for user ID and password, so the $20 "reward" can be deposited to the
proper account. The form also requests the victim's bankcard number,
PIN number, card verification number, mother's maiden name and Social
Security number. Any data submitted is then sent to a free form
processing service on a server in India.
The URL in the phishing email uses an IP address rather than a domain,
typically a strong indicator of a phishing site. As a result, the
Netcraft Toolbar assigns the site a high risk rating. The spoof site,
a template of which has been in use since September, pulls images and
style sheets from the chaseonline.chase.com web site. Many bank sites
are configured to prevent logos and other images on their server from
being displayed on other web sites - a practice known as "hot-linking"
or "bandwidth leeching" - to prevent phishing sites from using the
institution's own images and bandwidth to scam customers. Any
third-party sites appropriating logos can be detected through web site
The same IP address at CCB Shanghai was used Saturday to host a page
spoofing the eBay login screen. The China Construction Bank is a
state-owned commercial bank with more than 14,000 branches across
China. Last October CCB became the first of China's "Big Four"
state-owned banks to be listed on the Hong Kong Stock Exchange.
Both attacks have been blocked by the Netcraft Toolbar, a free
phishing protection tool for Internet Explorer and Firefox users. Once
the first recipients of a phishing mail have reported the target URL,
it is blocked for toolbar users who subsequently access the URL.
More information about the ISN