VirusHTML/Banker.A!phish
Analysis
HTML/Banker.A!phish is a generic detection for HTML code within an email message or online (fake) website which attempts to steal detailed information associated with a bank account, credit card, or online payment account.
- It usually arrives through an email which may contain a fake account security warning or information update notification.
- It usually pretends to be a registration or account restoration page and asks for detailed information and sends the stolen information to a malicous website.
- The stolen information might be related to the following financial institutions:
- PayPal
- Bank One
- Bank of America
- Visa Europe
- The stolen information will then be sent to the following websites:
- http://www.enjo{Removed}nshop.nl/xmlrpc/cache/banking.php
- http://ppsrv471248.fm{Removed}kwkimkfkmasfmk.ru/fs.php
- http://www.cu{Removed}na.com/cgi/procesing.php
- http://aicomgr{Removed}ompany.com/chs.php
- http://rot{Removed}sh.de/vbv/run.php
Recommended Action
- Don't click on hyperlinks to financial institutions in email messages. Always open an instance of a new Internet browser and navigate to the financial institution by typing in the web address.
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| Extended | |
| FortiClient | |
| Extreme | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |