Brilliant Chase Online Activation Scam

This may not actually be new, but it's the first time I've seen it. Usually I determine whether an e-mail is a scam by making sure that the links in the e-mail actually point to the places they claim (watch the status bar at the bottom of the screen when you hover your mouse). Even if I think it is legit, I always type the address in the address bar instead of clicking the link, in case the scammers think of a way to modify my browser. Today I received an e-mail addressed to a person with my first name and a different last name (though my last name is part of my e-mail address). Right away I knew it was a [phishing scam](http://en.wikipedia.org/wiki/Phishing), but I checked the e-mail out anyway. I was very curious when I found that all of the links that said [www.chase.com](http://www.chase.com) actually did point to the correct locations. The link wasn't directly to a login screen or anything, just straight to Chase's homepage. The support phone number for Chase online (877-CHASEPC) was correct, as was the given numerical translation (877-242-7372). The only part that was incorrect was that it gave me an activation code for my (nonexistent) Chase card. Then I found the scam. The following instructions appeared at the bottom of the e-mail:

> If you are currently at Chase Online and in the process of enrolling or logging on, then follow these steps:
>
> 1. Click "I Have My Code."
> 2. Enter your 8-digit Activation Code in the field provided.
> 3. Click "Next."
>
> If you are not currently at Chase Online, then please follow the steps below:
>
> 1. Go to www.chase.com
> 2. Enter your user ID in the User ID field.
> 3. **Enter the 8-digit Activation Code in the Password field.**
> 4. Click Log On.
> 5. Follow the online instructions.

I must say, this is ingenious! The first instructions (if you are currently logging on, etc.) don't matter at all!

The scammer simply sits back and waits for someone to follow his instructions, creating a *valid* user account at chase.com--linked to their credit card account(s). If they follow his instructions, they will have used his "activation code" as the password on their account! He comes back after a month or two and tries to log in (from a public computer) using every combination of e-mail address and "activation code" that he sent out, maxing out the credit card of every person who fell for the scam. There is no way to trace this attack, no public URL that can somehow be deactivated. The only possible defense would be for chase.com to implement a password policy that disallows passwords with no alphabetic characters. They may have done this (I hope they have), but probably not before hundreds of people created accounts which were compromised *before they were even opened*.
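The password policy described above, as an added example that is not from the original post and not Chase's code: a hypothetical enrollment-time check that rejects a password with no letters, one shaped like the mail's 8-digit activation code, and one equal to the code actually issued for the enrollment, so a victim following step 3 of the scam is stopped at the point where the damage would happen.

```python
import re

# The scam mail promises an "8-digit Activation Code"; a password with that
# shape is exactly what the scammer can later guess.
ACTIVATION_CODE_RE = re.compile(r"^\d{8}$")


def password_problems(password, issued_activation_code=None):
    """Return the list of policy violations for a proposed password.

    An empty list means the password is acceptable. `issued_activation_code`
    is the code the bank itself sent for this enrollment (hypothetical
    parameter), so that even a legitimate code cannot double as a password.
    """
    problems = []
    if not any(ch.isalpha() for ch in password):
        # The post's proposed policy: no alphabetic characters, no account.
        problems.append("password must contain at least one letter")
    if ACTIVATION_CODE_RE.match(password):
        problems.append("password has the shape of an 8-digit activation code")
    if issued_activation_code is not None and password == issued_activation_code:
        problems.append("password equals the activation code issued for this enrollment")
    return problems


def enroll(user_id, password, issued_activation_code=None):
    """Simulated enrollment step: (accepted, reasons_for_rejection)."""
    problems = password_problems(password, issued_activation_code)
    return (len(problems) == 0, problems)


if __name__ == "__main__":
    # Constructed sample: a victim types the scammer's "code" into the
    # Password field, exactly as the mail instructs. This must be refused.
    scammer_code = "12345678"  # constructed, not a real code
    print(enroll("victim@example.invalid", scammer_code))
    # A password with letters in it passes the policy.
    print(enroll("victim@example.invalid", "correct-horse-B4ttery"))
```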
