Interesting phishing...

Printable View

December 15th, 2004, 12:56 PM
MrLinus

Interesting phishing...
A student of mine forwarded the following phish to me:

Quote:

Dear Visa® customer,

*Before activating your card, read this important information for cardholders!*

You have been sent this invitation because the records of Visa Corporate
indicate you are a current or former Visa card holder. To ensure your Visa
card's security, it is important that you protect your Visa card online with a
personal password. Please take a moment, and activate for Verified by Visa now.

Verified by Visa protects your existing Visa card with a password you create,
giving you assurance that only you can use your Visa card online.

Simply activate your card and create your personal password. You’ll get the
added confidence that your Visa card is safe when you shop at participating
online stores.

*Activate Now for Verified by Visa*
<http://usa.visa.com/track/dyredir.js....10/.verified/>

Visa Department

It uses a graphic to hide the information and the true url (as seen above) from the user. So the user clicks on the big banner (see attached picture) and then ends up at the re-directed site. Two things of note:
- - it's a hidden directory (note the . before the word verified); this makes me think that this system has been broken into
  - it actually checks numbers on the credit to ensure that what's inputted is legitimate rather than say all 1s or various variations of that (in the end I used a defunct credit card number to see if it would accept it and it did)
The site is up for now and as I write this I'm using IntelliTamper to get the pages as well as to see what other activities this person may have been up to. It has been reported to the Anti-Phishing Workgroup and the ISP.
December 15th, 2004, 03:30 PM
alamuru420123

where the heck is this website? It looks like somebody's personal computer. I just typed the ip address without the ".verified" and it took me to a test page ! Somebody's using apache on a red hat machine. :D
December 15th, 2004, 03:52 PM
MrLinus

Oh definately. It's part of why I think it's a compromised box. It's Apache 2.0.52 from what I found out IntelliTamper.
December 15th, 2004, 04:16 PM
Guus

Re: Interesting phishing...

Quote:

Originally posted here by MsMittens
It has been reported to the Anti-Phishing Workgroup and the ISP.

Does Visa know about it as well? They might want to file some complaints once/if they catch whoever is behind this...
December 15th, 2004, 04:17 PM
MrLinus

I'll mention it to them. Thank you for pointing that out. :)
December 15th, 2004, 04:26 PM
kurt_der_koenig

I kinda tired but I don't see an attached picture :confused: MsMittens
December 15th, 2004, 04:34 PM
MrLinus

Oops. Forgot to attach it. :D Damn exam week/marking! Brain's turned to mush.
December 15th, 2004, 04:37 PM
morganlefay

I did a whois on the IP I got when it redirected me

Quote:

WHOIS results for 200.251.251.10
Generated by www.DNSstuff.com
Country: BRAZIL

ARIN says that this IP belongs to LACNIC; I'm looking it up there.

NOTE: More information appears to be available at whois.registro.br.

Using 1 day old cached answer (or, you can get fresh results).
Hiding E-mail address (you can get results with the E-mail address).

% Copyright LACNIC lacnic.net
% The data below is provided for information purposes
% and to assist persons in obtaining information about or
% related to AS and IP numbers registrations
% By submitting a whois query, you agree to use this data
% only for lawful purposes.
% 2004-12-14 10:29:21 (BRST -02:00)

inetnum: 200.128/9
status: allocated
owner: Comite Gestor da Internet no Brasil
ownerid: BR-CGIN-LACNIC
responsible: Frederico A C Neves
address: Av. das Nações Unidas, 11541, 7° andar
address: 04578-000 - São Paulo - SP
country: BR
phone: +55 11 9119-0304 []
owner-c: CGB
tech-c: CGB
inetrev: 200.128/9
nserver: NS.DNS.BR
nsstat: 20041213 AA
nslastaa: 20041213
nserver: NS1.DNS.BR
nsstat: 20041213 AA
nslastaa: 20041213
nserver: NS2.DNS.BR
nsstat: 20041213 AA
nslastaa: 20041213
remarks: These addresses have been further assigned to Brazilian users.
remarks: Contact information can be found at the WHOIS server located
remarks: at whois.registro.br and at http://whois.nic.br
created: 19950104
changed: 20020902

nic-hdl: CGB
person: Comite Gestor da Internet no Brasil
e-mail: ******@NIC.BR
address: Av. das Nações Unidas, 11541, 7° andar
address: 04578-000 - São Paulo - SP
country: BR
phone: +55 19 9119-0304 []
created: 20020902
changed: 20020902

% whois.lacnic.net accepts only direct match queries.
% Types of queries are: POCs, ownerid, CIDR blocks, IP
% and AS numbers.

[If E-mail address(es) were hidden on this page, you can click here to get the results with the E-mail address.

