Discover Card Users Hit With E-Mail Scam

Users of Discover Financial Services' Discover Card were targeted by an e-mail scam this week designed to trick them into giving out their personal information, including user identifications, account numbers, passwords, Social Security numbers, mothers' maiden names, card numbers, and expiration dates.

But this scam differed from the e-mail scams that have targeted users of companies such as PayPal, eBay, and Yahoo.

On Thursday, a reader e-mailed Computerworld saying she had received a suspicious-looking HTML e-mail that purported to be from Discover Card.

The e-mail, which actually came from someone whose e-mail address was secure19@warshawsales.com said: "Due to your inactivity your account has been put On Hold. To remove this status you have to Log In to your account and review Discover Privacy Policy."

Spoofed Sites

Usually, scam artists set up a spoof Web site to try and trick users into providing their personal information. Spoofed sites look official and generally mimic a company's actual site.

But whoever sent out the bogus e-mail linked directly to content on Discover Card's actual Web site and wrapped the form seeking users' information in a hidden submission. That redirected the information to an e-mail address at warshawsales.com, according to Russ Cooper, a security consultant at TruSecure in Herndon, Virginia. Cooper said Discover is one of TruSecure's clients.

By setting up the scam that way, the contents of the form--a user's personal information--went to the scammer and weren't submitted to the Discover Card site. "I've never seen this done before," Cooper said.

Searching for the Source

The Warshaw Sales domain name was registered with Mountain View, California-based domain name registrar Verisign on March 10 and taken down on March 13 at the request of the registrant, a wholesaler that sells domain names to other parties, according to Verisign spokesperson Pat Burns.

The domain was originally hosted by Fort Lauderdale, Florida-based Web hosting company, Affinity Internet. Affinity spokesperson Michelle Van Jura said the company was made aware of the Warshaw Sales site and shut it down early March 12.

Cooper said he tracked the Warshaw Sales e-mail to IP addresses in Newfoundland and Ontario.

Cathy Edwards, a spokesperson for Riverwoods, Illinois-based Discover, confirmed that the e-mail was a scam. Edwards said Discover is aware of the situation and is taking steps to combat it, although she wouldn't go into detail for security reasons.

"Discover has now modified the graphics that were being linked to in the e-mail so that now when you view the Web page, what you see is a big flashing yellow 'Alert' and the words 'Fraudulent e-mail call 1-800-DISCOVER,' and the two buttons that used to say 'Log In' and 'Password Reset' now say 'Fraud' and 'Don't Click,'" TruSecure's Cooper said.