Home / malware PWS:HTML/Loyphish.G
First posted on 15 October 2012.
Source: MicrosoftAliases :
There are no other names known for PWS:HTML/Loyphish.G.
Explanation :
PWS:HTML/Loyphish.G is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate online banking webpage. It is a member of the PWS:HTML/Phish family.
The webpage attempts to steal your online banking information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.
It may use images, logos and layouts that the authors of PWS:HTML/Loyphish.G have copied from an authentic banking website.
The phishing page is an HTML page that is usually hosted on compromised or malicious websites, which an attacker may attempt to lure you to by clicking a link in an email.
Alternatively, a visit to a compromised or malicious website can be used to redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Loyphish.G.
In the wild, we have observed the following example webpage:
PWS:HTML/Loyphish.G attempts to obtain personal, banking-related data from you, by tricking you into filling out a form for a particular reason, such as to check or confirm your account details.
The information that PWS:HTML/Loyphish.G attempts to gain from you includes the following:
- User ID
- Password
- Personal identification phrases, or "memorable information"
- Date of birth
- 6-digit telephone banking PIN (personal identification number)
If you click "continue" or "update" or a similar button after filling out the form, the information is sent to a remote server. We have observed the information being sent to the following URL using HTTP POST, which is a type of basic Internet data communication:
- hxxp://www.whirleygames.co.uk/css/aa.php
Analysis by Jonathan San Jose
Last update 15 October 2012
