TSPY_DYRE.SLU
July 17, 2015
ALIASES:
Spyware.Dyre (Malwarebytes); PWS:Win32/Dyzap (Microsoft); Win32/Battdil.AC (ESET-NOD32)
PLATFORM:
Windows
OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:
INFORMATION EXPOSURE:
Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
Infection Channel: Downloaded from the Internet, Dropped by other malware
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may be dropped by other malware.
It connects to certain websites to send and receive information. It deletes itself after execution.
TECHNICAL DETAILS
File Size: 488,448 bytes
Memory Resident: Yes
Initial Samples Received Date: 16 Jul 2015
Payload: Steals information
Arrival Details
This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may be dropped by the following malware:
Installation
This spyware drops the following copies of itself into the affected system:
- %AppDataLocal%\{random filename}.exe (for Windows Vista and above)
- %Windows%\{random filename}.exe (for Windows XP and below)
(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- Global\u1nyj3rt20
It injects codes into the following process(es):
- explorer.exe
- svchost.exe
Autostart Technique
This spyware registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
ImagePath = "%Windows%\{random filename}.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
DisplayName = "Google Update"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate
Start = "2"
It adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
GoogleUpdate = "%AppDataLocal%\{random filename}.exe" (for Windows Vista and above)
Other System Modifications
This spyware adds the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\googleupdate (for Windows XP and below)
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa
LimitBlankPasswordUse = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fDenyTSConnections = "0"
(Note: The default value data of the said registry entry is 1.)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fSingleSessionPerUser = "0"
(Note: The default value data of the said registry entry is 1.)
Dropping Routine
This spyware drops the following files:
- %System%\config\systemprofile\Application Data\ea1bw72e0f4.dll (for Windows XP and below)
- %AppDataLocal%\ea1bw72e0f4.dll (for Windows Vista and above)
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Information Theft
This spyware gathers the following data:
- Host Name
- Public IP Address
- Computer Name
- OS Version
- OS Platform
- User Accounts
- System Info(CPU, Memory, No. of Processors)
- Installed programs
- Services
Other Details
This spyware connects to the following URL(s) to check for an Internet connection:
- google.com
- microsoft.com
It connects to the following URL(s) to get the affected system's IP address:
- http://icanhazip.com
It connects to the following website to send and receive information:
- http://{BLOCKED}.{BLOCKED}.199.58:4443
- http://{BLOCKED}.{BLOCKED}.63.98:443
- http://{BLOCKED}.{BLOCKED}.194.188:4443
- http://{BLOCKED}.{BLOCKED}.126.8:4443
- http://{BLOCKED}.{BLOCKED}.201.9:443
- http://{BLOCKED}.{BLOCKED}.10.23:443
- http://{BLOCKED}.{BLOCKED}.152.131:443
- http://{BLOCKED}.{BLOCKED}.33.98:443
- http://{BLOCKED}.{BLOCKED}.89.141:443
- http://{BLOCKED}.{BLOCKED}.190.84:443
- http://{BLOCKED}.{BLOCKED}.191.213:443
- http://{BLOCKED}.{BLOCKED}.206.204:443
