At the time of its capture, the mail no longer showed the logos because the images were hosted on a free site that blocked them. The text of the fake email (errors included) reads:
Subject: Urgent to verify your account
Dear Customer,
Recently, we have determined that a person can use your card without your authorization, and not payments from multiple attempts. Now we need to confirm your credit card information. To protect the card against fraudulent use, and the Verified by Visa security update system, please follow this link:
click here (link)
Note: If you do not complete this procedure by March 30, 2011, we will be forced to suspend your card permanently, as it may be used fraudulently.
Thank you for considering this information and help us maintain the confidentiality and security of your credit card.
Cordially.
Verified by Visa security service department.
The links in this case correspond to an Argentine e-mail marketing company.
Abuse of e-mail marketing platform (New method for these cases!)
In particular, this phishing case does not differ in any way from others that we have already reported. But in several (not all) of the emails we received today reporting the case, we observed the particularity that they were built and sent with the e-mail marketing system of a well-known company in the field in Argentina. In these cases the emails were sent to the subscribers of electronic newsletters of some clients of this company. This evidently helped the criminals: because the messages came from a recognized and usual IP, they were not filtered by many anti-spam/anti-phishing filters. Even the links are those used, in this case abused, by the e-mail marketing system.
From Segu-Info we contacted that company and its manager explains:
"Apparently somehow they took the user's password and made a send from the system in a normal way (not a hack), since they uploaded the piece through the system as users."
And he also tells us about some measures they have already taken:
"We already asked the client to check their equipment, we proceeded to deactivate the URL of the aforementioned mail, we blocked any mail that may leave our system with that subject, or mail that includes the word visa."
We find here the "novelty" about the abuse by criminals of the credentials of a mass mailing platform and its subscriber base.
We believe this may continue in the future to the extent that email marketing companies do not take greater monitoring measures and hinder or prevent abuse as observed today.
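The measures the company describes (blocking the subject and the word visa) and the greater monitoring called for above can be combined into a pre-send check on each uploaded campaign. The following Python code is an added example, not code from Segu-Info or the company; the policy sets, account profile, function names and `.example` hosts are constructed assumptions, and the unusual-link-host check goes beyond what the company says it did.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy values for illustration (not the company's real rules).
BLOCKED_SUBJECTS = {"urgent to verify your account"}
PROTECTED_BRANDS = {"visa"}  # brand words a sender must be approved to use

# Constructed account profile: what this customer normally sends.
SAMPLE_ACCOUNT = {"approved_brands": set(), "usual_link_hosts": {"shop.example"}}


class CampaignParser(HTMLParser):
    """Collects visible text and the host of every <a href> in the upload."""

    def __init__(self):
        super().__init__()
        self.hosts, self.text = set(), []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href") if tag == "a" else None
        try:
            host = urlsplit(href).hostname if href else None
        except ValueError:  # malformed URL: treat as an unknown host
            host = "unparseable-url"
        if host:
            self.hosts.add(host.lower())

    def handle_data(self, data):
        self.text.append(data)


def screen_campaign(account, subject, html):
    """Return reasons to hold a campaign for review; an empty list means send."""
    parser = CampaignParser()
    parser.feed(html)
    parser.close()
    reasons = []
    if subject.strip().lower() in BLOCKED_SUBJECTS:
        reasons.append("blocked subject")
    # Whole-word tokens, so "visa" does not fire on "advisable".
    words = set(re.findall(r"[a-z0-9]+", (subject + " " + " ".join(parser.text)).lower()))
    for brand in sorted((PROTECTED_BRANDS & words) - account["approved_brands"]):
        reasons.append(f"unapproved brand word: {brand}")
    # Checked on the uploaded destination, before tracking links wrap it.
    for host in sorted(parser.hosts - account["usual_link_hosts"]):
        reasons.append(f"link host never used by this account: {host}")
    return reasons
```

Because the criminals sent through the platform as a legitimate user, a check like this has to compare each campaign against the account's own history rather than rely on authentication alone.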
The fake site
You can see the entry page to the fake site, as it has already been reported by one of the readers who alerted us to this issue. As we said, it does not represent a novelty: it is still very similar to the original, even the domain they registered for this case.
Thanks to Pablo S. for the detailed report of this case and to Alejandro B. for answering our queries.
Clarification: The Visa website has not been abused. The reported case shows how they have duplicated it and trick users into entering that twin site in order to steal credentials.
Raúl, from the Segu-Info editorial team

