Wednesday, September 9, 2009

Is chase.com hacked???

Time of incident: about 10:30 PM EST
Date: September 8th 2009

My SSN and other sensitive information are compromised over internet. This problem happened when I tried to access chase.com website to pay my credit card bill. Following is step-by-step sequence of events:

1. I typed in chase.com on my laptop/MS internet explorer.

2. Entered login id and password for my account on chase.com website

3. Next page gave a form to fill up that read "To continue, please enter the information below to help us verify your identity." The webpage asked me to enter following information:
a) First name
b) Last name
c) Date of birth
d) SSN
e) Mother's maiden name
f) Card number
g) Card expiration date
h) Card CVV2
i) ATM Pin URL:
https://mfasa.chase.com/auth/fcc/login Screen Shot:


4) I got suspicious about the webpage since chase.com should not ask all of this details so I closed the window and open a new one

5) On the new window I repeated step 2 and 3 and got the same web page. So I believed on the website and ENETERED ALL THE INFORMATION ASKED ABOVE
6) Next webpage asked me to enter my email id and email password. Then I got sure that chase can not ask email id and password. But that was too late as I have already given all the information. :(

Next I contacted chase over the phone and they confirmed that the information asked on the webpage is never asked by the bank. I provided screen print and URL to them on abuse@chase.com .

Bank's stand is that their website is safe and not hacked. They claim my computer may have virus for this phishing. However I have antivirus running all the time and my internet connection is secure.

I can now go to chase.com and pay my bills etc on the same computer and it does not give the same phishing web page.

I am concerned that my identity is compromised and if chase.com is hacked then millions of others are also at risk.

I have also contacted IC3 which is the govt agency for internet fraud complains.

28 comments:

Tekkari said...

I also got that message, When I use opera I can log on to chase.com with on problem. I think it is a scam.

Unknown said...

The same is currently occurring to me.

Unknown said...

Interestingly, if I block the doubleclick.net scripts on that page from running, the issue goes away...

Unknown said...

Sunil, any updates? The same thing just happened to me and now I'm pretty worried.

LC said...

I am running into the same issues today, but I caught myself before entering the information. Any updates would be appreciated! Thanks!

Unknown said...

This morning, when accessing www.chase.com on our Windows computer just once, we accidently entered the wrong username, but the right password. We were directed to a page that claimed that we had attempted to log in unsuccessfully too many times and the account was locked. The page offered a link for unlocking, which scarily brought up a page asking for SSN and other such personal info. We left the page.

This evening, from my Mac, I attempted the same and got the same message. In the end, it turns out we were entering the wrong Username (duh). Entering the correct username and password worked.

So why didn't we just get messages that the username and/or password didn't match their records? Why tells us something false, like the too many log in attempts? And then ask for such sensitive info? How about just giving us a number to call like so many other sites do?

I realize that this episode doesn't quite follow what others have posted here, but certainly does raise at least my eyebrows.

Unknown said...

The SS#/Acc Info request page also pops up after my wife and I login in our User/pass. I am using Kaspersky virus scan.

John Cunningham said...

I had exactly the same thing happen this week on ebay. Somehow that got cleared up and now it happens on Chase.com. Same screen you guys are talking about.
Read one article that said the mfasa.com site is at fault and that it is a trojan hiding in your SYSTEM RESTORE program, which, thus, cannot be cleaned by an antivirus program.
Are we on the right track?
john

Unknown said...

Had, the same issue the solution is a virus scan called MALWARE BYTES. Rids the virus in the system restore.

Unknown said...

got the same screen using firefox and was suspicious at first but when I saw the mfasa.chase.com I figured it must be authentic and completed the first screen like many others. Then my heart stopped when I saw the next screen ask me for my email address and my email PASSWORD ! I tried calling Chase but they are clueless and no help. I did also notice that the secure "lock" goes away after the login screen so the allegedly fraudulent page is unsecure, I wish I picked up on that before. I trusted my virus scan but the hackers are always one step ahead (more like two). Virus or Malware I still blame chase since this only happens AFTER you enter your username and password on Chase.com.

