Spanish bank phishing site with keylogger protection

08/05/2010
G DATA Blog

A quite interesting site washed into our systems this morning: A Spanish bank phishing site with integrated anti-keylogger mechanism - intent or coincidence?

The site is a perfect copy of Caja España's "Oficina Virtual", the online banking log-in site. It even includes the anti-phishing advisory logo and the virtual on-screen keyboard, which is a precaution normally taken by the bank, to prevent identity theft through keyloggers.
But in this case... I mean... we are looking at a phishing campaign... so, what is the idea behind the virtual keyboard here? Are the scammers afraid of other tricksters stealing their bait???

Obviously, the phishers just copied the bank's site's HTML and JavaScript code and therefore the original virtual keyboard was just included into their trap - But to think about data thieves protecting their stolen data against other data thieves is somehow funny!

 

Apart from that, the method used is an ordinary phishing attempt:
Instruction 1: Type your user name and password and click "enter"

 

Instruction 2: Enter all information of your banking code card and click "continue"

 

Instruction 3: Oops, an error occurred - aha, really?! - wait for the redirection to re-enter the information


Finally: The original banking site appears but your data is gone.