Threat behavior
PWS:HTML/Phish.CO is an HTML file that imitates legitimate websites. It attempts to steal your online banking or personal information by tricking you into filling out your details in a form on a fake page.
It is common for this detection to trigger in your Internet cache. When using Internet Explorer, the Internet cache is known as the Temporary Internet Files folder and is commonly located at C:\Users\<user name>\AppData\Local\Microsoft\Windows\Temporary Internet Files\. The Temporary Internet Files (or cache) folder contains webpage content that is stored on your hard disk for quick viewing. This cache permits Internet Explorer to download only the content that has changed since you last viewed a webpage, instead of downloading all the content for a page every time it is displayed. Having this detection reported may indicate that you have recently visited a website that tried to steal your sensitive information.
The webpages used by Phish.CO can vary. For example, we have seen the following pages, being used by Phish.CO to steal information:
In the examples, we've seen, Phish.CO has been trying to steal the following sensitive information:
- Your full name
- Bank account details
- Five-digit passcodes
- Telephone banking passcodes
- Email addresses
- Bank name
- Date of birth
- Address
- Phone number
When you click "continue", "update" or similar buttons after filling out the form, your information is sent to a remote server. We have observed captured information being sent to the following hosts using an HTTP POST method:
-
jobs-shopping.pro
-
alexkrauss.name
Analysis by Patrick Estavillo
Prevention
