A new and widely disseminated phishing attack aimed at Visa cardholders uses the visa-secure.com domain to collect authentication information from Visa customers. The situation highlights the trend for fraudsters to register plausible sounding domains in advance of an attack, which is both a threat and an opportunity for financial instituations trying to defend themselves against Internet fraud.
The threat is plain to see: the visa-secure domain generates additional credibility for the attack, in a scenario where credibility is everything.
The phishing mail uses some plausible trappings with a From address of email@example.com and invites the victim to confirm their card information by visiting a secure page at https://visa-secure.com/personal/secure_with_visa/. The victim is then prompted to activate their Visa card by entering their address details, credit card information, bank details, password and Social Security number. The fraudulent web page reassuringly states, "We use advanced SSL encryption technology to ensure confidential information cannot be viewed, intercepted or altered."
A compounding problem is that although visa-secure.com is not owned by Visa, Visa does own and use other derivatives and extensions of Visa as part of its Internet presence, including names such as verifiedbyvisa.com and visabuxx.com. To someone accustomed to these sites, it might seem plausible that sensitive card information would be handled by a domain called visa-secure.com.
In fact, the visa-secure.com domain is administered by fraudsters and hosted in Taiwan.
However, although the domain adds considerable credibility to the attack, it also gives the financial institution an opportunity to defend its customers, and creates precisely the scenario anticipated by our own bank fraud detection service.
This allows financial institutions to pre-empt such frauds through prompt action as soon as they notice domains that may be attempting to masquerade as their institution. Netcraft's service can often spot such suspicious domain registrations within 24 hours. The visa-secure.com domain was registered nearly two months ago, on 13 August 2004, giving plenty of time for action to be taken before it was eventually used in this attack.