JS_PHISHY.A

 Analysis by: Alvin Bacani

 ALIASES:

JS/Kryptik.AGJ (ESET-NOD32)

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Downloaded from the Internet

This spyware may be hosted on a website and run when a user accesses the said website.

  TECHNICAL DETAILS

File Size:

38,832 bytes

File Type:

HTML, HTM

Memory Resident:

No

Initial Samples Received Date:

19 Jul 2013

Payload:

Steals information

Arrival Details

This spyware may be hosted on a website and run when a user accesses the said website.

Stolen Information

This spyware sends the gathered information via HTTP POST to the following URL:

  • http://{BLOCKED}oronenglish.hu/.myacct/secure/accountsummary/aexp/login/action.php

NOTES:
This malware displays a fake account verification page of a credit card company. The page then attempts to steal sensitive user-input information such as:

  • Birthday
  • Credit Card Number and Security Code
  • Driver's License
  • Email Address
  • Email Password
  • Mother's Maiden Name
  • Security Pin
  • Social Security Number
  • Username and Password ,/li>

  SOLUTION

Minimum Scan Engine:

9.300

FIRST VSAPI PATTERN FILE:

10.164.06

FIRST VSAPI PATTERN DATE:

19 Jul 2013

Scan your computer with your Trend Micro product to delete files detected as JS_PHISHY.A. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.