Analysis by: Vincent Martin Hermosura

 PLATFORM:

Windows 2000, Windows Server 2003, Windows XP (32-bit, 64-bit), Windows Vista (32-bit, 64-bit), Windows 7 (32-bit, 64-bit)

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It deletes the initially executed copy of itself.

  TECHNICAL DETAILS

File Size: 405,504 bytes
File Type: EXE
Memory Resident: Yes
Initial Samples Received Date: 28 Feb 2013
Payload: Connects to URLs/IPs

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

  • %Application Data%\{random folder name}\{random file name1}.exe

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It creates the following folders:

  • %Application Data%\{random folder name}
  • %Application Data%\Microsoft\Address Book

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • Global\{GUID}

It stays memory-resident by creating remote threads:

  • %Windows%\explorer.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows.)

Autostart Technique

This spyware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
{GUID} = "%Application Data%\{random folder name}\{random file name1}.exe"

Other System Modifications

This spyware adds the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\
WAB

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name

HKEY_CURRENT_USER\Software\Microsoft\
{random}

It adds the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkContactRefresh = "0"

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4
OlkFolderRefresh = "0"

HKEY_CURRENT_USER\Software\Microsoft\
WAB\WAB4\Wab File Name
(Default) = "%Application Data%\Microsoft\Address Book\{user name}.wab"

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
{port1}:UDP = "{port1}:UDP:*:Enabled:UDP {port1}"

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\GloballyOpenPorts\
List
{port2}:TCP = "{port2}:TCP:*:Enabled:TCP {port2}"

Dropping Routine

This spyware drops the following files:

  • %Application Data%\Microsoft\Address Book\{user name}.wab
  • %User Temp%\tmp{random}.bat - Used to delete its initially executed copy
  • %Application Data%\{random file name2}.{random}

(Note: %Application Data% is the current user's Application Data folder, which is usually C:\Documents and Settings\{user name}\Application Data on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Roaming on Windows Vista and 7.. %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003, or C:\Users\{user name}\AppData\Local\Temp on Windows Vista and 7.)

Information Theft

This spyware s configuration file contains the following information:

