VISA - 'Enroll your card with Verified By Visa program'
30-Sep-2004

Summary
Email title: 'Enroll your card with Verified By Visa program'
Scam target: VISA customers
Email format: HTML e-mail
Sender: Visa Inc © <verifiedbyvisa@visa.com>
Sender spoofed? Yes
Scam call to action: 'We need your authentication in order to protect your e-mail, your credit card and IP address from unsolicited bulk e-mails and fake shopping sites...Ples complete the Visa proposal at...' (original spelling kept)
Scam goal: Getting victim's keybank.com username/password, credit/debit card information
Call to action format: URL link
Visible link: https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html
Called link: http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm
Phish website hosted on IP: 209.35.123.41
 
E-mail
 

Another phish targeting VISA's 'Verified by VISA' program. The spelling mistakes here are something that could make you suspicious:

 
 
Otherwise, it's pretty nice. The sender is spoofed and the link looks legitimate.
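The "visible link" versus "called link" discrepancy in the summary above is exactly the thing an e-mail gateway or a user can check mechanically: the anchor text shows a Visa HTTPS URL, but the href goes to a different host over plain HTTP. The following is an added example (not code from the original archive entry or from APWG) that parses an HTML e-mail body with Python's standard library and flags anchors whose displayed text is a URL pointing at a different host, or whose displayed scheme is https while the real link is http. The sample message is constructed here from the visible and called links quoted on this page; the function and class names are the example's own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, unquote

# Constructed sample: an HTML e-mail body that reproduces the visible/called
# link pair from this archive entry plus one benign anchor for contrast.
SAMPLE_EMAIL = """<html><body>
<p>Ples complete the Visa proposal at
<a href="http://www.verified-web-us.com/Visa%20USA%20%20Personal%20%20Protect%20Your%20Card.htm">https://www.usa.visa.com/personal/secure_with_visa/index.html?t=h1_/index.html</a></p>
<p>Questions? <a href="https://www.usa.visa.com/">Visit Visa</a></p>
</body></html>"""

_URL_LIKE = re.compile(r"^(https?://|www\.)", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare 'www.example' text gets a scheme so urlparse sees a netloc."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def find_deceptive_links(html):
    """Return findings for anchors whose visible text is a URL that does not match the real href.

    Each finding is a dict with the shown text, the decoded href and the reasons it was flagged.
    Anchors whose visible text is not URL-like (e.g. 'Visit Visa') are not judged here.
    """
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not href or not _URL_LIKE.match(text):
            continue
        shown_host = _host(text)
        real_host = _host(href)
        reasons = []
        if shown_host and real_host != shown_host:
            reasons.append(f"host mismatch: shown {shown_host}, actual {real_host}")
        if text.lower().startswith("https://") and urlparse(href).scheme.lower() == "http":
            reasons.append("scheme downgrade: shown https, actual http")
        if reasons:
            # Percent-decode the href so the reviewer sees the real path (spaces and all).
            findings.append({"shown": text, "href": unquote(href), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_deceptive_links(SAMPLE_EMAIL):
        print(f["shown"], "->", f["href"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, the Visa anchor is reported with both a host mismatch (www.usa.visa.com versus www.verified-web-us.com) and an https-to-http downgrade, while the "Visit Visa" anchor is ignored because its text is not itself a URL. A mail filter would typically quarantine or rewrite such links rather than just print them; the check is deliberately conservative so that ordinary "click here" anchors do not generate noise.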
 
Web Site

The phish site uses a cunning trick to deepen the deception: a Java program that 'overwrites' the address bar of your browser with another window showing the legitimate URL. This window is placed at a fixed location, so if your browser is unusually customized (something that makes the address bar shorter, moves it higher or lower, or puts it at the bottom of the page), the scam becomes obvious. But since the majority of users keep their browsers at the default layout, the scam will work as intended on most people's machines.

There are some other clues of phishing, too: the errors in HTML rendering indicated by the browser (would VISA have errors on their official site? I doubt it - somebody would lose his/her job too quickly :) ), and the missing 'lock' icon at the lower right corner of the browser window (although the URL starts with https://):

 
 
After the information is 'phished', the website displays a typical-looking logout/confirmation screen, with some spelling errors on it too:
 
 
The phish is hosted on a server within the US:
 
Phish server DNS/WHOIS information:
DNS lookup:

Authoritative Server: a.ns.interland.net
Responsible Person: hostmaster.interland.net
Zone Serial Number: 2004092705
Refresh Interval: 1800
Retry Interval: 900
Expire Interval: 864000
Minimum Time to Live: 2560
verified-web-us.com NS a.ns.interland.net
verified-web-us.com NS b.ns.interland.net
verified-web-us.com NS c.ns.interland.net
verified-web-us.com MX 5 inbound.registeredsite.com
verified-web-us.com A 209.35.123.41

WHOIS data (for IP 209.35.123.41):

OrgName: Interland
OrgID: INTD
Address: 101 Marietta Street
City: Atlanta
StateProv: GA
PostalCode: 30039
Country: US

NetRange: 209.35.0.0 - 209.35.255.255
CIDR: 209.35.0.0/16
NetName: INTERLAND-2
NetHandle: NET-209-35-0-0-1
Parent: NET-209-0-0-0-0
NetType: Direct Allocation
NameServer: A.NS.INTERLAND.NET
NameServer: B.NS.INTERLAND.NET
NameServer: C.NS.INTERLAND.NET
RegDate: 1999-03-23
Updated: 2002-03-04