Unknown said...

i called chase and this is a virus. do not put any of the information!!@

Unknown said...

I feel like a complete moron for putting this information in. It didn't pass the "sniff test" but I still entered it anyways after seeing the URL be "mfasa.chase.com". This is nuts.

Unknown said...

This Chase issue is on my computer as well and it is also affecting my capital one account! I have tried Malwarebytes, manual removals, Mcafee. avast safe mode scans and I cannot stop it from happening.....the banc is in complete denial mode and uninterested in resolving the issue I need help?????????please.....

Unknown said...

I had this problem, and I tried a lot of things and it persisted for days. I used Symantec Endpoint Protection in normal mode and Malwarebytes and I removed a lot of things, but the problem remained. The ultimate solution for me was to scan in safe mode with Symantec Endpoint Protection (although I believe other symantec products will work as well). Note that you must update the virus definitions in normal mode prior to scanning in safe mode. It turns out it was the Boot.Mebroot trojan (This is the Symantec name for it). The only way to fix it was to get my Windows XP CD ROM and use the windows recovery console to restore my Master Boot Record. You must log in as the administrator to do this. This solution is described on the symantec website for this trojan.

GrannyB said...

Ok, but color me stupid, I'm not sure how to use the Console Recovery for XP.

Chase doesn't seem to think it's a problem...I DO!

Unknown said...

This is being caused by malware that has at somepoint taken over your DNS settings and replaced your normal DNS server settings with those of a malicious DNS server. The result is when you manually type "chase.com" or rather then your computer being told to go to the legitemate ip of 1.2.3.4 for example, it tells your computer to go to x.x.x.x, the ip address of an identical phishing site.

Check "tcp/ip settings" in "network connections" located inside the control panel. if your DNS server IP is set to "manually assign DNS settings", and you did not specifically set this BINGO you just discovered a big problem!

Anonymous said...

any news on what happened to your identity ? credit cards got opened ?

I received a similar page from paypal and thought that paypal got screwed. Then later in the day at chase I have arrived at the same page as your's and it took me the whole day to get rid of the problem.

malware bytes didn't do it, norton didn't, I tried a bunch of stuff to look for what's weird. Using google-chrome it didn't happen, so my only indication that I was still infected was logging in to the chase account with firefox. The phishers must have received MANY MANY confirmations of my password.

Highjackthis did find a weird reference to a file called exzuu.exe, that kept being re-inserted into the registry. I renamed the file and put a dummy file that was read-only but on top of it I also did another scan with another random malware scanner I found online and deleted some more trojans.

but now everything works. so I'm not sure if I'm in the clear, and I'm scared as I logged into many other sites in between the paypal incident and the chase site.

missaface said...

I just got the same thing, and, fortunately or not, my email (hotmail)was recently hacked so I'm extra-suspicious of everything that goes on that doesn't seem right with my computer and thought better of entering in all my info. I Googled that URL (https://mfasa.chase.com/auth/fcc/lo) and it came up with all these support forums talking about viruses, being hacked, etc...so I knew I was onto something.
Other things that clued me: in the upper right-hand corner it gives the date as August 4th, which it isn't, even on east coast time (I'm in Central Time), it's still the 3rd everywhere in this country for another half-hour.

I ran Malwarebytes a few weeks ago, trying to get my computer running better. I'd read good reviews of this on CNET. Lo and behold, the very next day, my hotmail had been hacked and everyone I know received email from me telling them to buy Viagra from some Canadian pharmacy (I'm most surprised some of them actually clicked on the link which was total gibberish!) Coincidence? I'm no computer wiz, I just read stuff in online forums and look for solutions, but I wonder if that has anything to do with my email being hacked, and subsequent malfunction/inability to install the latest version of McAfee, and then my internet went all wonky (I use Firefox) and wouldn't open at all, until at last I had to restore my whole system to a date in early June. WTF? Obviously, I have problems...but anyway, the Chase business is nuts.

Unknown said...

Folks, NEVER NEVER EVER enter that type of information on your computer without first verifying if this is standard practice for the company. I have gotten a few of these requests from Paypal, Chase, Amazon, Citi. They were all bogus.

