Analysis by: RonJay Kristoffer Caragay
ALIASES:

Spyware.Dyre (Malwarebytes); PWS:Win32/Dyzap (Microsoft); Win32/Battdil.AC (ESET-NOD32)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.

It connects to certain websites to send and receive information. It deletes itself after execution.

  TECHNICAL DETAILS

File Size: 488,448 bytes
Memory Resident: Yes
Initial Samples Received Date: 16 Jul 2015
Payload: Steals information

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It may be dropped by the following malware:

Installation

This spyware drops the following copies of itself into the affected system:

  • %AppDataLocal%\{random filename}.exe (for Windows Vista and above)
  • %Windows%\{random filename}.exe (for Windows XP and below)

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

  • Global\u1nyj3rt20

It injects codes into the following process(es):

  • explorer.exe
  • svchost.exe

Autostart Technique

This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
ImagePath = "%Windows%\{random filename}.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
DisplayName = "Google Update"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
Start = "2"

It adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
GoogleUpdate = "%AppDataLocal%\{random filename}.exe" (for Windows Vista and above)

Other System Modifications

This spyware adds the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate (for Windows XP and below)

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa
LimitBlankPasswordUse = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fDenyTSConnections = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fSingleSessionPerUser = "0"

(Note: The default value data of the said registry entry is 1.)

Dropping Routine

This spyware drops the following files:

  • %System%\config\systemprofile\Application Data\ea1bw72e0f4.dll (for Windows XP and below)
  • %AppDataLocal%\ea1bw72e0f4.dll (for Windows Vista and above)

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Information Theft

This spyware gathers the following data:

  • Host Name
  • Public IP Address
  • Computer Name
  • OS Version
  • OS Platform
  • User Accounts
  • System Info(CPU, Memory, No. of Processors)
  • Installed programs
  • Services

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

  • google.com
  • microsoft.com

It connects to the following URL(s) to get the affected system's IP address:

  • http://icanhazip.com

It connects to the following website to send and receive information:

  • http://{BLOCKED}.{BLOCKED}.199.58:4443
  • http://{BLOCKED}.{BLOCKED}.63.98:443
  • http://{BLOCKED}.{BLOCKED}.194.188:4443
  • http://{BLOCKED}.{BLOCKED}.126.8:4443
  • http://{BLOCKED}.{BLOCKED}.201.9:443
  • http://{BLOCKED}.{BLOCKED}.10.23:443
  • http://{BLOCKED}.{BLOCKED}.152.131:443
  • http://{BLOCKED}.{BLOCKED}.33.98:443
  • http://{BLOCKED}.{BLOCKED}.89.141:443
  • http://{BLOCKED}.{BLOCKED}.190.84:443
  • http://{BLOCKED}.{BLOCKED}.191.213:443
  • http://{BLOCKED}.{BLOCKED}.206.204:443
  • http://{BLOCKED}.{BLOCKED}.129.153:4443
  • http://{BLOCKED}.{BLOCKED}.129.218:4443
  • http://{BLOCKED}.{BLOCKED}.135.106:4443
  • http://{BLOCKED}.{BLOCKED}.83.218:4443
  • http://{BLOCKED}.{BLOCKED}.67.21:443
  • http://{BLOCKED}.{BLOCKED}.67.211:443
  • http://{BLOCKED}.{BLOCKED}.90.33:443
  • http://{BLOCKED}.{BLOCKED}.81.96:4443
  • http://{BLOCKED}.{BLOCKED}.14.89:443
  • http://{BLOCKED}.{BLOCKED}.178.154:443
  • http://{BLOCKED}.{BLOCKED}.151.10:443
  • http://{BLOCKED}.{BLOCKED}.73.151:4443
  • http://{BLOCKED}.{BLOCKED}.170.118:443
  • http://{BLOCKED}.{BLOCKED}.172.36:443
  • http://{BLOCKED}.{BLOCKED}.76.44:4443
  • http://{BLOCKED}.{BLOCKED}.50.169:443
  • http://{BLOCKED}.{BLOCKED}.51.25:443
  • http://{BLOCKED}.{BLOCKED}.60.225:443
  • http://{BLOCKED}.{BLOCKED}.61.13:443
  • http://{BLOCKED}.{BLOCKED}.15.70:443
  • http://{BLOCKED}.{BLOCKED}.96.30:443
  • http://{BLOCKED}.{BLOCKED}.97.238:443
  • http://{BLOCKED}.{BLOCKED}.228.144:443
  • http://{BLOCKED}.{BLOCKED}.166.113:443
  • http://{BLOCKED}.{BLOCKED}.61.101:443
  • http://{BLOCKED}.{BLOCKED}.144.195:4443
  • http://{BLOCKED}.{BLOCKED}.235.48:443
  • http://{BLOCKED}.{BLOCKED}.34.137:443
  • http://{BLOCKED}.{BLOCKED}.219.35:443
  • http://{BLOCKED}.{BLOCKED}.54.22:443
  • http://{BLOCKED}.{BLOCKED}.55.12:443
  • http://{BLOCKED}.{BLOCKED}.55.122:443
  • http://{BLOCKED}.{BLOCKED}.75.75:4443
  • http://{BLOCKED}.{BLOCKED}.102.70:443
  • http://{BLOCKED}.{BLOCKED}.154.243:443
  • http://{BLOCKED}.{BLOCKED}.194.154:443

It does the following:

  • Receive configuration(web injects)
  • Receive New connections
  • Download file and execute
  • Download Module(VNC,TV)
  • Browser Snapshot
  • Terminate Process
  • Add Users
  • Shutdown/restart system
  • Monitors the following browsers:
    • chrome.exe
    • firefox.exe
    • iexplore.exe
  • Connects to the following STUN (Session Traversal Utilities for NAT) server in order to determine the public IP address of the compromised computer:
    • stun1.voiceeclipse.net
    • stun.callwithus.com
    • stun.sipgate.net
    • stun.ekiga.net
    • stun.internetcalls.com
    • stun.noc.ams-ix.net
    • stun.voip.aebc.com
    • stun.voipbuster.com
    • stun.voxgratia.org
    • stun.ipshka.com
    • stun.faktortel.com.au
    • stun.iptel.org
    • stun.voipstunt.com
    • 203.183.172.196:3478
    • s1.taraba.net
    • stun.l.google.com:19302
    • stun1.l.google.com:19302
    • stun2.l.google.com:19302
    • stun3.l.google.com:19302
    • stun4.l.google.com:19302
    • stun.schlund.de
    • stun.rixtelecom.se
    • stun.voiparound.com
    • numb.viagenie.ca
    • stun.stunprotocol.org
    • stun.services.mozilla.com
    • stun.2talk.co.nz
  • Stop the following services:
    • wscsvc
    • MpsSvc
    • WinDefend

It deletes itself after execution.

NOTES:

This spyware steals important banking/bitcoin information by injecting malicious codes to bank/Bitcoin login webpages with URLs containing any of the following:

  • cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces
  • cashproonline.bankofamerica.com/*
  • businessaccess.citibank.citigroup.com/cbusol/signon.do
  • businessaccess.citibank.citigroup.com/*
  • www.bankline.natwest.com/CWSLogon/logon.do*
  • www.bankline.natwest.com/*
  • www.bankline.rbs.com/CWSLogon/logon.do*
  • www.bankline.rbs.com/*
  • www.bankline.ulsterbank.ie/CWSLogon/logon.do*
  • www.bankline.ulsterbank.ie/*
  • www.business.hsbc.co.uk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR2LKuyHkgbotDB1dDZyDDTwMzM0sDTy93B1dnXz8DN0tTCC6nd0dPUzMfYCqwzxdDTxNnEwMTH3dDA08jQnoLsgNDQUAO-nOhw!!
  • www.business.hsbc.co.uk/*
  • www.nwolb.com/default.aspx
  • www.nwolb.com/*
  • www6.rbc.com/webapp/ukv0/signin/logon.xhtml
  • www6.rbc.com/*
  • online.bankofscotland.co.uk/personal/logon/login.jsp
  • online.bankofscotland.co.uk/*
  • www.rbsdigital.com/login.aspx*
  • www.rbsdigital.com/*
  • wellsoffice.wellsfargo.com/ceoportal/signon/index.jsp*
  • wellsoffice.wellsfargo.com/*
  • lloydslink.online.lloydsbank.com/Logon/Logon.jsp
  • lloydslink.online.lloydsbank.com/*
  • www.ulsterbankanytimebanking.ie/default.aspx
  • www.ulsterbankanytimebanking.ie/*
  • banking.bankofscotland.co.uk/Logon/Logon.aspx*
  • banking.bankofscotland.co.uk/*
  • access.jpmorgan.com/jpmalogon
  • access.jpmorgan.com/*
  • gateway.citizenscommercialbanking.com/ccp/accessmoneymanager.jsp
  • gateway.citizenscommercialbanking.com/*
  • www.signatureny.web-access.com/signat/cgi-bin/login.cgi
  • www.signatureny.web-access.com/*
  • itreasury.regions.com/wcmfd/wcmpw/CustomerLogin
  • itreasury.regions.com/*
  • commercial.bnc.ca/auth/Login*
  • commercial.bnc.ca/*
  • ktt.key.com/ktt/cmd/logon
  • ktt.key.com/*
  • businessbanking.tdcommercialbanking.com/WBB/LoginDisplay
  • businessbanking.tdcommercialbanking.com/*
  • online-business.bankofscotland.co.uk/business/logon/login.jsp
  • online-business.bankofscotland.co.uk/*
  • cityntl.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
  • cityntl.webcashmgmt.com/*
  • www.treasury.pncbank.com/idp/esec/login.ht
  • www.treasury.pncbank.com/*
  • fnfgbusinessonline.enterprisebanker.com/wcmfd/wcmpw/CustomerLogin
  • fnfgbusinessonline.enterprisebanker.com/*
  • ffcw.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
  • ffcw.webcashmgmt.com/*
  • eastwestbank.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
  • eastwestbank.webcashmgmt.com/*
  • cib.bankofthewest.com/K1/servlet/com.fis.authentication.servlet.WelcomeServlet
  • cib.bankofthewest.com/*
  • www.frostcashmanager.com/CASHplus
  • www.frostcashmanager.com/*
  • www8.comerica.com/pkmslogin.form
  • www8.comerica.com/*
  • securentrycorp.amegybank.com/
  • securentrycorp.amegybank.com/*
  • securentrycorp.calbanktrust.com/
  • securentrycorp.calbanktrust.com/*
  • www2.pbebank.com/myIBK/apppbb/servlet/BxxxServlet*
  • www2.pbebank.com/*
  • www.hsbc.com.my/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDCxNvAz9vzyAXA2cPRxMPywBDAwgAykdiyjv5w-WJ0e1v6m5g6RNiYWngbeRvHGRqbECc7uDUvPjQYH0_j_zcVP1I_ShzDMWeniYwxZE5qemJyZXY1XljqgvN0w_Lyy_KBYZBQW5oRLm3jyMAwombdA!!/dl3/d3/L0lJSklna21BL0lKakFBTXlBQkVSQ0pBISEvNEZHZ3NvMFZ2emE5SUFnIS83XzA4NEswTktJUkQwQ0hBNEhJSTQwMDAwMDAwL3lSbVo6MjI4ODAwMDQ!
  • www.hsbc.com.my/*
  • securentrycorp.nsbank.com/
  • securentrycorp.nsbank.com/*
  • securentrycorp.zionsbank.com/
  • securentrycorp.zionsbank.com/*
  • ematchingnz1.online.anz.com/saam/SAAMLogin/Login.fcc*
  • ematchingnz1.online.anz.com/*
  • www.fcsolb.com/cb/pages/jsp-ns/login.jsp*
  • www.fcsolb.com/*
  • transtasman.online.anz.com/client
  • transtasman.online.anz.com/*
  • www.commercial.hsbc.com.hk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDd-NQv1BDg2AXA1-PEE9zPwtDAwgAykeaxTu7O3qYmPsA-WGergaeJk4mBqa-boYGnsbYdPsidBfkhioCAMGAADI!
  • www.commercial.hsbc.com.hk/*
  • www.anzdirect.co.nz/online/EnterANZDirect.do
  • www.anzdirect.co.nz/*
  • www.bostonprivatebank.com/index.cfm/pid/10540
  • www.bostonprivatebank.com/*
  • ebanking2.danskebank.co.uk/pub/logon/logon.aspx*
  • ebanking2.danskebank.co.uk/*
  • secure1.businesswaybnl.it/newcorporate/webcontoc/login/login
  • secure1.businesswaybnl.it/*
  • business2.danskebank.co.uk/pub/logon/logon.aspx*
  • business2.danskebank.co.uk/*
  • online.coutts.com/eBankingCouttsLogin/login
  • online.coutts.com/*
  • business.co-operativebank.co.uk/corp/BANKAWAY*
  • business.co-operativebank.co.uk/*
  • www.gs.reyrey.com/common/login/login.aspx
  • www.gs.reyrey.com/*
  • businessonline.mutualofomahabank.com/cb/pages/jsp-ns/login.jsp
  • businessonline.mutualofomahabank.com/*
  • login.salesforce.com/
  • login.salesforce.com/*
  • www.natwestibanking.com/eai/IPB_EAI_Web/*
  • www.natwestibanking.com/*
  • online.adambank.com/eBankingAdamLogin/login
  • online.adambank.com/*
  • fdonline.co-operativebank.co.uk/corp/BANKAWAY*
  • fdonline.co-operativebank.co.uk/*
  • home?.cybusinessonline.co.uk/lmgruV8/ceblm-web/login.ctl
  • home?.cybusinessonline.co.uk/*
  • home?.ybonline.co.uk/raluV8/reglm-web/login.ctl
  • home?.ybonline.co.uk/*
  • top.capitalonebank.com/pub/html/login.html
  • top.capitalonebank.com/*
  • cmol.bbt.com/auth/prompt.tb*
  • cmol.bbt.com/*
  • business-eb.ibanking-services.com/K1/index.jsp
  • business-eb.ibanking-services.com/*
  • businessonline.tdbank.com/corporatebankingweb/core/login.aspx
  • businessonline.tdbank.com/*
  • tdetreasury.tdbank.com/s1gcb/logon/sbuser
  • tdetreasury.tdbank.com/*
  • www.iombankibanking.com/eai/IPB_EAI_Web/eai*
  • www.iombankibanking.com/*
  • www.rbsiibanking.com/ipb/IPB_Client_Web/Start.do
  • www.rbsiibanking.com/*
  • achieveaccess.charterone.com/exchange/basic/authentication
  • achieveaccess.charterone.com/*
  • express.53.com/portal/auth/login/Login
  • express.53.com/*
  • www22.bmo.com/ctpauth/CTPEAILogin/CustUserPasswordAuthServlet*
  • www22.bmo.com/*
  • e-access.compassbank.com/bbw/cmserver/welcome/default/verify.cfm
  • e-access.compassbank.com/*
  • ht.businessonlinepayroll.com/SPF/login/ee_auth.aspx
  • ht.businessonlinepayroll.com/*
  • www1.rbcbankusa.com/cgi-bin/rbaccess/rbunxcgi*
  • www1.rbcbankusa.com/*
  • webcmpr.bancopopular.com/K1
  • webcmpr.bancopopular.com/*
  • www.onlinebanking.iombank.com/default.aspx*
  • www.onlinebanking.iombank.com/*
  • bank.barclays.co.uk/olb/auth/LoginLink.action
  • bank.barclays.co.uk/*
  • www.rbsidigital.com/default.aspx*
  • www.rbsidigital.com/*
  • www.svbconnect.com/auth
  • www.svbconnect.com/*
  • www.onlinebanking.natwestoffshore.com/default.aspx*
  • www.onlinebanking.natwestoffshore.com/*
  • charisma.btdirect.ro/CharismaWEB/_Public/Login.aspx
  • charisma.btdirect.ro/*
  • aibinternetbanking.aib.ie/inet/roi/login.htm
  • aibinternetbanking.aib.ie/*
  • business.santander.co.uk/LGSBBI_NS_ENS/BtoChannelDriver.ssobto*
  • business.santander.co.uk/*
  • retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto*
  • retail.santander.co.uk/*
  • www.internationalpayments.co.uk/
  • www.internationalpayments.co.uk/*
  • santander.hpdsc.com/main
  • santander.hpdsc.com/*
  • leumionline.bankleumi.co.uk/my.policy
  • leumionline.bankleumi.co.uk/*
  • www.caterallenonline.co.uk/
  • www.caterallenonline.co.uk/*
  • bolpp.bankofireland.com/Commercial*
  • bolpp.bankofireland.com/*
  • personal.co-operativebank.co.uk/CBIBSWeb/start.do
  • personal.co-operativebank.co.uk/*
  • www.boi-bol.com/newHome.jsp
  • www.boi-bol.com/*
  • cbfm.saas.cashfac.com/cbfm/Logon.aspx
  • cbfm.saas.cashfac.com/*
  • www.ingonline.com/ro/!UPR.Dispatcher*
  • www.ingonline.com/*
  • onlinebusiness.lloydsbank.co.uk/business/logon/login.jsp*
  • onlinebusiness.lloydsbank.co.uk/*
  • alolb1.arbuthnotlatham.co.uk/IB/Online
  • alolb1.arbuthnotlatham.co.uk/*
  • online.hoaresbank.co.uk/fi11512/bb/logon
  • online.hoaresbank.co.uk/*
  • butterfieldonline.co.uk/
  • butterfieldonline.co.uk/*
  • www.asbolb.com/servlet/ASB.ASBServlet
  • www.asbolb.com/*
  • online.ybs.co.uk/public/authentication/login1.do
  • online.ybs.co.uk/*
  • www.kbinternetbanking.com:8443/ARCIB-NEWF/index.html
  • www.kbinternetbanking.com:8443/*
  • ibank.reliancebankltd.com/logon.aspx
  • ibank.reliancebankltd.com/*
  • online.duncanlawrie.com/InternetBanking/faces/mdi/login.jsp
  • online.duncanlawrie.com/*
  • esavings.shawbrook.co.uk/BankFast/Shawbrook
  • esavings.shawbrook.co.uk/*
  • bureau.bottomline.co.uk/unity/index.aspx
  • bureau.bottomline.co.uk/*
  • ibb.firsttrustbank1.co.uk/ibb/controller*
  • ibb.firsttrustbank1.co.uk/*
  • www1.firstdirect.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR5rFO7s7epiY-wD5YZ6uBp4mTiYGpr5uhgaexmDdFibeBn7enkEuBs4ejiYeHkGGMN0FuaGKAPRSfDc!
  • www1.firstdirect.com/*
  • netbanking.ubluk.com/Login/Index
  • netbanking.ubluk.com/*
  • ibank.zenith-bank.co.uk/internetbanking/index.jsp
  • ibank.zenith-bank.co.uk/*
  • ibank.gtbankuk.com/Gaps_UK/Default.aspx
  • ibank.gtbankuk.com/*
  • online.bankofcyprus.co.uk/netteller/login.faces
  • online.bankofcyprus.co.uk/*
  • banking.ireland-bank.com/IrelandBankOnline_303/Authentication/Login.aspx
  • banking.ireland-bank.com/*
  • bankofirelandlifeonline.ie/
  • bankofirelandlifeonline.ie/*
  • secure.handelsbanken.com/bb/glss/servlet/prelogon*
  • secure.handelsbanken.com/*
  • www.365online.com/online365/spring/authentication*
  • www.365online.com/*
  • online.kbc.ie/kbc-online/onlinebanking/login*
  • online.kbc.ie/*
  • www.open24.ie/online/login.aspx*
  • www.open24.ie/*
  • business2.danskebank.ie/pub/logon/logon.aspx*
  • business2.danskebank.ie/*
  • online.ebs.ie/internet/login/index.jsp
  • online.ebs.ie/*
  • corporate.metrobankonline.co.uk/
  • corporate.metrobankonline.co.uk/*
