People often uses credit cards online to purchase products but many people fail to validate the site address and proceed with submitting sensitive information such as card numbers. Attackers can then steal credit card information along with the associated CVV number. Here is an example of one such fake website, hosting supposedly ‘free’ services - hxxp://www.angelfire.com/ak5/billincenta/.
Once a victim visits this website, he will be presented with popup box portraying the site as AOL’s billing center:
The message indicates that the user needs to update credit card and billing information, or their account will be ‘voided and cancelled’. When victim clicks on the OK button, he will be taken to another webpage where he is asked to enter his credit card details.
Once the victim enters their sensitive and personal information, the webpage smartly displays another popup stating “AOLBilling will now validate your credit card”. This is again done to convince user that the site is a legitimate AOL billing website. Nothing is actually validated against AOL and credit card information is sent to attacker. The webpage collects and sends a POST request with all user details. Here is packet capture of the request sent:
For the purpose of this blog, we have entered fake information. If you look at the above POST request, you will also notice a recipient email address of “firstname.lastname@example.org”. This means all sensitive information is sent to this email address. The victim is then redirected to the error page.
Users should never enter credit card details without being 100% confident that the form is hosted at the correct domain and traffic is sent via HTTPS.