Confidentiality issue there.
The phishers use a variety of sites set up yesterday. The links (at least the ones I deal with) are structured like this:
hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs####/cmserver/ccare/default/cform.cfm?id=50957485169957807751718084384151236318517423286436648315422844&email=TARGET'S EMAIL ADDRESS
The site hosting the phish page (heryswi.com here) changes; the sites were registered yesterday and are being used to target at least 3 banks with different phish, based on the code and emails I've seen. This site is among several registered yesterday, list at bottom of message.
Once they reach the site they are asked for name, user id, acct number and password.
When they submit, the data above plus their email address is sent somewhere, and the client is directed to the second page, which will be in the structure
hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs####/cmserver/ccare/default/cform.cfm/account.php
This page has the iframe attempting to download the malware, as well as a link to download the executable "certificate.exe".
All of the malware is being downloaded from laenas.org.
Some of the domains hosting phish:
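The link structure described in this message puts the real hostname in front of a different parent domain, which a mail or proxy filter can test for directly. The following is an added example, not part of the original message: `PROTECTED_HOSTS`, `refang`, `classify` and the sample URL values (path digits, id, email) are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: the hostnames being defended (placeholder taken from the message).
PROTECTED_HOSTS = ("oursite.ourcompany.com",)

# Constructed sample following the structure quoted in the message.
SAMPLE_PHISH = ("hxxp://OURSITE.OURCOMPANY.com.heryswi.com/ibs0000/cmserver/"
                "ccare/default/cform.cfm?id=123&email=user@example.com")


def refang(url):
    """Turn a defanged indicator (hxxp://, [.]) back into a parseable URL."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def classify(url, protected=PROTECTED_HOSTS):
    """Report whether the host only *starts with* a protected hostname.

    A lookalike host has the protected name as its leading labels and extra
    labels after it, so the real parent domain belongs to someone else.
    """
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").rstrip(".").lower()
    result = {"host": host, "impersonates": None,
              "parent_domain": None, "target_email": None}
    for legit in protected:
        # Exact match is the real site; prefix + "." + more labels is not.
        if host.startswith(legit + "."):
            result["impersonates"] = legit
            result["parent_domain"] = host[len(legit) + 1:]
            break
    # The message notes the recipient's address is carried in the link itself.
    emails = parse_qs(parts.query).get("email")
    if emails:
        result["target_email"] = emails[0]
    return result


if __name__ == "__main__":
    print(classify(SAMPLE_PHISH))
    print(classify("https://oursite.ourcompany.com/login"))
```

The `target_email` field lets responders see which recipients received a given link when it shows up in proxy or mail logs.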