  • .bankofamerica.com
  • http://.macys.com/.ognc?
  • http://.mail.yahoo.comco.uk/
  • http:///googleapis/ajax/libs/jquery/1.7.1/jquery.min.js
  • http:///logs/dtukvbv/in.php?
  • http:///logs/dtukvbv/js.php?
  • http:///logs/galerter/in.php?
  • http:///logs/in.php?
  • http:///logs/moneypak/in.php?
  • http:///logs/ukvbvg/in.php?
  • http:///logs/ukvbvg/js.php?
  • http:///nwolb/gate.php?
  • http:///rpl_bib/gate.php?
  • http:///rpl_bib/js.php?
  • http:///rpl_cashmanagement/gate.php?
  • http:///rpl_cashmanagement/js.php?
  • http:///rpl_lloyds_bos/gate.php?
  • http:///rpl_lloyds_bos/js.php?
  • http:///rplg/get.php?
  • http:///rplg/js.php?
  • http:///rplhsbcbusiness/get.php?
  • http:///rplhsbcbusiness/js.php?
  • http:///rplkod/get.php?
  • http:///rplkod/js.php?
  • http:///rplrch/get.php?
  • http:///rplrch/js.php?
  • http:///rpluk/get.php?
  • http:///rpluk/js.php?
  • http:///scripts/default0.js?
  • http://amazon./
  • http://businessaibie/businesslogin
  • http://deutsche-bank.de/
  • http://ebay./
  • http://empresa.lacaixa.es/
  • http://facebook./
  • http://gbw.it
  • http://mail.aol.comco.uk/
  • http://mail.google.com/mail/
  • http://my.ebay.com/ws/eBayISAPI.dll?CurrentPage=MyeBayPersonalInfo\x1cMyeBaySummaryMyeBayNextSummary
  • http://my.ebay.com/ws/eBayISAPI.dll?MyeBay
  • http://netbanking.sparkasse.at/hilfe/sicherheit
  • http://paypal./
  • http://postbank.bg
  • http://savingsloans.com.au/PCLink_Check.aspx?p=52
  • http://ubs.com/
  • http://www.atime.it/
  • http://www.business.natwest.com/afb/public/nwb/AFBRoot/mainhome/2morover/accounts
  • http://www.citibank.com.au/australia/signon1/
  • http://www.co-operativebank.co.uk/corporate/fdo-noticeboard
  • http://www.communitycps.com.au/aspx/banking_view.aspx
  • http://www.credem.it/secure/Forms/Privati/Pagine/
  • http://www.cybusinessonline.co.uk/essential-maintenance/fraud-message
  • http://www.ebay.com/
  • http://www.firsttrustbank.co.uk/FTBusinessPortal
  • http://www.inbiz.intesasanpaolo.com/
  • http://www.jp-bank.japanpost.jp/direct/pc/security/dr_pc_sc_start.html
  • http://www.keljob.com/ecommerce/customer/account/login
  • http://www.lloydsbankcommercial.com/servicemessage
  • http://www.membersequitybank.com.au/webBanking
  • http://www.mizuhobank.co.jp/.html
  • http://www.mizuhobank.co.jp/direct/start.html
  • http://www.montepio.pt/SitePublico/pt_PT/empresas
  • http://www.ntrs\x1cnortherntrust.com/\x1cptl/pcl/login.jsp?
  • http://www.rabobank.nl/bedrijven/uitgelogd
  • http://www.rabobank.nl/particulieren/uitgelogd
  • http://www.secure.hsbcnet.com/uims/content/public/hibm/logon/logon.html
  • http://www.wellsfargo.com/com
  • http://wwwcitibankcom/us/citibusinessonline/index.htm?
  • http://wwwrbs.co.uk/corporate/electronic-services/g1/bankline.ashx
  • httpaccesd.affaires.desjardins.com
  • httpaccesd.desjardins.comcooperADOperations
  • httpaccesd.desjardins.comModifierQuestRepAuthForte
  • https://.americanexpress.com
  • https://.anz.com/IBAU/
  • https://.anz.com/IBAU/BANKAWAYTRAN
  • https://.anztransactive.anz.com/saam/SAAMLogin/Login.fcc
  • https://.bankofamerica.com
  • https://.bankofamerica.com/login/sitekeyskmaint.go
  • https://.bankofamerica.com/myaccounts/
  • https://.banquepopulaire.fr/auth/UI/Login
  • https://.bk.mufg.jp/ib/dfw/APL
  • https://.bmo.com
  • https://.cedacri.it/hb/main/home.seam
  • https://.cedacri.it/HBNET/CONFIG.NSFmsgalertlogon.html
  • https://.corpower.org/SecureLogonMultiAuth.aspx?
  • https://.credit-agricole.fr/stb/entreeBam
  • https://.csebo.it/webcontoc/context
  • https://.de/portal/p
  • https://.de/portal/portal
  • https://.de/ptlweb/WebPortal
  • https://.directnet.com/dn/c/cls/auth
  • https://.ebanking-services.com/.aspx
  • https://.gruppocarige.it/vbank/
  • https://.lloydstsb.co.uk/personal/a/logon/entermemorableinformation.jsp
  • https://.ml.com/ClientFederation/Loginwidget.aspx
  • https://.onlineaccess1.com//Authentication/Login.aspx
  • https://.pncs.com.au/806015v47/
  • https://.royalbank.com
  • https://.scotiaonline.scotiabank.com
  • https://.td.com/waw/idp/login.htm
  • https://.wblnkblilk\x1d.com/Core/Authentication/MFAPassword.aspx
  • https://.wellsfargo.com/
  • https://.westpac.com.au/esis/Login/SrvPage
  • https://.westpac.com.au/wtwt/startpage
  • https://.worldsourcefinancial.com/uiw/LoginFailedLogin.html?
  • https:///cmserver/verify.cfm
  • https:///ebc_ebc1961/
  • https:///FBONav?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///fi/bb/logon
  • https:///FOSConvertiFormato?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///FPA02F24Action?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///FPABODFDistinta?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///FPABODFSingolo?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///FPABonificoEstero?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///FPARibaOnLine?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///FPFribaDistinta?CreateDocument&login=1&id=&action=&pswdispo=
  • https:///onlineserv/CM/adminLogin.cgi
  • https:///onlineserv/CM/index.cgi
  • https:///PassMarkRSAToken.aspx?
  • https:///portal/portal
  • https:///ptlweb/WebPorta
  • https:///pub/html/rsa/pt/RSApm/loginLoginRSAIDloginID.html
  • https:///script/Login2Servlet?
  • https:///tdsecure/intro.jsp
  • https:///wcmfd/wcmpw/Login
  • https://1111111111111111kunde.comdirect.de/itx/kontouebersicht/anzeige
  • https://111111111111kunde.comdirect.de/itx/persoenlicherbereich/anzeige
  • https://111111111111kunde.comdirect.de/itx/ueberweisung
  • https://111111111111kunde.comdirect.de/tx/brokerage/konto
  • https://111111kunde.comdirect.de
  • https://3ds.cardcenter.ch/acspage/cap?RID=
  • https://3ds.jccsecure.com/acspage/cap?RID=
  • https://3dsecure.acb.com.vn/ACB/jsp/
  • https://3dsecure.icscards.nl/acspage/cap?RID=
  • https://3dsecure.ing.ro/acs/auth/
  • https://3dsecure.paylife.at/acspage/cap?RID=
  • https://abnamro.nl/nl/ideal/identification.do
  • https://abnamro.nl/nl/logon/identificationhtml
  • https://absonline.absbuildingsociety.com.au/login.asp
  • https://accesd.desjardins.com//accesd/
  • https://accesd.desjardins.com/cooperADOperations/OperationImmediate.do
  • https://accesd.desjardins.com/tisecuADGestionAcces/logoff.do
  • https://accesd.desjardins.com/tisecuADGestionAcces/LogonAuthForteADP.do?msgId=logonValiderIdentit
  • https://accesd.desjardins.com/tisecuADGestionAcces/ModifierQuestRepAuthForte.do
  • https://access.imb.com.au/personal
  • https://access.jpmorgan.com/jpmalogon
  • https://access.rbsm.com/logon/passworddp300/.fcc?
  • https://accessonline.abnamro.com/fss/open/welcome.do
  • https://acs-ch.cal-online.co.il/acspage/cap?RID=
  • https://acs.icicibank.com/acspage/cap?RID=
  • https://acs.netcetera.ch/acspage/cap?RID=
  • https://acs.onlinesbi.com/sbi/jsp/
  • https://acs.swisscard.ch/acspage/cap?RID=
  • https://acs1.viseca.ch/acspage/cap?RID=
  • https://acs3.3dsecure.no/mdpayacs/pareq
  • https://acs4.3dsecure.no/mdpayacs/pareq
  • https://alphabank.cardinalcommerce.com/transaction/
  • https://apib.anz.com/apinetbank/StartupLoginEsInetANZ.aspx?
  • https://areariservata.bancamarche.it/wps/portal/login//corporate/
  • https://areariservata.bancamarche.it/wps/portal/login//corporatefamily/
  • https://areariservata.divisioneconsumer.it/
  • https://areattiva.agosweb.it/
  • https://authmaster.nationalcity.com/tmgmt/ogin.
  • https://avantcard.cardinalcommerce.com/transaction/
  • https://b1ext.rflbiab.com.au/mcu-prod/UI/
  • https://bancaincasa.sba.bcc.it//
  • https://bancaincasa.sba.bcc.it//htdocs/index_ita.htmlloginVersion.html
  • https://bancolombia.olb.todo1.com/html/navigation/leftmenu.jsp
  • https://bancolombia.olb.todo1.com/olb/Authentication
  • https://bancolombia.olb.todo1.com/olb/GetUserProfile
  • https://bancolombia.olb.todo1.com/olb/Login
  • https://bancolombia.olb.todo1.com/olb/RSACheckUserChallengeQuestions
  • https://bancopostaimpresaonline.poste.it/bpiol/
  • https://bancopostaimpresaonline.poste.it/bpiol/lastFortyMovementsBalance.do?method=loadLastFortyMovementList
  • https://bancopostaimpresaonline.poste.it/bpiol/login.do?method=verify
  • https://bancopostaimpresaonline.poste.it/bpiol/method
  • https://bancopostaimpresaonline.poste.it/bpiol/switch.do?method=switchApp&code=HOME&FUNCTIONCODESELECTED=HOME
  • https://bancopostaimpresaonline.poste.it/js/menu/jscript/global.js
  • https://bancopostaimpresaonline.poste.it/RBWeb/HOM/contiCorrenti.do?method=contiCorrenti
  • https://bancopostaimpresaonline.poste.it/RBWeb/HOM/service.do?admi
  • https://bancopostaimpresaonline.poste.it/RBWeb/RBLite/ContiCorrenti/lmf.jsp
  • https://bancopostaimpresaonline.poste.it/RBWeb/RBLite/ContiCorrenti/lsf.jsp
  • https://bancopostaimpresaonline.poste.it/RBWeb/RBLite/ContiCorrenti/scc.jsp
  • https://bancopostaonline.poste.it/bpol/cartepre/servizi/cartapostepay/cartapostepayBenvenuto
  • https://bancopostaonline.poste.it/bpol/cartepre/servizi/cartapostepaylistamovimenti
  • https://bancopostaonline.poste.it/bpol/cartepre/servizi/cartapostepaysaldo
  • https://bank.barclays.co.uk/olb/auth/LoginLink.action
  • https://bank.barclays.co.uk/olb/balances/PersonalFinancialSummary.action
  • https://bankaljazira.cardinalcommerce.com/transaction/
  • https://bankieren.mijn.ing.nl/particulier
  • https://bankieren.rabobank.nl/klanten
  • https://banking.bank1saar.de
  • https://banking.bankofscotland.co.uk/Logon/logon.aspx
  • https://banking.bankofscotland.co.uk/Logon/Logon.aspx?
  • https://banking.bankofscotland.co.uk/ogon/ogon.aspx
  • https://banking.berliner-bank.de/trxm
  • https://banking.berliner-bank.de/trxm/bb
  • https://banking.berliner-sparkasse.de/portal/portal/
  • https://banking.commercebank.com/CBI/Accounts/CBI/Summary.aspx
  • https://banking.dkb.de/dkb
  • https://banking.dkb.de/portal/portal
  • https://banking.flessabank.de
  • https://banking.gecapital.de
  • https://banking.gecapital.de/entry
  • https://banking.gecapital.de/portal
  • https://banking.lloydsbank.com/Logon/logon.aspx
  • https://banking.lloydsbank.com/Logon/logon.aspx?
  • https://banking.lloydsbank.com/ogon/ogon.aspx
  • https://banking.mashreqbank.com/FID/login.aspx
  • https://banking.postbank.de/app/kontoumsatz.umsatz.initfinanzstatus.initnachrichtenbox.input.do
  • https://banking.postbank.de/app/legitimation.input.do
  • https://banking.postbank.de/app/mtan.listen.input.do
  • https://banking.postbank.de/rai
  • https://banking.postbank.de/rai/
  • https://banking.postbank.de/rai/login
  • https://banking.postbank.de/rai/StartPageFinanzstatusPage
  • https://banking.raiffeisen.at/logincenter
  • https://banking.securebnl.it/wps/portal/
  • https://banking.smile.co.uk
  • https://banking.sparda.de
  • https://banking.triodos.co.uk/ib-seam/login.seam?loginType=dp550
  • https://banklinknet
  • https://banklinknet2.cariparma.it/NET2/Logoin
  • https://bbank.ybonline.co.uk/ifdu/ifdlm-web/login.ctl
  • https://bbo.1stsource.com/login.cfm
  • https://betalen.rabobank.nl/ideal-betaling
  • https://biz.hkbea-cyberbanking.com/servlet/MA01Show?
  • https://bizibanking.bangkokbank.com/bblamsui/Signon.aspx
  • https://bizonline.tcbk.com/tcbsb_corporatebankingweb/core/login.aspx?
  • https://bmo.com
  • https://bnidirect.bni.co.id/corp/common/login.do?action=login
  • https://bnycash.bankofny.com/
  • https://boveda.banamex.com.mx/
  • https://boveda.banamex.com.mx/serban/index.htm
  • https://bpmbanking.itHomePriv
  • https://bpmbanking.itHomePrivata.do
  • https://business-eb.ibanking-services.com/K1/sb_login.jsp?
  • https://business.bnl.it/bway/access/login
  • https://business.bnl.it/login/SMBway.jsp
  • https://business.co-operativebank.co.uk/corp/BANKAWAY
  • https://business.danskebank.co.ukcom/pub/logon/logon.aspx
  • https://business.lloydsbank.co.uk/businessaccount_
  • https://business.memberdirect.net/servlet/Logonbusiness/default.jsp?
  • https://business.santander.co.uk/LGSBBI_NS_ENS/ChannelDriver.ssobtoLOGON
  • https://businessbankingcenter.synovus.com/commercial/portal/login/basic/index.php
  • https://businessbankingsoc.tdcommercialbanking.com/WBB/LoginDisplay?;
  • https://businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx
  • https://businessonline.mutualofomahabank.com/cb/pages/jsp-ns/login.jsp
  • https://businessonline.tdbank.com/corporatebankingweb/core/login.aspx
  • https://businessonline.westpac.com.au/esis/furniture/v2.12/ESI/scripts/esi_writeKeypad.js
  • https://businessonline.westpac.com.au/esis/furniture/v2.12/scripts/jquery-1.3.2.min.js
  • https://businessonline.westpac.com.au/esis/Login/SrvPage
  • https://businessportal.mibank.com/oracleAccessManager/securid-forms-adforest/login.html?
  • https://bvi.bnc.ca
  • https://caixaebankingonline.cgd.pt/ceb/login.seam
  • https://cap.securecode.com/acspage/cap?RID=
  • https://capitalone360.com/myaccount/
  • https://cards.indusind.com/IndusindBank/jsp/
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/AndhraBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/BOB/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/BOBCards/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/CanaraBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/ComBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/CorporationBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/DenaBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/FederalBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/IndianBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/IOB/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/JKBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/KotakBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/KVB/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/SeylanBank/server/AccessControlServer
  • https://cardsecurity.enstage.com/ACSWeb/EnrollWeb/UCOBank/server/AccessControlServer
  • https://cardsecurity.standardchartered.com/acspage/cap?RID=
  • https://cardservicing.mint.co.uk/RBSG_Consumer/Login.do
  • https://cartabancopostapiu.compassonline.it/
  • https://cashmanagement.barclays.net/portalservices/forms/login.pser
  • https://cashmanager.mizuhoe-treasurer.com/mz/servlet/SLogin?
  • https://cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/
  • https://cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces
  • https://cbfm.saas.cashfac.com/cbfm/
  • https://cbi.bpmbanking.it/eb/esitoNonStipendi.do
  • https://cbi.bpmbanking.it/eb/storicoDistinte.do
  • https://cbi.electracard.com/cbi/jsp/
  • https://cbionline.cbi.ae/bus/security/companyLogin.jsp
  • https://cbs.fidelitybanknc.com/cb/servlet/cb/loginfcbnc.jsp?
  • https://cbs.ncbchina.cn/corporbank/login_basic_e.jsp?
  • https://cedacri.itHOME.NSF/FMsgAlertLogonInf?OpenForm&Login=1
  • https://chaseonline.chase.com/MyAccounts.aspx
  • https://cib.bankofthewest.com/K/\x1csa/login.jspindex.html?
  • https://cib.bochk.com/login/cib_login012_.jsp?
  • https://cib.bochk.com/login/fis/cib_login012_.jsp?
  • https://cib.icicibank.ca/CORPCIBCA/BANKAWAY?;
  • https://cib.icicibank.com.sg/CIBSGAPP/BANKAWAY?
  • https://cib.uab.ae/
  • https://client.schwab.com/Accounts/Summary/Summary.aspx
  • https://clientlogin.ibb.ubs.com/login?
  • https://cmol.bbt.com/auth/prompt.tb
  • https://cms.us.bk.mufg.jp/cbbtmu/logon/sbuser
  • https://co.uk/personal/a/account_details
  • https://co.uk/personal/a/change_MI
  • https://co.uk/personal/a/changememorableinformation/successmemorableinformation
  • https://co.uk/personal/a/make_transfer
  • https://co.uk/personal/a/your_personal_details
  • https://co.uk/personal/logon/login.jsp
  • https://commercial.bnc.ca/auth/Login
  • https://commercialservices.mandtbank.com/keypad/keypadCommon.jsp;?
  • https://commerzbank.de
  • https://commerzbanking.de
  • https://commerzbanking.de/js_bb/util.js
  • https://comnet.pbz.hr/PbzComnetWeb/app/logon.html
  • https://connect.barclays.com/authen
  • https://connexis.bnpparibas.com/
  • https://core.cedacri.it/CORE//LogonStep
  • https://core.cedacri.it/CORE/main/Workspace
  • https://corp.millenniumbcp.pt/_login/MPTCPlogin
  • https://corpbank.electracard.com/corpbank/jsp/
  • https://corpebankasia.icbc.com.cn/icbc/corporbank/index.jsp?
  • https://corporate.adcb.com/corporateWeb/
  • https://corporate.bpn.pt/CorporateBanking//autenticacao
  • https://corporate.cbq.com.qa
  • https://corporate.friuladria.it
  • https://corporate.friuladria.it/NET2/Logoin
  • https://corporate.metrobankdirect.com/corp_login_page.asp
  • https://corporate.santander.co.uk/LOGSCU_NS_ENS/
  • https://corporate.santander.co.uk/LOGSCU_NS_ENS/BtoChannelDriver.bto?dse_operationName=OP_LOG_ON
  • https://cosacs.electrapay.com/CosmosBank/jsp/
  • https://de/portal/portal
  • https://DesktopDefault
  • https://direct.53com/direct/logon53Direct.jsp
  • https://direct.jp-bank.japanpost.jp/tp1web/U.do
  • https://direct.smbc.co.jp/
  • https://direct11.bk.mufg.jp/ib/dfw/APL/
  • https://direkt.postbank.de/direktportalApp/application
  • https://direkt.postbank.de/direktportalApp/index.jsp
  • https://direkt.rba.hr/cgi-bin/ppz2/start/rbat.jsp
  • https://e-finance.postfinance.ch/ef/securesecure/fp/html/
  • https://e-finance.postfinance.ch/public/fp/html/static/ch.postfinance.fipo/scripts/main.min..js
  • https://e-finance.postfinance.ch/secure/fp/html/e-finance
  • https://eadibcorp.adib.ae/cb/servlet/cb/jsp-ns/login.jsp
  • https://eadibcorp.adib.ae/cb/servlet/cb/jsp-ns/login2.jsp
  • https://easyweb.tdcanadatrust.com/MaintainSecurityOptionsServlet
  • https://easyweb.tdcanadatrust.com/servlet/ca.tdbank.banking.servlet.FinancialSummaryServlet
  • https://eb.bankcomm.com.hk/eb/login.action?
  • https://ebank.adcu.com.au/mvp352/Login.asp
  • https://ebank.eonbank.com.my/cashmgmt/security/commonLogin.jsp?
  • https://ebank.kasikornbankgroup.com/kbiznet/login.html
  • https://ebank.spdb.com.cn/ent//login/queryosa_query.jsp
  • https://ebanking-ch.ubs.com/workbench/Index.do
  • https://ebanking.bawagpsk.com
  • https://ebanking.blombankegypt.com/ceb/cebcw/controller.jpf
  • https://ebanking.clarisbanca.it/wps/wcm/connect/web+content/GVB-LoginHB/GVB-Login/LoginGVB/
  • https://ebanking.cpb.gr/ui/tellerb2c/b2c/
  • https://ebanking.customscu.com.au/Login.asp
  • https://ebanking.eurobank.gr/ebanking/js/ebanking_utils.js
  • https://ebanking.eurobank.gr/ebanking/login.faces
  • https://ebusiness.hangseng.com/1/2/
  • https://ecash./ABCorporate/Core/signindefault.aspx?
  • https://edidelhkglonsta.my.rbs.com
  • https://egyptnet.bnpparibas.com/part//dciweb.htm?p0=idesai.tht
  • https://elementa.otpbanka.hr/gradjani//foweb/nb/eLEMENTa
  • https://elink.somb.com.au/mvpSOMB/Login.asp
  • https://empresa.lacaixa.es/
  • https://empresas.gruposantander.es/Estatico/BEComponentesGeneralesAccesoSEI/Html/webempresas.htm
  • https://entreprises.societegenerale.fr
