"Followup phish" targets possible victims of last month's JP Morgan Chase card breach

Filed Under: Data loss, Featured, Phishing

Here's a brief reminder of how cybercriminals use real security disasters to cause follow-up disasters of their own.

You'll probably remember that we wrote, almost exactly a month ago, about a data breach at JP Morgan Chase.

About 450,000 of the 25,000,000 users of Chase's UCARD debit card product had their card data stolen.

That put just under 2% of cardholders in the hot seat, which was bad enough, but left the other 98% in a sort of data security limbo.

Was there a problem or not?

Would Chase's investigations lead to further action or not?

Would they get a warning some time down the track, like many users did in the wake of Adobe's giant breach last year?

With this in mind, we weren't surprised, here at Naked Security, to receive what you might call a "Chase Followup Phish," looking like this:

Dear Chase Paymentech User,

During one of our regular verification procedures we've encountered a problem caused by the recent database breach. Please, take a time to complete the following information on your profile to end our identity verification process. Otherwise your access to Chase Paymentech services will be stopped.

To verify information now, please follow the link:
[CLICK HERE]

The phish isn't terribly sophisticated, as it dumps you at a merchant page, not at a UCARD page.

(Merchants are Chase customers who process payments; UCARD customers are Chase product users who hold a benefit payments card to make purchases.)

Nevertheless, the phish passes casual visual muster, because the HTML, stylesheet and imagery are all ripped off from Chase's own servers:

Actual merchants shouldn't be fooled, because Chase's official merchant login pages look quite different to the phish.

JP Morgan Chase's actual page asks for different information, and uses HTTPS with a certificate officially issued to Chase Paymentech:

Bear in mind that even - perhaps especially! - a bank that has suffered a security lapse won't email you with a clickable link that takes you to a login page.

By forcing you to log in under your own steam, the bank is helping to get you out of the habit of relying on links that were sent by an outsider.

So whenever you receive an email link that does go to a login page, like this one, you can immediately be certain it is bogus.
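The advice above (a link in an email that lands on a login page is bogus; the real site is HTTPS on the bank's own domain) can be turned into a simple mail-filter check. The following is an added example written for this page, not code from Naked Security or from Chase: it pulls the anchors out of an HTML email body and flags any that point at a login-style page outside an allowlist of domains. The allowlist entries, the keyword list and the sample email (modelled on the phish quoted above, with a placeholder hostname) are all assumptions constructed for the example.

```python
# Added example (not part of the original article): extract the links from an
# HTML email body and flag those that look like a login/verification page on a
# host the bank does not use. Intended for a defender's mail filter or triage.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist; a real deployment would use the institution's published
# list of domains rather than these hard-coded values.
ALLOWED_DOMAINS = {"chase.com", "chasepaymentech.com"}

# Path/query fragments that usually mean "this link wants credentials".
LOGIN_HINTS = ("login", "signin", "verify", "account")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, accumulated text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    # Crude: keep the last two labels. Good enough here; production code
    # should consult the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return a list of findings, one per link that fails any check."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        url = urlparse(href)
        host = url.hostname or ""
        reasons = []
        if registrable_domain(host) not in ALLOWED_DOMAINS:
            reasons.append("host not in allowlist")
        if url.scheme != "https":
            reasons.append("not https")
        target = (url.path + url.query).lower()
        if any(h in target for h in LOGIN_HINTS) or "click here" in text.lower():
            reasons.append("login-style link")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample modelled on the phish quoted in the article; the hostname
# is a placeholder (.invalid TLD), not a real phishing site.
SAMPLE_PHISH = """
<p>Dear Chase Paymentech User,</p>
<p>To verify information now, please follow the link:
<a href="http://secure-update.example.invalid/paymentech/verify.php?id=123">CLICK HERE</a></p>
"""

# Constructed benign sample: HTTPS, allowlisted host, no credential page.
SAMPLE_LEGIT = '<p>Statement ready. <a href="https://www.chase.com/">Visit our homepage</a></p>'

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_PHISH):
        print(finding)
    print("benign sample findings:", suspicious_links(SAMPLE_LEGIT))
```

The three reasons are deliberately independent: a phish that copies the bank's HTML can still be caught on the host, a look-alike domain over plain HTTP on the scheme, and a "click here" link on the wording. A mail gateway would typically quarantine on the host check alone and use the other two for scoring.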



2 Responses to "Followup phish" targets possible victims of last month's JP Morgan Chase card breach

  1. Deramin · 256 days ago

    Well, you can immediately be certain it is bogus, or that the business you're dealing with is incompetent. I've changed a couple of services over the year because the business actually did send me an email like this, and I immediately no longer wanted to do business with them for any reason.

  2. ... seen both sides now ... · 255 days ago

    Deramin thinks, "I've changed a couple of services over the year because the business actually did send me an email like this, and I immediately no longer wanted to do business with them ... ."

    Alas, every bank I do business with -- BofA, Citi, Chase, Webster, Wells Fargo, and more -- sends me at least one email a month inviting me to "go to [my] account by clicking [here]". The marketing folks have no idea what the security folks are up against ... and conversely :-) .


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog