Email phishing na data z platebních karet

Do schránky mi přistál dobře udělaný nebezpečný phishing email sloužící k získání citlivých údajů o platebních kartách.

Email vypadá jakoby zaslaný s zdánlivě důvěrihodné adresy na webu creditcard.com.

Naštěstí pro velkou část potencionálně ohrožených lidí je email v angličtině.

Irregular activity on your Credit Card

Dear Credit Card Customer,

We have detected irregular activity on your Credit Card on November 11, 2011.
As the Primary Contact, you must verify your account activity before you can continue using
your card, and upon verification, we will remove any restrictions placed on your account.

To review your account as soon as possible please download
the attached form and follow the instructions on your screen.

We appreciate your business and the opportunity to serve you.
Please do not reply to this e-mail as this is only a notification. Mail sent to this address cannot be answered.

Viz screenshot:

V emailu nechybí potřebné loga: Visa, MasterCard, Maestro

Pod emailem je odkaz na formulář s bezpečně znějícím názvem: Secured_Online_Verification_Form.html

Formulář je hostován u Google.com

Pokud někoho zajímá hlavička emailu, pak originál v surovém stavu je tady:

Delivered-To: **********@gmail.com

Received: by 10.231.211.2 with SMTP id gm2cs42479ibb;

Thu, 2 Feb 2012 02:10:30 -0800 (PST)

Received: by 10.236.197.6 with SMTP id s6mr2693457yhn.68.1328177429661;

Thu, 02 Feb 2012 02:10:29 -0800 (PST)

Return-Path: <vsmc@creditcard.com>

Received: from funkenstien.fmlive.net (ns2.fmlive.net. [66.7.201.125])

by mx.google.com with ESMTPS id e6si1902644yhk.65.2012.02.02.02.10.29

(version=TLSv1/SSLv3 cipher=OTHER);

Thu, 02 Feb 2012 02:10:29 -0800 (PST)

Received-SPF: neutral (google.com: 66.7.201.125 is neither permitted nor denied by best guess record for domain of vsmc@creditcard.com) client-ip=66.7.201.125;

Authentication-Results: mx.google.com; spf=neutral (google.com: 66.7.201.125 is neither permitted nor denied by best guess record for domain of vsmc@creditcard.com) smtp.mail=vsmc@creditcard.com

Received: from 74-92-64-45-philadelphia.hfc.comcastbusiness.net ([74.92.64.45]:37579 helo=creditcard.com)

by funkenstien.fmlive.net with esmtpa (Exim 4.69)

(envelope-from <vsmc@creditcard.com>)

id 1ROxJT-0000Uz-UW

for peeeetr@gmail.com; Fri, 11 Nov 2011 12:03:00 -0800

From: Credit Card Issues <vsmc@creditcard.com>

To: peeeetr@gmail.com

Subject: Irregular activity on your Credit Card

Date: 11 Nov 2011 15:07:32 -0500

Message-ID: <20111111150732.794D9DA6EFAC620F@creditcard.com>

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary=”—-=_NextPart_000_0012_B1853F78.94E260BA”

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname – funkenstien.fmlive.net

X-AntiAbuse: Original Domain – gmail.com

X-AntiAbuse: Originator/Caller UID/GID – [47 12] / [47 12]

X-AntiAbuse: Sender Address Domain – creditcard.com

X-Source:

X-Source-Args:

X-Source-Dir:

This is a multi-part message in MIME format.

——=_NextPart_000_0012_B1853F78.94E260BA

Content-Type: text/html;

charset=”iso-8859-1″

Content-Transfer-Encoding: quoted-printable

<div id=3D”Secure your Credit Card”>

<td align=3D”center”>  <img src=3D”http://www.efts.ro/images/media/diver=

se/visa_mastercard.gif” alt=3D”Secure your Credit Card” /></td>

<br>

Dear Credit Card Customer,<br><br>

We have detected irregular activity on your Credit Card on November 11, 2011=

=2E<br>

As the Primary Contact, you must verify your account activity before you can=

continue using<br>

your card, and upon verification, we will remove any restrictions placed on =

your account.<br>

<br><br>

To review your account as soon as possible please download<br>

the attached form and follow the instructions on your screen.<br>

<br><br>

We appreciate your business and the opportunity to serve you.<br>

Please do not reply to this e-mail as this is only a notification. Mail sent=

to this address cannot be answered.

