Home / malwarePDF  

PWS:HTML/Taxfraud.A


First posted on 19 September 2012.
Source: Microsoft

Aliases :

PWS:HTML/Taxfraud.A is also known as PHISH/Banker.D (Avira), Trojan.JS.Banker (Ikarus).

Explanation :



PWS:HTML/Taxfraud.A is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate United Kingdom government taxation website. It is a member of the PWS:HTML/Taxfraud family.

These pages attempt to steal your banking information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.

These pages may use images, logos and layouts that the authors of PWS:HTML/Taxfraud.A have copied from an authentic United Kingdom government website.

The phishing page is an HTML page that is usually hosted on compromised or malicious websites or sent through email.

Alternatively, a visit to a compromised or malicious website can be used to redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Taxfraud.A.

A compromised website is an otherwise safe website to which an attacker has inserted one or more of these malicious pages, without the website owner's knowledge.

In the wild, we have observed the following example of PWS:HTML/Taxfraud.A:



We have observed these phishing pages using the following page names to steal your information:

  • refund_form.html
  • Refund_TaxID639223.html


The following is an example of what the URL for one of these pages might look like:

hxxp://www.<removed>.com/refund_form.html

PWS:HTML/Taxfraud.A attempts to obtain personal, banking-related data from you, by tricking you into filling out a form for a particular reason, such as claiming a tax refund.

The information that PWS:HTML/Taxfraud.A attempts to gain from you includes the following:

  • Your personal information:
    • Full name as it appears on your credit card
    • Date of birth
    • Personal identification phrases, such as your mother's maiden name
    • Address
    • Phone number
  • Credit or debit card information, including:
    • Bank name
    • Account sort code (your account's bank/branch identification number)
    • Account number
    • Debit/credit card number
    • Card expiry date
    • Card verification number/security code
    • Online credit card verification passwords, such as those used by "Verified by VISA" and "MasterCard SecureCode"


If you click "submit" or "update" or a similar button after filling out the form, the information is sent to a remote server. We have observed the information being sent to the following URLs using HTTP POST, which is a type of basic Internet data communication:

  • hxxp://70.89.177.117/d.php
  • hxxp://76.73.76.58/~emiltele/index1.php
  • hxxp://85.17.159.77/~londonhe/images.php
  • hxxp://85.17.159.77/~londonhe/new.php
  • hxxp://clearyfitzgeralddentalpractice.ie/cgi-bin/formmail/form.cgi
  • hxxp://emilteleaga.cc/index1.php
  • hxxp://hackneyvslibrary.co.uk/defaults.php
  • hxxp://www.london-historyes.org/default.php.php
  • hxxp://www.shoefashionality.com/ext/index1.php


Analysis by Mihai Calota

Last update 19 September 2012

 

TOP

Malware :

Family: