Tuesday, July 11, 2006

Beware of the Sophisticated New Visa Scam Flying Under the Radar

by Nicholas Stix
Updated below at 5:30 p.m.
Second update below at 9 p.m.

“Your Credit Card was cloned in Bulgaria” read the subject line in the e-mail I received today, that either went out, or came in at 1:42 p.m. ET. (See below.)
Information Regarding Your account:
Dear VISA Member!

Attention! Your VISA Credit Card has been violated!

Someone from Bulgaria tried to access your personal account from 2 different ATM's but with wrong pin! We were forced to freeze your Credit Card until you will confirm your identity online!

Please click the link below and enter your account information to confirm that you are not currently away. You have 3 days to confirm account information or your account will be locked.

https://www.visa.com/vewrifiedbyvisa/us/update.asp

Click on the "Confirm identity " link in the Activate Credit Card box and then enter this confirmation number: 1291-3821-1345-9233-3925

Thank you for using Visa!
Verified by Visa Team

Please do not reply to this e-mail. Mail sent to this address cannot be answered.

VISA Email ID VU294E22

Unlike so many e-mail credit card and bank scams today, the English is, well … English. And when I checked the internet details, I got the following return path.

Return-Path:
Received: from rly-xa01.mx.aol.com (rly-xa01.mail.aol.com [172.20.64.37]) by air-xa01.mail.aol.com (v110.15) with ESMTP id MAILINXA13-4e44b3e2b41aa; Tue, 11 Jul 2006 13:42:12 -0400
Received: from MAIL.THINKINGCENTER.COM (bdsl-66-14-3-220.gte.net [66.14.3.220]) by rly-xa01.mx.aol.com (v110.15) with ESMTP id MAILRELAYINXA18-4e44b3e2b41aa; Tue, 11 Jul 2006 13:41:08 -0400
Received: from User
(adsl-70-234-23-78.dsl.sndg02.sbcglobal.net [70.234.23.78])
by MAIL.THINKINGCENTER.COM; Sun, 09 Jul 2006 05:10:37 -0400
From: "Verified by Visa"
Subject: Your Credit Card was cloned in Bulgaria
Date: Sun, 9 Jul 2006 02:12:52 -0700
MIME-Version: 1.0
Content-Type: text/html;
charset="Windows-1251"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
X-AOL-IP: 66.14.3.220
X-AOL-SCOLL-SCORE: 1:2:485312656:20401094
X-AOL-SCOLL-URL_COUNT: 2
Message-ID: 200607111341.4e44b3e2b41aa@rly-xa01.mx.aol.com

So far, so good, but Internet paths can be fooled by phony, “spoofed” eddresses. Usually, you can catch a phony eddress or URL by putting your cursor on the link, and seeing the true eddress or URL below.

I did that, and got … nothing! The same URL lay beneath the surface one. But for the following reason, I still didn’t buy it.
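The header check above can be done mechanically. As an added example (not from the original post), this Python script parses the Received chain quoted above, oldest hop first, and pulls out the signals a mail gateway would score: the originating consumer DSL address, the bare "User" HELO name, the two-day gap between the first relay and AOL, a From header carrying a display name but no address, and a Cyrillic code page declared for an English-language message. The two folded continuation lines of the third Received header are re-indented here, since RFC 822 folding needs leading whitespace.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block as quoted in the post above (unused headers omitted).
RAW_HEADERS = """\
Received: from rly-xa01.mx.aol.com (rly-xa01.mail.aol.com [172.20.64.37]) by air-xa01.mail.aol.com (v110.15) with ESMTP id MAILINXA13-4e44b3e2b41aa; Tue, 11 Jul 2006 13:42:12 -0400
Received: from MAIL.THINKINGCENTER.COM (bdsl-66-14-3-220.gte.net [66.14.3.220]) by rly-xa01.mx.aol.com (v110.15) with ESMTP id MAILRELAYINXA18-4e44b3e2b41aa; Tue, 11 Jul 2006 13:41:08 -0400
Received: from User
 (adsl-70-234-23-78.dsl.sndg02.sbcglobal.net [70.234.23.78])
 by MAIL.THINKINGCENTER.COM; Sun, 09 Jul 2006 05:10:37 -0400
From: "Verified by Visa"
Subject: Your Credit Card was cloned in Bulgaria
Content-Type: text/html;
 charset="Windows-1251"
"""

HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+([^\s;]+)")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Return Received hops oldest-first as (helo, peer_ip, relay, timestamp)."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())          # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip = IP_RE.search(m.group(2) or "")
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hops.append((m.group(1), ip.group(1) if ip else None, m.group(3), stamp))
    return hops[::-1]                            # headers are listed newest-first

def analyse(raw):
    """Collect the indicators an analyst or mail gateway would flag."""
    msg = message_from_string(raw)
    hops = parse_hops(raw)
    delays = [(b[3] - a[3]).total_seconds() / 3600 for a, b in zip(hops, hops[1:])]
    return {
        "origin_ip": hops[0][1],                      # peer of the first relay: a DSL line
        "origin_helo_bare": "." not in hops[0][0],    # "User" is no mail server name
        "max_hop_delay_hours": max(delays),           # sat 2+ days on the intermediate host
        "from_has_address": "@" in (msg["From"] or ""),
        "charset": msg.get_content_charset(),         # Cyrillic code page for English text
    }

if __name__ == "__main__":
    for key, val in analyse(RAW_HEADERS).items():
        print(f"{key}: {val}")
```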

No reputable firm that wants to remain that way sends its customers e-mails telling them to hit links within those e-mails. Every firm – reputable or otherwise – knows that such e-mails are the m.o. of identity thieves in places like … Bulgaria. In fact, I wouldn’t be surprised if this scam were the work of thieves in Bulgaria with a sense of humor.

When I got too aggressive with my cursor, I got a message from AOL, telling me that the link had “been disabled for your safety. To activate click ‘show images & enable links’ above,” but the same AOL message pops up anytime I hit a link in an e-mail, even when it’s in my daily “media cop” updates.

When AOL is aware of a scam, a different message pops up, saying that the link had been disabled after customer complaints.

But what if I’m wrong, and the e-mail really was from Visa? While it is possible that a Visa customer would be unable to make a purchase, businesses have direct telephone numbers for each major credit card, for whenever there is a problem. The store manager could call the number, and confirm whether you really are “Joe Schmo.”

But what if I’m right? Answering the e-mail will not only give away your Visa account (costing you thousands of dollars for at least a day or two), but permit the thieves to leverage that information to open up new credit accounts in your name, costing you thousands of dollars in the short and not-so-short run, and years of grief clearing your name.

Reputable companies that want to stay that way send letters. You know, the old-fashioned kind. Libertarians, s-f fans, and other idolaters of the latest gizmo may refer derisively to mail delivered by human beings wearing blue-gray uniforms as “snail mail,” but you know what? As long as your mailbox is secure, so-called snail mail is still the most reliable kind for important messages. And that’s what financial institutions use in times of trouble. When someone breached security at one of my banks a year or two ago, the bank froze all existing debit cards, and informed all customers (while supplying each with a new card) via U.S. mail. Speed isn’t everything.

There is one more obvious precaution to take: Ask Visa.

At their Web site, there is no mention of a problem, not even at their data security page, where there is a general discussion of “phishing,” and where Visa assures its customers that “facilitating the protection of cardholder data has long been a priority for Visa. Over the last several years, Visa has developed a multi-layered product and service strategy to help safeguard data and prevent fraud. This work continues today and Visa's data security efforts currently include the use of neural networks to detect fraud patterns, chip and PIN technology to authenticate transactions and Verified by Visa for the authorization of Internet purchases, among many other activities.”

Again, a lack of mention of a scam could simply mean that there is no scam.

I called their press office, out on the Left Coast, but only got a tape recording telling me to leave my name and number, and they’d get back to me. I left a message 90 minutes ago saying that I am a journalist, leaving my name and telephone number at the beginning and again at the end, and saying that I was responding to a new scam, which should have piqued their interest.

In case you’re still wondering whether I’m right or just paranoid, I have two pieces of strong evidence and one final piece of indisputable evidence.

1. There were no Visa graphics in the e-mail. Sophisticated phishers typically copy and paste the graphics, to make their e-mails look like the real McCoy. Thus, seeing a company’s graphics and logo is no guarantee that an e-mail is legit, but not seeing them is a strong indication that the e-mail in question is a scam.

2. The e-mail is anonymous. If Visa were responding to someone under the unique circumstances indicated in the e-mail, they wouldn’t be addressing me as “Dear VISA Member!”

And the zinger:

3. I am not, and never have been, a Visa customer.

I’m sending notification to AOL, just as soon as I notify you.


Update, 5:30 p.m.: At 4:55 p.m., I got a call from a Visa press rep. While going over the e-mail with her, I noticed an additional giveaway: the "s" in "https." Visa's real URL starts with "http." Taking the exact URL of a legitimate company -- e.g., http://www.visa.com -- and adding an "s" to "http" is a classic phishing trick.

When I asked the press rep if I would get a response from a Visa executive she said, "I can't confirm that, but I will try my best to get you one."

Would Visa ever send an e-mail to a customer telling the customer to hit a link within that e-mail?

"I can't confirm, but that doesn't sound right to me. I will get back to you with that as well."

I asked the press rep to read this blog, and call or e-mail me with any necessary corrections or additional information.


Second update, 9 p.m.: Just after 6 p.m., a second Visa flack called. He would only speak "on background," but did point out that a Visa cardholder would never hear from Visa directly, but rather from his personal financial institution (which issued him his Visa card), and that in the body of statements by Visa, "Visa" is never written in all caps ("VISA"). He also asked me to tell all my readers to forward any suspicious-looking e-mails claiming to come from Visa to phishing@visa.com.

Of course, you are welcome to forward a copy to me at the same time, at Add1dda@aol.com.