Doesnt look like visa to me???

MLF
December 15th, 2004, 04:43 PM
kurt_der_koenig

Quote:

Oops. Forgot to attach it. Damn exam week/marking! Brain's turned to mush

lol hey, no problem. Just finishing up my finals now<in between classes now>. I don't expect my brains to recover from the mush state for a while now! geesh..You teachers need to calm down on the finals ;) jk. Eight plus pages for an English final in less than two hours..come on! From me thats definately not going to make sense :)
December 16th, 2004, 09:02 PM
MrLinus

An interesting solution has come up. After reporting this to Visa, they replied they'd look into it. When attempting the link today I got the following page:

Quote:

This URL does not appear to be an authorized Visa URL.
If you believe this is a Phishing attempt, please report it by sending an email to
[email protected]

Smart move on their part and fairly quick. The phished site itself doesn't seem to respond any more either.
December 16th, 2004, 10:40 PM
Tiger Shark

I got an interesting one today frowarded by me CEO, (Yes, they're getting it finally...), purporting to be from Smith Barney. When I clicked the link I guess it was intercepted by the offending IP's ISP because it popped up a cute little window that simply stated "For security reasons this port is unavailable". A very elegant way of blocking the problem while they fix the cause.
December 16th, 2004, 11:04 PM
morganlefay

We have a new one here in Canada as I was warned by this email from CIRA

Quote:

CIRA Warns Dot-ca Domain Name Holders of Misleading Verification Notices Protect your domain name. Do not share your CIRA User Account Number or Password with anyone!

Ottawa, December 13, 2004 - The Canadian Internet Registration Authority
(CIRA) is advising dot-ca domain registrants (holders of dot-ca domain
names) NOT TO RESPOND OR REPLY TO ANY EMAILS requesting verification of CIRA User Account Numbers and Passwords.

CIRA has learned that an unknown party is attempting to obtain CIRA User Account Numbers and Passwords from dot-ca registrants by sending MISLEADING EMAIL NOTICES that appear to originate from CIRA. These misleading emails request that CIRA User Account Numbers and Passwords be provided to validate registrant information and prevent domain name suspension (inactivation).
The emails originate from [email protected]. CIRA's compliance email address is [email protected]

If you have replied to an email requesting your CIRA User Account Number and Password, and have included your CIRA User Account Number and Password in your reply, PLEASE CONTACT YOUR REGISTRAR IMMEDIATELY to request a new CIRA User Account Number and Password. If you do not know the name of your registrar, you may obtain it by entering your dot-ca domain name in the WHOIS field at http://whois.cira.ca/public

For additional information: http://www.cira.ca/news-releases/139.html

MLF
December 17th, 2004, 02:50 PM
steve.milner

Ms Mittens, on your second point:

Checking creditcard validity is relatively easy:

Here's a little pascal that will do the job:

Code:

// Perform LUHN check on a credit card number function CCLUHNCheck(CardNumber: string): Boolean; var Pos, Total, Temp: Integer; Double: Boolean; begin Double := False; Total := 0; for Pos := Length(CardNumber) downto 1 do begin if Double then begin Temp := 2 * StrToInt(MidStr(CardNumber, Pos, 1)); if Temp < 10 then Total := Total + Temp else Total := Total + (Temp - 9); // (Equivalent to adding two digits together) end else Total := Total + StrToInt(MidStr(CardNumber, Pos, 1)); Double := not Double; end; if Total mod 10 = 0 then Result := True else Result := False; end;

Steve
December 17th, 2004, 02:54 PM
MrLinus

Oh.. it may be easy but I've rarely seen it actually used. Many of the phishings I've seen prior to this don't take the time/effort to do that.
December 17th, 2004, 02:58 PM
steve.milner

A more intelligent phisher...

Didn't want to go to the trouble of filtering out the garbage or to make the phish look more real? I wonder what the real motive was..

Steve
December 17th, 2004, 05:25 PM
dspeidel

There's to the best of knowledge a new IE security flaw that allows a phisher to show a legitimate web address for example paypal.com but redirect the unsuspecting to a different site. A test can be found on http://secunia.com/internet_explorer...rability_test/ this is an IE only bug. I did a search and could not find an announcement of the bug (if I missed it PM me and I'll delete this post)

Regrads,
-D
December 18th, 2004, 09:34 PM
jinxy

Actualy I don't think the site verified whether the credit card was real or not..Only that the details entered matched the format of a credit card.

I'm only just learning javaScript but that is the impression i got looking at the sites sourse.................On the original site the script was not visible. The fake just looked like it was a course grab, with some bs javascipt added..............................Im not sure but i think submitted information would have been forwarded to another site hosted localy and not in the public domain.