Theft of American Express, Visa and MasterCard card data
06 Oct 2013
Let's consider how the attacker can steal cardholder data using social enginerring.
Attacker sends e-mail with the text about necessary to check information about cardholder. Fishing html attachment is used in order to gather this infomation. See below.
Function document.write() writes to the document value obtained and function unescape() decodes the string according to ASCII. See html result below.
Let's decode content of the file using function unescape(). You can see that all user's data will be sent to the address http://22.214.171.124/js/action.php using HTTP method Post after click to the button Submit.
Then install and activate plugin Tamper Data for the browser Mozilla Firefox and look at real behavior of the web form. We were right. All user's data will be sent to the host 126.96.36.199 after submitting.
In HTTP response user will receive redirect to the site http://www.visa.co.uk. And as result user will think that submitting was completed sucсessfully.
You should be more careful during the work with e-mail.