This malicious HTML script may originally arrive as an email message or via a visited Web page. The following is a sample of the spammed email:
The spammed email message is designed to convince recipients that it is an authentic Visa security update. It persuades its recipients to click on the "Continue" button.
When a user clicks the "Continue" button, a blank Web page on the following URL is opened:
The blank page contains JavaScript code that opens a spoofed or forged Web page.
The succeeding page is forged to look like the USA Visa Web site. The Internet address also appears as http://www.usa.visa.com, which is the address of the real Visa site. The actual address of the page, however, is the following:
The spoofed site prompts for the visitor's VISA account number and PIN. The following is a screenshot of the spoofed site:
The actual and current Visa site appears as follows:
This malicious HTML script uses an Internet Explorer vulnerability that gives an attacker the capability to spoof a Web site. An attacker could create a link to a deceptive Web site that displays the address of a legitimate site on the Internet Explorer address and status bars.
More information on the vulnerability can be found at Microsoft Knowledge Base Article - 833786.
Analysis by: Reginald Wong