Chase phishing scam traced to Chinese bank servers

An e-mail scam that tries to con customers of Chase Manhattan Bank into taking part in a fake online survey in return for a fictitious $20 reward has been linked to an Internet server run by the state-owned China Construction Bank.

The scam mail claims that Chase Manhattan's online division is conducting a survey of its users and will credit the accounts of those who take part with $20. The fake e-mail presents customers with a series of questions, followed by a request for user ID and password so the $20 can be deposited to the proper account.

The form also requests the victim's card number, PIN number, card verification number, mother's maiden name and social security number.

Online security firm NetCraft has linked the attack to a Web server belonging to China Construction Bank.

NetCraft says the scam was directing customers to sites hosted on IP addresses assigned to China Construction Bank's Shanghai branch. The phishing pages are located in hidden directories, while the server's main page displays a configuration error.

The security firm says this is the first instance it has seen of one bank's infrastructure unwittingly being used to attack another.

However, China Construction Bank has said that it has found no evidence so far that its systems were used by the phishers.

Meanwhile Internet security vendor SurfControl says it has intercepted several different variants of the spam mail, each utilising a different server, including some located in the US.

The firm says the source code for each survey page is very similar, which suggests that criminals are using an off-the-shelf 'phish kit' which enables them to re-use the same source code on a variety of systems.
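The kind of comparison behind that inference can be sketched as follows. This is an added example, not SurfControl's or NetCraft's method: it reduces each captured page to its markup skeleton and scores pairs by Jaccard similarity, so pages that differ only in host URL and wording still match. The host names, sample pages, shingle size and 0.7 threshold are all constructed assumptions.

```python
from html.parser import HTMLParser
from itertools import combinations

class Skeleton(HTMLParser):
    """Reduce a page to its markup skeleton: tags, attribute names, form field names."""
    def __init__(self):
        super().__init__()
        self.tokens = []
    def handle_starttag(self, tag, attrs):
        self.tokens.append("<" + tag)
        for name, value in attrs:
            # Field names travel with a kit; URLs and visible text vary per host, so drop them.
            if name == "name" and tag in ("input", "select", "textarea"):
                self.tokens.append("name=" + (value or "").lower())
            else:
                self.tokens.append("@" + name)
    def handle_endtag(self, tag):
        self.tokens.append("</" + tag)

def shingles(html, k=3):
    """Set of overlapping k-token windows over the skeleton (empty for tiny pages)."""
    parser = Skeleton()
    parser.feed(html)
    parser.close()
    t = parser.tokens
    return {tuple(t[i:i + k]) for i in range(len(t) - k + 1)}

def jaccard(a, b):
    # Two empty skeletons are treated as unrelated, not identical.
    return len(a & b) / len(a | b) if a | b else 0.0

def same_kit_pairs(pages, threshold=0.7):
    """Return host pairs whose page skeletons are similar enough to suggest shared source."""
    sets = {host: shingles(html) for host, html in pages.items()}
    return [(x, y) for x, y in combinations(sorted(sets), 2)
            if jaccard(sets[x], sets[y]) >= threshold]

# Constructed sample captures: two survey pages on different hosts and one unrelated error page.
FORM = ('<form action="{url}" method="post"><p>Q1</p><input type="radio" name="q1">'
        '<p>Q2</p><input type="radio" name="q2"><input type="text" name="userid">'
        '<input type="password" name="password"><input type="submit" value="Continue"></form>')
PAGES = {
    "host-a.example": "<html><body><h1>Survey</h1>"
                      + FORM.format(url="http://host-a.example/s/post.php") + "</body></html>",
    "host-b.example": "<html><body><h1>Online Survey</h1><br>"
                      + FORM.format(url="http://host-b.example/x/post.php") + "</body></html>",
    "host-c.example": "<html><head><title>Error</title></head><body><h1>Configuration error</h1>"
                      "<p>Contact the administrator.</p></body></html>",
}

if __name__ == "__main__":
    print(same_kit_pairs(PAGES))
```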