  • secure2.alphabank.ro/corporate/CorpOTPLoginLangRom.jsp
  • secure2.alphabank.ro/*
  • ib.btrl.ro/BT24/bfo/channel/web/loginframe.jsp*
  • ib.btrl.ro/*
  • btultra.btrl.ro/sign/_mcologon
  • btultra.btrl.ro/*
  • fastbanking.bancpost.ro/iBankWeb/login.jsp
  • fastbanking.bancpost.ro/*
  • www.brdoffice.ro/smartoffice/_mcologon*
  • www.brdoffice.ro/*
  • www.ceconline.ro/smartoffice/logon.htm
  • www.ceconline.ro/*
  • ro.unicreditbanking.net/disp*
  • ro.unicreditbanking.net/*
  • secure.internetbanking.ro/IBK_SMS/Login/LoginFirstStep.aspx*
  • secure.internetbanking.ro/*
  • net.crediteurope.ro/ibank-cln/do/login/prompt
  • net.crediteurope.ro/*
  • www.raiffeisenonline.ro/eBankingWeb/login*
  • www.raiffeisenonline.ro/*
  • login.24banking.ro/casserver/login*
  • login.24banking.ro/*
  • www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsRouting
  • www.barclayswealth.com/*
  • s2b.standardchartered.com/ssoapp/login.jsp
  • s2b.standardchartered.com/*
  • eadibcorp.adib.ae/cb/servlet/cb/jsp-ns/login.jsp*
  • eadibcorp.adib.ae/*
  • corporate.adcb.com/corporateWeb/login.do
  • corporate.adcb.com/*
  • www.arabi-online.net/efs/servlet/efs/jsp-ns/login.jsp
  • www.arabi-online.net/*
  • cbionline.cbi.ae/bus/security/Welcome.do*
  • cbionline.cbi.ae/*
  • my.sjpbank.co.uk/Security/Auth/Logon
  • my.sjpbank.co.uk/*
  • login.smartbusiness.ae/bo-login.jsp
  • login.smartbusiness.ae/*
  • online.dib.ae/webapplication.ui/localoperations/login/loginpage.aspx
  • online.dib.ae/*
  • www.investbank.ae/ibank/loginAction.do
  • www.investbank.ae/*
  • netbanking.mashreqbank.com/B001/SMELogin.jsp
  • netbanking.mashreqbank.com/*
  • online.nbad.com/iportalweb/iportal/jsps/orbilogin.jsp
  • online.nbad.com/*
  • rakbankonline.ae/corp/BANKAWAY*
  • rakbankonline.ae/*
  • www.noorinternetbanking.com/CWCLIENT/loginClient.action
  • www.noorinternetbanking.com/*
  • secure.membersaccounts.com/SELFSERVICE/login.aspx*
  • secure.membersaccounts.com/*
  • cardonebanking.com/authlogin.aspx
  • cardonebanking.com/*
  • cardonebanking.com/authlogin.aspx?business*
  • cib.uab.ae/
  • cib.uab.ae/*
  • www.halifax-online.co.uk/personal/logon/login.jsp
  • www.halifax-online.co.uk/*
  • banking.triodos.co.uk/ib-seam/login.seam?loginType=dp550*
  • banking.triodos.co.uk/*
  • banking.triodos.co.uk/ib-seam/login.seam?loginType=username*
  • ebank.turkishbank.co.uk/Default2.aspx
  • ebank.turkishbank.co.uk/*
  • nebasilicon.fdecs.com/eCustService/*
  • nebasilicon.fdecs.com/*
  • infinity.icicibank.co.uk/UKRET/BANKAWAY*
  • infinity.icicibank.co.uk/*
  • ibank.theaccessbankukltd.co.uk/entry/CorpLoginLang.html
  • ibank.theaccessbankukltd.co.uk/*
  • www.standardlife.co.uk/c1/login.page
  • www.standardlife.co.uk/*
  • apps.virginmoney.com/vmosws/loginWait.do
  • apps.virginmoney.com/*
  • ebaer.juliusbaer.com/*
  • ebanking-ch2.ubs.com/workbench/Index.do*
  • ebanking-ch2.ubs.com/*
  • onlinebanking.bankcoop.ch/
  • onlinebanking.bankcoop.ch/*
  • tb.raiffeisendirect.ch/
  • tb.raiffeisendirect.ch/*
  • wwwsec.ebanking.zugerkb.ch/authen/login
  • wwwsec.ebanking.zugerkb.ch/*
  • wwwsec.valiant.ch/authen/login*
  • wwwsec.valiant.ch/*
  • inba.lukb.ch/lukbLogin/*
  • inba.lukb.ch/*
  • www.bcv.ch/bcvd-login/authenticateAction.do
  • www.bcv.ch/*
  • www.bcv.ch/en
  • www.bcv.ch/fr
  • www.bcv.ch/de
  • online.citi.eu/GBIPB/JSO/signon/DisplayUsernameSignon.do*
  • online.citi.eu/*
  • clients.tilneybestinvest.co.uk/ORM/Login.aspx
  • clients.tilneybestinvest.co.uk/*
  • pro.skb.net/
  • pro.skb.net/*
  • db-sg.db.com/gen/login/index_4.cfm
  • db-sg.db.com/*
  • meine.deutsche-bank.de/trxm/db
  • meine.deutsche-bank.de/*
  • www.banking.axa.de/OnlineBankingWebfrontend/banking/common/login.xhtml;jsessionid=F05F46A7333D65031BD6C9B43C062C31*
  • www.banking.axa.de/*
  • my.banklenz.de/web/guest/login
  • my.banklenz.de/*
  • banking.martinbank.de/
  • banking.martinbank.de/*
  • auth.globalpay.westernunion.com/Sso/Login.aspx*
  • auth.globalpay.westernunion.com/*
  • www.firstmeritib.com/ec/DefaultCorp.aspx
  • www.firstmeritib.com/*
  • cmo.cibc.com/wp/wps/portal/bbdsignon*
  • cmo.cibc.com/*
  • blcweb.banquelaurentienne.ca/lang/en/BLCDirect
  • blcweb.banquelaurentienne.ca/*
  • blcweb.banquelaurentienne.ca/lang/fr/BLCDirect
  • secure.tddirectinvesting.co.uk/webbroker2/login.jsp
  • secure.tddirectinvesting.co.uk/*
  • online.hl.co.uk/my-accounts
  • online.hl.co.uk/*
  • www.youinvest.co.uk/LogIn/username
  • www.youinvest.co.uk/*
  • www.deutschebank-dbdirect.com/cas/login*
  • www.deutschebank-dbdirect.com/*
  • extra.unicreditbank.hu/eibpublic_SP/login.hu.html
  • extra.unicreditbank.hu/*
  • extra.unicreditbank.hu/eibpublic_SP/login.de.html
  • banking.bmwbank.de/s/b2cpws.fcc*
  • banking.bmwbank.de/*
  • banking.donner-reuschel.de/index.jsp
  • banking.donner-reuschel.de/*
  • www.degussa-bank.de/login
  • www.degussa-bank.de/*
  • finanzportal.fiducia.de/p01pebe/entry*
  • finanzportal.fiducia.de/*
  • login.isso.db.com/websso/sso_custom_multi_auth_flex_Logon.sso*
  • login.isso.db.com/*
  • db-direct.db.com/u/eb/Login_Main.serv*
  • db-direct.db.com/*
  • secure.ampbanking.com/au/Logon
  • secure.ampbanking.com/*
  • online.multiport.com.au/
  • online.multiport.com.au/*
  • globalpay.westernunion.com/GlobalPay/Login.aspx
  • globalpay.westernunion.com/*
  • www.anztransactive.anz.com/
  • www.anztransactive.anz.com/*
  • www.anz.com/INETBANK/bankmain.asp
  • www.anz.com/*
  • bbonline.banksa.com.au/html/cbank.asp*
  • bbonline.banksa.com.au/*
  • ibs.bankwest.com.au/BWLogin/bib.aspx
  • ibs.bankwest.com.au/*
  • netteller2.tsw.com.au/delphi/ntv451.asp*
  • netteller2.tsw.com.au/*
  • businessonline.westpac.com.au/esis/Login/SrvPage
  • businessonline.westpac.com.au/*
  • online.corp.westpac.com.au/*
  • www*.my.commbiz.commbank.com.au/Logon/UserMaintenance/Login.aspx
  • www*.my.commbiz.commbank.com.au/*
  • finanzportal.fiducia.de/p13pepe/entry*
  • banking.ing-diba.de/app/login*
  • banking.ing-diba.de/*
  • banking.valovisbank.de/portal/*
  • banking.valovisbank.de/*
  • kunden-mkb-bank.de/
  • kunden-mkb-bank.de/*
  • financepilot-pe.mlp.de/p12pepe/entry*
  • financepilot-pe.mlp.de/*
  • banking.greensill-bank.com/ptlweb/WebPortal*
  • banking.greensill-bank.com/*
  • hbciweb.olb.de/financebrowser5
  • hbciweb.olb.de/*
  • banking.oyakankerbank.de/*
  • bbonline.bankofmelbourne.com.au/html/cbank.asp*
  • bbonline.bankofmelbourne.com.au/*
  • ib.banksyd.com.au/
  • ib.banksyd.com.au/*
  • online.hbs.net.au/hbsv47/ntv471.asp*
  • online.hbs.net.au/*
  • www.ib.boq.com.au/boqbl
  • www.ib.boq.com.au/*
  • banking.lloydsbank.com/Logon/logon.aspx
  • banking.lloydsbank.com/*
  • www.my.commbank.com.au/netbank/Logon/Logon.aspx
  • www.my.commbank.com.au/*
  • bank.ruralbank.com.au/banking/RBLIBanking
  • bank.ruralbank.com.au/*
  • secure.macquarie.com.au/sepas/serve*
  • secure.macquarie.com.au/*
  • nabconnect*.nab.com.au/auth/nabclogin/login.do*
  • nabconnect*.nab.com.au/*
  • ib.tmbank.com.au/ib/signon/Login.aspx
  • ib.tmbank.com.au/*
  • www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do
  • www.citibank.com.au/*
  • ap.ebs.bankofchina.com/login.html*
  • ap.ebs.bankofchina.com/*
  • netteller*.pnbank.com.au/InternetBanking/Login.aspx
  • netteller*.pnbank.com.au/*
  • secure.defencebank.com.au/daib/logon/cu3205/logon.asp
  • secure.defencebank.com.au/*
  • online.bankmecu.com.au/daib/logon/cu3140/logon.asp
  • online.bankmecu.com.au/*
  • private.bankofsingapore.com/Login/Login
  • private.bankofsingapore.com/*
  • fareastnationalbank.ebanking-services.com/EamWeb/account/login.aspx*
  • fareastnationalbank.ebanking-services.com/*
  • velocity.ocbc.com/portal.view
  • velocity.ocbc.com/*
  • uniservices2.uobgroup.com/ELO/login.jsp
  • uniservices2.uobgroup.com/*
  • sg.bibplus.uobgroup.com/BIB/public
  • sg.bibplus.uobgroup.com/*
  • bbonline.stgeorge.com.au/html/cbank.asp*
  • bbonline.stgeorge.com.au/*
  • internetbanking.suncorpbank.com.au/
  • internetbanking.suncorpbank.com.au/*
  • inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank
  • inetbnkp.adelaidebank.com.au/*
  • secure.anz.co.nz/IBCS/service/login
  • secure.anz.co.nz/*
  • www.bnz.co.nz/ib4b/app/login
  • www.bnz.co.nz/*
  • bol.westpac.co.nz/s1gcb/logon/sbuser
  • bol.westpac.co.nz/*
  • www.ib.kiwibank.co.nz/
  • www.ib.kiwibank.co.nz/*
  • www.flexipurchase.com/secure/welcome.asp
  • www.flexipurchase.com/*
  • homebank.tsbbank.co.nz/online
  • homebank.tsbbank.co.nz/*
  • secure1.rabodirect.co.nz/exp/policyenforcer/pages/loginB2CDGPEN.jsf
  • secure1.rabodirect.co.nz/*
  • ibank.sbs.net.nz/ui/inetbankindex.aspx
  • ibank.sbs.net.nz/*
  • my.statestreet.com/
  • my.statestreet.com/*
  • www.mercantilcbonline.com/secure/banking/logon
  • www.mercantilcbonline.com/*
  • fx.regions.com/esn01/servlet/RSASingleSignOn
  • fx.regions.com/*
  • www.goldman.com/login/login_a.cgi*
  • www.goldman.com/*
  • wealth.goldman.com/login/login_a.cgi*
  • wealth.goldman.com/*
  • businesscenter.mysynchrony.com/BusinessCenterPortal
  • businesscenter.mysynchrony.com/*
  • commerceconnections.commercebank.com
  • commerceconnections.commercebank.com/*
  • www.bankdirect.co.nz
  • www.bankdirect.co.nz/*
  • pfo.us.hsbc.com
  • pfo.us.hsbc.com/*
  • bbonline.stgeorge.com.au/html/cbindex.asp*
  • ideal.dbs.com/loginSubscriber/login/pin.jsp
  • ideal.dbs.com/*
  • internet-banking.dbs.com.sg/IB/Welcome
  • internet-banking.dbs.com.sg/*
  • www.dbsvonline.com/english/index.asp*
  • www.dbsvonline.com/*
  • cashmanager.mizuhoe-treasurer.com/mz/servlet/SLogin*
  • cashmanager.mizuhoe-treasurer.com/*
  • www.superchoice.com.au/amp