  • https://entry11.bk.mufg.jp/ibg/dfw/APLIN/loginib/login
  • https://eurobankmc.cardinalcommerce.com/
  • https://eurobankvisa.cardinalcommerce.com/
  • https://express.53.com/portal/auth/login/Login
  • https://fdonline.co-operativebank.co.uk/corp/BANKAWAY
  • https://fes.rakuten-bank.co.jp/MS/main/COMMAND=
  • https://fes.rakuten-bank.co.jp/MS/main/fcs/rb/fes/jsp/mainservice/Security/LoginAuthentication/Login/Login.jsp
  • https://fiepay.mashreqbank.com/Login.asp
  • https://finanzportal.fiducia.de
  • https://finanzportal.fiducia.de/
  • https://finanzportal.fiducia.de/entry
  • https://finanzportal.fiducia.de/portal
  • https://fineco.it
  • https://fps.fidelity.com/ftgw/Fps/Fidelity/RSAAnalyzeChallengeRetail/Maintain/Init
  • https://globalaccess.firstglobal-bank.com/internetbanking/ENULogin.jsp
  • https://gruppocarige.corporate.ssb.net//desktopdefault.asp
  • https://halifax-online.co.uk/personal
  • https://hb./LOGIN2.0/RTLOGIN/ASPX/
  • https://hb.bancareale.it
  • https://hbclassic.bpergroup.net
  • https://hbclassic.bpergroup.net//run?command=MOV_CC
  • https://hbnet.cedacri.it//home.nsf/Login=1
  • https://hbnet.cedacri.it/06045/home.nsf/FMsgAlertLogonFrameSet?OpenForm
  • https://hbnet.cedacri.it/CreateDocumentLogin
  • https://hbnet.cedacri.it/HBNET/CONFIG.NSF/risorse/-MSGALERTLOGON/$FILE/msgalertlogon.html
  • https://hbnet.cedacri.it/Main?OpenNavigator
  • https://hbpaschiinaziendacorporate./LOGIN2.0/RTLOGIN/ASPX/
  • https://hiring.monster.com/ogin.aspx
  • https://home.cbonlineco.uk/ralu/reglm-web/login.ctl
  • https://home.cybusinessonline.co.uk/lmgru/ceblm-web/
  • https://home.ybonlineco.uk/ralu/reglm-web/login.ctl
  • https://homebank.tsbbank.co.nz/online/HomeBServlet
  • https://hsbc.ca/1/2/!ut/
  • https://hypovereinsbank.deview=
  • https://i3d.borica.bg/acspage/cap?RID=
  • https://ib.absa.co.za/ib/Authenticate.do
  • https://ib.cim-italia.it/eb/accessologindo
  • https://ib.mps.it/web/ib/login
  • https://ib.nab.com.au/nabib/acctInfo_acctBal.ctl
  • https://ib.nab.com.au/nabib/index.jsplogin.ctl?
  • https://ib.npbs.co.uk/IB.Web/Login.aspx
  • https://ib.swedbank.lv
  • https://ib.teacherscreditunion.com.au/
  • https://ibank.agribank.com.vn/ibank/index.jsp
  • https://ibank.b-e.com.au/ibank/login.asp
  • https://ibank.barclays.co.uk/olb//Login
  • https://ibank.bcu.com.au/Login.asp
  • https://ibank.bib.barclays.com/logon
  • https://ibank.bib.barclays.com/logon/
  • https://ibank.bri.co.id/cms/
  • https://ibank.hncb.com.hk/netbank/pages/jsp/HKLogin/html/HKLogin_en.jsp?
  • https://ibank.humebuild.com.au/login.asp
  • https://ibank.nbg.gr/
  • https://ibank.nbg.gr/wps/myportal/!ut/
  • https://ibank.nbg.gr/wps/portal/LoginPageMap
  • https://ibank.standardchartered.com.hk/nfs/login.htm?
  • https://ibank.standardchartered.com.sg/nfs/login.htm?
  • https://ibanking..com.au/ibank/loginPagelogonAction.action
  • https://ibanking.banksa.com.au/InternetBanking/applySMSAlert.do
  • https://ibanking.banksa.com.au/InternetBanking/viewAccountPortfolio.do
  • https://ibanking.cairnspenny.com.au/Login.asp
  • https://ibanking.sbc-bank.com/iBanking/App_Files/Login/Login.aspx
  • https://ibanking.stgeorge.com.au/InternetBanking/viewAccountPortfolio.do
  • https://ibb.aibgb1.co.uk/ibb/controller
  • https://ibb.firsttrustbank1.co.uk/ibb/controller
  • https://ibbweb.tecmarket.it/tmibbwebsecurity//
  • https://ibqmc.cardinalcommerce.com/
  • https://ibqvisa.cardinalcommerce.com/
  • https://ibs.bankwest.com.au//AccountInformation//Balances.aspx
  • https://ibs.bankwest.com.au/BWLogin/.aspx?
  • https://ibusinessbanking.aib.ie/ibb/controller
  • https://icscards.nl/nlic/portal/ics/login
  • https://ideal.dbs.com/loginSubscriber/login/SubscriberLoginServletpin.jsp
  • https://ideal.ing.nl/internetbankieren/SesamLoginServlet
  • https://ideal.snsreaal.nl/secure/sns/Pages/Payment
  • https://ideal.snsreaal.nl/secure/srb/Pages/Payment
  • https://ihb.cedacri.it/hb/authentication/login-PIN_UTENTE
  • https://ihb.cedacri.it/hb/authentication/login.seam
  • https://ihb.cedacri.it/hb/main/
  • https://inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank
  • https://inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank?xid=
  • https://internet-banking.hk.dbs.com/IB/Welcome?
  • https://internetbank.swedbank.se/idp/portal/identifieringidp/idp/dap1
  • https://internetbanken.privat.nordea.se/nsp/login
  • https://internetbanking.firstoptioncu.com.au/mvptab/login.asp
  • https://internetbanking.gad.de/ptlweb
  • https://internetbanking.securetrustbank.com/SecureTrust/SecureTrust
  • https://internetbanking.suncorpbank.com.au
  • https://internetbanking.suncorpbank.com.au/?
  • https://internetbanking.suncorpbank.com.au/DisplayAccountLimits
  • https://internetbanking.suncorpmetway.com.au/sml/logon.asp
  • https://invest.ameritrade.com/grid/p/site
  • https://is2.cuviewpoint.net/firebrigades/
  • https://is2.cuviewpoint.net/mvpamp/
  • https://is2.cuviewpoint.net/mvpamp/login.asp
  • https://is2.cuviewpoint.net/mvpcentralmurray/Login.asp
  • https://is2.cuviewpoint.net/mvpcompanion/Login.asp
  • https://is2.cuviewpoint.net/mvpcomtax/Login.asp
  • https://is2.cuviewpoint.net/mvpcwcul/Login.asp
  • https://is2.cuviewpoint.net/mvpencompass/login.asp
  • https://is2.cuviewpoint.net/mvpfamilyfirst/Login.asp
  • https://is2.cuviewpoint.net/mvpfcc/Login.asp
  • https://is2.cuviewpoint.net/mvpford/login.asp
  • https://is2.cuviewpoint.net/mvpgm/login.asp
  • https://is2.cuviewpoint.net/mvpheritageisle/login.asp
  • https://is2.cuviewpoint.net/mvpindustriesmutual/Login.asp
  • https://is2.cuviewpoint.net/mvplucu/Login.asp
  • https://is2.cuviewpoint.net/mvpmaccu/Login.asp
  • https://is2.cuviewpoint.net/mvpmaritime/login.asp
  • https://is2.cuviewpoint.net/mvpmaroondah/login.asp
  • https://is2.cuviewpoint.net/mvpphcu/Login.asp
  • https://is2.cuviewpoint.net/mvpplenty/login.asp
  • https://is2.cuviewpoint.net/mvpqldprof/Login.asp
  • https://is2.cuviewpoint.net/mvpsge/Login.asp
  • https://is2.cuviewpoint.net/mvpstmarys/Login.asp
  • https://is2.cuviewpoint.net/mvpswc/login.asp
  • https://is2.cuviewpoint.net/mvptartan/login.asp
  • https://is2.cuviewpoint.net/mvpwaw/Login.asp
  • https://is2.cuviewpoint.net/mvpwecu/Login.asp
  • https://isi-business.sparkasse.it/CORE//LogonStep
  • https://isi-netbusiness.sparkasse.it/Home/Introduzione/Visualizza.aspx?ID_Primaria=
  • https://jpmorgan.chase.com/Secure/Summary
  • https://kfh-b.cardinalcommerce.com/transaction/
  • https://ktt.key.com/ktt/cmd/logon
  • https://ktt.key.com/ktt/cmd/logonFromKeyComNew
  • https://kunde.comdirect.de
  • https://kunde.comdirect.de/ccf/modules/js/cp_core.module.js
  • https://kunde.comdirect.de/ccf/plugins/js/jquery.cdb.commandlink.js
  • https://kunde.comdirect.de/ccf/plugins/js/jquery.cdb.topframechecker.js
  • https://kunde.comdirect.de/itx/geldanlagen/auflisten
  • https://kunde.comdirect.de/itx/kontouebersicht/anzeige
  • https://kunde.comdirect.de/itx/persoenlicherbereich/anzeige
  • https://kunde.comdirect.de/itx/posteingangsuche
  • https://kunde.comdirect.de/itx/ueberweisung
  • https://kunde.comdirect.de/itx/umsaetze/auflisten
  • https://kunde.comdirect.de/itx/versandoptionen/verwalten
  • https://kunde.comdirect.de/lp/wt
  • https://kunde.comdirect.de/lp/wt/login
  • https://kunde.comdirect.de/tx/brokerage/konto
  • https://latinamerica.citibank.com/MXGCB/LATAM/edelivery/ChangeFlowToCancelService.do
  • https://latinamerica.citibank.com/MXGCB/LATAM/edelivery/CustomerChannelProcess.do
  • https://latinamerica.citibank.com/MXGCB/LATAM/edelivery/FinalizeFlow.do
  • https://latinamerica.citibank.com/MXGCB/LATAM/edelivery/InitializeCitimailQH.do
  • https://latinamerica.citibank.com/MXGCB/LATAM/edelivery/InitializeFlow.do
  • https://latinamerica.citibank.com/MXGCB/LATAM/edelivery/ShowIndex.do
  • https://latinamerica.citibank.com/MXGCB/LATAM/edelivery/StatementsProcess.do
  • https://leumionline.bankleumi.co.uk/my.policy
  • https://lloydsbank.co.uk/personal
  • https://lloydslink.online.lloydsbank.com/Logon/Logon.jsp
  • https://lloydslink.online.lloydsbank.com/xlWebApp/
  • https://login.commbiz.commbank.com.au/?
  • https://login.fidelity.com/ftgw/Fas/Fidelity/RtlCust/Login/Init
  • https://login.smartbusiness.ae/
  • https://logon.reflex.rhbbank.com.my/rhbcams/corporate/login.jsp
  • https://marfinbank.cardinalcommerce.com/transaction/
  • https://mcm.bankmandiri.co.id/corp/common/login.do?action=login
  • https://meine.deutsche-bank.de/trxm/db
  • https://meine.norisbank.de/trxm/noris
  • https://member.neteller.com/moneyIn
  • https://mib.bankmandiri.co.id/sme/common/login.do?action=login
  • https://mijn.ing.nl/internetbankieren/SesamLoginServlet
  • https://mvp.bdcu.com.au/mvpbdcu/login.asp
  • https://mvp.bigsky.net.au/mvpbscu/Login.asp
  • https://mvp.gosfordcreditunion.com.au/mvpgosford/Login.asp
  • https://mvp.novacu.com.au/mvpnova/Login.asp
  • https://mvp1.sccu.com.au/mvpsccu/Login.asp
  • https://my-db-direct.db.com/u/eb/Login_Main.serv
  • https://my.commbank.com.au/netbank/Portfolio/Home/Home.aspx
  • https://my.statestreet.com/secid-smpwservicesmain-smpwservices.fcc?
  • https://mybusinessbank.co.uk
  • https://nabconnectnabcomau/auth/login/.do?
  • https://nbf.ae/corporate/BANKAWAY;?
  • https://nbqonline.ae/corp/BANKAWAY?Action.CorpUser.Init
  • https://net24.montepio.pt/Net24-Web/func/acesso/net24eLoginTV.jsp
