PWS:HTML/Bankfraud.F

PWS:HTML/Bankfraud.F is a password-stealing malicious webpage, known as a phishing page, that disguises itself as a legitimate online banking website. It is a member of the PWS:HTML/Bankfraud family.

These pages attempt to steal your banking information, particularly from Barclays bank, by tricking you into filling out your details in a form on a fake page, and then sending that information to a remote attacker.

These pages may use images, logos and layouts that the authors of PWS:HTML/Bankfraud.F have copied from an authentic banking website.

The phishing page is an HTML page that is usually hosted on compromised or malicious websites or sent through email.

Alternatively, a visit to a compromised or malicious website can be used to redirect you to a website that hosts phishing pages that are then detected as PWS:HTML/Bankfraud.F.

A compromised website is an otherwise safe website to which an attacker has inserted one or more of these malicious pages, without the website owner's knowledge.

In the wild, we have observed the following examples:

During analysis, most of the websites we observed hosting these phishing pages were compromised, and the pages used any of the following page names to steal your information:

• a.php
• auth.php
• barclays.co.uk.php
• barcs.php
• err.php
• finish.php
• m.php
• M5.php
• p.php
• update.php

This is an example of what the URL for one of these pages might look like:

hxxp://www.<removed>.com/barclays.co.uk.php

PWS:HTML/Bankfraud.F attempts to obtain personal, banking-related data from you, by tricking you into filling out a form for a particular reason, such as one of the following:

• As a "security check"
• As a requirement for "upgrading your personal details"
• To access or authenticate your account as a result of "redesigned online banking"

The information that PWS:HTML/Bankfraud.F attempts to gain from you includes the following:

• Credit card number
• Credit card expiry date
• 3-digit card security code
• Card holder name
• Debit card number
• Bank membership number
• Five-digit passcode
• Telephone banking passcode
• Surname
• Date of birth
• Mother's maiden name
• Memorable word
• Address
• Home phone number
• Mobile (cell) phone number

When "submit" or "update" or a similar button is pressed after filling out the form, the information may be either collected by the attacker from the compromised website, or sent to a remote server.

Related entries

PWS:HTML/Bankfraud

Analysis by Zarestel Ferrer