Posted on behalf of Nick Johnston, Senior Software Engineer, Symantec Hosted Services
MessageLabs Intelligence has recently seen an interesting variant on normal bank and other financial institution phishing. This particular phish message encourages the recipient to receive 90 dollars by completing a survey sponsored by a fast food restaurant. This scam is different from normal phishing, where phishers often impersonate banks and other financial institutions, claiming that the victim's account has been temporarily disabled and requires some kind of action to restore it. The use of a well-known, unrelated, trusted third-party fast food restaurant brand as a vector for stealing confidential information is relatively new.
It appears that this phish was aimed at users in New Zealand. Our analysis shows that most of the recipients were in Australia or New Zealand, and the URL of the site included a .nz, presumably a very poor attempt by the phishers to fool people into thinking they were browsing the organization's legitimate web site. Why New Zealand was targeted is unclear; perhaps the phishers wanted to acquire New Zealand-based credit cards. Nevertheless, this shows the global nature of the phishing problem.
The survey itself seems relatively plausible with eight simple questions, and apart from the unusual URL, poor appearance of the logo and the error messages above each question, it could almost pass as real.
When pressing the "Proceed" link, the victim is prompted to enter credit card information for the payment of the 90 dollar reward.
The page asks for the usual credit card details, including the CVV2 or card security number typically found on the back of credit cards. Combined with the address information, this should be enough for the phishers (or whoever becomes the end user of these details) to carry out fraudulent "card not present" transactions (for example an online or phone purchase). It's interesting to note that the page doesn't ask for any MasterCard SecureCode or Verified by Visa details, suggesting that at least these particular phishers don't see any value in getting this information, probably because it is not widely used, and in most cases cardholder use of these schemes is not mandatory.
This phishing site was taken down shortly before MessageLabs Intelligence discovered it, so hopefully its impact was limited. However, the site was hosted on a compromised server, and it's quite likely that the gang had many more compromised servers ready.
Beyond the usual victims of phishing, this type of phish also casts the well-known fast food chain in a negative light, as people who lose money to this scam might somehow blame the restaurant, which is actually a victim itself in this case.