register
-- Home
-- Phishing Archive
-- Report Phishing
-- Events
-- APWG News
-- Resources
-- Membership
-- APWG Member Site
-- Contact Us
-- JOIN THE APWG
 
LATEST NEWS IN THE FIGHT AGAINST PHISHING:		  
 
 
     
     
     
     
 

VISA - 'Verified By Visa'
15-Sep-2004

Summary
Email title: 'Verified By Visa'
Scam target: VISA cardholders
Email format: HTML e-mail
Sender:

noreply@visa.com
Sender spoofed? Yes
Scam call to action: 'You may activate Verified by Visa for your Visa card in two ways: Activate Now or Activate During Shopping...You may activate now by entering your card number over our secure server. If your card issuer is participating in Verified by Visa (most issuers are) you'll complete a brief activation process. You'll verify your identity, create your Verified by Visa password and you're done...'
Scam goal: Getting victim's credit/debit card information, SSN, contact information (name, e-mail address, phone numbers, etc.)
Call to action format: URL link
Visible link: http://usa.consumers.datasecurities.net/vsx-cgi/vsapps/personal/vsactivation
Called link :

http://usa.consumers.datasecurities.net/vsx-cgi/vsapps/personal/vsactivation
Phish website on: datasecurities.net
 
E-mail
 

This phish is quite an interesting one. It does not do the usual threatening phish scams do. It takes a real service offered by VISA, and offers to enroll you to it - from VISA's name, of course. The only difference is that VISA does not activate this service online.

The message is a very mild and calm in temper (while most phish scams create an atmosphere of urgency) and explains the new service - essentially a password protection of the transactions made from your card online. The text itself is largely copied from the VISA website:
 
 
The URL is not hidden. It does, however, start and finish like a normal URL on the VISA website, and could be very convincing.
 
Web Site
Visible link: http://usa.consumers.datasecurities.net/vsx-cgi/vsapps/personal/vsactivation
Called link :

http://usa.consumers.datasecurities.net/vsx-cgi/vsapps/personal/vsactivation
Phish website on: datasecurities.net
 
When eventually the link is clicked, the phish site opens:
 
 
As you see, the site copies the VISA style - in colors, fonts and pictures. It does have multiple links to the legitimate VISA site, and does not urge you to do anything - and this is what makes this scam so believable. The URL is, again, untampered. It is just believably constructed:
 
 
After the 'submit' button is pressed, the business end of the phish comes out:
 
 
This is where it should become suspicious. The amount of information is too great for just a service activation. Yet, it does look nice and believable.
 
WHOIS data:

Domain Name: DATASECURITIES.NET
Registrar: Spot Domain LLC

Expiration Date: 2007-08-14 10:58:27
Creation Date: 2004-08-14 08:49:56

Name Servers:
ns1.aaaservers.com
ns2.aaaservers.com

REGISTRANT CONTACT INFO
Rajagopal Srirangam
Rajagopal Srirangam
1539 Platte St.
Denver, CO 80202
US
Phone: 3034805307
Phone Code: 1 United States
Fax: 3034806895
Email Address: DATASECURITIES.NET@name.net