Email scammers are trying to dupe online banking customers into handing over sensitive account information using a bogus survey that offers a fictitious $20 reward. The attack, targeted against Chase Manhattan customers, represents the latest evolution of social engineering attacks by phishing fraudsters.

The bogus email purports to be a survey on the usability of the Chase online banking site from the bank's online division. In reality, the emails are nothing to do with the bank and point to a bogus site that attempts to extract user names, passwords, PIN number, card verification number, mother's maiden name and Social Security number from unwary dupes. Any data submitted is sent to a form processing service in India.

Fraudsters have used a website run by a state-operated Chinese bank to host the Chase phishing site. The phishing pages are located in hidden directories within the server of The China Construction Bank (CCB) Shanghai Branch, Netcraft reports (http://news.netcraft.com/archives/2006/03/12/chinese_banks_server_used_in_phishing_attacks_on_us_banks.html), in what it says is the first attempt of one bank's infrastructure being used to attack another financial institution. CCB's site also harboured phishing scams targeting other US institutions, including eBay.

Netcraft said that the Netcraft Toolbar, a free phishing protection tool for IE and Firefox users, blocks all these attacks. ®

Related stories

Barclays scripting SNAFU exploited by phishers (15 August 2006)
http://www.theregister.co.uk/2006/08/15/barclays_phish_scam/
eBay scamming automation primed for fraud (3 August 2006)
http://www.theregister.co.uk/2006/08/03/ebay_scam_automation/
Why phishing catches punters (7 June 2006)
http://www.theregister.co.uk/2006/06/07/why_phishing_works/
Phishers aim to hook MySpace users (5 June 2006)
http://www.theregister.co.uk/2006/06/05/myspace_phishing_attack/
'Smart' phishing attack targets BoI (2 May 2006)
http://www.theregister.co.uk/2006/05/02/boi_phishing_attack/
Phishing goes international (26 April 2006)
http://www.theregister.co.uk/2006/04/26/international_phishing_survey/
Sudoku used as bait for adware download (10 April 2006)
http://www.theregister.co.uk/2006/04/10/yazzlesoduko/
German Postbank uses e-signatures to curb phishing (7 April 2006)
http://www.theregister.co.uk/2006/04/07/postbank_curbs_phishing/
Trojan intercepts bank tokens (24 March 2006)
http://www.theregister.co.uk/2006/03/24/trojan_captures_token/
MS lawsuits aim to reel in phishers (20 March 2006)
http://www.theregister.co.uk/2006/03/20/ms_phishing_lawsuits/
Adult payment firm denies customer records breach (10 March 2006)
http://www.theregister.co.uk/2006/03/10/smut_database_mystery/
Phishing fraudsters aim to outpace site shutdowns (8 March 2006)
http://www.theregister.co.uk/2006/03/08/smart_redirect_phish_attack/
AOL sues mystery phishers for $18m (1 March 2006)
http://www.theregister.co.uk/2006/03/01/aol_phishing_lawsuits/
Police collar AOL phishing suspect (27 January 2006)
http://www.theregister.co.uk/2006/01/27/aol_phishing_suspect_arrest/
Virus poses as MSN Messenger 8 (28 December 2005)
http://www.theregister.co.uk/2005/12/28/messenger_virus/
You're infected so pay us to get infested (21 December 2005)
http://www.theregister.co.uk/2005/12/21/spyware_spam_scam_redux/