Chase Bank: A Spamtrap is “an Amazon.com Business Rewards Visa cardmember”?

Chase Bank is sending advertising emails to an email address that has been closed for many years, claiming that the owner is “an Amazon.com Business Rewards Visa cardmember”. The ESP is Acxiom Digital.

This is really bad, for reasons that have little to do with spam itself. I wish that Chase had just bought an e-pended list or hired an e-pender, and was just blasting spam at hapless email addresses who had no idea why they were receiving that email. However, the email that I am reporting, although a bulk advertising email, also contained specific sensitive personal information that is not associated with the spamtrap email address, but that I strongly suspect *is* associated with a real human being who has a real Chase credit card. :/ Chase clearly either does not confirm email addresses associated with actual credit card accounts, or ignores bounces.

In either case, Chase’s poor email management processes have led to a security breach. What are the security implications for Chase customers?
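The two controls the post finds missing, address confirmation and bounce handling, can be expressed as a gate in front of the mail merge. This is an added example, not part of the original post and not Chase's or any ESP's code; the `Recipient` record, the `SOFT_LIMIT` threshold and the merge-field names are assumptions.

```python
import re
from dataclasses import dataclass

# Merge fields tied to a card account; names are assumptions for this sketch.
ACCOUNT_FIELDS = {"full_name", "card_last4", "rewards_balance"}
SOFT_LIMIT = 3  # constructed threshold: consecutive 4xx replies before suppression


@dataclass
class Recipient:
    address: str
    confirmed: bool = False   # owner proved control of the address (assumed flow)
    suppressed: bool = False  # never mail again until re-confirmed
    soft_failures: int = 0


def record_smtp_reply(rcpt: Recipient, reply: str) -> bool:
    """Update state from the receiving server's SMTP reply; return suppressed flag."""
    m = re.match(r"\s*([245])\d\d\b", reply)
    if not m:
        raise ValueError(f"not an SMTP reply line: {reply!r}")
    if m.group(1) == "5":            # permanent failure (hard bounce)
        rcpt.suppressed = True
    elif m.group(1) == "4":          # transient failure (soft bounce)
        rcpt.soft_failures += 1
        rcpt.suppressed = rcpt.suppressed or rcpt.soft_failures >= SOFT_LIMIT
    else:                            # 2xx: delivered, reset the soft counter
        rcpt.soft_failures = 0
    return rcpt.suppressed


def render_fields(rcpt: Recipient, fields: dict):
    """Return the merge fields this recipient may receive, or None to skip the send."""
    if rcpt.suppressed:
        return None
    if rcpt.confirmed:
        return dict(fields)
    # Unconfirmed address: generic offer only, no account data.
    return {k: v for k, v in fields.items() if k not in ACCOUNT_FIELDS}


if __name__ == "__main__":
    # Constructed sample data, not taken from the reported email.
    trap = Recipient("closed-mailbox@example.invalid")
    fields = {"full_name": "A. Example", "card_last4": "0000",
              "rewards_balance": "0.00", "offer": "10 points per $1"}
    print(render_fields(trap, fields))
    print(record_smtp_reply(trap, "550 5.1.1 User unknown"))
    print(render_fields(trap, fields))
```

With either check in place, an address that has never been confirmed receives at most the generic offer, and one that hard-bounces stops receiving mail at all.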

Sending IP: 67.59.179.33

Spam Sample:

Actual Headers:

Received: from client-h-33.delivery.net (client-h-33.delivery.net [67.59.179.33])
        by <xxx> (Postfix) with ESMTP id <xxx>
        for <xxx>; Tue, 15 Nov 2011 12:xx:xx -0600 (CST)
DomainKey-Signature: <xxx>
DKIM-Signature: <xxx>
Received: from [209.11.xx.xx] ([209.11.xx.xx:xx] helo=<xxx>)
        by <xxx> (envelope-from <Chase@emails.chase.com>)
        (ecelerity 2.2.3.46 r(<xxx>)) with ESMTP
        id <xxx>; Tue, 15 Nov 2011 10:xx:xx -0800
Date: Tue, 15 Nov 2011 10:xx:xx -0800 (PST)
From: "Amazon.com Rewards Visa Card" <Chase@emails.chase.com>
Reply-to: Chase@emails.chase.com
To: <xxx>
Message-ID: <xxx>
Subject: Cardmember Exclusive: Earn 10 points for every $1 spent on digital downloads at Amazon.com
Errors-to: Chase@emails.chase.com
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="---=<xxx>"
X-eid: <xxx>
X-pid: <xxx>

Readable Email:

From: Amazon.com Rewards Visa Card <Chase@emails.chase.com>
To: <spamtrap>
Subject: Cardmember Exclusive: Earn 10 points for every $1 spent on digital downloads at Amazon.com
Reply-to: Chase@emails.chase.com

You are receiving this e-mail because you are an Amazon.com Business Rewards Visa cardmember.

An exclusive offer just for cardmembers. Earn 10 points for every $1 spent on all digital download purchases at Amazon.com.

View in your web browser.
http://chaseamazon.r.delivery.net/r/r?<xxx>

<removed>

E-mail Security Information
E-mail intended for: <xxx>.
For your account ending in: <xxx>.

If you are concerned about the authenticity of this message, please click the link below or call the phone number on the back of your credit card and reference the Chase Library Code: <xxx>.
http://chaseamazon.r.delivery.net/r/r?<xxx>

<removed>

Note: If you are concerned about clicking links in this e-mail, the Chase Online services mentioned above can be accessed by typing chase.com/creditcards directly into your browser.

3 Responses to Chase Bank: A Spamtrap is “an Amazon.com Business Rewards Visa cardmember”?

  1. BTW, I just spoke by phone with a contact at Acxiom Digital. They’re on it, and also on the Sprint transactional email that I blogged about a couple of weeks ago. They probably won’t be able to tell me much, which is fine; I will see when spamtrap hits cease and that will tell me what I need to know. 🙂 Hopefully the result will be fewer security breaches due to bad email practices by two of their customers.

  2. An update: today a different spamtrap was emailed another marketing email from Chase that also contained a user name and the last four digits of a credit card number. :/ This marketing email was for a differently branded credit card — a Chase Freedom(r) card. This time the email was sent, not via Acxiom Digital, but via Bigfoot Interactive/Epsilon.

    This confirms what I was quite sure of to begin with — the security issue is not with (any of) their ESPs, but with Chase itself. Chase appears to allow people to sign up for credit cards with any email address at all and does not confirm that the individual provided an email address that they own. Since this spamtrap has not had a real user attached to it since before mid-2008, and rejected all email from late 2009 to early 2011, Chase also appears to ignore bounces.

    Worst, Chase includes sensitive personal information (a full name and the last four digits of a credit card number) in these emails, although they are essentially marketing, not transactional, emails. In this day and age of identity theft, that shows an astounding lack of understanding of the security risks that this poses.

    At this point, if I had a credit card through Chase, I would cancel it as soon as I found a replacement.

  3. Another update: Chase is still sending email to the same spamtraps, with the same confidential information as before. The most recent also contained the balance of the user’s reward money/points (not sure how the program works). :/ I am SO not impressed with the care this company takes with its users’ private information.
