What is Authorize.Net? According to their website, Authorize.Net is a leading provider of payment gateway services, managing the submission of billions of transactions to the processing networks on behalf of merchant customers. Authorize.Net enables merchants to authorize, settle and manage credit card and electronic check transactions via Web sites, retail stores, mail order/telephone order (MOTO) call centers and mobile devices.
Description of the Authorize.Net Scam: As noted above, Authorize.Net services allow merchants (i.e. business owners) to authorize credit card transactions. At the end of the day, an email is sent out notifying the business owner/merchant of all the activity for the day. The email arrives with the subject line ‘Successful Credit Card Settlement Report’.
The Authorize.Net Scam arrives as an email very closely resembling the true Credit Card Settlement Report email. See screenshots below:
The above screenshot is of an actual (real) email sent on behalf of Authorize.Net. The screenshot shown below is the forged email. As you will see, all the wording and even the Subject line are identical.
With the emails so closely resembling each other, how can you tell that this is a Phishing Scam? While the emails are very similar, there are a few differences. The first big difference is that the forged Authorize.Net email contains hyperlinks. Whether or not the email appears to be from a trusted source, it is highly recommended NOT to click on embedded links, as 9 out of 10 times they will lead to something bad. The other difference is in the recipient email address. The scam emails we are receiving appear to be highly targeted towards business owners or management employees. We suggest that, when setting up a merchant account, business bank account, etc., a separate email account be established that will be used primarily for this activity. The account that is set up should not be used for any other purpose, and it should not be posted or made known.
What happens if I happened to click on the link?
Instead of directing the user back to log in to their Authorize.Net account, the links point the unknowing user to the website: hxxp://meiaquatro.com.br/newbie/abcex.html
Once this website is visited, the screen will show a "Connecting to server..." message and, behind the scenes, the following scripts get executed:
hxxp://50.63.177.246/deaart/averted.js1
hxxp://ftp.a1suretybonds.com/naasiest/elitist.js1
hxxp://www.bodypower.biz/furaaered/curiosity.js1
As this is a brand new threat, at the time of this writing the webpages above are not online. We are monitoring their activity closely and, should the status change, we will update this post. Scripts like the above are typically used to download Trojans, Scareware or Rogueware (i.e. FBI MoneyPak virus) onto the user's system.
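The main tell described above (a settlement report that contains hyperlinks, and links that lead somewhere other than Authorize.Net) can be checked automatically at the mail gateway or in a triage script. The following is an added example, not code from Thirtyseven4 or Authorize.Net; it assumes that authorize.net is the only domain a genuine report should reference, and the two sample messages are constructed for illustration.

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

SUBJECT = "successful credit card settlement report"  # subject line quoted in the post
TRUSTED = "authorize.net"  # assumption: the only domain a real report should reference

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href)

def is_trusted(url):
    # Compare the parsed hostname, so "authorize.net.example" and
    # "authorize.net@host" style URLs do not pass as the real domain.
    host = (urlsplit(url).hostname or "").lower()
    return host == TRUSTED or host.endswith("." + TRUSTED)

def check_report(raw):
    """Return (links, off_domain_links) for a settlement-report email, else None."""
    msg = email.message_from_string(raw, policy=policy.default)
    if SUBJECT not in str(msg["Subject"] or "").lower():
        return None
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            collector = LinkCollector()
            collector.feed(part.get_content())
            links += collector.links
        elif ctype == "text/plain":
            links += re.findall(r"https?://[^\s<>\"]+", part.get_content())
    return links, [u for u in links if not is_trusted(u)]

# Constructed sample messages (not the emails from the post).
FORGED = ("From: reports@example.invalid\nSubject: Successful Credit Card Settlement Report\n"
          "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n"
          '<p>View your report: <a href="http://landing.example.invalid/a.html">log in</a></p>\n')
GENUINE = ("From: reports@example.invalid\nSubject: Successful Credit Card Settlement Report\n"
           "MIME-Version: 1.0\nContent-Type: text/plain; charset=utf-8\n\n"
           "Your settlement batch completed successfully.\n")
```

A non-empty first list means the report carries links at all, which the genuine email described above does not; a non-empty second list means at least one link leaves the trusted domain.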
Please Note: In the meantime, Thirtyseven4 Antivirus is up-to-date against these threats and Thirtyseven4 has proactively blocked these targeted domains (listed above) via our Browser Protection module.