  • https://netbank.communityfirst.com.au/mvpcfcu/Login.asp
  • https://netbank.qpcu.org.au/myviewpoint/
  • https://netbank.selectcu.com.au/mvpscc/login.asp
  • https://netbanking.hdfcbank.com/netbanking/
  • https://netbanking.mashreqbank.com/B001/SMELogin.jsp
  • https://netbanking.mashreqbank.com/EntlWeb/IbsJsps/orbilogin.jsp
  • https://netbanking.sparkasse.at/
  • https://netbanking.sparkasse.at/casserver/login
  • https://netbanking.sparkasse.at/sPortal/
  • https://netbranch.resourcescu.com.au/mvpRCU/Login.asp
  • https://netdirect.maitlandmutual.com.au/Login.asp
  • https://netsafe.hdfcbank.com/ACSWeb/jsp/
  • https://netteller2.tsw.com.au/704062V45/ntv4.asp?wci=entry
  • https://netteller2.tsw.com.au/802214V47/ntv47.ASP?WCI=entry
  • https://netteller2.tsw.com.au/TRNC/ntv43.asp?wci=entry
  • https://new.credem.it/Alert_FE/Default.aspx
  • https://nowbankingpiccoleimprese..it
  • https://nowbankingpiccoleimprese.cariparma.itasp
  • https://nowbankingprivati.cariparma.it/IT/Pagine/Login.aspx
  • https://nuovosito.fineco.it/
  • https://oltx.fidelity.com/ftgw/fbc/of
  • https://online-.unicredit.it/
  • https://online-business.bankofscotland.co.uk/business/logon/login.jsp?
  • https://online-business.tsb.co.uk/business/logon/login.jsp
  • https://online-retailprivate\x1dsmallbusiness.unicredit.it/login.htm
  • https://online.adambank.com/eBankingAdamLogin/login
  • https://online.americanexpress.com/myca/?request_type=authreg_acctAccountSummary
  • https://online.bankofcyprus.co.uk/netteller/login.faces
  • https://online.cibeg.com/MCP
  • https://online.citibank.com/
  • https://online.citibank.com//portal/Home.do
  • https://online.citibank.com/US/CBOL/ain/dashboard/flow.action
  • https://online.citibank.com/US/JPS/portal/Home.do
  • https://online.citibank.com/US/JPS/portal/Index.do
  • https://online.citibank.com/US/JRS/portal/menu.do?ID=Support
  • https://online.citibank.com/US/JSO/signon/LocaleUsernameSignon.do
  • https://online.corp.westpac.com.au/.asp
  • https://online.corp.westpac.com.au/furniture/scripts/jquery-1.3.2.min.js
  • https://online.coutts.com/eBankingCouttsLogin/login
  • https://online.crfossano.it/nb/it/home2.jsp
  • https://online.dbank.bg/main/main.asp
  • https://online.dbank.bg/main/main_new.asp
  • https://online.dib.ae/webapplication.ui/localoperations/login/corporateloginpage.aspx
  • https://online.fgb.ae/fgbcorporate/CorpLogin.htm?
  • https://online.mecu.com.au/daib/logon/cu3140/logon.asp
  • https://online.nbad.com/iportalweb/iportal/jsps/orbilogin.jsp
  • https://online.qantascu.com.au/daib/logon/cu2035/logon.asp
  • https://online.rbb.bg/page/default.aspx
  • https://online.savingsloans.com.au/DAIB/Logon/CU5023/Logon.asp
  • https://online.thinkmoney.co.uk/account/security/logon/logon.aspx
  • https://online.unicreditcorporate.it/ibx/web/menu/menutop/index.jsp
  • https://online.unicreditcorporate.it/nb/it/home_i.faces
  • https://online.unicreditcorporate.it/nb/it/welcome.jsp
  • https://online.washingtonfederal.com/login_business.aspengine/login/businessLogins.asp?
  • https://online.wellsfargo.com/das/
  • https://online.wellsfargo.com/das/cgi-bin/session.cgi
  • https://online.ybs.co.uk/public/authentication/login1.do
  • https://onlinebanking.nationwide.co.uk/AccessManagement/Login
  • https://onlinebanking.psd-bank.de/entry
  • https://onlinebanking.wachovia.com/myAccounts.aspx
  • https://onlinebusiness.lloydsbank.co.uk/business/logon/login.jsp
  • https://onlinebusinessplus.vancity.com/business/default.jsp\x1dservlet/Logon?;
  • https://particuliers.securelcl.fr/outil/UAUT
  • https://particuliers.societegenerale.fr
  • https://paschiinazienda.mps.it/PaschiHome/LOGIN2.0/RTLOGIN/ASPX/RTLoginCB01.aspx
  • https://payments.corporate.lloydsbank.com/lloydsbank_corporate_poli_webui/lloydsbank.aspx?target=PaymentHome
  • https://pc-easynet.policecredit.com.au/easyaccess/Login.asp
  • https://pc-easynet.policecredit.com.au/easyaccess/Welcome.asp
  • https://permonline.newcastlepermanent.com.au/IB/NPBSBusiness
  • https://permonline.newcastlepermanent.com.au/IB/NPBSPersonal
  • https://personal.co-operativebank.co.uk
  • https://personal.co-operativebank.co.uk/CBIBSWeb/
  • https://personal.macquarie.com.au/transact
  • https://personal/a/account_overview_personal
  • https://personal/a/eiaauthentication/phoneauthenticationinprogress
  • https://personal/a/eiaauthentication/phoneauthfailure
  • https://personal/a/eiaauthentication/phoneauthfailureinvalidcode
  • https://personal/a/make_payment
  • https://personal/a/makepayment/makepaymentconfirmation
  • https://personal/a/makepayment/makepaymentsuccessful
  • https://personal/a/set_up_new_payee
  • https://pnb.electracard.com/pnb/jsp/
  • https://portal.raiffeisen.at/group/club
  • https://portal.raiffeisen.at/group/private
  • https://portal.raiffeisenControllerVerfuegbarerBetrag.js
  • https://portal.raiffeisencore-packed.js
  • https://private.bankofsingapore.com/IPBWBWeb/Login/.aspx?
  • https://professionalson-line.bankofscotlandbusiness.co.uk/_mem_bin/formslogin.asp
  • https://professionnels.societegenerale.fr
  • https://ptlweb/WebPortal
  • https://qweb.quercia.com//Autorizzazioni/Distinte/isualizza.aspx
  • https://qweb.quercia.com//Autorizzazioni/Ricerche/isualizza.aspx
  • https://qweb.quercia.com//Home/Introduzione/Visualizza.aspx
  • https://qweb.quercia.com//Informazioni/Movimenti/isualizza.aspx
  • https://qweb.quercia.com//Informazioni/SaldiBanca/isualizza.aspx
  • https://qweb.quercia.com//Informazioni/SaldiConto/isualizza.aspx
  • https://qweb.quercia.com//Menu.htm
  • https://railnet.railcu.org.au/rail/
  • https://rakbankonline.ae/corp/BANKAWAY;?
  • https://regiobank.nl/internetbankieren/homepage/secure/homepage/homepage.html
  • https://regiobank.nl/internetbankieren/secure/login.html
  • https://regiobank.nl/internetbankieren/secure/login.htmlaction_prepareStepTwo=Inloggen
  • https://regiobank.nl/internetbankieren/secure/logout/logoutConfirm.html
  • https://retail.santander.co.ukScripts/behaviour.js
  • https://retail.santander.co.ukssobto
  • https://retailcorporate.metrobankonline.co.uk
  • https://robraiffeisenit/nibank/
  • https://royalbank.com/wps/myportal
  • https://s2b.standardchartered.com/ssoapp/login.jspcore.security.login.event
  • https://sambabankmc.cardinalcommerce.com/
  • https://sambabankvisa.cardinalcommerce.com/
  • https://santanderpbmc.cardinalcommerce.com/
  • https://santanderpbvisa.cardinalcommerce.com/
  • https://savcreditmc.cardinalcommerce.com/
  • https://savcreditvisa.cardinalcommerce.com/
  • https://scotiaonline.scotiabank.com/online/views
  • https://secure-banking.com//PassmarkSignIn.faces
  • https://secure-code.mlp.de/acspage/cap?RID=
  • https://secure.accu.com.au/secureaccu2/
  • https://secure.ampbanking.com/au/Logon
  • https://secure.arcot.com/acspage/cap?RID=
  • https://secure.axisbank.com/ACSWeb/EnrollWeb/AxisBank/server/AccessControlServer
  • https://secure.bankofamerica.com/myaccounts/
  • https://secure.barclaycard.co.uk/barclays/tdsecure/pa.jspbarclaycard.visa
  • https://secure.brannenbanks.com/BrannenBank/PassmarkSignIn.faces
  • https://secure.businesswaybnl.it/newcorporate/online/listamoviment/search
  • https://secure.businesswaybnl.it/newcorporate/online/listamovimenti/list
  • https://secure.businesswaybnl.it/newcorporate/webcontoc/elencodistinte/.continue
  • https://secure.businesswaybnl.it/newcorporate/webcontoc/elencomovimenti/.continue
  • https://secure.businesswaybnl.it/newcorporate/webcontoc/elencomovimenti/start
  • https://secure.businesswaybnl.it/newcorporate/webcontoc/elencosaldi
  • https://secure.businesswaybnl.it/newcorporate/webcontoc/login/login
  • https://secure.fundsxpress.com/piles/fxweb.pile/fxsecond_authcustom_login?
  • https://secure.handelsbanken.se/bb/glss/servlet/ssco_auth2
  • https://secure.ingdirect.ca/INGDirect.html
  • https://secure.membersaccounts.com/SELFSERVICE/Login.aspx
  • https://secure.mystate.com.au/secure
  • https://secure.rabobank.com/Gateway/offlineloginpage.html?
  • https://secure1.businesswaybnl.it/newcorporate/online/balance/list
  • https://secure1.businesswaybnl.it/newcorporate/online/italiantransfer/list
  • https://secure5.arcot.com/acspage/
  • https://securebank.cahoot.com/servlet/com.aquariussecurity.bks.security.authentication.servlet.LoginEntryServletBKS
  • https://securebusiness.lloydsbank.co.uk/business/a/
  • https://securebusinesswaybnl.it/newcorporate/webcontoc/menu/
  • https://securecode.abnamro.nl/acspage/cap?RID=
  • https://securecode.ing.nl/acspage/cap?RID=
  • https://securentrycorp./authentication/zbf/
  • https://securentrycorp.metricsanalytics
  • https://secureonline.idbibank.com/ACSWeb/EnrollWeb/IDBIBank/auth/SCode.jsp
  • https://secureonline.idbibank.com/ACSWeb/EnrollWeb/IDBIBank/auth/VBV.jsp
  • https://secureonline.idbibank.com/ACSWeb/EnrollWeb/IDBIBank/server/AccessControlServer
  • https://server.cey-ebanking.com/CLKCCM//OOBA/OOBALogin.asp?
  • https://server.cey-ebanking.com/CLKCCM//passmark/.asp?
  • https://sibacs.electrapay.com/SouthIndianBank/jsp/
  • https://signin.ebay.com/ws/eBayISAPI.dll?SignIn
  • https://singapore.lbbw-business.com/LBBWCorpWeb/login/.action?
  • https://singlepoint.usbank.com/cs70_banking/logon/sbuser
  • https://smallbusinessonline.bbt.com/auth/kba_cs_reg_conf.tb
  • https://smallbusinessonline.bbt.com/auth/pwd.tb
  • https://smallbusinessonline.bbt.com/bbtobs/bbtolbext/suppress/statements
