Mr Bartlett Blogs

Chase - Phish

1/12/2012

Picture
So, I received an email from "Chase Bank" a few days ago... If you read the email above, there are a few things that are funny about it:
  1. I'm not a member of Chase bank.
  2. A bank will NEVER ask you to ReActivate through an email.
  3. The Signature at the bottom looks like it was copied and pasted onto the email.
  4. Pay close attention to WHO sent the email.  At first glance it looks like it comes from "chase@emailinfo.chase.com" but it was actually sent from "109505-www1.qoodos.com".  Google provides a nice explanation of what 'via' stands for: http://support.google.com/mail/bin/answer.py?hl=en&ctx=mail&answer=1311182
  5. When HOVERING OVER THE "Chase Online" link, it links to something COMPLETELY different than Chase bank.  (hXXp://www.jenniferbain.com/images/index/links_images/login.php)
When reviewing emails from ANYONE, pay attention to the details:
  • Verbiage - Look for misspellings and strange grammar.
  • Overall look and feel - Does the request look strange?  Are they asking you to do something you don't feel comfortable doing, like changing your password or providing account #'s/information?  If AT ALL suspicious, contact your bank directly using the phone number from your account statements.  DO NOT rely on any information from the 'suspicious' email (phone #s, email addresses, links, etc).
  • Links - DO NOT CLICK ANY LINKS or RESPOND to the email.  Notice where the LINKS actually point (WITHOUT CLICKING ON THEM!): hover over the link and, depending on your browser, it will display the link/path/URL at the bottom.  If not, hover over the link, right-click, select "copy link location", and paste the link into WordPad or the Google search bar.
In this section we will show what happens when you click on the link in the Chase phishing email discussed above.

When I enter the URL in the browser a few things happen:
1.  The Firefox Browser I am using was nice enough to tell me this has been reported as a 'bad' site.  I skip the message to show what the site looks like.
2.  The site appears and shows a site EXACTLY like the 'real' chase bank site.

Notice the following in the video. 

The URL on the site is NOT related to Chase Bank (one strike)
The page is being served over HTTP, NOT HTTPS; any banking site will be using HTTPS for anything related to login and account information. (second strike)

Everything looks identical to the Chase Bank site.  When I hover over the log on icon/button, notice it is 'calling' a PHP file from the server.  This tells me the login is storing data on the malicious server (strike 3).  So behind the scenes, when you enter your UserID and Password into this page, it saves this information, which is then either sold on the black market or used to log in to your account and do some bad things to your $$.

All other links on the page are redirected to the 'official' Chase Bank Page.
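
The hover check from the email and the three strikes above can be automated against a message body or a saved copy of a page. This is an added example, not code from the original post; the function names, flag labels and the `shop.example.test` sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _Collector(HTMLParser):
    """Collects (visible text, href) for each link and the action URL of each form."""
    def __init__(self):
        super().__init__()
        self.links, self.forms = [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self._href, self._text = attrs["href"], []
        elif tag == "form":
            self.forms.append(attrs.get("action") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def _on_domain(host, domain):
    # Exact match or a true subdomain; "chase.com.evil.test" must not pass.
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def red_flags(html, brand, domain, page_url=None):
    """Return (flag, url) findings for an email body or a saved login page."""
    p = _Collector()
    p.feed(html)
    found, page = [], urlparse(page_url or "")
    if page_url and not _on_domain(page.hostname, domain):
        found.append(("page-host-not-brand", page_url))      # strike one
    if page_url and page.scheme != "https":
        found.append(("page-not-https", page_url))           # strike two
    for text, href in p.links:  # link text names the brand, target does not
        if brand.lower() in text.lower() and not _on_domain(urlparse(href).hostname, domain):
            found.append(("link-text-brand-mismatch", href))
    for action in p.forms:      # a relative action posts back to the page's own host
        host = urlparse(action).hostname or page.hostname
        if not _on_domain(host, domain):
            found.append(("form-posts-off-brand", action))   # strike three
    return found

# Constructed samples (not the real message or page from this post)
EMAIL = '<p>Please <a href="http://shop.example.test/images/login.php">Chase Online</a></p>'
PAGE_URL = "http://shop.example.test/images/login.php"
PAGE = '<form action="login.php"><input name="UserID"></form><a href="https://www.chase.com/">Chase Online</a>'
```

Calling `red_flags(PAGE, "Chase", "chase.com", PAGE_URL)` reports all three strikes while leaving the link that really points at the official site unflagged, which matches the behaviour seen on the fake page.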

Be safe out there.  DO NOT click on links in emails, documents, or IM without vetting them properly.

1 Comment
www.ssdflashrecovery.com link
7/25/2014 06:42:30 pm

This is an amazing post.


    Author

    Security Researcher with about 20 years in the Computer Security Field. Going to talk even if no one is listening..

    email: mrbartlett <at> mrbartlett.com
