14 DAY TRIAL // Security researchers from Avira warn of a new multiphishing campaign targeting German credit card owners. The rogue email messages falsely inform users that their credit cards have been locked and include links to phishing sites for both VISA and MasterCard.
The subject of the fake emails is “Locked card” and their Form field is forged to appear as if they originate from a @creditcard.com address. The messages claim that the recipient's credit card was locked for security reasons and in reality are sent from infected computers, which are part of a botnet.
Users are told that in order to be able to use their cards again that they need to complete a special online form. “It is the first time that we see that a single email contains two phishing URLs, targeting two financial institutions: VISA and Mastercard. […] The email is very well crafted though the German used isn’t the best, and is being sent in HTML form (with a plain text part, too),” security researchers from Avira, warn.
The phishing pages are using the template of the real VISA and MasterCard websites and even though they are hosted on different domains, the URLs follow the same http://[host]/ verification/?page=[card brand]_de pattern. The researchers point out that the multiphishing behavior is also present on the backend. “The two hosts work with both tags, so if you interchange mastercard_de with visa_de, you will be redirected to the 'correct' fake website,” they explain.
In addition, whenever another link on the page is clicked, a JavaScript alert window pops up saying that the form needs to be submitted first. This has the purpose of preventing users from realizing that the page they're on is fake.
Finally, the researchers warn that the hosts involved in this scam are also used to distribute malware. Visiting the domains with the phishing part removed from the URL, will load an exploit targeting older version of Adobe Reader.
You can follow the editor on Twitter @lconstantin