  • www.superchoice.com.au/*
  • www.superorganised.com.au/dashboard/login*
  • www.superorganised.com.au/*
  • portal.northonline.com.au/WealthNET.PortalClient
  • portal.northonline.com.au/*
  • www.gecapitalbank.com/gecb/app/login
  • www.gecapitalbank.com/*
  • www.gemyaccounts.com/myaccounts/Index.html*
  • www.gemyaccounts.com/*
  • connect.bnymellon.com/ConnectLogin/login/LoginPage.jsp
  • connect.bnymellon.com/*
  • www.postfinance.ch/ap/ba/fp/html/e-finance/home*
  • www.postfinance.ch/*
  • clientlogin.ibb.ubs.com/login
  • clientlogin.ibb.ubs.com/*
  • www.ebanking.hsbc.co.nz/1/2/!ut/p/c5/jZBdC4IwGEZ_0vtuI6VLXTitmeGa6G5kiIigMyKK_n3rJrrpg-fynHPzgAE_Z6_jYC_j4uwENZigzYMQOd0yFLwIkJbZmsu4JCJhnjefecn-qkklokxTLEjquUxCKsUBxRF_1Kp3rVawT5e5hwZM-CYr8ZTzjVzFyDhn0Ez9YLv7d0-Rl6cdVG45z_6D06zr205GD_hDJm4!/dl3/d3/L0lJSklna21BL0lKakFBTXlBQkVSQ0pBISEvNEZHZ3NvMFZ2emE5SUFnIS83X002NzBDMkozMEdTRzYwMlJNREw1QjAzQ0MzL0FHVnNUNDc3MjAwMDQ!
  • www.ebanking.hsbc.co.nz/*
  • secure.heartland.co.nz/IB/index.zul
  • secure.heartland.co.nz/*
  • connect-ch2.ubs.com/workbench/Index.do*
  • connect-ch2.ubs.com/*
  • www.bendigobank.com.au/banking/BBLIBanking
  • www.bendigobank.com.au/*
  • www.hsbc.com.au/1/2/HUB_IDV2/IDV_EPP*
  • www.hsbc.com.au/*
  • www.citibusiness.citibank.com.sg/SGCBZ/JSO/signon/DisplayUsernameSignon.do
  • www.citibusiness.citibank.com.sg/*
  • internet.ocbc.com/internet-banking
  • internet.ocbc.com/*
  • ibank.standardchartered.com.sg/nfs/login.htm
  • ibank.standardchartered.com.sg/*
  • fastpay.asbbank.co.nz/Account/LogOn
  • fastpay.asbbank.co.nz/*
  • drob.santanderbank.com/cscobgss/Satellite*
  • drob.santanderbank.com/*
  • www2.secure.hsbcnet.com/uims/portal/IDV_CAM10_AUTHENTICATION*
  • www2.secure.hsbcnet.com/*
  • ebanking-es.ubs.com/
  • ebanking-es.ubs.com/*
  • ebanking-uk.ubs.com/
  • ebanking-uk.ubs.com/*
  • www.citibank.com.sg/SGGCB/JSO/signon/DisplayUsernameSignon.do
  • www.citibank.com.sg/*
  • www.onlinesbiglobal.com/64SG/BANKAWAY*
  • www.onlinesbiglobal.com/*
  • ebanking-bel.ubs.com/epexb
  • ebanking-bel.ubs.com/*
  • ebanking-bel.ubs.com/estmtb
  • ebanking-bel.ubs.com/fim
  • ebanking-bhs2.ubs.com/epex
  • ebanking-bhs2.ubs.com/*
  • ebanking-aut.ubs.com/fim
  • ebanking-aut.ubs.com/*
  • ebanking-aut.ubs.com/epexa
  • ebanking-aut.ubs.com/estmta
  • invest.etrade.com.au/Home.aspx
  • invest.etrade.com.au/*
  • www.hsbc.com.sg/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDf6NAZ8tQU3c3A0dDV5MAf2MTAwjQL8h2VAQAdKy3eg!!/*
  • www.hsbc.com.sg/*
  • www.asb.co.nz
  • www.asb.co.nz/*
  • cib.icicibank.com/corp/BANKAWAY*
  • cib.icicibank.com/*
  • group.unicreditbanking.net/
  • group.unicreditbanking.net/*
  • www.fidunet.lu/fidunet/loginFidu.jsp
  • www.fidunet.lu/*
  • www.corpnet.lu/corpnet/loginCorp.jsp
  • www.corpnet.lu/*
  • secure.unicreditbank.lu/
  • secure.unicreditbank.lu/*
  • www.unicreditbank.sk/i-banking-sk-https.html
  • www.unicreditbank.sk/*
  • www.unicreditbank.ba/eba/BHgradjani
  • www.unicreditbank.ba/*
  • ebanking-au.ubs.com/ebanking
  • ebanking-au.ubs.com/*
  • onlineservices.ubs.com/olsauth/ex/pbl/ubso/dl
  • onlineservices.ubs.com/*
  • clientportal.ibb.ubs.com/portal/index.htm*
  • clientportal.ibb.ubs.com/*
  • ebanking-fr.ubs.com/enquiries/*
  • ebanking-fr.ubs.com/*
  • ebanking-de1.ubs.com/workbench/Index.do*
  • ebanking-de1.ubs.com/*
  • ebanking-hksg.ubs.com/
  • ebanking-hksg.ubs.com/*
  • ebanking-can.ubs.com/epex
  • ebanking-can.ubs.com/*
  • ebanking-ca.ubs.com/safeloginc/Login*
  • ebanking-ca.ubs.com/*
  • ebanking-ca.ubs.com/gepc/MainAction
  • ebanking-can.ubs.com/estmtc
  • ebanking-ca.ubs.com/estmtc/action/login
  • trz.tranzact.org/LogonOTP.aspx
  • trz.tranzact.org/*
  • catalystcorp.org/*
  • www.tranzact.org/
  • www.tranzact.org/*
  • mdcommercial.jpmorgan.com/
  • mdcommercial.jpmorgan.com/*
  • jpmcsso-uk.jpmorgan.com/sso/action/federateLogin*
  • jpmcsso-uk.jpmorgan.com/*
  • jpmcsso.jpmorgan.com/sso/action/login*
  • jpmcsso.jpmorgan.com/*
  • online.lloydsbank.co.uk/personal/logon/login.jsp*
  • online.lloydsbank.co.uk/*
  • www.hsbc.co.uk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR5rFO7s7epiY-wD5YZ6uBp4mTiYGpr5uhgaexmDdFibeBn7enkEuBs4ejiYeRiHGMN1-Hvm5qfoFuRHlABOr0sE!*
  • www.hsbc.co.uk/*
  • ebanking-it.ubs.com/
  • ebanking-it.ubs.com/*
  • ebanking-lux.ubs.com/estmt
  • ebanking-lux.ubs.com/*
  • ebanking-lux.ubs.com/epex
  • ebanking-lux.ubs.com/fim
  • ebanking-ch.ubs.com/workbench/Index.do*
  • ebanking-ch.ubs.com/*
  • quotes-global1.ubs.com/go/*
  • quotes-global1.ubs.com/*
  • ebanking-mc.ubs.com/
  • ebanking-mc.ubs.com/*
  • ebanking-nld.ubs.com/estmtn
  • ebanking-nld.ubs.com/*
  • www.ubs.com/connect
  • www.ubs.com/*
  • www.banorte.com/portal/personas/acceso.web*
  • www.banorte.com/*
  • privatebank-us.ubs.com/
  • privatebank-us.ubs.com/*
  • jpmcsso.jpmorgan.com/sso/action/federateLogin*
  • online.unicreditcorporate.it/login.htm
  • online.unicreditcorporate.it/*
  • online-smallbusiness.unicredit.it/login.htm
  • online-smallbusiness.unicredit.it/*
  • online-private.unicredit.it/login.htm
  • online-private.unicredit.it/*
  • online-retail.unicredit.it/login.htm
  • online-retail.unicredit.it/*
  • www.gtb.unicredit.eu/login
  • www.gtb.unicredit.eu/*
  • my.hypovereinsbank.de/login*
  • my.hypovereinsbank.de/*
  • online.bulbank.bg/page/default.aspx*
  • online.bulbank.bg/*
  • extra.unicreditbank.hu/eib_SP/loginpage.hu.html
  • www.hvbrsce.com/ebanking/Athens/Pages/ElectronicBanking.htm
  • www.hvbrsce.com/*
  • si.unicreditbanking.net/disp*
  • si.unicreditbanking.net/*
  • www.unicreditbank.cz/web/redirect.php*
  • www.unicreditbank.cz/*
  • online.privatebanking.societegenerale.be/sg/login_nl.html
  • online.privatebanking.societegenerale.be/*
  • online.privatebanking.societegenerale.be/sg/login_fr.html
  • www.zaba.hr/ebank/gradjani/Prijava
  • www.zaba.hr/*
  • an.rbcnetbank.com/
  • an.rbcnetbank.com/*
  • cashmanagement.barclays.net/portalservices/forms/login.pser*
  • cashmanagement.barclays.net/*
  • www.barclayswealth.com/login/action/logon/unauthenticated/corporate/loginSigningGemplus
  • www.unity-online.co.uk/
  • www.unity-online.co.uk/*
  • bancodicaribeonline.com/SIGNON.CFM
  • bancodicaribeonline.com/*
  • secure.aldermorebusinesssavings.co.uk/corporate
  • secure.aldermorebusinesssavings.co.uk/*
  • e-bank.unicreditbank.si/webbankBACX
  • e-bank.unicreditbank.si/*
  • www.vancity.com/BusinessBanking/OnlineBanking/MyAccounts
  • www.vancity.com/*
  • onlinebusinessplus.vancity.com/business/default.jsp*
  • onlinebusinessplus.vancity.com/*
  • bankonweb.sgeb.bg/page/default.aspx*
  • bankonweb.sgeb.bg/*
  • banques.exalog.net/authent.php*
  • banques.exalog.net/*
  • www.sogehomebank.com/Retail/login.aspx*
  • www.sogehomebank.com/*
  • ibank1.bib.barclays.com/logon
  • ibank1.bib.barclays.com/*
  • entreprises.societegenerale.fr/index.html
  • entreprises.societegenerale.fr/*
  • entreprises.societegenerale.fr/
  • entreprises.societegenerale.fr/associations-connexion.html
  • professionnels.societegenerale.fr/association_connexion.html
  • professionnels.societegenerale.fr/*
  • professionnels.societegenerale.fr/index.html
  • particuliers.societegenerale.fr/
  • particuliers.societegenerale.fr/*
  • www.sgcb.nc/part/fr/dciweb.htm*
  • www.sgcb.nc/*
  • www.sgcb.nc/part/en/dciweb.htm*
  • sogecashnet.societegenerale.cg/smartoffice/GB
  • sogecashnet.societegenerale.cg/*
  • sogecashnet.societegenerale.cg/smartoffice/index.htm
  • ebanking.societegenerale.al/webbankALB/loginCer.jsp*
  • ebanking.societegenerale.al/*
  • www.uibanking-net.com/smartoffice/fr/connexion.html
  • www.uibanking-net.com/*
  • www.uibanking-net.com/smartoffice/GB/connexion.html
  • www.privatebanking.societegenerale.com/en/banking/luxembourg
  • www.privatebanking.societegenerale.com/*
  • www.privatebanking.societegenerale.com/en/banking/monaco
  • banque.bfcoi.com/identificationClient.html*
  • banque.bfcoi.com/*
  • sogeonline.societegenerale.cn/eweb/prelogin.do*
  • sogeonline.societegenerale.cn/*
  • sikanet.sg-ssb.com.gh/priv/en/dciweb.htm*
  • sikanet.sg-ssb.com.gh/*
  • www.obsgnet.com.mk/Retail/LoginModule/LoginToken.aspx
  • www.obsgnet.com.mk/*
  • www.fineco.it/it/public
  • www.fineco.it/*
  • www.investimenti.unicredit.it/
  • www.investimenti.unicredit.it/*
  • ticari.yapikredi.com.tr/ifcapp/xrl/8a162dffc621811178834120027d2afa;jsessionid=c0a8913f30fcd76aff61c9b944afb647f480bfa640bc.e34KcheMc3iMaO0Rah4Oe0
  • ticari.yapikredi.com.tr/*
  • ticari.yapikredi.com.tr/ifcapp/xrl/0ae47e2458dc60906796609e8cf7763b
  • sgcib.pl/ib/Default.aspx*
  • sgcib.pl/*
  • www.interacciones.com/portalAgentes/login.jsp
  • www.interacciones.com/*
  • www.interacciones.com/loginUsuario.do
  • sogecashnet.sga.dz/smartoffice
  • sogecashnet.sga.dz/*
  • www.sogecashnet.ma/smartoffice/index.htm
  • www.sogecashnet.ma/*
  • unified-access.societegenerale.com/portal/site/SogecashWeb
  • unified-access.societegenerale.com/*
  • wibdirect.wib-bank.net/business/online
  • wibdirect.wib-bank.net/*
  • www.mercantilcbonline.com/secure/banking/individualLogon
  • admin.epymtservice.com/admin/index.jhtml*
  • admin.epymtservice.com/*
  • access.usbank.com/cpsApp1/AxolPreAuthServlet*
  • access.usbank.com/*
  • singlepoint.usbank.com/cs70_banking/logon/sbuser
  • singlepoint.usbank.com/*
  • top.capitalonebank.com/cashplus/
  • www.chase.com/commercial-bank/chase-commercial-online
  • www.chase.com/*
  • direct.capitecbank.co.za/ibank
  • direct.capitecbank.co.za/*
  • see.sbi.com.mx/invernet2000/home
  • see.sbi.com.mx/*
  • enlace.santander-serfin.com/eai/EaiEmpresasWAR/inicio.do
