Home / malwarePDF  

PWS:HTML/Phish.EB


First posted on 10 December 2012.
Source: Microsoft

Aliases :

PWS:HTML/Phish.EB is also known as Trojan-PWS.HTML.Phish (Ikarus), Mal/Phish-A (Sophos).

Explanation :



PWS:HTML/Phish.EB is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate Lloyds TSB bank webpage. It is a member of the PWS:HTML/Phish family.

The webpage attempts to steal your online banking information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.

It may use images, logos and layouts that the authors of PWS:HTML/Phish.EB have copied from an authentic Lloyds TSB website.

The phishing page is an HTML page that is usually attached to an email which an attacker may encourage you to open based on the message in the email.

In the wild, we have observed the following example email:



We have observed the following example webpage as an attachment to the email:



We have observed these phishing pages using the following page name to steal your information:

  • Lloyds TSB Login Form.html


PWS:HTML/Phish.EB attempts to obtain personal, banking-related data from you, by tricking you into filling out a form for a particular reason, such as to verify your account due to "unauthorized attempts".

The information that PWS:HTML/Phish.EB attempts to gain from you includes the following:

  • Your personal information:
    • Date of birth
    • Personal identification phrases, such as a memorable word you have previously registered with your Internet banking account
  • Credit or debit card information, including:
    • Internet banking user ID
    • Internet banking password
    • Telephone banking bin
    • Credit card number
    • Card expiry date
    • Card verification number/security code (CVV)


If you click "Continue" or a similar button after filling out the form, the information is sent to a remote server. We have observed the information being sent to the following URL using HTTP POST, which is a type of basic Internet data communication:

  • hxxp://<removed>.223.79.156/apache2-default/admin-wp.php




Analysis by Horea Coroiu

Last update 10 December 2012

 

TOP

Malware :