Approximately two weeks ago, we mentioned a phishing attempt targeting the Mastercard's SecureCode service . We expected to see similar attempts targeting Visa's counterpart service, Verified by Visa. Today, we received one of the first samples:
The email came with a forged verifiedbyvisa.com "From" address, and provides plenty of links to the real Verified by Visa page. The "Activate Now" button, however, takes you to a phishing page hosted on a compromised domain:
The phish page asks for various identity information, including a user's Visa card number, 3-digit security ID, ATM pin, Social Security Number, mother's maiden name, full address, and phone number. The security key creation portion of the site provides two boxes for entering the new key:
The help link for the security key, however, directs a user to the Yahoo! Security Key page:
If an unsuspecting user visits the link, chances are they will get suspicious and start wondering what Yahoo! IDs have to do with Verified by Visa. So, this phish site is not very well constructed. This phish campaign also lacks the enticing 16% purchase discount offered by the previous attempt.
Hopefully, even non-alert users would recognize this phishing attempt due to the inconsistencies on the site. On the other hand, alert computer users employing safe computing practices would not have clicked on the link in the first place.