Tuesday 18 October 2011

Croatian VISA & MasterCard phishing under way.

There has been a lot of interest in this blog post from throughout Europe, so I have rewritten it in English. Some new reflections on the matter have also been added.
The original Swedish text is at the bottom.

There is a mail circulating throughout Europe that claims that someone has tried to access your VISA or MasterCard 3 times, and you are asked to change your password for your own security. The HTML-formatted mail looks quite professional, with nice logotypes etc.


The sender is secure@secure.co.uk. If you look up secure.co.uk you will find that it does not exist, which should be evidence enough not to proceed.
The link behind the "Change Password" button (you can find it by hovering over the button or by looking at the HTML source of the mail) points to the following German address:
http://rbftp.radiobremen.de/HSRtest/config/rbftp/www.mastercard.com/www.verifiedbyvisa.com....


Very interesting.

If you copy the link and paste it into a web browser, the following page is displayed. Very professional, and it looks like most pages you encounter when making payments on the Internet.
Note that the URL has now changed from the German domain to zagreb.sdp.hr. .HR is the Croatian top-level domain (Hrvatska). Creative people, those Croatians.

The form asks for everything that is not needed to change a password, but is definitely needed for the creative Croatians to empty your card, including the CVC code!


A funny thing that most people do not notice is that although the page states that it runs on SSL, it is still an ordinary http:// address, ha, ha!

Running WHOIS on the German address displays the following:
Domain: radiobremen.de
Nserver: auth04.ns.de.uu.net
Nserver: auth54.ns.de.uu.net
Status: connect
Changed: 2009-07-10T09:52:14+02:00

[Tech-C]
Type: ROLE
Name: UUNET Hostmaster
Address: Verizon Deutschland GmbH
Address: Sebrathweg 20
PostalCode: 44149
City: Dortmund
CountryCode: DE
Phone: +49 231 972 0
Fax: +49 231 972 2082


However, running it on SDP.HR tells us that the domain does not exist.
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

%ERROR:101: no entries found
%
% No entries found in the selected source(s).

The reason for redirecting from the German site to the Croatian one is obvious: the attackers can have multiple end-points for collecting the information and can easily change those end-points, manually or by script, on the German server, which protects the collection sites.

Another interesting reflection is that Radio Bremen, which seems to be a media company, either has someone on the payroll who wants to earn some extra money, or it has been hacked.

******************************** Original Swedish text below (translated) ********************************


There are some mails circulating now that warn that someone has wrongly tried to access your VISA or MasterCard 3 times, and you are asked to go in and change your password.



The sender is secure@secure.co.uk. If you look closer at secure.co.uk, it does not exist. The address behind the "Change Password" link itself, however, leads to the following German address:
http://rbftp.radiobremen.de/HSRtest/config/rbftp/www.mastercard.com/www.verifiedbyvisa.com....


Interesting.

If you paste the link into a browser, the nice page below is shown. Note that the URL has now changed from Germany to .hr. HR is a Croatian domain (Hrvatska). Creative people, those Croatians.

The form contains exactly everything you do not need to update your password, but everything else the creative Croatians need to use your card, including the CVC code!


A bit funny that it says SSL is used, but it runs on an ordinary http address, ha, ha!


4 comments:

  1. What is really fascinating is also that so many people still fall for these simple tricks. If everyone could learn not to be so darn naive, these creative online fraudsters would have nothing to do. Unfortunately it is still worthwhile for them...

    /Nilla

  2. Hi,
    Sorry, I do not speak German.

    I just received the same email in london. 19/10/11

    http://rbftp.radiobremen.de/HSRtest/config/rbftp/www.mastercard.com/www.verifiedbyvisa.com/www.visa.com/login/account/change/password/for/vbv/moise/cancel/sugipula/UK1/

  3. Hi,
    Where did you get this information about this website?

    Thank you!
    Best regards,
    Adri

  4. Since there has been a lot of interest from throughout Europe, I have rewritten it in English. Some new reflections on the matter have also been added, and I think that it will also answer some of your questions.