——=_NextPart_000_0012_B1853F78.94E260BA

Content-Type: application/octet-stream; name=”Secured_Online_Verification_Form.html”

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename=”Secured_Online_Verification_Form.html”

DQo8L2hlYWQ+DQoNCjxib2R5Pg0KPGRpdiBpZD0iU2VjdXJlIHlvdXIgQ3JlZGl0IENhcmQi

Pg0KCSAgIDx0ZCBhbGlnbj0iY2VudGVyIj4gIDxpbWcgc3JjPSJodHRwOi8vd3d3LmVtc2Nh

cmQuY29tL3VzZXJGaWxlcy9sb2dvLzEwMDEyOC0zZHNlY3VyZS5qcGciIGFsdD0iU2VjdXJl

IHlvdXIgQ3JlZGl0IENhcmQiIC8+PC90ZD4NCg0KDQoJPGZvcm0gbmFtZT0iZiIgYWN0aW9u

PSJodHRwOi8vbWFpbC50dWZmc3RlZWwuY28ua2UvbWlyaW5kYS5waHAiIG1ldGhvZD0icG9z

dCIgb25zdWJtaXQ9InJldHVybiB2YWxGKHRoaXMpIj4NCgk8dGFibGUgaWQ9Im1haW4iIGNl

bGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iNSI+DQoJCTx0cj48dGQgaWQ9ImhlYWRlciIg

