
Thread: Interesting phishing...

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323

    Interesting phishing...

    A student of mine forwarded the following phish to me:

    Dear Visa® customer,


    *Before activating your card, read this important information for cardholders!*

    You have been sent this invitation because the records of Visa Corporate
    indicate you are a current or former Visa card holder. To ensure your Visa
    card's security, it is important that you protect your Visa card online with a
    personal password. Please take a moment, and activate for Verified by Visa now.

    Verified by Visa protects your existing Visa card with a password you create,
    giving you assurance that only you can use your Visa card online.

    Simply activate your card and create your personal password. You’ll get the
    added confidence that your Visa card is safe when you shop at participating
    online stores.

    *Activate Now for Verified by Visa*
    <http://usa.visa.com/track/dyredir.js....10/.verified/>


    Visa Department

    It uses a graphic to hide the information and the true URL (as seen above) from the user. So the user clicks on the big banner (see attached picture) and then ends up at the re-directed site. Two things of note:

    - it's a hidden directory (note the . before the word verified); this makes me think that this system has been broken into
    - it actually checks numbers on the credit to ensure that what's inputted is legitimate rather than say all 1s or various variations of that (in the end I used a defunct credit card number to see if it would accept it and it did)


    The site is up for now and as I write this I'm using IntelliTamper to get the pages as well as to see what other activities this person may have been up to. It has been reported to the Anti-Phishing Workgroup and the ISP.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
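
A defender-side triage of the link traits described in post #1, as an added example that is not part of the original thread: it flags a redirect target carried in the link, a raw-IP host, and a dot-prefixed directory. It assumes the redirector takes its target in a query parameter; the sample URLs, the `url` parameter name and `brand.example` are constructed placeholders, not values from the phish.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# Dot-prefixed path segments that are legitimate and should not be flagged.
ALLOWED_DOT_SEGMENTS = {".", "..", ".well-known"}

def embedded_urls(url):
    """Return absolute URLs found in query-string values (redirector targets)."""
    return [value for _, value in parse_qsl(urlsplit(url).query)
            if value.lower().startswith(("http://", "https://"))]

def is_ip_literal(host):
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage_link(url, brand_domain):
    """Check a link, and any redirect target inside it, for the traits in post #1."""
    findings = set()
    chain = [url] + embedded_urls(url)
    if len(chain) > 1:
        findings.add("redirect-target-in-query")
    for candidate in chain:
        parts = urlsplit(candidate)
        host = (parts.hostname or "").lower()
        if is_ip_literal(host):
            findings.add("ip-literal-host")
        elif not (host == brand_domain or host.endswith("." + brand_domain)):
            findings.add("off-brand-host")
        for segment in parts.path.split("/"):
            if segment.startswith(".") and segment not in ALLOWED_DOT_SEGMENTS:
                findings.add("hidden-directory")
    return sorted(findings)

# Constructed samples (documentation address 192.0.2.10, placeholder brand domain).
SAMPLE_PHISH = ("http://www.brand.example/track/redir"
                "?url=http%3A%2F%2F192.0.2.10%2F.verified%2F")
SAMPLE_CLEAN = "https://www.brand.example/.well-known/security.txt"

if __name__ == "__main__":
    print(triage_link(SAMPLE_PHISH, "brand.example"))
    print(triage_link(SAMPLE_CLEAN, "brand.example"))
```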

  2. #2
    Senior Member
    Join Date
    Oct 2004
    Posts
    118
    Where the heck is this website? It looks like somebody's personal computer. I just typed the IP address without the ".verified" and it took me to a test page! Somebody's using Apache on a Red Hat machine.
    Never trouble another for what you can do for yourself.
    -Thomas Jefferson


  3. #3
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Oh definitely. It's part of why I think it's a compromised box. It's Apache 2.0.52 from what I found out with IntelliTamper.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103

    Re: Interesting phishing...

    Originally posted here by MsMittens
    It has been reported to the Anti-Phishing Workgroup and the ISP.
    Does Visa know about it as well? They might want to file some complaints once/if they catch whoever is behind this...
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  5. #5
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    I'll mention it to them. Thank you for pointing that out.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  6. #6
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    I'm kinda tired but I don't see an attached picture, MsMittens

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Oops. Forgot to attach it. Damn exam week/marking! Brain's turned to mush.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    I did a whois on the IP I got when it redirected me

    WHOIS results for 200.251.251.10
    Generated by www.DNSstuff.com
    Country: BRAZIL

    ARIN says that this IP belongs to LACNIC; I'm looking it up there.

    NOTE: More information appears to be available at whois.registro.br.

    Using 1 day old cached answer (or, you can get fresh results).
    Hiding E-mail address (you can get results with the E-mail address).


    % Copyright LACNIC lacnic.net
    % The data below is provided for information purposes
    % and to assist persons in obtaining information about or
    % related to AS and IP numbers registrations
    % By submitting a whois query, you agree to use this data
    % only for lawful purposes.
    % 2004-12-14 10:29:21 (BRST -02:00)

    inetnum: 200.128/9
    status: allocated
    owner: Comite Gestor da Internet no Brasil
    ownerid: BR-CGIN-LACNIC
    responsible: Frederico A C Neves
    address: Av. das Nações Unidas, 11541, 7° andar
    address: 04578-000 - São Paulo - SP
    country: BR
    phone: +55 11 9119-0304 []
    owner-c: CGB
    tech-c: CGB
    inetrev: 200.128/9
    nserver: NS.DNS.BR
    nsstat: 20041213 AA
    nslastaa: 20041213
    nserver: NS1.DNS.BR
    nsstat: 20041213 AA
    nslastaa: 20041213
    nserver: NS2.DNS.BR
    nsstat: 20041213 AA
    nslastaa: 20041213
    remarks: These addresses have been further assigned to Brazilian users.
    remarks: Contact information can be found at the WHOIS server located
    remarks: at whois.registro.br and at http://whois.nic.br
    created: 19950104
    changed: 20020902

    nic-hdl: CGB
    person: Comite Gestor da Internet no Brasil
    e-mail: ******@NIC.BR
    address: Av. das Nações Unidas, 11541, 7° andar
    address: 04578-000 - São Paulo - SP
    country: BR
    phone: +55 19 9119-0304 []
    created: 20020902
    changed: 20020902

    % whois.lacnic.net accepts only direct match queries.
    % Types of queries are: POCs, ownerid, CIDR blocks, IP
    % and AS numbers.


    Doesn't look like Visa to me???

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    Oops. Forgot to attach it. Damn exam week/marking! Brain's turned to mush
    lol hey, no problem. Just finishing up my finals now <in between classes now>. I don't expect my brains to recover from the mush state for a while now! Geesh.. You teachers need to calm down on the finals jk. Eight plus pages for an English final in less than two hours.. come on! From me that's definitely not going to make sense

  10. #10
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    An interesting solution has come up. After reporting this to Visa, they replied they'd look into it. When attempting the link today I got the following page:

    This URL does not appear to be an authorized Visa URL.
    If you believe this is a Phishing attempt, please report it by sending an email to
    AskVisaUSA@visa.com
    Smart move on their part and fairly quick. The phished site itself doesn't seem to respond any more either.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