If you have entered your information and feel that your personal information may be compromised, I would sign up for the credit protector that is available with any credit card you may already own. They charge you anywhere from 8 - 12 dollars a month for the service but it is completely worth it as it will notify you of any change on your credit score or credit report.

Unknown said...

Folks, NEVER NEVER EVER enter that type of information on your computer without first verifying if this is standard practice for the company. I have gotten a few of these requests from Paypal, Chase, Amazon, Citi. They were all bogus.

If you have entered your information and feel that your personal information may be compromised, I would sign up for the credit protector that is available with any credit card you may already own. They charge you anywhere from 8 - 12 dollars a month for the service but it is completely worth it as it will notify you of any change on your credit score or credit report.

Unknown said...

Also I forgot to mention, the reason that these forms pop up on your computer screen is because you're computer is infected by malware or because your browser has beenhijacked. It is a way for criminals to steal your identity. There is a program on CNET.COM called HIJACK THIS that can point you in the right direction as to fixing your machine, otherwise you'll have to use computer restore to restore your pc to a time before it was hijacked or you must do a full reformat and wipe your drive clean.

PHOnos said...

My problem all started with the recent Chase.com outage. I found a link in a post on CNN Financial that said it would connect to the Chase website even during the outage. I followed it, logon page came up, logged on, then all accounts were shown with correct balances. The only problem was when I followed the link the first thing that showed up before the logon screen was a url of mfasa.chase.com. I thought this was weird so I checked the history. The history went through facebook.com and a whole lot of unix commands. As soon as the Chase website was back up I reported this and got info already posted here. I changed the logon and password on the "real" chase site. Haven't noticed any problems. mfasa.chase.com now goes through to chase by way of cc.bengi.com which is really weird.

PHOnos said...

Correction -- cc.benji.com.

PHOnos said...

Corrected correction -- cc.bengj.com .

cherryblossombbe said...

This same thing happened to me a few days ago. I did the same thing you did got suspitious and loggered off. Then I renetered Chase's official website and got the same thing. I figured I must have mistyped my username or password and it was just a security measure. I gave them my social security number and debit card number. I was then sent a text with a verification code to reset my password. I never even gave them my cell number they had to have gotten it from my account. When I looked at the message later it had Chase's number for mobile banking but with an extra 3 at the end. After I reset it I was automaticly logged into my account. I thought everything was fine until I noticed mfasa.chase.com in my browsiing history. Now whenever I login in it stalls on a blank screen with mfasa.chase.com and a series of random numbers and words before loggining my into my account. After calling Chase I was told it's not standard for them to do that and was given a bunch of text book answers about phishing emails. They didn't seem to understand this happend through there official webstite so no help there. I've been researching it and found alot of similar stories but noone has really said it did anything negative to there account. I noticed alot of the comments are more than a year old but can anyone give me some updates. cherryblossombbe@ymail.com

Kyle said...

FYI, in case anyone ever comes across this post like I did recently, there is another trojan that is now doing this same thing. Forwards you to a site that looks like Chase's activation, but then asks for your debit card #, PIN, social, etc. URL is still chaseonline.chase.com, and the security certificate even appears valid for the site. I ran MalwareBytes, Symantec Endpoint, various rootkit detectors... all of them came up clean.

Then I ran Windows Defender offline scanner from a boot CD and it found TrojanSpy:Win32/Ursnif.gen!K, which was the cause. It was able to successfully remove the infection.

dee dee said...

I had the same problem today, July 14, 2012. Obviously Chase was hacked becasue it only happened on www.chase.com. Also on Chase.com today there is a message with a red exclimation point telling people not to give away their private info if they get a "pop-up" becasue a computer virus might have generated it from individual computers. But why would that message be on chase.com if it were not the source of the problem?

Unknown said...

You obligation secure your fiscal station by keeping a tight check on your credit score will support you avoid bounteous a sleepless nights. Accomplish the most that comes veil the choice of obtaining totally for free credit report and equate doubt - complimentary. See url