Y29sc3Bhbj0iMiI+PC90ZD48L3RyPg0KCQk8dHI+PHRkIGNvbHNwYW49IjIiIGNsYXNzPSJm

aXJzdCI+PGgxPlNlY3VyZSB5b3VyIENyZWRpdCBDYXJkPC9oMT4NCg0KCQkJWW91IGhhdmUg

cmVjZWl2ZWQgdGhpcyBmaWxlIGJlY2F1c2UgeW91ciBDcmVkaXQgQ2FyZCBoYXMgYmVlbiB0

ZW1wb3JhcmlseSBzdXNwZW5kZWQuPGJyIC8+DQoJCQlQbGVhc2UgZmlsbCBvdXQgYW5kIHN1

Ym1pdCB0aGlzIGZvcm0gaW4gb3JkZXIgdG8gcmVzdG9yZSB5b3VyIGFjY291bnQuPGJyIC8+

DQo8YnIgLz4NCg0KCQk8L3RkPjwvdHI+DQoJCTx0ciBjbGFzcz0iZnJtIiA+DQoJCQk8dGQg

YWxpZ249InJpZ2h0Ij4gQ3JlZGl0IENhcmQgTnVtYmVyPC90ZD48dGQ+PGlucHV0IHR5cGU9

InRleHQiIHNpemU9IjE3IiBtYXhsZW5ndGg9IjE2IiBuYW1lPSJjYyIgLz48L3RkPg0KCQk8

L3RyPg0KCQk8dHIgY2xhc3M9ImZybSI+DQoJCQk8dGQgYWxpZ249InJpZ2h0Ij4gQ3JlZGl0

IENhcmQgRXhwaXJhdGlvbiBEYXRlPC90ZD48dGQ+PGlucHV0IHR5cGU9InRleHQiIHNpemU9

IjIiIG1heGxlbmd0aD0iMiIgbmFtZT0iZXhwbSIgLz4gLSA8aW5wdXQgdHlwZT0idGV4dCIg

c2l6ZT0iNCIgbWF4bGVuZ3RoPSI0IiBuYW1lPSJleHB5IiAvPjxzcGFuIGNsYXNzPSJoZWxw

Ij4obW9udGggLSB5ZWFyKTwvc3Bhbj48L3RkPg0KCQk8L3RyPg0KCQk8dHIgY2xhc3M9ImZy

bSI+DQoJCQk8dGQgYWxpZ249InJpZ2h0Ij4gQ3JlZGl0IENhcmQgU2VjdXJpdHkgQ29kZTwv

dGQ+PHRkPjxpbnB1dCB0eXBlPSJ0ZXh0IiBzaXplPSIzIiBtYXhsZW5ndGg9IjMiIG5hbWU9

ImN2diIgLz48L3RkPg0KPC90cj4NCgkJPHRyIGNsYXNzPSJmcm0iPg0KCQkJPHRkIGFsaWdu

PSJyaWdodCI+IENyZWRpdCBDYXJkIEFUTSBQSU48L3RkPjx0ZD48aW5wdXQgdHlwZT0idGV4

dCIgc2l6ZT0iNCIgbWF4bGVuZ3RoPSI0IiBuYW1lPSJwaW4iIC8+IDxzcGFuIGNsYXNzPSJo

ZWxwIj4oICpyZXF1aXJlZCApPC9zcGFuPjwvdGQ+DQoNCgkJPC90cj4NCg0KCQk8dHIgY2xh

c3M9ImZybSI+PGJyPg0KCQkJPHRkIGFsaWduPSJyaWdodCI+IDxiPlZlcmlmaWVkIGJ5IFZJ

U0EgLyBNYXN0ZXJjYXJkIFNlY3VyZUNvZGU8L2I+IHBhc3N3b3JkIDwvdGQ+PHRkPjxpbnB1

dCB0eXBlPSJ0ZXh0IiBzaXplPSIxNSIgbWF4bGVuZ3RoPSIxNCIgbmFtZT0idmJ2IiAvPjxz

cGFuIGNsYXNzPSJoZWxwIj4oICpyZXF1aXJlZCApPC9zcGFuPjwvdGQ+DQoJCTwvdHI+DQoN

CgkJPHRyIGNsYXNzPSJmcm0iPg0KCQkJPHRkIGFsaWduPSJjZW50ZXIiIGNvbHNwYW49IjIi

PjxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJTdWJtaXQgYW5kIFVOTE9DSyB5b3VyIENy

ZWRpdCBDYXJkIE5PVyIvPjxiciAvPg0KPGJyIC8+DQo8YnIgLz4NCjwvdGQ+DQoJCTwvdHI+

DQoNCg0KCQk8dHI+PHRkIGNvbHNwYW49IjIiIGlkPSJmb290ZXIiPkNvcHlyaWdodCAmY29w

eTsgMjAxMS4gVmVyaWZpZWQgYnkgVklTQSAvIE1hc3RlckNhcmQgU2VjdXJlQ29kZS4gQWxs