  • enlace.santander-serfin.com/*
  • cpn.hsbc.com.mx/cpn/default.htm*
  • cpn.hsbc.com.mx/*
  • nettbanken.nordea.no/login
  • nettbanken.nordea.no/*
  • www.scotiaweb.com.mx/hipotecario/hip_login.asp
  • www.scotiaweb.com.mx/*
  • www.bancaempresarialazteca.com.mx/BancaEmpresarial/login.htm
  • www.bancaempresarialazteca.com.mx/*
  • sites.scotiabank.com.mx/colproveedores/menu/entrada.asp
  • sites.scotiabank.com.mx/*
  • inbursamf.inbursa.com/
  • inbursamf.inbursa.com/*
  • direct.mcbgroup-ebanking.com/wiblogin/corporate_AuthenticateUserLocalEPF.html
  • direct.mcbgroup-ebanking.com/*
  • direct.mcbgroup-ebanking.com/mcbbonairelogin/corporate_AuthenticateUserLocalEPF.html
  • mcbdirect.mcb-bank.com/business/online
  • mcbdirect.mcb-bank.com/*
  • www.mcb-home.com/online/site001index.itm
  • www.mcb-home.com/*
  • www.cmb-home.com/online/site002index.itm
  • www.cmb-home.com/*
  • cmbdirect.cmbnv.com/business/online
  • cmbdirect.cmbnv.com/*
  • www.wib-home.com/online/site004index.itm
  • www.wib-home.com/*
  • www.mcbb-home.com/online/site003index.itm
  • www.mcbb-home.com/*
  • mcbdirect.mcbbonaire.com/business/online
  • mcbdirect.mcbbonaire.com/*
  • www.scotiaconnect.scotiabank.com/sco-tp/pki/AuthenticateUserRoamingEPF.bns
  • www.scotiaconnect.scotiabank.com/*
  • direct.mcbgroup-ebanking.com/mcblogin/corporate_AuthenticateUserLocalEPF.html
  • direct.mcbgroup-ebanking.com/cmblogin/corporate_AuthenticateUserLocalEPF.html
  • ib.absa.co.za/absa-online/login.jsp
  • ib.absa.co.za/*
  • www.fnb.co.za/
  • www.fnb.co.za/*
  • internetbanking.firstcaribbeanbank.com/index.jsp
  • internetbanking.firstcaribbeanbank.com/*
  • jpmpb001.jpmorgan.com/prelogin/index.jsp
  • jpmpb001.jpmorgan.com/*
  • jpmorgan.chase.com/Public/Logon
  • jpmorgan.chase.com/*
  • www.paymentnet.jpmorgan.com/
  • www.paymentnet.jpmorgan.com/*
  • www.sg-bdp.pf/
  • www.sg-bdp.pf/*
  • www.sogecashnet.ma/smartoffice/index_gb.htm
  • gg-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
  • gg-services.credit-suisse.com/*
  • it-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
  • it-services.credit-suisse.com/*
  • www.bancoinbursa.com/login/useraccessPortatil.asp
  • www.bancoinbursa.com/*
  • ebanking.societegenerale.in/corp/AuthenticationController*
  • ebanking.societegenerale.in/*
  • www.interacciones.com/analisis/login.do
  • subastas.scotiainlatrade.com/SubastasAppWeb/login.jsp
  • subastas.scotiainlatrade.com/*
  • pbusa.directnet.com/dn/c/cls/auth
  • pbusa.directnet.com/*
  • br.credit-suisse.com/sec/login/default.aspx
  • br.credit-suisse.com/*
  • onlinebanking-sg.credit-suisse.com/
  • onlinebanking-sg.credit-suisse.com/*
  • www.credit-suisse.com.sg/
  • www.credit-suisse.com.sg/*
  • securitiesexpert.credit-suisse.com/cs/eamnet/c/cls/auth
  • securitiesexpert.credit-suisse.com/*
  • mc-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
  • mc-services.credit-suisse.com/*
  • es-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
  • es-services.credit-suisse.com/*
  • au-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
  • au-services.credit-suisse.com/*
  • hk-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
  • hk-services.credit-suisse.com/*
  • clientview-mx.credit-suisse.com/pb/mexico/c/cls/auth
  • clientview-mx.credit-suisse.com/*
  • at-directnet.credit-suisse.com/dn/c/cls/auth
  • at-directnet.credit-suisse.com/*
  • fr-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
  • fr-services.credit-suisse.com/*
  • gi-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
  • gi-services.credit-suisse.com/*
  • lu-directnet.credit-suisse.com/dn/c/cls/auth
  • lu-directnet.credit-suisse.com/*
  • cs.directnet.com/dn/c/cls/auth*
  • cs.directnet.com/*
  • www.sft-ebanking.com/siteminderagent/forms/dbloginsft.fcc*
  • www.sft-ebanking.com/*
  • secure.internetbanking.firstcaribbeanbank.com/
  • secure.internetbanking.firstcaribbeanbank.com/*
  • bancodicaribeonline.com/aua/SIGNON.CFM
  • bancodicaribeonline.com/sxm/SIGNON.CFM
  • spib.wooribank.com/pib/Dream*
  • spib.wooribank.com/*
  • obank.kbstar.com/quics*
  • obank.kbstar.com/*
  • internetbanking.scu.net.au/mvpscu/SignOn/Login.aspx
  • internetbanking.scu.net.au/*
  • aw.rbcnetbank.com/
  • aw.rbcnetbank.com/*
  • bs-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
  • bs-services.credit-suisse.com/*
  • sponsor.voya.com/static/sponsor/SponsorLogin.fcc
  • sponsor.voya.com/*
  • nge01.bnymellon.com/NextGenV4/dflt/Login.ing
  • nge01.bnymellon.com/*
  • www.ingdirect.com.au/client/index.aspx
  • www.ingdirect.com.au/*
  • my.statestreet.com/secid-smpwservices.fcc*
  • uksecure.barclayswealth.com/
  • uksecure.barclayswealth.com/*
  • live.barcap.com/UAB/S/ecom/logon/1/barxcorporate*
  • live.barcap.com/*
  • www.gerrard.com/clientcentre/login.aspx
  • www.gerrard.com/*
  • tdwealth.netxinvestor.com/web/tdwealth/login
  • tdwealth.netxinvestor.com/*
  • clientpoint.fisglobal.com/tdcb/main/UserLogon*
  • clientpoint.fisglobal.com/*
  • www.volkswagenbank.de/PortalLogin/get/Error.aspx/*
  • www.volkswagenbank.de/*
  • konto.baaderbank.de/*
  • www.e-ambiz.com.my/bon/jsp/common/loginfiles/Login.bon*
  • www.e-ambiz.com.my/*
  • girovision.plusgirot.se/
  • girovision.plusgirot.se/*
  • www.credit-cooperatif.coop/portail/particuliers/login.do
  • www.credit-cooperatif.coop/*
  • onlinebanking.coutts.com/auth/login
  • onlinebanking.coutts.com/*
  • www.tmbbizdirect.com/
  • www.tmbbizdirect.com/*
  • www.ing.be/en/business/Pages/Login.aspx
  • www.ing.be/*
  • www.ing.be/fr/business/pages/login.aspx
  • www.ing.be/nl/business/pages/login.aspx
  • www.ing.be/de/business/Pages/Login.aspx
  • www.ing.be/fr/Retail/Pages/Login.aspx
  • www.ing.be/nl/retail/pages/login.aspx
  • www.bancorpsouthonline.com/BXS/Login.aspx
  • www.bancorpsouthonline.com/*
  • www.kbc.be/site*
  • www.kbc.be/*
  • online.hapoalimusa.com/BHCorporate/core/login.aspx
  • online.hapoalimusa.com/*
  • workbench.bnymellon.com/login.jsp*
  • workbench.bnymellon.com/*
  • solo3.nordea.fi/cgi-bin/SOLO0001*
  • solo3.nordea.fi/*
  • client.gemoneybank.fr/identification.do
  • client.gemoneybank.fr/*
  • ebanking.fransabank.com/LoginAE.aspx
  • ebanking.fransabank.com/*
  • www.epargne-entreprise.federal-finance.fr/ent/start.swe*
  • www.epargne-entreprise.federal-finance.fr/*
  • www.exane.com/*
  • onlinebanking.orcobank.com/orcobankonline/
  • onlinebanking.orcobank.com/*
  • www.alliancebizsmart.com.my/business
  • www.alliancebizsmart.com.my/*
  • www.publicmutualonline.com.my/
  • www.publicmutualonline.com.my/*
  • ebank.publicbank.com.hk/index0028.html
  • ebank.publicbank.com.hk/*
  • www2.pbebank.com/PBL
  • ambank.amonline.com.my/
  • ambank.amonline.com.my/*
  • epayday.e-ambiz.com.my/epayroll/login.do
  • epayday.e-ambiz.com.my/*
  • www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do*
  • www.maybank2u.com.my/*
  • www.maybank2e.net/M2E/mbbcustomer
  • www.maybank2e.net/*
  • www.maybank2e.com/SEA/m2e/portal/portal.view
  • www.maybank2e.com/*
  • rib.affinonline.com/rib/pb/logon
  • rib.affinonline.com/*
  • afactorcontact.com/ClientManagerCMA/formulaire.html
  • afactorcontact.com/*
  • cgaoi.c-g-a.fr/ClientManagerOI/formulaire.html
  • cgaoi.c-g-a.fr/*
  • cgaetoile.c-g-a.fr/ClientManagerCDN/formulaire.html
  • cgaetoile.c-g-a.fr/*
  • cgacontact.c-g-a.fr/ClientManagerSG/formulaire.html
  • cgacontact.c-g-a.fr/*
  • cgi-hp.espace-clients.fr/
  • cgi-hp.espace-clients.fr/*
  • bourse.cholet-dupont.fr/login.asp
  • bourse.cholet-dupont.fr/*
  • cib.affinonline.com/business/login.html
  • cib.affinonline.com/*
  • www.factocicpartnet.com/factocicWeb
  • www.factocicpartnet.com/*
  • secure.boqspecialist.com.au/BOQ/BOQSpecialist
  • secure.boqspecialist.com.au/*
  • sec.westpac.co.nz/IOLB/Login.jsp
  • sec.westpac.co.nz/*
  • e-cash.alrajhibank.com.my/CashWebAlrajhi/index.jsp
  • e-cash.alrajhibank.com.my/*
  • www.cimb.bizchannel.com.my/corp/common2/login.do*
  • www.cimb.bizchannel.com.my/*
  • online-business.tsb.co.uk/business/logon/login.jsp
  • online-business.tsb.co.uk/*
  • banking.secure.bnl.it/
  • banking.secure.bnl.it/*
  • webbanking.bgl.lu/en/Main.html
  • webbanking.bgl.lu/*
  • entreprises.bnpparibas.net/NSAccess
  • entreprises.bnpparibas.net/*
  • connexis.bnpparibas.com/*
  • webbanking.bgl.lu/fr/Main.html
  • webbanking.bgl.lu/de/Main.html
  • webbanking.bgl.lu/nl/Main.html
  • webbanking.bgl.lu/pt/Main.html
  • www.co-operativebank.co.nz/InternetBankingSecure/t/iblogin.aspx
  • www.co-operativebank.co.nz/*
  • businessbank.tsbbank.co.nz/BusinessBank/login.jsp
  • businessbank.tsbbank.co.nz/*
  • probank.tsbbank.co.nz/ProBank/login.action
  • probank.tsbbank.co.nz/*
  • global.kbstar.com/quics*
  • global.kbstar.com/*
  • portal.northonline.com.au/WealthNET.PortalClient/DUBLE
  • ib.mebank.com.au/auth/ib/login.html
  • ib.mebank.com.au/*
  • online.mystate.com.au/Banking/Personal
  • online.mystate.com.au/*
  • online.mystate.com.au/Banking/Business
  • ibanking.bankofmelbourne.com.au/ibank/loginPage.action
  • ibanking.bankofmelbourne.com.au/*
  • www.sbisyd.com.au/eremit/index.php
  • www.sbisyd.com.au/*
  • ribs.rabobank.com.au/RIBSAU/AU
  • ribs.rabobank.com.au/*
  • online.westpac.com.au/esis/Login/SrvPage*
  • online.westpac.com.au/*
  • netaccess3.qtmb.com.au/QTMB/NetTeller/login.aspx
  • netaccess3.qtmb.com.au/*
  • www.citibank.com.my/MYGCB/JSO/signon/DisplayUsernameSignon.do
  • www.citibank.com.my/*
  • logon.reflex.rhbbank.com.my/rhbcams/corporate/login.jsp
  • logon.reflex.rhbbank.com.my/*
  • logon.rhb.com.my/
  • logon.rhb.com.my/*
  • www.citigold.com.my/MYGCB/JSO/signon/DisplayUsernameSignon.do
