Home / malware PWS:HTML/Phish.CL
First posted on 28 August 2012.
Source: MicrosoftAliases :
PWS:HTML/Phish.CL is also known as Mal/Phish-A (Sophos).
Explanation :
PWS:HTML/Phish.CL is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate online banking or PayPal webpage. It is a member of the PWS:HTML/Phish family.
PWS:HTML/Phish.CL attempts to steal your online banking and PayPal account information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.
It may use images, logos and layouts that the authors of PWS:HTML/Phish.CL have copied from an authentic banking or PayPal site.
The phishing page is an HTML page that is usually hosted on compromised or malicious websites or sent through email, either as an attachment or in the form of a link.
Alternatively, a visit to a compromised or malicious website can be used to redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Phish.CL.
In the wild, we have observed the following example webpages:
The information that PWS:HTML/Phish.CL attempts to gain from you includes the following:
- Full name
- Bank account information
- Five-digit passcode
- Telephone banking passcode
- Email address
- PayPal password
- SSN (social security number) if you reside in the US
- Credit/debit card number
- Credit card expiry date
- 3-digit card security code
- Online credit card verification codes, such as those used by "Verified by VISA" and "MasterCard SecureCode"
- Personal identification phrases, such as your mother's maiden name
- Bank name
- Date of birth
- Address
- Phone number
If you click "submit" or "update" or a similar button after filling out the form, the information is sent to a remote server. We have observed the information being sent to the following URLs using HTTP POST, which is a type of basic Internet data communication:
- www.dvd46.ru/M5.php
- 99.12.171.227/phpadmin/popup.php
Analysis by Jonathan San Jose
Last update 28 August 2012