DiscoverCard users hit with e-mail scam

Computerworld - Users of Discover Financial Services Inc.'s DiscoverCard were targeted by an e-mail scam this week designed to trick them into giving out their personal information, including user identifications, account numbers, passwords, Social Security numbers, mothers' maiden names, card numbers and expiration dates.
But this scam differed from the e-mail scams that have targeted users of companies such as PayPal Inc., eBay Inc. and Yahoo Inc.
Yesterday, a reader e-mailed Computerworld saying she had received a suspicious-looking HTML e-mail that purported to be from DiscoverCard.
The e-mail, which actually came from someone whose e-mail address was secure19@warshawsales.com said: "Due to your inactivity your account has been put On Hold. To remove this status you have to Log In to your account and review Discover Privacy Policy."
Usually, scam artists set up a spoof Web site to try and trick users into providing their personal information. Spoofed sites look official and generally mimic a company's actual site.
But whoever sent out the bogus e-mail linked directly to content on DiscoverCard's actual Web site and wrapped the form seeking users' information in a hidden submission. That redirected the information to an e-mail address at warshawsales.com, according to Russ Cooper, a security consultant at TruSecure Corp. in Herndon, Va. Cooper said Discover is one of TruSecure's clients.
By setting up the scam that way, the contents of the form -- a user's personal information -- went to the scammer and weren't submitted to the DiscoverCard site. "I've never seen this done before," Cooper said.
The Warshaw Sales domain name was registered with Mountain View, Calif.-based domain name registrar Verisign Inc. on March 10 and taken down on March 13 at the request of the registrant, a wholesaler that sells domain names to other parties, according to Verisign spokesman Pat Burns.
The domain was originally hosted by Fort Lauderdale, Fla.-based Web hosting company, Affinity Internet Inc. Affinity spokeswoman Michelle Van Jura said the company was made aware of the Warshaw Sales site and shut it down early March 12.
Cooper said he tracked the Warshaw Sales e-mail to IP addresses in Newfoundland and Ontario.
Cathy Edwards, a spokeswoman for Riverwoods, Ill.-based Discover, confirmed that the e-mail was a scam. Edwards said Discover is aware of the situation and is taking steps to combat it, although she wouldn't go into detail for security reasons.
"Discover has now modified the graphics that were being linked to in the e-mail so that now when you view the Web page, what you see is a big flashing yellow 'Alert'and the words 'Fraudulent e-mail call 1-800-DISCOVER,' and the two buttons that used to say 'Log In' and 'Password Reset' now say 'Fraud' and 'Don't Click,'" TruSecure's Cooper said.

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Knowledge Center.