  • www.citigold.com.my/*
  • www.benefitaccess.com/cba.html
  • www.benefitaccess.com/*
  • transactgateway.svb.com/siliconvalley/customerlogin.aspx
  • transactgateway.svb.com/*
  • leumionline.leumiusa.com/uniquesiga2fb1806b2b3831412436dd67c0ba0085419e78b8eb462c3cbbdd1d547afe055/uniquesig0
  • leumionline.leumiusa.com/*
  • internationalfx.bannerbank.com/servlet/VTDController
  • internationalfx.bannerbank.com/*
  • fxpayments.americanexpress.com/*
  • www.cashanalyzer.com/
  • www.cashanalyzer.com/*
  • accesd.affaires.desjardins.com/en/ada
  • accesd.affaires.desjardins.com/*
  • accesd.affaires.desjardins.com/fr/ada
  • www.ml.com/
  • www.ml.com/*
  • www.mymerrill.com/ml/home.aspx*
  • www.mymerrill.com/*
  • bankinguk.secure.investec.com/login.html*
  • bankinguk.secure.investec.com/*
  • secureprivateebanking.nordea.lu/eServices/Login.aspx*
  • secureprivateebanking.nordea.lu/*
  • secureprivateebanking.nordea.ch/ESERVICES/Login.aspx*
  • secureprivateebanking.nordea.ch/*
  • secureprivateebanking.nordea.sg/eServices/Login.aspx*
  • secureprivateebanking.nordea.sg/*
  • ssologin.bnpparibas.com/cib/LoginForm.aspx*
  • ssologin.bnpparibas.com/*
  • clientlogin.ibb.ubs.com/login*
  • uk.hkbea-cyberbanking.com/UCBWeb/Index.action
  • uk.hkbea-cyberbanking.com/*
  • uk.hkbea-cyberbanking.com/UCBCorp/Index.action
  • sharinbox.societegenerale.com/login.do
  • sharinbox.societegenerale.com/*
  • secure1.entreprises.bnpparibas.net/sommaire/jsp/identification.jsp
  • secure1.entreprises.bnpparibas.net/*
  • ebanking.procreditbank-kos.com/User/LogOn
  • ebanking.procreditbank-kos.com/*
  • probanking.procreditbank.ba/User/LogOn*
  • probanking.procreditbank.ba/*
  • classic.nordea.fi/cgi-bin/SOLO0001*
  • classic.nordea.fi/*
  • www.danskebank.fi/fi-fi/Henkiloasiakkaat/Pages/henkiloasiakkaat.aspx*
  • www.danskebank.fi/*
  • www.danskebank.fi/fi-fi/yritysasiakkaat/Pages/yritysasiakkaat.aspx*
  • www.danskebank.fi/sv-fi/Privat/Pages/Privat.aspx*
  • www.danskebank.fi/sv-fi/Foretag/Medelstora-foretag/Webbtjanster/Pages/Webbtjanster.aspx*
  • www.danskebank.fi/sv-fi/OmBanken/Ombanken/Pages/Ombanken.aspx*
  • www.danskebank.fi/en-fi/Personal/Pages/Personal.aspx*
  • www.danskebank.fi/en-fi/business/Medium-business/Online-services/Pages/Online-services.aspx*
  • www.corealdirect.de/corealcredit/abaxx-*
  • www.corealdirect.de/*
  • casextern.creditplus.de/casextern_prod1/login
  • casextern.creditplus.de/*
  • www.asl.com/c/portal/login
  • www.asl.com/*
  • meine.norisbank.de/*
  • ufo.union-investment.de/process*
  • ufo.union-investment.de/*
  • www.mercedes-benz-bank.de/intrade/login/login.jsf
  • www.mercedes-benz-bank.de/*
  • cfi.mb.seb.se/pqq_portal/sebflow/login
  • cfi.mb.seb.se/*
  • securebank.santander.de/LICCMG_SCB_ENS/BtoChannelDriver.ssobto*
  • securebank.santander.de/*
  • wertpapier.hafnerbank.de/*
  • www.bankhaus-lampe.de/en/client-portal
  • www.bankhaus-lampe.de/*
  • securebanking.hanseaticbank.de/onlinebanking-hb/loginFormAction.do
  • securebanking.hanseaticbank.de/*
  • www.bancomernetcash.com/local_pibee/KDPOSolicitarCredenciales_es.html
  • www.bancomernetcash.com/*
  • www.provincialnetcash.com/KDPOSolicitarCredenciales_es.html
  • www.provincialnetcash.com/*
  • netredex.grupobbva.com/local_tebe/TEBELogin_bbva_belgica_CAS.html
  • netredex.grupobbva.com/*
  • netredex.grupobbva.com/local_tefr/TEFRLogin_bbva_francia_CAS.html
  • portal.sutorbank.de/*
  • e-bank.wuestenrot.de/ebanking/eb/index.html
  • e-bank.wuestenrot.de/*
  • banking.bankofscotland.de/netbanking/RetailLoginHome.html
  • banking.bankofscotland.de/*
  • ebank.garantibank.nl/scripts/gbide.dll*
  • ebank.garantibank.nl/*
  • www.hypotirol.com/at/privatkunden/hypo-online/hypo-online-banking/login.html
  • www.hypotirol.com/*
  • banking.oberbank.de/smartoffice/de/_mcologon*
  • banking.oberbank.de/*
  • www.oberbank-banking.at/obk/tiles/start.action
  • www.oberbank-banking.at/*
  • kunde.onvista-bank.de/login.html*
  • kunde.onvista-bank.de/*
  • banking.bw-bank.de/*
  • secure.moneyou.de/thc/policyenforcer/pages/loginB2C.jsf
  • secure.moneyou.de/*
  • portal.berenberg.de/MULTIVERSA-IFP/faces/login/login.jsf
  • portal.berenberg.de/*
  • ssl2.haspa.de/OnlineFiliale/banking/authenticate/login
  • ssl2.haspa.de/*
  • www.dslbank.de/dienste/partner/login.html*
  • www.dslbank.de/*
  • www.francesnetcash.com.ar/local_pibee/KDPOSolicitarCredenciales_es.html
  • www.francesnetcash.com.ar/*
  • www.francesnetcash.com.ar/local_pibee/KDPOSolicitarCredenciales_en.html
  • www.continentalnetcash.com.pe/KDPOSolicitarCredenciales_es.html
  • www.continentalnetcash.com.pe/*
  • www.bbvanetcash.cl/local_pibee/indexPibee.html
  • www.bbvanetcash.cl/*
  • www.bbvanetcash.com/local_kyop/KYOPSolicitarCredenciales.html
  • www.bbvanetcash.com/*
  • ve1.provinet.net/nhvp_ve_web/atpn_es_web_jsp/login.jsp*
  • ve1.provinet.net/*
  • www.provincialnetcash.com/KDPOSolicitarCredenciales_en.html
  • netredex.grupobbva.com/local_tebe/TEBELogin_bbva_belgica_FRA.html
  • netredex.grupobbva.com/local_tefr/TEFRLogin_bbva_francia_FRA.html
  • netredex.grupobbva.com/local_telnsp/TELNLogin_bbva_londres_CAS.html
  • netredex.grupobbva.com/local_teln/TELNLogin_bbva_londres_ING.html
  • www.bbvanet.com.co/index.html*
  • www.bbvanet.com.co/*
  • www.provincial.com/personas/BBVAProvincial.jsp
  • www.provincial.com/*
  • secure.provinet.net/cgi-bin.cgi/bbvanettxtencr.cgi*
  • secure.provinet.net/*
  • www.bbvanet.cl/bbvanet/Process*
  • www.bbvanet.cl/*
  • www.bbvanet.cl/bbvanet/personas.html
  • privat.bhf-bank.ch/Authentification/GetAuthentificationVersion*
  • privat.bhf-bank.ch/*
  • onba.zkb.ch/*
  • www.neuehelvetischebank.ch/e-banking.html
  • www.neuehelvetischebank.ch/*
  • onlinebanking.bankcoop.ch/coopLogin
  • www.fibi-online.co.il/web/swisswwwc
  • www.fibi-online.co.il/*
  • online.bankvonroll.ch/*
  • sobanet.baloise.ch/ibfLogin/*
  • sobanet.baloise.ch/*
  • eservice.cembra.ch/*
  • banking.bekb.ch/ident.html
  • banking.bekb.ch/*
  • www.barclayswealth.ch/Login/fedsso.do*
  • www.barclayswealth.ch/*
  • netbanking.sparkasse.at/*
  • online.bankaustria.at/*
  • ebanking.es.rbcis.com/ebancoval/control/login
  • ebanking.es.rbcis.com/*
  • www2.targobank.es/empresasI
  • www2.targobank.es/*
  • www.volkswagenbank.es/html/central_empresas.jsp
  • www.volkswagenbank.es/*
  • www.volkswagenbank.es/clientes/central_particular.jsp
  • clientes.selfbank.es/conexion
  • clientes.selfbank.es/*
  • clientes.selfbank.es/login.phtml
  • bancoonline.openbank.es/servlet/PProxy*
  • bancoonline.openbank.es/*
  • www.oney.es/OneyES_PrivateArea
  • www.oney.es/*
  • clientes.uci.es/*
  • ib.swedbank.lv/business*
  • ib.swedbank.lv/*
  • webapp.sebgroup.com/nauth4/Authentication/login.jsp*
  • webapp.sebgroup.com/*
  • factoring.mb.seb.se/nauth3/Authentication/login.jsp*
  • factoring.mb.seb.se/*
  • factoring.seb.de/nauth3/Authentication/login.jsp*
  • factoring.seb.de/*
  • ib.baltikums.eu/x/login;jsessionid=BB003BE9FD76AAB7C6C99F3D944F7152*
  • ib.baltikums.eu/*
  • ib.bib.lv/web/guest;jsessionid=0125DB8D917675A75518DC10BDE4100F
  • ib.bib.lv/*
  • www.norvik.eu/en/intl
  • www.norvik.eu/*
  • ibank.humebank.com.au/mvp/signon/login.aspx
  • ibank.humebank.com.au/*
  • mittval.maxm.se/companyservices
  • mittval.maxm.se/*
  • inloggad.volvofinans.se/foretag/inloggning/forenklad.html
  • inloggad.volvofinans.se/*
  • cpe.erste-group.com/*
  • www.online-kundenservice.at/index.php*
  • www.online-kundenservice.at/*
  • www.denzelbank.at/Sparen/Login.aspx
  • www.denzelbank.at/*
  • www.factorbank.com/clients.php
  • www.factorbank.com/*
  • ef3web.factorbank.com/efweb/servlet/efweb.RCServlet
  • ef3web.factorbank.com/*
  • online.gutmann.at/pobapp/LoginForm.aspx*
  • online.gutmann.at/*
  • vip.valartis.at/Pages/Login/Login.aspx
  • vip.valartis.at/*
  • newentreprises.interepargne.natixis.com/nie_psd_ee/EC_EE_TRANSV_AUTH_01.action*
  • newentreprises.interepargne.natixis.com/*
  • cib.natixis.com/net/default.aspx
  • cib.natixis.com/*
  • www.novobanco.es/site/cms.aspx*
  • www.novobanco.es/*
  • online.popularbancaprivada.es/index.html
  • online.popularbancaprivada.es/*
  • conecta.es.rbcis.com/tafval
  • conecta.es.rbcis.com/*
  • nbnet.novobanco.es/*
  • conecta.es.rbcis.com/person-online/dologin
  • www.ing.be/en/retail/pages/login.aspx
  • www.ing.be/de/retail/Pages/Login.aspx
  • www.ingonline.com/cz
  • www.ingonline.com/bg
  • www.ingonline.com/hu
  • www.ingonline.com/pl
  • www.ingonline.com/ro
  • www.ingonline.com/sk
  • secure.ingdirect.fr/public/displayLogin.jsf
  • secure.ingdirect.fr/*
  • esipub.esi-sa.com/INGArchive/Account/Login.aspx*
  • esipub.esi-sa.com/*
  • banking.ing-diba.de/app/obligo
  • secure.ingdirect.it/login.aspx
  • secure.ingdirect.it/*
  • www.ing.lu/web/ING/EN/Personal/Login/index.htm
  • www.ing.lu/*
  • www.ing.lu/ING/FR/Particuliers/Login/index.htm
  • www.ing.lu/web/ING/FR/Personal/Login/index.htm
  • www.ing.lu/web/ING/NL/Particuliers/Login/index.htm
  • mijnzakelijk.ing.nl/
  • mijnzakelijk.ing.nl/*
  • mijn.ing.nl/
  • mijn.ing.nl/*
  • banking.ing-diba.at/online-banking
  • banking.ing-diba.at/*
  • start.ingbusinessonline.pl/ing/do/sms
  • start.ingbusinessonline.pl/*
  • solo.nordea.com/nsc/engine*
  • solo.nordea.com/*
  • www.netbank.nordea.dk/netbank/index.jsp
  • www.netbank.nordea.dk/*
  • solo1.nordea.fi/nsp/engine
  • solo1.nordea.fi/*
  • solo1.nordea.fi/nsp/login
  • internetbanken.privat.nordea.se/nsp/login
  • internetbanken.privat.nordea.se/*
  • internetbanken.privat.nordea.se/nsp/engine*
  • nb.nordea.no/jlogin/nettbank/login/login
  • nb.nordea.no/*
