
PWS:HTML/Phish.BE

Encyclopedia entry
Updated: Aug 03, 2012  |  Published: Jun 16, 2012

Aliases
Not available

Alert Level
Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.131.574.0
Released: Jul 24, 2012
Detection initially created:
Definition: 1.127.2134.0
Released: Jun 16, 2012


 

Summary

PWS:HTML/Phish.BE is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate PayPal webpage.

PWS:HTML/Phish.BE attempts to steal your banking and PayPal account information by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.

It may use images, logos and layouts that the authors of PWS:HTML/Phish.BE have copied from an authentic PayPal site.



 

Symptoms

Identifiable symptoms

The following may indicate the presence of PWS:HTML/Phish.BE:

  • An email inviting or requesting you to fill in your PayPal account details (including your bank details) to "restore your account"
  • The display of the following page, or ones similar to it, that asks you to fill out your PayPal account and bank details:



 

Technical Information (Analysis)

The phishing page is an HTML page that is usually hosted on a compromised or malicious website, to which an attacker may attempt to lure you with a link in an email.

Alternatively, visiting a compromised or malicious website may redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Phish.BE.

In the wild, we have observed the following example webpage:

The information that PWS:HTML/Phish.BE attempts to gain from you includes the following:

  • Full name
  • Email address
  • PayPal password
  • SSN (social security number) if you reside in the US
  • Credit/debit card number
  • Credit card expiry date
  • 3-digit card security code
  • Bank name
  • Date of birth
  • Address
  • Phone number

This information is sent to a website when the "Agree and Restore your account" button is pressed. We have observed the information being sent to the following websites:

  • hxxp://debtmanagersoft.com
  • hxxp://www.strmedia.com/reels/0000/0004/process.php
  • hxxp://sochifito.cl/reactivation/w.php
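
A defender-side check for the pattern described above, as an added example that is not part of the original entry: it flags forms on a page that names a brand and asks for password or card fields but submits them to a host outside the brand's own domain. The field-name hints, function names, hosts and sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
# Assumed substrings of input names that suggest credential or card data.
HINTS = ("pass", "ssn", "card", "cvv", "expir", "birth")

class FormAudit(HTMLParser):
    """Collect page text plus each form's action and (name, type) inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self.text, self._open = [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._open = {"action": a.get("action") or "", "fields": []}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None:
            name, kind = a.get("name") or "", a.get("type") or "text"
            self._open["fields"].append((name.lower(), kind.lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None

    def handle_data(self, data):
        self.text.append(data)

def off_brand_forms(html, page_url, brand, brand_domain):
    """Return resolved action URLs of forms that ask for sensitive data on a
    page naming `brand` but submit to a host outside `brand_domain`."""
    audit = FormAudit()
    audit.feed(html)
    if brand.lower() not in " ".join(audit.text).lower():
        return []
    hits = []
    for form in audit.forms:
        wants_secret = any(kind == "password" or any(h in name for h in HINTS)
                           for name, kind in form["fields"])
        target = urljoin(page_url, form["action"])  # relative actions resolve to the hosting site
        host = (urlparse(target).hostname or "").lower()
        on_brand = host == brand_domain or host.endswith("." + brand_domain)
        if wants_secret and not on_brand:
            hits.append(target)
    return hits

# Constructed sample page (not the page observed in the wild).
SAMPLE = """<title>PayPal - Restore your account</title><form action="process.php" method="post">
<input name="fullname"><input type="password" name="pp_pass"><input name="cardnumber">
<input type="submit" value="Agree and Restore your account"></form>"""
```

Matching on the registered domain suffix rather than a substring means a lookalike host that merely starts with the brand's domain is still flagged.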

Analysis by Rex Plantado



 

Prevention



 

Recovery

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

PWS:HTML/Phish.BE attempts to steal sensitive and confidential information from affected users to perpetrate fraud. If you believe that your personal financial information may have been compromised, please refer to the following advisory for additional advice:
