Fair Use: Please note that use of the Netcraft Blog is subject to our Fair Use and Copyright policies. For more information, please visit http://news.netcraft.com/fair-use-copyright, or email info@netcraft.com.
  1. Latest IE Flaws Provide Opportunity for Phishers

    The latest Internet Explorer security holes offer new ways for phishing scams to present realistic spoofs of financial web sites. One of the flaws allows fraudsters to display the URL of a trusted site in Internet Explorer's address bar, while presenting content from a different web page in the browser window. Another vulnerability could allow sophisticated attackers to create spoofed pages displaying the golden "lock" icon indicating a secure SSL session, which has often been cited as a differentiator between legitimate sites and scams.

    The new spoofing techniques are described in Microsoft security update MS04-038, one of 10 patches released Tuesday to address security problems in Microsoft Windows, Excel and Internet Explorer.

    One approach allows a plugin, such as an ActiveX control, to instruct the browser to display a false URL in the address bar. This could allow phishers to create spoofed pages that resemble a financial institution's login page and include an ActiveX control that tricks the browser into displaying the URL of the target site. A visitor with an unpatched browser arriving via an e-mail link would find a site that appears genuine.

    Posted by Rich Miller on 14th October, 2004 in Security

  2. Cardholders targeted by Phishing attack using visa-secure.com

    A new and widely disseminated phishing attack aimed at Visa cardholders uses the visa-secure.com domain to collect authentication information from Visa customers. The situation highlights the trend for fraudsters to register plausible-sounding domains in advance of an attack, which is both a threat and an opportunity for financial institutions trying to defend themselves against Internet fraud.

    The threat is plain to see: the visa-secure domain generates additional credibility for the attack, in a scenario where credibility is everything.

    The phishing mail uses some plausible trappings with a From address of update@visa.com and invites the victim to confirm their card information by visiting a secure page at https://visa-secure.com/personal/secure_with_visa/. The victim is then prompted to activate their Visa card by entering their address details, credit card information, bank details, password and Social Security number. The fraudulent web page reassuringly states, "We use advanced SSL encryption technology to ensure confidential information cannot be viewed, intercepted or altered."

    A compounding problem is that although visa-secure.com is not owned by Visa, Visa does own and use other derivatives and extensions of Visa as part of its Internet presence, including names such as verifiedbyvisa.com and visabuxx.com. To someone accustomed to these sites, it might seem plausible that sensitive card information would be handled by a domain called visa-secure.com.

    In fact, the visa-secure.com domain is administered by fraudsters and hosted in Taiwan.

    However, although the domain adds considerable credibility to the attack, it also gives the financial institution an opportunity to defend its customers, and creates precisely the scenario anticipated by our own bank fraud detection service.

    This allows financial institutions to pre-empt such frauds through prompt action as soon as they notice domains that may be attempting to masquerade as their institution. Netcraft's service can often spot such suspicious domain registrations within 24 hours. The visa-secure.com domain was registered nearly two months ago, on 13 August 2004, giving plenty of time for action to be taken before it was eventually used in this attack.

    Posted by Paul Mutton on 8th October, 2004 in Security

  3. ASP.NET Security Flaw Can Bypass Password

    A security flaw in Microsoft's ASP.NET technology could allow intruders to enter password-protected areas of a web site by altering a URL. A fix is not yet available, but Microsoft is offering guidelines to help ASP.NET users secure their sites against intrusion attempts. The flaw exists only in ASP.NET, not ASP (Active Server Pages).

    Microsoft reported: "This issue affects Web content owners who are running any version of ASP.NET on Microsoft Windows 2000, Windows 2000 Server, Windows XP Professional, and Windows Server 2003." Netcraft data finds that ASP.NET is currently on over 2.9 million active sites.

    [Figure: ASP.NET Growth]

    Posted by Rich Miller on 7th October, 2004 in Security

  4. Security Holes in WordPress Blogging Tool

    Security vulnerabilities have been found in WordPress, the popular PHP-based open source blogging application. Some scripts in WordPress are not properly validated, leaving the program open to cross-site scripting (XSS) attacks in which third parties could insert content into a WordPress-driven site.

    WordPress has grown in popularity in recent months, emerging as a leading free alternative to Movable Type, which alienated many users with new licensing terms. The vulnerability could allow hackers to create a URL that generates pages in WordPress from content created by the hacker, rather than the site owner. An unsuspecting user following such a link would be sent to the trusted WordPress-based site, but encounter fake content that could include a range of exploits, such as links that infect their computers with spyware or trojans.

    Posted by Rich Miller on 30th September, 2004 in Security

  5. Phishers Manipulate SunTrust Site to Steal Data

    A new phishing attack alters the SunTrust Bank web site, allowing fraudsters to collect customer authentication details using the bank's own site. The attack inserts a form into a frameset within the investor relations area of the SunTrust web site, giving the outward appearance that it is part of the bank's official site.

    The spoofed page includes a form and asks the user to provide their Social Security number, ATM card number, ATM password/PIN, and the last four digits of their SunTrust account. The "bait" in this phishing scam is an email with the subject "SunTrust Bank - Suspicious Activity Suspected" with a spoofed return address of "services@suntrust.com." The mail tells SunTrust customers that "your information has been changed or incomplete, as a result your access to use our services has been limited. Please update your information." The mail includes a link to the investor relations page of the SunTrust site, which is manipulated to insert the spoofed page from a remote server at the IP address 194.47.244.145, located at Lund University in Sweden.

    Posted by Rich Miller on 28th September, 2004 in Security

  6. JPEG Exploit Attempt Sent to Newsgroups

    A JPEG image that tries to use a Windows security hole to seize control of an Internet user's computer has been released to Usenet newsgroups, according to a post on the BugTraq mailing list.

    Security groups are split on whether the image succeeds in its attempt, but most agree that the incident is a precursor to a more ambitious exploit with improved code. Others maintain that fears of a "JPEG of Death" wreaking havoc on the Internet are overdone, even as reports emerge that the vulnerability in Microsoft's Graphics Device Interface (GDI) is showing up in numerous non-Microsoft applications.

    The malicious JPEG was sent to several Usenet newsgroups that post pornographic images. Some security researchers say early tests show the exploit crashes Windows XP machines when it is opened, but stops short of compromising computers. But maintainers of EasyNews, a web-based interface for reading Usenet, say the image installs a trojan. "Once this JPEG overflowed GDI+, it phoned home, connected to an ftp site and downloaded almost 2 megs of stuff," according to a message from EasyNews. "It installs a trojan that installs itself as a service."

    Posted by Rich Miller on 28th September, 2004 in Security