A phishing scam where unwary users are lured into filling out a bogus survey has been traced to a hacked web server of a state-owned Chinese bank.
According to Netcraft, this is the first time that phishing gangs have used the infrastructure of one bank to attack the customers of another. Phishing emails were sent last Saturday targeting customers of Chase Manhattan Bank and eBay. These customers were directed to sites hosted on IP addresses assigned to the China Construction Bank (CCB) Shanghai Branch.
"The phishing pages are located in hidden directories with the server's main page displaying a configuration error. This is the first instance we have seen of one bank's infrastructure being used to attack another institution," said Rich Miller at Netcraft.
The attack on Chase customers offers recipients the chance to earn $20 by filling out a user survey which presents a series of questions about the usability of the Chase online banking site, followed by a request for user ID and password, so the $20 "reward" can be deposited to the proper account. The form also requests the victim's bankcard number, PIN number, card verification number, mother's maiden name and Social Security number. Any data submitted is then sent to a free form processing service on a server in India.
Experts said this type of attack could potentially herd us towards an era dominated by mutual suspicion.
"The bottom line is that people need to reassess their risk strategies and seriously take on board that the game has entered a new phase," said Phil Gould, U.K. country manager of web security company Deny All. "As the famous Chinese curse goes: may you live in interesting times."