  • https://smallbusinessonline.bbt.com/bbtobs/bbtolbweb/main/oview/home
  • https://sme.standardchartered.com/commonapp/core.security.vascochallenge.event
  • https://snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenbinnenland.html
  • https://snsbank.nl/mijnsns/bankieren/secure/verzendlijst/verzendlijst.html
  • https://snsbank.nl/mijnsns/homepage/secure/homepage/homepage.html
  • https://snsbank.nl/mijnsns/secure/login.html
  • https://snsbank.nl/mijnsns/secure/login.htmlaction_prepareStepTwo=Inloggen
  • https://snsbank.nl/mijnsns/secure/logout/logoutConfirm.html
  • https://sparda.wlp-acs.com/flowGlobal.wflow
  • https://sparkasse.it/hb/authentication/login-PIN_UTENTE
  • https://sparkasse.ithome.seam
  • https://ssl2.haspa.de/OnlineFiliale/banking/authenticate/login
  • https://ssl2.haspa.de/OnlineFiliale/banking/services
  • https://sslsecure.maybank.com.sg/cgi-bin/mbs/scripts/mbb_login.jsp?
  • https://sso.unionbank.com/obc/forms/password.fccunp/SSOLoginServlet
  • https://stanbicibtcbankweb.cardinalcommerce.com/transaction/
  • https://statestreet.com
  • https://tdcanadatrust.com
  • https://tdetreasury.tdbank.com/s1gcb/logon/sbuser
  • https://thinkmoney.cardinalcommerce.com/
  • https://titolari.cartasi.it/portaleTitolari/pt/new3/login_old
  • https://titolari.cartasi.it/portaleTitolari/titolari
  • https://transtasman.online.anz.com/client/logon.do?
  • https://transtasmanadmin.online.anz.com/saam/SAAMLogin/OTPPINH.fcc
  • https://treas-mgt.frostbank.com/rdp/cgi-bin/.cgi
  • https://trz.tranzact.org/credential.aspxOTP.asp?
  • https://tsb.co.uk/personal
  • https://tsys.arcot.com/acspage/cap?RID=
  • https://ubagroup.cardinalcommerce.com/transaction/
  • https://ubi.cbibanking.it/eb/accessologindo
  • https://ubi.electracard.com/ubi/jsp/
  • https://unigeb.unicreditcorporate.it/ga-gif-war/pages/U3/cashManagementSimpleSearch.x
  • https://unigeb.unicreditcorporate.it/ga-gif-war/pages/U3/cashManagementSimpleSearch.xhtml?rvn=1
  • https://unigeb.unicreditcorporate.it/ga-gif-war/pages/U3/monitorOnlineDetailedOverview.xhtml
  • https://unigeb.unicreditcorporate.it/ga-gif-war/views/products/commons/onlineList.xhtml
  • https://unigeb.unicreditcorporate.it/ga-gif-war/views/products/online/checking/availableBalance.xhtml
  • https://unigeb.unicreditcorporate.it/ga-gif-war/views/products/online/checking/checkingHistory.xhtml
  • https://uniservices.uobgroup.com/ELO/login.jspwpe/ca/login.dowpe/ca/loginForm.jsp;?
  • https://us.etrade.com/e/t/accounts/accountsombo
  • https://usgateway.rbs.com/wps/portal/cb/applicationsMoneyManagerGps
  • https://valido.credem.it/ValidoFrontend/loginShort.xhtml
  • https://vip.btcchina.com/bbs/index.php
  • https://voscomptesenligne.labanquepostale.fr/voscomptes/canalXHTML/comptesCommun/synthese_assurancesEtComptes/afficheSynthese
  • https://voscomptesenligne.labanquepostale.fr/wsost/OstBrokerWeb/loginform
  • https://vpn.sjp.co.uk/vpn/vpnloginpage.html
  • https://vpn.tarumanagara.com/+CSCOE+/logon.html
  • https://w.businessbanking.cibc.com/logon.jsp?;
  • https://web.ib.mizuhobank.co.jp//ScrCheck.js
  • https://web.ib.mizuhobank.co.jp/servlet/mib?xtr=Emf
  • https://webbanker.cua.com.au/webbanker/
  • https://webbanker.cua.com.au/webbanker/CUA?xid=
  • https://webbanker.cua.com.auwebbanker/
  • https://webcbiplus.bpergroup.net/webcontoc
  • https://webcbiplus.bpergroup.net/webcontoc/ccsaldi
  • https://webcbiplus.bpergroup.net/webcontoc/elencodistint
  • https://webcbiplus.bpergroup.net/webcontoc/esitobonificistipendi
  • https://webcbiplus.bpergroup.net/webcontoc/html//ITA/homePage
  • https://webcbiplus.bpergroup.net/webcontoc/menumaster
  • https://webcbiplus.bpergroup.net/webcontoc/movimenticcbanc
  • https://webcbiplus.bpergroup.net/webcontoc/MovimentiPeriodoOnline
  • https://webcbiplus.bpergroup.net/webcontoc/saldihomepage
  • https://webcbiplus.bpergroup.net/webcontoc/summaryhomepag
  • https://webcbiplus.bpergroup.net/webcontoc/top
  • https://webcmpr.bancopopular.com/K1/
  • https://wired.businessmanager.com/signon/signon.do?
  • https://wirexchange.goxroads.com/wx/login\x1cwp_login_user.cfm?
  • https://ws.kasikornbank.com/baliweb//site/defaultskin//html/static/logon.htm
  • https://WsAccountsList
  • https://www.3dsecure.icicibank.com/ACSWeb/EnrollWeb/ICICIBank/server/AccessControlServer
  • https://www.53.com/servlet/efsonline/index.html
  • https://www.53.com/site
  • https://www.abbeyinternational.com/Login.aspx?
  • https://www.accountcentralonline.com/cmuser/myacct/
  • https://www.alahliecorp.com/AlahlieCorp//web/CorporateSignOn.aspx?
  • https://www.alahlionline.com/AOLRetail//web/RetailSignOnAr/web/RetailSignOnUser/LoginDoubleAuthentication.aspx?
  • https://www.alexlinkbank.com/eBanking//web/L/corporate/aspx/user/CorporateSignOn.aspx
  • https://www.alinmaonline.com/cb/servlet/cb/jsp-ns/login.jsp?
  • https://www.alinmaonline.com/efs/servlet/efs/jsp-ns/login.jsp?
  • https://www.almubasher.com.sa/NewECorporate/p/login/.do?
  • https://www.almubasher.com.sa/retail/LogonRetail.jsp?
  • https://www.amazon.co.uk/gp/css/homepage.html
  • https://www.anz.com/inetbank/login.asp?
  • https://www.anzdirect.co.nz/online/.do?
  • https://www.arabi-online.net/efs/servlet/efs/jsp-ns/login.jsp?
  • https://www.asbolb.com/servlet/ASB.ASBServlet
  • https://www.bancagenerali.it/
  • https://www.bancagenerali.it/fec/cc/bonifico/sepa/ins/bonifico-sepa-ins-step1.html
  • https://www.bancagenerali.it/fec/cc/bonifico/sepa/ins/bonifico-sepa-ins-step2.html?
  • https://www.bancanuova.it/bn-web/home/atTime.html
  • https://www.bancsabadell.com/cs/Satellite/SabAtl/Particulares/
  • https://www.bankalbilad.com/retail/logon.do
  • https://www.bankline.natwest.com/
  • https://www.bankline.natwest.com/CWSLogon/
  • https://www.bankline.rbs.com/
  • https://www.bankline.rbs.com/CWSLogon/
  • https://www.bankline.ulsterbank.coie/
  • https://www.bankline.ulsterbank.ieco.uk/CWSLogon/
  • https://www.bankofamerica.com
  • https://www.barclaycardus.com/app/ccsite/action/switchAccount
  • https://www.barclays.net/serviceannouncement/message/login
  • https://www.barclayswealth.com/login/action/logon/unauthenticated/personal
  • https://www.barclayswealth.com/public//multi/all/crossSegmentContactUs.htm
  • https://www.bb-fire.com/SignOn/
  • https://www.bbvanetcash.com/local_tlsb/KDPOSolicitarCredenciales_.html
  • https://www.bbvanetcash.com/local_tlsb/TLBHEntradaUsuario_logon_CAS.html
  • https://www.bendigobank.com.au//ReduceLimitSetup
  • https://www.bendigobank.com.au/banking/BBLIBanking
  • https://www.bendigobank.com.au/banking/pkmslogin.form
  • https://www.billmelater.com/your-account/home.xhtml
  • https://www.bizchannel.cimb.com.sg/corp/common/login.do?
  • https://www.bmo.com/ctpauth/CTPEAILogin/CustUserPasswordAuthServlet?
  • https://www.boi-bol.com/
  • https://www.boi-bol.com/do/leftMenuaccSingleAccount\x1caccTransApplyPayWIApplyFilterActionRptPayHisReportListRptTransReportPrint
  • https://www.boi-bol.com/newHome.jsp
  • https://www.bpinetempresas.pt/SIGNON/signon.asp
  • https://www.bpmbanking.it/imprpri/wbOnetoone//do/banking/Stat
  • https://www.bpmbanking.it/imprpri/wbOnetoone//do/banking/WsBonificoSepaInput.do
  • https://www.bpmbanking.it/wscmn/INLINEANET/iln/js/ajaxAccess.js
  • https://www.bpmbanking.it/wscmn/js/movimenti.js
  • https://www.bpmbanking.it/wscmn/js/responsive/generic.js
  • https://www.business.hsbc.co.uk/1//
  • https://www.business.hsbc.co.uk/1/2/
  • https://www.bxs.com/
  • https://www.capitaloneonline.co.uk/CapitalOne_Consumer/Login.do
  • https://www.careerbuilder.com/hare/ogin.aspx
  • https://www.cartabcc.it/
  • https://www.cashanalyzer.com/caloadbalance.aspxcgi-bin/.dll/?
  • https://www.caterallenonline.co.uk/WebAccess.dll
  • https://www.cbdibusiness.ae/cb/servlet/cb/login.jsp?
  • https://www.cencorpcu.com/secure/secure_logon.asp?
  • https://www.chase.com
  • https://www.chase.com/apps/chase/clientlibs/foundation/publishoptimized/homepage-po-min.js
  • https://www.chebanca.it/wps/portal/Istituzionale/login
  • https://www.cibconline.cibc.com/olbtxn/accounts/MyAccounts.cibc
  • https://www.cibconline.cibc.com/olbtxn/user/ChangePVQ2.cibc
  • https://www.cibconline.cibc.com/olbtxn/user/GetPVQAction.cibc
  • https://www.cibconline.cibc.com/olbtxn/user/VerifyPVQAction.cibc
  • https://www.cic.fr/fr/
  • https://www.citibank.co.in/acspage/cap_nsapi.so?RID=
  • https://www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do
  • https://www.citibusiness.citibank.com.sg/SGCBZ/JSO/signon/DisplayCinSignon.do?
  • https://www.comerica.com/
  • https://www.commercial.hsbc.com.hk/1/2/
  • https://www.commerzbanking.de/P-Portal/XML/IFILPortal/pgf.html
  • https://www.contactus.cnb.com/html/tnet-ad.html
  • https://www.corporateatarabi.com/s1gcb/logon/sbuser
  • https://www.cortalconsors.de/euroWebDe/
  • https://www.cpsinternetbanking.com.au/daib/logon/cu5022/logon.asp
  • https://www.credem.it/OneToOne/ebank/functions/home/home_sec/home_cliente_.jsp
  • https://www.credit-suisse.com.sg/amserver/UI/Login?
  • https://www.creditmutuel.fr/groupe/fr/index.html
  • https://www.creval.it/index.asp
  • https://www.csebanking.it/fec/
  • https://www.csebanking.it/ibportal/home-LISTA_MOVIMENTI.do
  • https://www.csebanking.it/ibportal/Logon.html
  • https://www.csebo.it/webcontoc/login
  • https://www.dab-bank.de/meinedabbank/UEbersicht/finanzuebersicht.app.html
