PWS:HTML/Phish.BE

PWS:HTML/Phish.BE is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate PayPal webpage.

PWS:HTML/Phish.BE attempts to steal your banking and PayPal account information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.

It may use images, logos and layouts that the authors of PWS:HTML/Phish.BE have copied from an authentic PayPal site.

The phishing page is an HTML page that is usually hosted on compromised or malicious websites, which an attacker may attempt to lure you to by clicking a link in an email.

Alternatively, a visit to a compromised or malicious website can be used to redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Phish.BE.

In the wild, we have observed the following example webpage:

The information that PWS:HTML/Phish.BE attempts to gain from you includes the following:

• Full name
• Email address
• PayPal password
• SSN (social security number) if you reside in the US
• Credit/debit card number
• Credit card expiry date
• 3-digit card security code
• Bank name
• Date of birth
• Address
• Phone number

This information is sent to a website when the "Agree and Restore your account" button is pressed. We have observed the information being sent to the following websites:

• hxxp://debtmanagersoft.com
• hxxp://www.strmedia.com/reels/0000/0004/process.php
• hxxp://sochifito.cl/reactivation/w.php

Analysis by Rex Plantado