- http://{BLOCKED}.{BLOCKED}.129.153:4443
- http://{BLOCKED}.{BLOCKED}.129.218:4443
- http://{BLOCKED}.{BLOCKED}.135.106:4443
- http://{BLOCKED}.{BLOCKED}.83.218:4443
- http://{BLOCKED}.{BLOCKED}.67.21:443
- http://{BLOCKED}.{BLOCKED}.67.211:443
- http://{BLOCKED}.{BLOCKED}.90.33:443
- http://{BLOCKED}.{BLOCKED}.81.96:4443
- http://{BLOCKED}.{BLOCKED}.14.89:443
- http://{BLOCKED}.{BLOCKED}.178.154:443
- http://{BLOCKED}.{BLOCKED}.151.10:443
- http://{BLOCKED}.{BLOCKED}.73.151:4443
- http://{BLOCKED}.{BLOCKED}.170.118:443
- http://{BLOCKED}.{BLOCKED}.172.36:443
- http://{BLOCKED}.{BLOCKED}.76.44:4443
- http://{BLOCKED}.{BLOCKED}.50.169:443
- http://{BLOCKED}.{BLOCKED}.51.25:443
- http://{BLOCKED}.{BLOCKED}.60.225:443
- http://{BLOCKED}.{BLOCKED}.61.13:443
- http://{BLOCKED}.{BLOCKED}.15.70:443
- http://{BLOCKED}.{BLOCKED}.96.30:443
- http://{BLOCKED}.{BLOCKED}.97.238:443
- http://{BLOCKED}.{BLOCKED}.228.144:443
- http://{BLOCKED}.{BLOCKED}.166.113:443
- http://{BLOCKED}.{BLOCKED}.61.101:443
- http://{BLOCKED}.{BLOCKED}.144.195:4443
- http://{BLOCKED}.{BLOCKED}.235.48:443
- http://{BLOCKED}.{BLOCKED}.34.137:443
- http://{BLOCKED}.{BLOCKED}.219.35:443
- http://{BLOCKED}.{BLOCKED}.54.22:443
- http://{BLOCKED}.{BLOCKED}.55.12:443
- http://{BLOCKED}.{BLOCKED}.55.122:443
- http://{BLOCKED}.{BLOCKED}.75.75:4443
- http://{BLOCKED}.{BLOCKED}.102.70:443
- http://{BLOCKED}.{BLOCKED}.154.243:443
- http://{BLOCKED}.{BLOCKED}.194.154:443
It does the following:
- Receive configuration(web injects)
- Receive New connections
- Download file and execute
- Download Module(VNC,TV)
- Browser Snapshot
- Terminate Process
- Add Users
- Shutdown/restart system
- Monitors the following browsers:
- chrome.exe
- firefox.exe
- iexplore.exe
- Connects to the following STUN (Session Traversal Utilities for NAT) server in order to determine the public IP address of the compromised computer:
- stun1.voiceeclipse.net
- stun.callwithus.com
- stun.sipgate.net
- stun.ekiga.net
- stun.internetcalls.com
- stun.noc.ams-ix.net
- stun.voip.aebc.com
- stun.voipbuster.com
- stun.voxgratia.org
- stun.ipshka.com
- stun.faktortel.com.au
- stun.iptel.org
- stun.voipstunt.com
- 203.183.172.196:3478
- s1.taraba.net
- stun.l.google.com:19302
- stun1.l.google.com:19302
- stun2.l.google.com:19302
- stun3.l.google.com:19302
- stun4.l.google.com:19302
- stun.schlund.de
- stun.rixtelecom.se
- stun.voiparound.com
- numb.viagenie.ca
- stun.stunprotocol.org
- stun.services.mozilla.com
- stun.2talk.co.nz
- Stop the following services:
- wscsvc
- MpsSvc
- WinDefend
It deletes itself after execution.
NOTES:
This spyware steals important banking/bitcoin information by injecting malicious codes to bank/Bitcoin login webpages with URLs containing any of the following:
- cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces
- cashproonline.bankofamerica.com/*
- businessaccess.citibank.citigroup.com/cbusol/signon.do
- businessaccess.citibank.citigroup.com/*
- www.bankline.natwest.com/CWSLogon/logon.do*
- www.bankline.natwest.com/*
- www.bankline.rbs.com/CWSLogon/logon.do*
- www.bankline.rbs.com/*
- www.bankline.ulsterbank.ie/CWSLogon/logon.do*
- www.bankline.ulsterbank.ie/*
- www.business.hsbc.co.uk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR2LKuyHkgbotDB1dDZyDDTwMzM0sDTy93B1dnXz8DN0tTCC6nd0dPUzMfYCqwzxdDTxNnEwMTH3dDA08jQnoLsgNDQUAO-nOhw!!