  • https://www.discovercard.com/cardmembersvcs/achome/
  • https://www.discovercard.com/cardmembersvcs/personalprofile/pp/GetInitialInfo
  • https://www.dskdirect.bg/page/default.aspx
  • https://www.e-closingsecured.com:/scripts/spiis.dll/its-itec/itec_login
  • https://www.e-moneyger.com/wps/myportal/!ut/p//
  • https://www.ebanking.cimbthai.com/cash/logon.jsp
  • https://www.ebanking.pcu.com.au/ebank/Login.asp
  • https://www.efirstbank.com/centralAuth/jsp/main/Logon.faces?
  • https://www.eg.secure.barclays.com/bir/feature/loginprocess
  • https://www.empresas.santandertotta.pt/canalempresas/finance/login.jsp
  • https://www.ezcardinfo.com/AcctSummary.aspx
  • https://www.farbanca.it/fb-web/home/atTime.html
  • https://www.fbo.fubonbank.com.hk/fboPortal/index_e.jsp?
  • https://www.fcsolb.com/cb/pages/jsp-ns/
  • https://www.ffinonline.com/ffbweatherfordonline1/authentication/Login.aspxAccounts/AccountOverview.aspx
  • https://www.fiabusinesscard.com/cgi-bin/ias//GotoWelcome
  • https://www.fideuramonline.it/script/LogonServlet
  • https://www.firstdirect.com/1/2/
  • https://www.firstmeritib.com
  • https://www.fnb.co.za/
  • https://www.fnbstl.com/business/cts_security_precheck.jsp
  • https://www.fundsdirect.co.uk/bks/login.aspx?bksid=beaumont
  • https://www.gbw.itRndRapportiSrv
  • https://www.gbw/cbl/exec/Info?
  • https://www.gbw/cbl/logi
  • https://www.gbw/exec/BonificoSrv
  • https://www.gbw/exec/Distinte
  • https://www.gbw/exec/homePage?noAddToNavi=1&myAction=leftMenu
  • https://www.gbw/exec/RndMovimentiSr
  • https://www.gbw/exec/RndRapportiSrv
  • https://www.gbw/exec/RndSaldiSrv
  • https://www.gbw/javascripts/gestoreEventiTastiera.js
  • https://www.gbwstyle/main.css
  • https://www.global-ebanking.com/login/login.faces
  • https://www.gotomycard.com/accounts.asp
  • https://www.greater.com.au/WebBankV2/Greater
  • https://www.gruppocarige.it/vbank/
  • https://www.gruppocarige.it/vbank/jsp/welcomefamily.jsp
  • https://www.gruppocarige.it/vbankIT/jsp/welcomefamily.jsp
  • https://www.gruppocarige.it/vbankSA/jsp/welcomefamily.jsp
  • https://www.halifax-online.co.uk/personal/logon/login.jsp
  • https://www.harrisbank.com/HOB/retail/logon/psohobdecidelogon
  • https://www.hsbc.ca/1/2/
  • https://www.hsbc.co.uk/1/2/
  • https://www.hsbc.com.au/1/2/
  • https://www.hsbc.com.cn/1/2/
  • https://www.hsbc.com.eg/1/2/
  • https://www.hsbc.com.mx/1/2/
  • https://www.hsbc.com.sg/1/2/
  • https://www.hsbc.com.vn/1/2/
  • https://www.hsbc.fr/1/2/hsbc-france/entreprises-institutionnels/connexion
  • https://www.hsbccreditcard.com/ecare/control/generic.js
  • https://www.hsbccreditcard.com/ecare/customerservice/updatepersonalinfo?&locale=en_US&brand=HB_090_750
  • https://www.hsbccreditcard.com/ecare/viewaccount
  • https://www.huntington.com/scripts/onlinebanking.js
  • https://www.hvbrsce.com/ebanking/London/EXE/WBankDsp.exe
  • https://www.ib.boq.com.au/boqws/boqbl
  • https://www.ib.kiwibank.co.nz/
  • https://www.ib.kiwibank.co.nz/keepsafe/challenge/
  • https://www.ibsnetaccess.com/NASApp/NetAccess/RegisteredAccountsDisplay
  • https://www.ibsnetaccess.com/NASApp/NetAccess/updateQandA.action?target=updtQA
  • https://www.idbaccess.blilk.com/core/Authentication/
  • https://www.inbank.it/function/login/index.jsp
  • https://www.inbiz.intesasanpaolo.com/scriptFvca0/PortalWAR/login/login.do
  • https://www.inbiz.intesasanpaolo.com/scriptFvca0/PortalWAR/portal_login/portalFvca0/sma/
  • https://www.inbiz.intesasanpaolo.comlogin
  • https://www.ingdirect.com.au/client/login.aspx?
  • https://www.integrator.barclays.com/idc/html/LoginStep1.html
  • https://www.isideonline.it/relaxbanking/
  • https://www.iwbank.it/
  • https://www.jefferson-bank.com/business/j_security_check?
  • https://www.jp-bank.japanpost.jp/direct/pc/security/dr_pc_sc_start.html
  • https://www.maybank2e.net/M2E/mbbcustomer/
  • https://www.mercantilcbonline.com/secure/banking/logonindividualLogon
  • https://www.moneybookers.com/app/login.pl
  • https://www.moneybookers.com/app/my_account.pl
  • https://www.moneypak.comCardReloadInfo.aspx
  • https://www.my.comm111bank.com.au/netbank/Logon/Logonaspx
  • https://www.my.commbank.com.au/netbank/Logon/Logonaspx
  • https://www.my.commbiz.commbank.com.au/?
  • https://www.myaccountaccess.com/onlineCard/
  • https://www.myaccountaccess.com/onlineCard/postLogin.do?phase=start
  • https://www.mybusinessbank.co.uk/cs70_banking/logon/slogon
  • https://www.mycardsecure.com/acspage/cap.dll?RID=
  • https://www.mycardstatement.com/AcctSummary.aspx
  • https://www.mye-bankonline.com.eg/ceb/login1.seam
  • https://www.necu.com.au/mvpnewengland/Login.asp
  • https://www.nordstromcard.com/fdr_nr.service?TRANTYPE
  • https://www.nwolb.com/.aspx
  • https://www.nwolb.com/Brands/RSA_js/fp_AA.js
  • https://www.nwolb.com/logindefault.aspx
  • https://www.onlineaccess.ca/NASApp/NetAccess/
  • https://www.onlinebanking.iombank.com/logindefault.aspx
  • https://www.onlinesbiglobal.com//BANKAWAY?;
  • https://www.optionsxpress.com/login.asp
  • https://www.otpbanka.hr/english/welcome.htm
  • https://www.partnercardservices.com/ecare/control/generic.js
  • https://www.partnercardservices.com/ecare/customerservice/updatepersonalinfo?&locale=en_US&brand=RZ_500_501
  • https://www.partnercardservices.com/ecare/viewaccount?
  • https://www.paypal.com/
  • https://www.paypal.com//cgi-bin/webscr?
  • https://www.paypal.com//cgi-bin/webscr?cmd=_login-done
  • https://www.paypal.com//cgi-bin/webscr?cmd=_profile-credit-card-new-clickthru
  • https://www.paypal.com/cgi-bin/webscr?
  • https://www.paypal.com/home
  • https://www.paypal.com/ukus/cgi-bin/webscr
  • https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-done
  • https://www.paypal.com/us/cgi-bin/webscr?cmd=_profile-credit-card-new-clickthru
  • https://www.pcunet1.com.au/mvppolice/Login.asp
  • https://www.pcunet2.com.au/mvppolice/Login.asp
  • https://www.permatae-business.com/corp/common/login.do?action=login
  • https://www.pnc.com//pnccorp/PNC/Home/Corporate
  • https://www.pnccardservicesonline.com/pages/AccountSummary.aspx
  • https://www.popolarevicenza.it/bpvi-web/home/atTime.html
  • https://www.professionalpartners.cortalconsors.de
  • https://www.rbc.com/NU00/pki/authenticate/AuthenticateUserRoamingEPF.jsp
  • https://www.rbsdigital.com/.aspx
  • https://www.rbsdigital.com/Brands/RSA_js/fp_AA.js
  • https://www.rbsdigital.com/logindefault.aspx
  • https://www.scotiaconnect.scotiabank.com/sco-tp/pki/AuthenticateUserInputRoamingEPF.jsp?
  • https://www.scotiaonline.scotiabank.com/online/views/accounts/summary/summaryStandard.bns
  • https://www.sebkort.com/skm/acspage/cap?RID=
  • https://www.secure.hsbcnet.com/uims/portal/IDV_OTP_CHALLENGE;
  • https://www.securenetbanking.ca/IBClient/loginCorpIBRetail/loginbusiness.aspx?
  • https://www.securepay.hsbc.co.in/SecurePay/servlet/Authenticate
  • https://www.securesuite.co.uk/nationwide/tdsecure/pa.jspnationwide_visa
  • https://www.securesuite.co.uk/rbs/tdsecure/pa.jspdebit_nw_visa
  • https://www.securesuite.co.uk/rbs/tdsecure/pa.jspdebit_rbs_visa
  • https://www.securesuite.co.uk/santander/tdsecure/pa.jspsantander.visa
  • https://www.selfpointonline.it/
  • https://www.sella.it/Autenticazione/
  • https://www.snsbank.nl/mijnsns/bankieren/secure/betalen/buitenlandbetalen.html
  • https://www.snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenbinnenland.html
  • https://www.snsbank.nl/mijnsns/bankieren/secure/betalen/overschrijvenBuitenland.html
  • https://www.snsbank.nl/mijnsns/bankieren/secure/transacties/transactieoverzicht.html
  • https://www.snsbank.nl/mijnsns/homepage/secure/homepage/homepage.html
  • https://www.snsbank.nl/mijnsns/secure/login.html
  • https://www.statementlook.com/fdr_ge.service?TRANTYPE
  • https://www.sterlingwires.com/
  • https://www.suntrust.com/PersonalBanking
  • https://www.suntrust.com/portal/server.pt?
  • https://www.suntrust.com/portal/server.pt?mode=2
  • https://www.teacherscreditunion.com.au/internetbanking/Login.asp
  • https://www.tescobank.com/sss/auth
  • https://www.ucoebanking.com/BankAwayRetail//web/L001/retail/jsp/user/CorporateSignOn.aspx?
  • https://www.ulsterbankanytimebanking.co.uk/logindefault.aspx
  • https://www.unb.com/uninet/main_login.asp
  • https://www.unity-online.co.uk
  • https://www.us.hsbc.com/1/2/
  • https://www.usaa.com/inet/ent_logon/Logon
  • https://www.usbank.com/internetBanking/RequestRouter
  • https://www.vancity.com/MyBusiness/OnlineBanking/?
  • https://www.vancity.com/OnlineBanking/
  • https://www.vietcombank.com.vn/ibanking/Default.aspx
  • https://www.vietinbank.vn/ipay/vbh/login.do
  • https://www.websteronline.com/personal/personal-homepage.html
  • https://www.widebayaust.com.au/webbank/
  • https://www.widebayaust.com.au/webbank/WBA
  • https://www.winglungbank.com/corpbanking/logon/CbHomLogonInp.jsp?
  • https://www1.membersequitybank.com.au/
  • https://www1.membersequitybank.com.au/ME?xid=
  • https://www1.royalbank.com
  • https://www2.csebo.it/webcontoc/ccsaldi
  • https://www2.csebo.it/webcontoc/insertpagitl?tipo_pagamento=bonifico
  • https://www2.csebo.it/webcontoc/insertpagnr
  • https://www3.lifecard.co.jp/WebDesk/www/.html
  • https://wwwcm.netteller.com/logincm2008/Authentication/Views/.aspx?
  • https://wwwroyalbank.com/cgi-bin/rbaccess
  • https://youwebcard.bancopopolare.it/WEBHT/login

