VISA - 'Notice from VISA'
21-Dec-2004

Summary

Email title: 'Update or verify your account informations'
Scam target: VISA credit card owners
Email format: HTML email
Sender: Visa Service Department <activate@verified.visa.com>
Sender spoofed? Yes
Phish 'punch line': 'To ensure your Visa card's security, it is important that you protect your Visa card online with a personal password. Please take a moment, and activate for Verified by Visa now'
Scam goal: Getting the victim's VISA credit card number, expiration date, verification number and PIN.
Phish link method: a 'Click here' type link
Visible link: 'Activate Now for Verified by Visa' link at the bottom of the email
Link 'masked'? Yes
Actual link to: http://usa.visa.com/track/dyredir.jsp?rDirl=http://200.251.251.10/.verified/
Phish website IP: 200.251.251.10

 
E-mail
 

This phish combines some very dangerous tricks, perfect execution and a flaw in VISA's legitimate site to create the most dangerous phish scam yet.

The email message it is being spread with looks perfect.

It is much more convincing than the usual phish stuff. The sender is spoofed, and the link is masked. But it goes even further: if the link is examined, it turns out it leads to the following URL: 'http://usa.visa.com/track/dyredir.jsp?rDirl=http://200.251.251.10/.verified/'. And this is a URL that is really on the visa.com site! It turns out that the phishers have used a redirect page on the visa.com site to redirect to the phish server.
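A defender-side check for links of this kind, added here as an example (it is not code from the APWG page): it parses the link's query string for a value that is itself an absolute URL and reports the host the browser will actually land on, so a mail gateway or analyst can spot a trusted-domain redirector pointing at a bare IP. The sample link is the one quoted above; the function and field names are this example's own.

```python
# Added example (not from the APWG page): detect a redirector on a trusted host
# whose query parameter carries a second, untrusted destination URL.
import ipaddress
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample: the masked link from the 'Notice from VISA' phish above.
PHISH_LINK = "http://usa.visa.com/track/dyredir.jsp?rDirl=http://200.251.251.10/.verified/"


def embedded_redirects(url: str):
    """Return (param, target_url) pairs for every query value that is an absolute http(s) URL."""
    parsed = urlparse(url)
    found = []
    # parse_qsl splits on '&' and then on the first '=' only, so an inner
    # URL with its own '=' survives; an inner '&' would have to be URL-encoded.
    for name, value in parse_qsl(parsed.query, keep_blank_values=True):
        candidate = unquote(value)
        inner = urlparse(candidate)
        if inner.scheme in ("http", "https") and inner.netloc:
            found.append((name, candidate))
    return found


def _is_ip_literal(host: str) -> bool:
    """True when the host part is a raw IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(url: str) -> dict:
    """Summarise where a link visibly points versus where a redirect parameter sends the browser."""
    visible_host = urlparse(url).hostname or ""
    result = {
        "visible_host": visible_host,
        "final_host": visible_host,
        "open_redirect": False,
        "ip_literal_target": _is_ip_literal(visible_host),
    }
    redirects = embedded_redirects(url)
    if redirects:
        # Treat the last embedded URL as the effective destination.
        _, target = redirects[-1]
        final_host = urlparse(target).hostname or ""
        result["final_host"] = final_host
        result["open_redirect"] = final_host != visible_host
        result["ip_literal_target"] = _is_ip_literal(final_host)
    return result


if __name__ == "__main__":
    print(analyse_link(PHISH_LINK))
```

For the sample link the report shows a visible host of usa.visa.com but a final host of 200.251.251.10, which is exactly the mismatch the e-mail's masked link hides.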
 
Web Site
 
The site itself uses a visually perfect address bar spoof, in addition to being very convincing design-wise. The real URL is visible in the properties page. The only other visible phishing clue is the missing padlock icon in the right part of the status bar, which is inconsistent with the 'https' in the forged address bar.

Notice the lack of a login screen, too.

And to make things even more convincing, the site checks the credit card number using a commonly available algorithm. This does not require or reveal any information about the bank account behind the card, but it would reject a random bogus number, which could make the potential victim trust the site.

After the data is phished, the site will just redirect to the legitimate usa.visa.com, as if nothing has happened.

 
WHOIS information (for IP 200.251.251.10):

inetnum: 200.251.251.0/26
registrar: registo.br, Brazil
aut-num: AS4230
abuse-c: GSE6
owner: Fundação L´Hermitage
ownerid: 001.444.385/0001-49
responsible: Marcelo Machado Gomes
address: Rua Doutor Camilo, 187,
address: 30240-090 - Belo Horizonte - MG
phone: (31) 32891888 []
owner-c: MMG27
tech-c: MMG27
created: 20020828
changed: 20020828
inetnum-up: 200.251/16