  • www.nordeaim.nordea.com/ImExt/WebportExt.nsf
  • www.nordeaim.nordea.com/*
  • eplusgiro.plusgirot.se/eplusgiro.html
  • eplusgiro.plusgirot.se/*
  • eplusgiro.plusgirot.se/eplusgiro_comp.html
  • gfs.nb.se/privat/bank/index_foretag.html
  • gfs.nb.se/*
  • girolink.plusgirot.se/
  • girolink.plusgirot.se/*
  • www.bcif.fr/Compte/Login.aspx
  • www.bcif.fr/*
  • www.ubibanca.com/Login_utilio
  • www.ubibanca.com/*
  • www.intesasanpaolo.com/script/Login2Servlet*
  • www.intesasanpaolo.com/*
  • extranet.bpifrance.fr/etresosesame/connexion.do
  • extranet.bpifrance.fr/*
  • basfnet.france.banqueaudi.com/cnet/Arc_NbOrion_html/Banque/Static_BASF/netbank_fr.html
  • basfnet.france.banqueaudi.com/*
  • basfnet.france.banqueaudi.com/cnet/Arc_NbOrion_html/Banque/Static_BASF/netbank_en.html
  • www.banque-tahiti.pf/pauth.aspx*
  • www.banque-tahiti.pf/*
  • www.mydegroof.fr/*
  • www4.banquewormser.com/
  • www4.banquewormser.com/*
  • esecure.banque-edel.fr/es@b/fr/index.jsp
  • esecure.banque-edel.fr/*
  • www.ct6.e-i.com/wlib_sharedresources/sson/ssonsign/sign_extranet.asp*
  • www.ct6.e-i.com/*
  • boursebesv.besv.fr/fr/index.html
  • boursebesv.besv.fr/*
  • clients.banque-fiducial.fr/comptes/fr/index.htm
  • clients.banque-fiducial.fr/*
  • web.procapital.fr/bami/public/form_login.html
  • web.procapital.fr/*
  • web.procapital.fr/bami/public/form_procap_login.html
  • www.bamibanque.fr/WD110AWP/WD110awp.exe/CONNECT/GESCOMPTE2010
  • www.bamibanque.fr/*
  • www.bami.lmpatrimonline.com/bol-sb-web/EP01Action.do
  • www.bami.lmpatrimonline.com/*
  • www.bami.lmpatrimonline.com/bol-sb-web/EC01Action.do
  • www.palatine.fr/espace-client-entreprises.html
  • www.palatine.fr/*
  • www.pouyanne.net/
  • www.pouyanne.net/*
  • espace-client.cora.fr/FrHomeBK/cora/logon.do
  • espace-client.cora.fr/*
  • verkkopankki2.danskebank.fi/pub/logon/logon.aspx*
  • verkkopankki2.danskebank.fi/*
  • www.portail.banque-solfea.fr/user/login
  • www.portail.banque-solfea.fr/*
  • www.bybloseuropeonline.com/finsebanking_enu_europe
  • www.bybloseuropeonline.com/*
  • www.byblosonline.com/finsebanking_enu
  • www.byblosonline.com/*
  • www.casden.fr/simu/view/accueil.seam
  • www.casden.fr/*
  • www.ing.lu/web/ING/DE/Privatpersonen/Einloggen/index.htm
  • www.ingbank.cz/ib/login
  • www.ingbank.cz/*
  • www.internationalmoneytransfers.com.au/login/login
  • www.internationalmoneytransfers.com.au/*
  • www.bnpparibasfortis.be/private/Start.asp
  • www.bnpparibasfortis.be/*
  • nab.directnet.com/dn/c/cls/auth
  • nab.directnet.com/*
  • www.secure.bnpparibas.net/banque/portail/particulier/HomeConnexion*
  • www.secure.bnpparibas.net/*
  • www.secure.bnpparibas.net/banque/portail/entrepros/HomeConnexion*
  • www.secure.bnpparibas.net/banque/portail/particulier/Fiche*
  • ssologin-bp2s.bnpparibas.com/*
  • factor.bnpparibas.com/factoring/fr/Portail_Connexion.or*
  • factor.bnpparibas.com/*
  • personeo.epargne-retraite-entreprises.bnpparibas.com/portal/salarie-bnp/*
  • personeo.epargne-retraite-entreprises.bnpparibas.com/*
  • personal.gironet.com/DIBS_GIRO_BANK/pages/loginP.jsp
  • personal.gironet.com/*
  • business.firstcitizensonline.com/cb/pages/jsp-ns/loginfcbsc.jsp
  • business.firstcitizensonline.com/*
  • ibs.medbank.lt/login.aspx
  • ibs.medbank.lt/*
  • business2.danskebank.dk/pub/logon/logon.aspx*
  • business2.danskebank.dk/*
  • ebankas.danskebank.lt/ib/site/login*
  • ebankas.danskebank.lt/*
  • business2.danskebank.com/pub/logon/logon.aspx*
  • business2.danskebank.com/*
  • www.danskebank.no/nb-no/Bedrift/Mellomstore-bedrifter/Nettbank/Pages/Nettbank.aspx*
  • www.danskebank.no/*
  • business2.danskebank.no/pub/logon/logon.aspx*
  • business2.danskebank.no/*
  • businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx
  • businessonline.huntington.com/*
  • www.colonialfirststate.com.au/firstnet/login.aspx*
  • www.colonialfirststate.com.au/*
  • www.colonialfirststate.com.au/FNMaster/masterLoginFrames.asp
  • bizpermonline.newcastlepermanent.com.au/NPBSBusiness
  • bizpermonline.newcastlepermanent.com.au/*
  • internetbanking.imb.com.au/IB/personal
  • internetbanking.imb.com.au/*
  • www.cardservicesdirect.com.au/AUCRD/JSO/signon/DisplayUsernameSignon.do
  • www.cardservicesdirect.com.au/*
  • banking.beyondbank.com.au/daib/logon/cu5022/logon.asp
  • banking.beyondbank.com.au/*
  • logon.online.anz.com/auth/Logon/CentralLogin.fcc*
  • logon.online.anz.com/*
  • sslsecure.maybank.com.sg/cgi-bin/mbs/scripts/mbb_login.jsp
  • sslsecure.maybank.com.sg/*
  • www.bizchannel.cimb.com.sg/corp/common2/login.do*
  • www.bizchannel.cimb.com.sg/*
  • www.hongleongonline.com.my/business/index.jsp
  • www.hongleongonline.com.my/*
  • www.mybsn.com.my/mybsn/login/login.do
  • www.mybsn.com.my/*
  • bbmy.ocbc.com/baliweb/59341/site/defaultskin/en_US/html/static/logon_box.htm
  • bbmy.ocbc.com/*
  • online.akbank.de/onlinebanking/de/Login.html
  • online.akbank.de/*
  • webzr.aktivbank.de/webzr/login/ShowLogin.do
  • webzr.aktivbank.de/*
  • akp.aab.de/akp/vermoegensstatus/uebersicht.do
  • akp.aab.de/*
  • www.baaderbank.de/en/login.html
  • www.baaderbank.de/*
  • www.hsbctrinkaus.de/global/display/user*
  • www.hsbctrinkaus.de/*
  • business.memberdirect.net/business/default.jsp*
  • business.memberdirect.net/*
  • www.bankdirect.co.nz/
  • www.hsbc.fr/1/2/hsbc-france/entreprises-institutionnels/connexion
  • www.hsbc.fr/*
  • online.asb.co.nz/auth/
  • online.asb.co.nz/*
  • fnb.asb.co.nz/SignOn.aspx
  • fnb.asb.co.nz/*
  • newentreprises.interepargne.natixis.com/
  • entreprises.retraite.assurances.natixis.com/*
  • epargnants.interepargne.natixis.fr/def_int_ep/ep/home.do*
  • epargnants.interepargne.natixis.fr/*
  • be.abanca.com/
  • be.abanca.com/*
  • private.lombardodier.com/login/login.jsp
  • private.lombardodier.com/*
  • cs1.credistar.com/p/
  • cs1.credistar.com/*
  • www.eurocredito.es/zonaClienteEurocredito/FcControlador.srvl*
  • www.eurocredito.es/*
  • caixadirecta.colonya.es/BEWeb/2056/6056/login_identificacion.action
  • caixadirecta.colonya.es/*
  • caixadirecta.colonya.es/BEWeb/2056/6056/inicia_identificacion.action*
  • www.sydbank.de/Sign/DE/_mcologon*
  • www.sydbank.de/*
  • ssl.icoio.de/account
  • ssl.icoio.de/*
  • ssl.icoio.de/cash
  • ssl.icoio.de/realestate
  • banking.bmwbank.de/
  • ob.cua.com.au/ib/f7bba4b88b84645e0ff8787e159be60d/LoginAuth.action
  • ob.cua.com.au/*
  • bcaixanet-empresas.bancocaixageral.es/
  • bcaixanet-empresas.bancocaixageral.es/*
  • bcaixanet-particulares.bancocaixageral.es/
  • bcaixanet-particulares.bancocaixageral.es/*
  • barclaysnet.barclays.es/accesoBarclaysNet.html
  • barclaysnet.barclays.es/*
  • www.bsfincomonline.com/
  • www.bsfincomonline.com/*
  • moj.multibank.pl/
  • moj.multibank.pl/*
  • companynet.mbank.pl/mt/
  • companynet.mbank.pl/*
  • online.mbank.pl/pl/Login
  • online.mbank.pl/*
  • aliorbank.pl/hades/do/Login
  • aliorbank.pl/*
  • www.ipko.pl/
  • www.ipko.pl/*
  • www.centrum24.pl/centrum24-web/login
  • www.centrum24.pl/*
  • www.citibankonline.pl/PLGCB/JPS/portal/SignonLocaleSwitch.do*
  • www.citibankonline.pl/*
  • www.ubank.com.au/
  • www.ubank.com.au/*
  • my.hsbcprivatebank.com/1/2/*
  • my.hsbcprivatebank.com/*
  • www.bancorpsouthinview.web-cashplus.com/Cashplus/
  • www.bancorpsouthinview.web-cashplus.com/*
  • banking.smile.co.uk/SmileWeb/start.do
  • banking.smile.co.uk/*
  • bankonline.sboff.com/OFS2/InternetBanking
  • bankonline.sboff.com/*
  • online.alrayanbank.co.uk/online/aspscripts/Logon.asp
  • online.alrayanbank.co.uk/*
  • mybbsaccounts.bucksbs.co.uk/mlogn01.asp
  • mybbsaccounts.bucksbs.co.uk/*
  • online.ccbank.co.uk/main.asp*
  • online.ccbank.co.uk/*
  • u-2-view.chorleybs.co.uk/mlogn01.asp
  • u-2-view.chorleybs.co.uk/*
  • wealthclient.closebrothers.com/Login
  • wealthclient.closebrothers.com/*
  • www.coventrybuildingsociety.co.uk/onlineservices/login/ols_login.aspx
  • www.coventrybuildingsociety.co.uk/*
  • myaccounts.newbury.co.uk/main.asp*
  • myaccounts.newbury.co.uk/*
  • cbforex.citizensbank.com/CitizensWebApplication/cbforex/loginScreen*
  • cbforex.citizensbank.com/*
  • login.isso.db.com/websso/sso_multi_auth_Logon.sso*
  • www.corporate-clients.commerzbank.com/S-Portal/SHTML/cdir2/companydirectportal/pgf.html*
  • www.corporate-clients.commerzbank.com/*
  • apps.bhw.de/es600/index.jsp
  • apps.bhw.de/*
  • extra.unicreditbank.hu/eibpublic_SP/login.en.html
  • www.dab-bank.de/Mein-Konto-Depot/Login
  • www.dab-bank.de/*
  • www.asl.com/asl/login/entryFrame.jsp
  • ebanking-de1.ubs.com/enquiries/controller/*
  • banking.varengold.de/OnlineBankingWebfrontend/banking/common/login.xhtml;jsessionid=6B6D8E978F9BF46846D30C85AF534497*
  • banking.varengold.de/*
  • kunde.comdirect.de/lp/wt/login
  • kunde.comdirect.de/*
  • meine.sutorbank.de/*
  • www.accessonline.abnamro.com/fss/open/welcome.do*
  • www.accessonline.abnamro.com/*
  • banking.postbank.de/rai/login
  • banking.postbank.de/*
  • portal4.sydbank.dk/wps/bankdata/jsp/html/da/PortalFrame.jsp*
  • portal4.sydbank.dk/*
  • konto.biw-bank.de/onlinebanking-biwvp/login
  • konto.biw-bank.de/*
  • online.citibank.com/snapshoot/3
  • www.discovercard.com/snapshoot/29
  • www.paypal.com/snapshoot/7
  • banking.bw-bank.de
  • banking.oyakankerbank.de
  • clientes.uci.es
  • cpe.erste-group.com
  • entreprises.retraite.assurances.natixis.com
  • eservice.cembra.ch
  • kunden-mkb-bank.de
  • meine.norisbank.de
  • meine.sutorbank.de
  • netbanking.sparkasse.at
  • onba.zkb.ch
  • online.bankaustria.at
  • online.bankvonroll.ch
  • online.corp.westpac.com.au
  • portal.sutorbank.de
  • wertpapier.hafnerbank.de
  • www.exane.com
  • www.mydegroof.fr

