Home / malwarePDF  

PWS:HTML/Phish.DD


First posted on 02 November 2012.
Source: Microsoft

Aliases :

PWS:HTML/Phish.DD is also known as Trojan-PWS.HTML.Phish (Ikarus), Trojan-Spy.HTML.Fraud.ix (Kaspersky).

Explanation :



PWS:HTML/Phish.DD is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate PayPal webpage. It is a member of the PWS:HTML/Phish family.

The webpage attempts to steal your online banking and PayPal account information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.

It may use images, logos and layouts that the authors of PWS:HTML/Phish.DD have copied from an authentic PayPal website.

The phishing page is an HTML page that is usually hosted on compromised or malicious websites, or included as an attachment to an email message.

Alternatively, a visit to a compromised or malicious website can be used to redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Phish.DD.

In the wild, we have observed the following example webpages:







We have observed these phishing pages using the following page names to steal your information:

  • Account Verification.html
  • Account.html
  • PP-658-119-347.htm


PWS:HTML/Phish.DD attempts to obtain personal, banking-related data from you, by tricking you into filling out a form for a particular reason, such as updating your PayPal profile.

The information that PWS:HTML/Phish.DD attempts to gain from you includes the following:

  • Your personal information:
    • Full name
    • Email address
    • Date of birth
    • PayPal password
    • Home phone number
    • Address
    • Personal identification phrases, such as your mother's maiden name
  • Credit or debit card information, including:
    • Credit/debit card number
    • Card expiry date
    • Card verification number/security code


If you click "Save Profile" or "update" or a similar button after filling out the form, the information is sent to a remote server. We have observed the information being sent to the following URL using HTTP POST, which is a type of basic Internet data communication:

  • hxxp://95.154.192.201/~review/cgi-bin/www.paypal.com.php




Analysis by Patrik Vicol

Last update 02 November 2012

 

TOP

Malware :

Family: