Home / malwarePDF  

PWS:HTML/Barfraud.AI


First posted on 29 September 2012.
Source: Microsoft

Aliases :

There are no other names known for PWS:HTML/Barfraud.AI.

Explanation :



PWS:HTML/Barfraud.AI is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate Barclays bank webpage.

PWS:HTML/Barfraud.AI attempts to steal your banking account information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.

It may use images, logos and layouts that the authors of PWS:HTML/Barfraud.AI have copied from an authentic Barclays bank website.

The phishing page is an HTML page that is usually hosted on compromised or malicious websites, which an attacker may attempt to lure you to by clicking a link in an email.

Alternatively, a visit to a compromised or malicious website can be used to redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Barfraud.AI.

In the wild, we have observed the following example webpages:







During analysis, the websites we observed hosting these phishing pages used any of the following page names to steal your information:

  • Barclays - Login Form.html
  • Barclays_Online_Form.html
  • Barclays_Update_Form.html
  • customer.relations@barclays.co.uk.htm


This is an example of what the URL for one of these pages might look like:

hxxp://www.<removed>.com/Barclays_Update_Form.html

PWS:HTML/Barfraud.AI attempts to obtain personal, banking-related data from you, by tricking you into filling out a form for a particular reason, such as one of the following:

  • As a "security check"
  • As a requirement for "updating your personal details"
  • As a result of "redesigned online banking"


The information that PWS:HTML/Barfraud.AI attempts to gain from you includes the following:

  • Your personal information:
    • Full name
    • Date of birth
    • Address
    • Home phone number
    • Mobile (cell) phone number
  • Your financial information:
    • 16-digit Connect/Electron (Visa debit) card number
    • Three-digit card security code
    • Card expiry date
    • Debit card number
    • Account number
    • Account sort code (your account's bank/branch identification number)
    • Five-digit passcode
    • Telephone banking passcode


If you click "submit" or "update" or a similar button after filling out the form, the information is sent to a remote server. We have observed the information being sent to the following URLs using HTTP POST, which is a type of basic Internet data communication:

  • hxxp://mail.easymate.cn/done.php
  • hxxp://www.ecsl.lt/icons/barclays.php




Analysis by Mihai Calota

Last update 29 September 2012

 

TOP