The following are proxy addresses for man-in-the-middle attacks:

  • {BLOCKED}.{BLOCKED}.246.10:443
  • {BLOCKED}.{BLOCKED}.237.94:443

It sends the following GET request:

  • /0607uk12/{Computer name}_{OS patform}.{value}/{value}/{data/variable}/{BLOCKED}.{BLOCKED}.43.38/

It sends a POST request to send stolen information from the injection.

  SOLUTION

Minimum Scan Engine: 9.750

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Remove the malware/grayware file that dropped/downloaded TSPY_DYRE.SLU. (Note: Please skip this step if the threat(s) listed below have already been removed.)

     
    • TROJ_UPATRE.YYSLU

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    • GoogleUpdate = "%AppDataLocal%\{random filename}.exe" (for Windows Vista and above)

Step 6

Delete this registry key

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

 
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    • googleupdate (for Windows XP and below)

Step 7

Search and delete these files

[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.
  • %System%\config\systemprofile\Application Data\ea1bw72e0f4.dll (for Windows XP and below)
  • %AppDataLocal%\ea1bw72e0f4.dll (for Windows Vista and above)

Step 8

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    • From: LimitBlankPasswordUse = "0"
      To: LimitBlankPasswordUse = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    • From: fDenyTSConnections = "0"
      To: fDenyTSConnections = 1
  • In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    • From: fSingleSessionPerUser = "0"
      To: fSingleSessionPerUser = 1

Step 9

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_DYRE.SLU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 10

Scan your computer with your Trend Micro product to delete files detected as TSPY_DYRE.SLU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.


Did this description help? Tell us how we did.