Skip to main content

Phishing: more clever, more evil, every day

This phishing scam, targeted at customers of Chase bank, is simple and direct. Fear it. Well, at least be aware of the general tendency of phishing scams to exploit basic human trust relationships with increasing sophistication. They get better and better every day, and they are building up quite a library of clever tricks.
  • It looks like it came from your bank.
  • The text is simple, direct, clear, and free from glaring grammatical errors.
  • It appears to be a simple request. The apparent source of the email is obscured.
  • It appears to be from: Chase Online Services Team
  • It exploits the HTML processing ability of most modern email clients to obscure the actual target of the "click here" link (which I've removed, but which was obviously something other than
Here's the simplest, most direct, most likely to succeed phishing scam email I've seen to date:
Dear Chase Member: We have processed your request to change your e-mail address, based upon the information you supplied. Beginning immediately, we will send all future e-mail messages, excluding Alerts, to you at Any e-mail addresses that receive Alerts about your accounts will need to be updated separately. If you did not request this e-mail address change or have any questions, please cancel this action and reactivate your account by clicking here. Please do not respond to this confirmation e-mail. Sincerely, Online Services Team
Phishing scammers don't use their own systems to harvest data for identy theft and credit card fraud. They use systems that belong to other people, which they have taken over without the knowledge of the owner. Often they take over large numbers of systems with worms or botnets. Intrinsic Security is working with Internet Service Providers to help stop botnets. Help us spread the word by linking to our site from your blog. Link to Intrinsic Security - join the antibotnet campaign.


Anonymous said…
Thanks for this post. I just got that email and tried to respond, so it got me a minute too late, before looking up that persons fake email and finding this blog.
thanks again though!

Popular posts from this blog

Verified by Visa (Veriphied Phishing?)

If you have used a Visa card to make a purchase online lately you may have encountered a relatively new program, Verified by Visa . I've encountered it twice. The system is an interesting attempt by Visa to reduce online fraud and identity theft. It's a noble effort, but the user experience is unsettling, and the security implications are not exactly crystal clear. Here's what happened to me, both times the system was activated. I was redirected away from the domain at which I was shopping, to a URL which was: not the domain where I was shopping, not the domain of the bank that issued my card not I've been telling people for years that if anything like that happens to you, close your web browser immediately and do not under any circumstances enter any personal information into the form, because this is a sure sign of a man in the middle or phishing scam. (Never mind that all the best phishing scams now-a-days look like the actual domai…

Hacker 0x80 0wn3d by FBI (Arrested after Accidental Outing by Washington Post) [1]

What can the botmaster 0x80's impending misfortune [1] teach us about information security? Quite a bit. What the botmaster and the reporter didn't count on is a security risk known as "the aggregation problem" or "point and click aggregation". It's not surprising, as even practicing security professionals are often unaware of this problem, or vaguely aware of the concept but not the name. Information Security dictionaries online generally lack the terms, and don't mention them in their discussion of "disclosure" either. The aggregation problem happens when a series of small facts, any one of which if disclosed present a minimal security risk, combine to present a greater security risk when disclosed together. When aggregated, information from publicly available sources may accidentally disclose information that was intended to remain confidential. As it happens, an IETF glossary contains a definition of the basic term. RFC 282…

Splunk acquires Phantom Cyber

I hope it doesn't come across as too cynical, the observation that most acquisitions in the tech domain fail to produce anything useful and often as not wind up killing a promising upstart technology, even if only by accident.

I have hope for this one, though. Splunk strikes me as a likely exception. This acquisition of fresh ideas and talent might breathe new life into a solid, if somewhat staid, security company.

Splunk’s data analytics gets a security boost with $350 million acquisition of Phantom Cyber