Brazilian Phishing Scam Targets MasterCard Reward Program

Security researchers warn of a new phishing attack that targets Brazilian credit card owners by spoofing emails from MasterCard's Surpreenda (surprise) program.

The new campaign was spotted by spam analysts from Commtouch, who note that unlike classic phishing schemes where users are threatened into exposing their sensitive information, this attack tries to lure them with rewards.

In order to achieve this they spoof communications related to MasterCard Surpreenda, an advantage program that lets credit card owners earn reward points when making purchases.

These points can then be spent in "pay one, take two" promotions, where the second product can be sent as a gift to someone.

The rogue emails purport to come from surpreenda@redecard.com.br and bear a title of "Participate in the MasterCard Surpirse Promotion - RedeCard." [translated]

It's likely the phishers hijacked a legit email advertising the program and only changed the destination of the link inside. The message reads [in translation]:

"To participate, simply register the card on the site [link]. After registration, each transaction of any value, is worth one point. Points can be exchanged for vouchers. With the voucher for the purchase of a product or service registered in the promotion, the cardholder earns another for free.

Accumulated points are not redeemable for vouchers turned into vouchers that compete for monthly drawings of two prepaid cards worth $ 50 thousand each, one for the cardholder and other gifts for those he appoints.

Sign up and start enjoying the benefits right now!

Sincerely,
MasterCard Promotions Department"

The link takes users to a phishing page spoofing the MasterCard website, which displays a form for inputting complete credit card details, as well as the Natural Persons Register number (CPF), the equivalent of the US SSN.

Phishing is very common in Brazil, therefore a lot of people have already gotten used to the old "confirm your information or risk account suspension" tricks. Attacks like this one suggest that phishers are trying to get more creative with their campaigns.