From SecureCode to Verified by Visa

Approximately two weeks ago, we mentioned a phishing attempt targeting Mastercard’s SecureCode service [1]. We expected to see similar attempts targeting Visa’s counterpart service, Verified by Visa. Today, we received one of the first samples:

Verified by Visa phishing email

The email came with a forged “From” address and provided plenty of links to the real Verified by Visa page. The “Activate Now” button, however, takes you to a phishing page hosted on a compromised domain:

Verified by Visa Phishing page

The phish page asks for various identity information, including a user’s Visa card number, 3-digit security ID, ATM PIN, Social Security Number, mother’s maiden name, full address, and phone number. The security key creation portion of the site provides two boxes for entering the new key:

Verified by Visa Phishing page (Security Key)

The help link for the security key, however, directs a user to the Yahoo! Security Key page:

Help for Yahoo Security Key

If an unsuspecting user visits the link, chances are they will get suspicious and start wondering what Yahoo! IDs have to do with Verified by Visa. So, this phish site is not very well constructed. This phish campaign also lacks the enticing 16% purchase discount offered by the previous attempt.

Hopefully, even non-alert users would recognize this phishing attempt due to the inconsistencies on the site. On the other hand, alert computer users employing safe computing practices would not have clicked on the link in the first place.
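
The link pattern in this email (many links to the real brand site, one call-to-action pointing elsewhere) can be checked mechanically at a mail gateway. The following is an added example, not part of the original sample or of any product: the brand domain set, the helper names, and the sample HTML with its `compromised.example` host are all assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the defender maintains the domains the brand really uses.
BRAND_DOMAINS = {"visa.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def on_brand(host, brand_domains=BRAND_DOMAINS):
    """True only for the brand domain itself or a true subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in brand_domains)

def off_brand_links(html_body, brand_domains=BRAND_DOMAINS):
    """Return (href, text) for links outside the brand's domains, but only
    when the message also links to the brand (the mixed pattern)."""
    parser = LinkCollector()
    parser.feed(html_body)
    # urlsplit().hostname ignores any userinfo placed before an '@'.
    hosts = [(h, t, urlsplit(h).hostname) for h, t in parser.links]
    if not any(on_brand(host, brand_domains) for _, _, host in hosts):
        return []
    return [(h, t) for h, t, host in hosts
            if host and not on_brand(host, brand_domains)]

# Constructed sample modelled on the email described above.
SAMPLE = """
<p><a href="https://www.visa.com/">Visa</a> |
<a href="https://www.visa.com/verified">Verified by Visa</a></p>
<a href="http://compromised.example/vbv/activate.php">Activate Now</a>
"""

if __name__ == "__main__":
    print(off_brand_links(SAMPLE))
```
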