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

  • http://www.google.com
  • http://www.bing.com

It deletes the initially executed copy of itself

NOTES:

This spyware monitors the browser activities of the affected system, specifically the address bar.

It sends out DNS queries to a randomized domain name with the following extensions:

  • .info
  • .com
  • .biz
  • .org
  • .net
  • .ru

  SOLUTION

Minimum Scan Engine: 9.700
FIRST VSAPI PATTERN FILE: 10.804.05
FIRST VSAPI PATTERN DATE: 19 May 2014
VSAPI OPR PATTERN File: 10.805.00
VSAPI OPR PATTERN Date: 19 May 2014

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Scan your computer with your Trend Micro product and note files detected as TSPY_ZBOT.ABTE

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft
    • WAB
  • In HKEY_CURRENT_USER\Software\Microsoft
    • {random}

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run
    • {random} = "%Application Data%\{random folder name}\{random file name}.exe"
  • In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    • %Windows%\explorer.exe = "%Windows%\explorer.exe:*:Enabled:Windows Explorer"
  • In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    • {port1}:UDP = "{port1}:UDP:*:Enabled:UDP {port1}"
  • In HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    • {port2}:TCP = "{port2}:TCP:*:Enabled:TCP {port2}"

Step 6

Search and delete this folder

[ Learn More ]
Please make sure you check the Search Hidden Files and Folders checkbox in the More advanced options option to include all hidden folders in the search result.
  • %Application Data%\Microsoft\Address Book
  • %Application Data%\{random folder name}

Step 7

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %Application Data%\{random file name2}.{random}

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_ZBOT.ABTE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 9

Scan your computer with your Trend Micro product to delete files detected as TSPY_ZBOT.ABTE. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

NOTES:

The created registry key HKEY_CURRENT_USER\Software\Microsoft\{random} cannot be identified by the users since there are no reference values in the created key. The only way it can be identified is by comparing the present keys with a backup if the users have one. Note that the key {random} need not to be deleted since it won't cause the user's system any harm.


Did this description help? Tell us how we did.