PWS:HTML/Phish.M

PWS:HTML/Phish.M is an HTML file that imitates the legitimate Paypal website to steal user information. You may receive an HTML email message containing this file, or it may be hosted on a website that you are led to.

The fake Paypal website may appear similar to the following:

Because the HTML webpage looks similar to the legitimate Paypal site, a user may unsuspectingly fill out all the information in the page. If "Submit Profile" is clicked, all the information is sent to a remote attacker.

The stolen information may include the following:

• User's email address
• User's Paypal password
• Social security number if the user resides in the USA
• User's address
• User's credit card information

In the wild, the stolen information has been observed sent to the IP address "206.<removed>.208.15".

Analysis by Francis Allan Tan Seng