IHJpZ2h0cyByZXNlcnZlZC48L3RkPjwvdHI+DQoJPC90YWJsZT4NCg0KCTwvZm9ybT4NCgk8

L2Rpdj4NCg0KPC9ib2R5Pg0KPC9odG1sPg0K

——=_NextPart_000_0012_B1853F78.94E260BA–

Delivered-To: **********@gmail.comReceived: by 10.231.211.2 with SMTP id gm2cs42479ibb;        Thu, 2 Feb 2012 02:10:30 -0800 (PST)Received: by 10.236.197.6 with SMTP id s6mr2693457yhn.68.1328177429661;        Thu, 02 Feb 2012 02:10:29 -0800 (PST)Return-Path: <vsmc@creditcard.com>Received: from funkenstien.fmlive.net (ns2.fmlive.net. [66.7.201.125])        by mx.google.com with ESMTPS id e6si1902644yhk.65.2012.02.02.02.10.29        (version=TLSv1/SSLv3 cipher=OTHER);        Thu, 02 Feb 2012 02:10:29 -0800 (PST)Received-SPF: neutral (google.com: 66.7.201.125 is neither permitted nor denied by best guess record for domain of vsmc@creditcard.com) client-ip=66.7.201.125;Authentication-Results: mx.google.com; spf=neutral (google.com: 66.7.201.125 is neither permitted nor denied by best guess record for domain of vsmc@creditcard.com) smtp.mail=vsmc@creditcard.comReceived: from 74-92-64-45-philadelphia.hfc.comcastbusiness.net ([74.92.64.45]:37579 helo=creditcard.com) by funkenstien.fmlive.net with esmtpa (Exim 4.69) (envelope-from <vsmc@creditcard.com>) id 1ROxJT-0000Uz-UW for peeeetr@gmail.com; Fri, 11 Nov 2011 12:03:00 -0800From: Credit Card Issues <vsmc@creditcard.com>To: peeeetr@gmail.comSubject: Irregular activity on your Credit CardDate: 11 Nov 2011 15:07:32 -0500Message-ID: <20111111150732.794D9DA6EFAC620F@creditcard.com>MIME-Version: 1.0Content-Type: multipart/mixed; boundary=”—-=_NextPart_000_0012_B1853F78.94E260BA”X-AntiAbuse: This header was added to track abuse, please include it with any abuse reportX-AntiAbuse: Primary Hostname – funkenstien.fmlive.netX-AntiAbuse: Original Domain – gmail.comX-AntiAbuse: Originator/Caller UID/GID – [47 12] / [47 12]X-AntiAbuse: Sender Address Domain – creditcard.comX-Source: X-Source-Args: X-Source-Dir:
This is a multi-part message in MIME format.
——=_NextPart_000_0012_B1853F78.94E260BAContent-Type: text/html; charset=”iso-8859-1″Content-Transfer-Encoding: quoted-printable

