Bugtraq: New VISA scam exploits IE vulnerability

From: Marek Szuba <cyberman_at_if.pw.edu.pl>
Date: Wed, 24 Dec 2003 01:36:51 +0100 (MET)

(Moderators: feel free to wrap the long lines if you think it's necessary,
I'm posting it as I received it)

Hello bugtraq,

The VISA scam rides again!

=== Cut ===

>From 1863qb_at_yahoo.com Wed Dec 24 00:42:50 2003
Received: from 172.153.31.70 (AC991F46.ipt.aol.com [172.153.31.70])
        by xxxx.xxxx.xxxx.xx (8.11.2/8.11.2) with SMTP id hBNNglx01132
        for <xxxx_at_xxxx.xxxx.xx>; Wed, 24 Dec 2003 00:42:48 +0100 (MET)
Message-Id: <200312232342.hBNNglx01132_at_xxxx.xxxx.xxxx.xx>
Date: Tue, 23 Dec 2003 17:42:09 -0600
From: Visa International Service <security_at_visa-security.com>
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
Reply-To: Visa International Service <security_at_visa-security.com>
Organization: Visa International Service
X-Priority: 3 (Normal)
To: xxxx_at_xxxx.xxxx.xx
Subject: Visa Security Update
Mime-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Status: RO
X-Status:
X-Keywords:
X-UID: 1036

<HTML><HEAD>
<TITLE>Secure with Visa</TITLE>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<BODY bgcolor=#ffffff>

<table ALIGN=center cellpadding="0" cellspacing="0" border="0">
<tr>
<td>

<table ALIGN=center cellpadding="0" cellspacing="0" border="0">
<tr width="610">
<td height="118"><center><IMG src="http://66.235.192.147/~gotierco/p_secure_holiday.jpg"></center></td>
</tr>

<table ALIGN=center cellpadding="0" cellspacing="0" border="0">
<tr>
<td><br>
<b>Dear Customer,<br><br>

Our latest security system will help you to avoid possible fraud actions and<br> keep your investments in safety.<br><br>

Due to technical security update you have to reactivate your account<br><br>

Click on the link below to login to your updated Visa account.<br><br>

To log into your account, please visit the Visa Website at <br><br>

<a href="http://www.visa.com :UserSession=2f6q9uuu88312264trzzz55884495&usersoption=SecurityUpdate&StateLevel=GetFrom@66.235.192.147/~gotierco/verified_by_visa.htm">http://www.visa.com</a>

<br><br>

We respect your time and business.<br> It's our pleasure to serve you.<br><br><br></b>

Please don't reply to this email. This e-mail was generated by a mail handling system.<br><br><br>

<center><IMG src="http://66.235.192.147/~gotierco/white_visa_logo.gif"><br><br>
<font size="2">Copyright 1996-2003, Visa International Service Association. All rights reserved.</center><br><br>
</td></tr></table>
</td></tr></table>
</td></tr></table>
</BODY></HTML>

=== Cut ===

While the whole thing seems to be a really sorry attempt of someone who
knows next to nothing about e-mail, looking at the URI the victim is
supposed to go to suggests the scammer attempted (unsuccessfully, it
appears - I couldn't check it because I don't use Windows, but there
doesn't seem to be the 0x01 char anywhere) to exploit the Internet
Explorer URL parsing vulnerability discovered not long ago, in order to
obscure the real target host from superficial inspections that many users,
especially of the kind that would believe such messages, never go
beyond.

AOL and iPowerWeb (where the scam site is located) have been notified.

Cheers,

-- 
MS
Received on Dec 26 2003
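
Added example, not part of the original post: a mail-filter style check for the link trick discussed above, where everything before the last '@' in the URL authority is userinfo and the real host follows it, including the 0x01 control character the poster looked for. The names LinkCollector, split_authority and audit_links are hypothetical, and the sample links are constructed with documentation hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def split_authority(url):
    """Return (userinfo, host); the host is what follows the LAST '@' (no IPv6)."""
    m = re.match(r"(?i)https?://([^/?#]*)", url.strip())
    userinfo, _, hostport = (m.group(1) if m else "").rpartition("@")
    return unquote(userinfo), hostport.split(":")[0].lower()

def audit_links(html):
    """Return one finding per suspicious link: real host, shown host, reasons."""
    parser, findings = LinkCollector(), []
    parser.feed(html)
    for href, text in parser.links:
        userinfo, host = split_authority(href)
        shown = split_authority(text)[1]  # host named in the visible link text
        checks = [
            ("userinfo-before-@", bool(userinfo)),
            ("control-char-in-userinfo", any(ord(c) < 0x20 for c in userinfo)),
            ("text-host-mismatch", bool(shown) and shown != host),
            ("ip-literal-host", bool(re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host))),
        ]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings.append({"host": host, "shown": shown, "reasons": reasons})
    return findings

# Constructed sample (documentation hosts, not the addresses from the post).
SAMPLE = '''<a href="http://www.example-bank.test :Session=abc@203.0.113.7/~u/login.htm">http://www.example-bank.test</a>
<a href="http://www.example-bank.test%01@203.0.113.7/x">Log in</a>
<a href="http://www.example.org/help">Help</a>'''
```

The first constructed link has the same shape as the one in the quoted message (a space but no control character in the userinfo); the second adds a percent-encoded 0x01 and is flagged for it as well.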