On Friday night I received a fraud alert from Chase, indicating they had flagged a transaction:
Their fraud algorithm is a mystery, although I am patently fascinated by it. My guess is that based on where the card was presented (they won’t say where, just that it was manually entered – so, given over the phone to a Domino’s employee), the amount (I am going out on a limb when I say an $80 charge for pizza is atypical), and my personal history with the merchant (never bought pizza at any Domino’s), it lit up as suspicious.
I immediately phoned Chase fraud services. Four or five times. Their call routing was not working properly that night, and I kept getting dumped “due to extenuating circumstances” before reaching an agent.
And for some reason, the Chase website was not working properly that night with my browser either; it never actually submitted my logon credentials when I clicked submit, it just sat there.
This became infuriating, particularly as additional attempts to run the card at Domino’s for different amounts continued to hit my inbox.
My go-to was to start ranting on Twitter, which was not a good move, because it caught the attention of a highly opportunistic scammer who had set up a pretty elaborate trap for people doing exactly what I was doing:
This tweet, at a quick glance in the context of the evening, had an air of legitimacy. The URL was pretty suspicious. But given that I knew their phones were not working, and that I had an issue logging into the website, I considered that maybe this was some kind of crudely thought-out plan B, and that they were having a shit-hit-the-fan technology issue.
So I clicked, and it looked good.
But I knew it didn’t look good. This was an old Chase UI; I knew Chase had just launched a new one about a month ago.
Suspicions were creeping in, and Netcraft’s details pegged the sketchy meter.
I pored over the source code for the site, and it was all but impossible to tell what was going on from the homepage alone. All of the code looked legit, with elements sourced directly from Chase; no obvious references to nefarious-looking 3rd party sites.
So I entered a bogus username and password, wondering how it would validate. And what a miracle – “jack:jack” was accepted, prompting for further input; basic PII, social security number, the whole deal.
This was the icing on the urinal cake:
Now it’s just super ambitious and comically greedy, but it’s academic at this point, as presumably you’ve already “authenticated” with your actual Chase credentials on the prior screen.
From the looks of it, the malicious Chase Twitter handle reached out to about 30 people. Both the handle and the site appear to have ceased activity, but the damage is done.
I would rate their probability of success as high. I had started typing my username on that site before I paused and pushed my emotions aside, as they were running pretty hot in the context of things that night.
There’s no way every user looks at these situations through an infosec lens. Why would they? That’s not their background. Their card stopped working, they’re freaking out, Chase’s IT systems aren’t working and now they’re pissed, and then this benevolent Twitter account comes to their rescue, and at first glance it looks good enough.
In my opinion, Twitter needs to take some elementary steps to slow this stuff down. Like prevent anyone from using the same avatar as a user with a verified Twitter account. And develop (or if they have it, release it!) a rudimentary fraud algorithm to spot copycat accounts based on profile details that are similar to verified accounts.
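A rudimentary version of the copycat check described above, added here as an illustration and not anything Twitter actually runs: it folds look-alike characters and separators out of a handle, compares the result against a verified account's handle and display name, and also flags an identical avatar. The verified profile, the candidate profiles and the avatar hashes are constructed for the example; the handle @ChaseSupport is assumed, not taken from the post.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Characters impersonators commonly swap in for letters of a well-known handle.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "|": "l", "!": "i", "3": "e", "4": "a",
    "5": "s", "$": "s", "7": "t", "@": "a",
})


def normalize_handle(name: str) -> str:
    """Fold a handle or display name to a comparable form: strip a leading '@',
    accents and case, map look-alike characters to letters, then drop everything
    that is not a letter (underscores, spaces, leftover digits)."""
    folded = unicodedata.normalize("NFKD", name.lstrip("@")).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", folded.lower().translate(HOMOGLYPHS))


def similarity(a: str, b: str) -> float:
    """Similarity of two names after normalization, from 0.0 to 1.0."""
    return SequenceMatcher(None, normalize_handle(a), normalize_handle(b)).ratio()


def copycat_signals(candidate: dict, verified: dict, threshold: float = 0.85) -> list:
    """Return the reasons `candidate` looks like an impersonation of `verified`.
    An empty list means nothing fired. Verified accounts are never flagged."""
    reasons = []
    if candidate.get("verified"):
        return reasons
    # Signal 1: same profile picture as the verified account (exact, by image hash).
    if candidate["avatar_hash"] == verified["avatar_hash"]:
        reasons.append("identical avatar")
    # Signal 2: display name collides once look-alikes and separators are folded.
    if normalize_handle(candidate["display_name"]) == normalize_handle(verified["display_name"]):
        reasons.append("display name matches after normalization")
    # Signal 3: handle is near-identical but is not actually the verified handle.
    sim = similarity(candidate["handle"], verified["handle"])
    if sim >= threshold and candidate["handle"].lower() != verified["handle"].lower():
        reasons.append(f"handle resembles @{verified['handle']} (similarity {sim:.2f})")
    return reasons


# Constructed profiles for the example; the handle and avatar hashes are placeholders.
VERIFIED = {"handle": "ChaseSupport", "display_name": "Chase Support",
            "avatar_hash": "a1b2c3", "verified": True}
CANDIDATES = [
    {"handle": "ChaseSupp0rt", "display_name": "Chase Support",
     "avatar_hash": "a1b2c3", "verified": False},          # zero for 'o', stolen avatar
    {"handle": "Chase_Support_Help", "display_name": "Chase Help Desk",
     "avatar_hash": "ffee99", "verified": False},          # padded handle
    {"handle": "PizzaLover99", "display_name": "Jack",
     "avatar_hash": "123456", "verified": False},          # unrelated account
]

if __name__ == "__main__":
    for profile in CANDIDATES:
        print(profile["handle"], "->", copycat_signals(profile, VERIFIED) or "clean")
```

The avatar and display-name signals are exact matches after folding, so they are cheap to run at account creation or rename time; the handle similarity is the noisy one, and a real deployment would tune the threshold against a sample of legitimate fan and parody accounts before acting on it automatically.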
Likewise, Chase needs to batten down the hatches and take a better look at their web logging. They can’t be serving up their own web assets to illicit 3rd party domains. Those requests need to be captured and analyzed. That’s a lot of work, but that’s the byproduct of our out-of-control modern web model driven by externally loaded content. Good luck?
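One way to do the capture-and-analyze step from the bank's side, added here as an illustration and not Chase's own tooling: a pass over web server access logs in the common "combined" format that picks out requests for static assets whose Referer points at a host outside the bank's own domains, then groups them by referring host. This is exactly the trail a kit leaves when it sources its elements directly from the real site, as the one above did. Every log line, path, IP and hostname below is constructed for the example, and the allowlist of first-party domains is assumed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format. The Referer is the first quoted field after
# the status code and byte count.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Registrable domains allowed to embed our static assets (assumed for the example).
FIRST_PARTY_DOMAINS = {"chase.com"}

# Request paths that count as embeddable assets rather than pages.
ASSET_SUFFIXES = (".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff", ".woff2")


def is_first_party(host: str) -> bool:
    """True for the allowlisted domains and their subdomains only; a host such as
    chase.com.evil.example is NOT first party."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY_DOMAINS)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def hotlink_report(lines) -> dict:
    """Group asset requests by third-party referring host.
    Returns {host: {"hits": n, "assets": set(paths), "ips": set(client ips)}}."""
    report = defaultdict(lambda: {"hits": 0, "assets": set(), "ips": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]          # drop cache-busting query strings
        if not path.lower().endswith(ASSET_SUFFIXES):
            continue
        if rec["referer"] in ("", "-"):
            continue  # No Referer: direct load, referrer policy, or a kit that strips it. Unprovable either way.
        host = urlsplit(rec["referer"]).hostname or ""
        if not host or is_first_party(host):
            continue
        entry = report[host]
        entry["hits"] += 1
        entry["assets"].add(path)
        entry["ips"].add(rec["ip"])
    return dict(report)


def suspects(report: dict, min_assets: int = 2) -> list:
    """Hosts pulling at least `min_assets` distinct assets, most active first.
    A lone logo hit from a search engine is noise; a host loading the CSS and JS
    bundle looks like a page built out of our UI."""
    ranked = [h for h, e in report.items() if len(e["assets"]) >= min_assets]
    return sorted(ranked, key=lambda h: (-len(report[h]["assets"]), -report[h]["hits"], h))


# Constructed sample log; the paths, client IPs and the phishing host are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:21:13:02 -0400] "GET /assets/css/main.css HTTP/1.1" 200 14321 "https://www.chase.com/" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2014:21:13:03 -0400] "GET /assets/js/app.js HTTP/1.1" 200 50213 "https://secure.chase.com/web/auth/" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2014:21:14:10 -0400] "GET /assets/css/main.css HTTP/1.1" 200 14321 "http://chase-fraud-alert.example/login.php" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2014:21:14:10 -0400] "GET /assets/img/logo.png HTTP/1.1" 200 8312 "http://chase-fraud-alert.example/login.php" "Mozilla/5.0"
198.51.100.44 - - [10/Oct/2014:21:15:41 -0400] "GET /assets/js/app.js?v=2 HTTP/1.1" 200 50213 "http://chase-fraud-alert.example/verify.php" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2014:21:16:00 -0400] "GET /web/auth/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2014:21:16:30 -0400] "GET /assets/img/logo.png HTTP/1.1" 200 8312 "https://www.google.com/" "Mozilla/5.0"
"""

if __name__ == "__main__":
    rep = hotlink_report(SAMPLE_LOG.splitlines())
    for host in suspects(rep):
        e = rep[host]
        print(f"{host}: {e['hits']} hits, {len(e['assets'])} assets, {len(e['ips'])} client IPs")
```

Referer is only a hint: browsers omit it under a strict referrer policy, a kit can hide it by proxying the assets through its own server, and a single hit from a search engine (the www.google.com row) is noise. That is why suspects() ranks on distinct assets and visitor IPs instead of flagging every foreign host, and why the output is a queue for an analyst or a takedown request rather than a verdict. The same signal can be made visible to users more directly by serving assets only to first-party origins, but that is a separate change with its own breakage risk.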