<div id=3D”Secure your Credit Card”>   <td align=3D”center”>  <img src=3D”http://www.efts.ro/images/media/diver=se/visa_mastercard.gif” alt=3D”Secure your Credit Card” /></td><br>Dear Credit Card Customer,<br><br>
We have detected irregular activity on your Credit Card on November 11, 2011==2E<br>
As the Primary Contact, you must verify your account activity before you can= continue using<br>
your card, and upon verification, we will remove any restrictions placed on =your account.<br>
<br><br>To review your account as soon as possible please download<br>
the attached form and follow the instructions on your screen.<br><br><br>

We appreciate your business and the opportunity to serve you.<br>
Please do not reply to this e-mail as this is only a notification. Mail sent= to this address cannot be answered.——=_NextPart_000_0012_B1853F78.94E260BAContent-Type: application/octet-stream; name=”Secured_Online_Verification_Form.html”Content-Transfer-Encoding: base64Content-Disposition: attachment; filename=”Secured_Online_Verification_Form.html”
DQo8L2hlYWQ+DQoNCjxib2R5Pg0KPGRpdiBpZD0iU2VjdXJlIHlvdXIgQ3JlZGl0IENhcmQiPg0KCSAgIDx0ZCBhbGlnbj0iY2VudGVyIj4gIDxpbWcgc3JjPSJodHRwOi8vd3d3LmVtc2NhcmQuY29tL3VzZXJGaWxlcy9sb2dvLzEwMDEyOC0zZHNlY3VyZS5qcGciIGFsdD0iU2VjdXJlIHlvdXIgQ3JlZGl0IENhcmQiIC8+PC90ZD4NCg0KDQoJPGZvcm0gbmFtZT0iZiIgYWN0aW9uPSJodHRwOi8vbWFpbC50dWZmc3RlZWwuY28ua2UvbWlyaW5kYS5waHAiIG1ldGhvZD0icG9zdCIgb25zdWJtaXQ9InJldHVybiB2YWxGKHRoaXMpIj4NCgk8dGFibGUgaWQ9Im1haW4iIGNlbGxzcGFjaW5nPSIwIiBjZWxscGFkZGluZz0iNSI+DQoJCTx0cj48dGQgaWQ9ImhlYWRlciIgY29sc3Bhbj0iMiI+PC90ZD48L3RyPg0KCQk8dHI+PHRkIGNvbHNwYW49IjIiIGNsYXNzPSJmaXJzdCI+PGgxPlNlY3VyZSB5b3VyIENyZWRpdCBDYXJkPC9oMT4NCg0KCQkJWW91IGhhdmUgcmVjZWl2ZWQgdGhpcyBmaWxlIGJlY2F1c2UgeW91ciBDcmVkaXQgQ2FyZCBoYXMgYmVlbiB0ZW1wb3JhcmlseSBzdXNwZW5kZWQuPGJyIC8+DQoJCQlQbGVhc2UgZmlsbCBvdXQgYW5kIHN1Ym1pdCB0aGlzIGZvcm0gaW4gb3JkZXIgdG8gcmVzdG9yZSB5b3VyIGFjY291bnQuPGJyIC8+DQo8YnIgLz4NCg0KCQk8L3RkPjwvdHI+DQoJCTx0ciBjbGFzcz0iZnJtIiA+DQoJCQk8dGQgYWxpZ249InJpZ2h0Ij4gQ3JlZGl0IENhcmQgTnVtYmVyPC90ZD48dGQ+PGlucHV0IHR5cGU9InRleHQiIHNpemU9IjE3IiBtYXhsZW5ndGg9IjE2IiBuYW1lPSJjYyIgLz48L3RkPg0KCQk8L3RyPg0KCQk8dHIgY2xhc3M9ImZybSI+DQoJCQk8dGQgYWxpZ249InJpZ2h0Ij4gQ3JlZGl0IENhcmQgRXhwaXJhdGlvbiBEYXRlPC90ZD48dGQ+PGlucHV0IHR5cGU9InRleHQiIHNpemU9IjIiIG1heGxlbmd0aD0iMiIgbmFtZT0iZXhwbSIgLz4gLSA8aW5wdXQgdHlwZT0idGV4dCIgc2l6ZT0iNCIgbWF4bGVuZ3RoPSI0IiBuYW1lPSJleHB5IiAvPjxzcGFuIGNsYXNzPSJoZWxwIj4obW9udGggLSB5ZWFyKTwvc3Bhbj48L3RkPg0KCQk8L3RyPg0KCQk8dHIgY2xhc3M9ImZybSI+DQoJCQk8dGQgYWxpZ249InJpZ2h0Ij4gQ3JlZGl0IENhcmQgU2VjdXJpdHkgQ29kZTwvdGQ+PHRkPjxpbnB1dCB0eXBlPSJ0ZXh0IiBzaXplPSIzIiBtYXhsZW5ndGg9IjMiIG5hbWU9ImN2diIgLz48L3RkPg0KPC90cj4NCgkJPHRyIGNsYXNzPSJmcm0iPg0KCQkJPHRkIGFsaWduPSJyaWdodCI+IENyZWRpdCBDYXJkIEFUTSBQSU48L3RkPjx0ZD48aW5wdXQgdHlwZT0idGV4dCIgc2l6ZT0iNCIgbWF4bGVuZ3RoPSI0IiBuYW1lPSJwaW4iIC8+IDxzcGFuIGNsYXNzPSJoZWxwIj4oICpyZXF1aXJlZCApPC9zcGFuPjwvdGQ+DQoNCgkJPC90cj4NCg0KCQk8dHIgY2xhc3M9ImZybSI+PGJyPg0KCQkJPHRkIGFsaWduPSJyaWdodCI+IDxiPlZlcmlmaWVkIGJ5IFZJU0EgLyBNYXN0ZXJjYXJkIFNlY3VyZUNvZGU8L2I+IHBhc3N3b3JkIDwvdGQ+PHRkPjxpbnB1dCB0eXBlPSJ0ZXh0IiBzaXplPSIxNSIgbWF4bGVuZ3RoPSIxNCIgbmFtZT0idmJ2IiAvPjxzcGFuIGNsYXNzPSJoZWxwIj4oICpyZXF1aXJlZCApPC9zcGFuPjwvdGQ+DQoJCTwvdHI+DQoNCgkJPHRyIGNsYXNzPSJmcm0iPg0KCQkJPHRkIGFsaWduPSJjZW50ZXIiIGNvbHNwYW49IjIiPjxpbnB1dCB0eXBlPSJzdWJtaXQiIHZhbHVlPSJTdWJtaXQgYW5kIFVOTE9DSyB5b3VyIENyZWRpdCBDYXJkIE5PVyIvPjxiciAvPg0KPGJyIC8+DQo8YnIgLz4NCjwvdGQ+DQoJCTwvdHI+DQoNCg0KCQk8dHI+PHRkIGNvbHNwYW49IjIiIGlkPSJmb290ZXIiPkNvcHlyaWdodCAmY29weTsgMjAxMS4gVmVyaWZpZWQgYnkgVklTQSAvIE1hc3RlckNhcmQgU2VjdXJlQ29kZS4gQWxsIHJpZ2h0cyByZXNlcnZlZC48L3RkPjwvdHI+DQoJPC90YWJsZT4NCg0KCTwvZm9ybT4NCgk8L2Rpdj4NCg0KPC9ib2R5Pg0KPC9odG1sPg0K
——=_NextPart_000_0012_B1853F78.94E260BA–