By Andrew Brandt
The gang of malware distributors who are currently flooding the Internet with bogus Facebook “Update Tool,” CDC “H1N1 Flu Vaccination Profile,” and IRS “Tax Statement” emails and Web pages are at it again — this time, targeting Visa with a fake email alert that leads to a page hosting not only a Trojan-Backdoor-Zbot installer, but that performs a drive-by download as well. This is the second time in less than a month that malware distributors have targeted Visa; Just before Thanksgiving, we saw a similar scam involving links to bunk Verified By Visa Web pages.
I’d say it’s ironic that malware distributors are using fraudulent transaction warnings as a method to infect users with a keylogger capable of stealing their credit card information when the victim enters it into a shopping Web site, but Visa doesn’t issue these kinds of warnings—the Visa-card-issuing bank warns customers of suspected fraud themselves, and they never do anything with that level of urgency via email.
Once you click through to the Web page, you end up on a page dressed up in its holiday best to look like an official Visa Web site. The top of the page even has your credit card number printed on it! Well, not the whole credit card number. It just prints the number “4XXX XXXX XXXX XXXX” (then goes on to say “to protect your private information, part of the card number is hidden with X’s“). How considerate.
Of course, all bank-issued Visa card numbers in the US are sixteen digits long and begin with a “4″ so it’s actually a pretty good guess that the Visa in your wallet right now looks just like that.
The bogus Web page even sports a URL that begins with “reports.visa.com,” followed by a random six- to eight-character domain name, but there the similarities end. The servers hosting the fraudulent pages are based in foreign countries where you wouldn’t expect a major company like Visa to operate its Web presence from, such as Morocco, on networks known to harbor both Koobface and Zbot Trojans. The text on the page claims to have a downloadable transaction report for your card. If you haven’t already guessed, the “statement” is just an installer for the Trojan.