HEADS UP: Fake Visa email

Printable View

December 23rd, 2003, 04:56 PM
SirDice

HEADS UP: Fake Visa email

I received the following HTML email this morning:

Quote:

From: Visa International Service <[email protected]>
Subject: Visa Security Update
Date: 23 Dec 2003 05:24:34 -0600

{image}

Dear Customer,

Our latest security system will help you to avoid possible fraud actions
and
keep your investments in safety.

Due to technical security update you have to reactivate your account

Click on the link below to login to your updated Visa account.

To log into your account, please visit the Visa Website at

http://www.visa.com

We respect your time and business.
It's our pleasure to serve you.

Please don't reply to this email. This e-mail was generated by a mail
handling system.

{image}

Copyright 1996-2003, Visa International Service Association. All rights
reserved.

The visa link inside the email points to:
http://www.visa.com:UserSession=2f6q...ed_by_visa.htm

After the http://www.visa.com you'll find a familiar 0x01. It's the first email I've seen that actually makes use of this browser bug.
December 23rd, 2003, 05:32 PM
thehorse13

Yeah, this is all over BugTraq today too. Yet another XSS issue to deal with...

Good catch.

:)
December 23rd, 2003, 10:30 PM
KissCool

And they have added the very classical false web site trap, also. Hidden in their endless link, you can find "@205.243.144.83/~gotierc/verified_by_visa.htm".

This mail seems well written and well presented. It could make a lot of victims.
December 24th, 2003, 01:09 AM
nihil

Good heads up!

The "English" is not quite "English", but it is a reasonable effort :)

Cheers
December 24th, 2003, 01:15 AM
foxyloxley

As a question ? What would happen if I were to click the link in SirDice's message, and put some fake details into the relevant boxes, and NO I haven't been there.

edit : by what would happen. I mean, would it class as a hack? or spam ? or what ?
December 24th, 2003, 02:24 AM
Tim_axe

Scam I think. The website has already been taken down. Clicking the link now brings you to a 404 Error, page not found. Basically when it was working, the person would forward the data you type in to a CGI script to collect the data that people type in, and they would access this data later to get account detail to steal money, etc... The page itself is at http://205.243.144.83/~gotierc/verified_by_visa.htm but all of the stuff before it is made to make is appear "real," but it is really just random data and doesn't/shouldn't do anything. On Internet Explorer, it would appear to be the site listed in front with the visa.com and user session data...