- www.business.hsbc.co.uk/*
- www.nwolb.com/default.aspx
- www.nwolb.com/*
- www6.rbc.com/webapp/ukv0/signin/logon.xhtml
- www6.rbc.com/*
- online.bankofscotland.co.uk/personal/logon/login.jsp
- online.bankofscotland.co.uk/*
- www.rbsdigital.com/login.aspx*
- www.rbsdigital.com/*
- wellsoffice.wellsfargo.com/ceoportal/signon/index.jsp*
- wellsoffice.wellsfargo.com/*
- lloydslink.online.lloydsbank.com/Logon/Logon.jsp
- lloydslink.online.lloydsbank.com/*
- www.ulsterbankanytimebanking.ie/default.aspx
- www.ulsterbankanytimebanking.ie/*
- banking.bankofscotland.co.uk/Logon/Logon.aspx*
- banking.bankofscotland.co.uk/*
- access.jpmorgan.com/jpmalogon
- access.jpmorgan.com/*
- gateway.citizenscommercialbanking.com/ccp/accessmoneymanager.jsp
- gateway.citizenscommercialbanking.com/*
- www.signatureny.web-access.com/signat/cgi-bin/login.cgi
- www.signatureny.web-access.com/*
- itreasury.regions.com/wcmfd/wcmpw/CustomerLogin
- itreasury.regions.com/*
- commercial.bnc.ca/auth/Login*
- commercial.bnc.ca/*
- ktt.key.com/ktt/cmd/logon
- ktt.key.com/*
- businessbanking.tdcommercialbanking.com/WBB/LoginDisplay
- businessbanking.tdcommercialbanking.com/*
- online-business.bankofscotland.co.uk/business/logon/login.jsp
- online-business.bankofscotland.co.uk/*
- cityntl.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
- cityntl.webcashmgmt.com/*
- www.treasury.pncbank.com/idp/esec/login.ht
- www.treasury.pncbank.com/*
- fnfgbusinessonline.enterprisebanker.com/wcmfd/wcmpw/CustomerLogin
- fnfgbusinessonline.enterprisebanker.com/*
- ffcw.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
- ffcw.webcashmgmt.com/*
- eastwestbank.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin
- eastwestbank.webcashmgmt.com/*
- cib.bankofthewest.com/K1/servlet/com.fis.authentication.servlet.WelcomeServlet
- cib.bankofthewest.com/*
- www.frostcashmanager.com/CASHplus
- www.frostcashmanager.com/*
- www8.comerica.com/pkmslogin.form
- www8.comerica.com/*
- securentrycorp.amegybank.com/
- securentrycorp.amegybank.com/*
- securentrycorp.calbanktrust.com/
- securentrycorp.calbanktrust.com/*
- www2.pbebank.com/myIBK/apppbb/servlet/BxxxServlet*
- www2.pbebank.com/*
- www.hsbc.com.my/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDCxNvAz9vzyAXA2cPRxMPywBDAwgAykdiyjv5w-WJ0e1v6m5g6RNiYWngbeRvHGRqbECc7uDUvPjQYH0_j_zcVP1I_ShzDMWeniYwxZE5qemJyZXY1XljqgvN0w_Lyy_KBYZBQW5oRLm3jyMAwombdA!!/dl3/d3/L0lJSklna21BL0lKakFBTXlBQkVSQ0pBISEvNEZHZ3NvMFZ2emE5SUFnIS83XzA4NEswTktJUkQwQ0hBNEhJSTQwMDAwMDAwL3lSbVo6MjI4ODAwMDQ!
- www.hsbc.com.my/*
- securentrycorp.nsbank.com/
- securentrycorp.nsbank.com/*
- securentrycorp.zionsbank.com/
- securentrycorp.zionsbank.com/*
- ematchingnz1.online.anz.com/saam/SAAMLogin/Login.fcc*
- ematchingnz1.online.anz.com/*
- www.fcsolb.com/cb/pages/jsp-ns/login.jsp*
- www.fcsolb.com/*
- transtasman.online.anz.com/client
- transtasman.online.anz.com/*
- www.commercial.hsbc.com.hk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDd-NQv1BDg2AXA1-PEE9zPwtDAwgAykeaxTu7O3qYmPsA-WGergaeJk4mBqa-boYGnsbYdPsidBfkhioCAMGAADI!
- www.commercial.hsbc.com.hk/*
- www.anzdirect.co.nz/online/EnterANZDirect.do
- www.anzdirect.co.nz/*
- www.bostonprivatebank.com/index.cfm/pid/10540
- www.bostonprivatebank.com/*
- ebanking2.danskebank.co.uk/pub/logon/logon.aspx*
- ebanking2.danskebank.co.uk/*
- secure1.businesswaybnl.it/newcorporate/webcontoc/login/login
- secure1.businesswaybnl.it/*
- business2.danskebank.co.uk/pub/logon/logon.aspx*
- business2.danskebank.co.uk/*
- online.coutts.com/eBankingCouttsLogin/login
- online.coutts.com/*
- business.co-operativebank.co.uk/corp/BANKAWAY*
- business.co-operativebank.co.uk/*
- www.gs.reyrey.com/common/login/login.aspx
- www.gs.reyrey.com/*
- businessonline.mutualofomahabank.com/cb/pages/jsp-ns/login.jsp
- businessonline.mutualofomahabank.com/*
- login.salesforce.com/
- login.salesforce.com/*
- www.natwestibanking.com/eai/IPB_EAI_Web/*
- www.natwestibanking.com/*
- online.adambank.com/eBankingAdamLogin/login
- online.adambank.com/*
- fdonline.co-operativebank.co.uk/corp/BANKAWAY*
- fdonline.co-operativebank.co.uk/*
- home?.cybusinessonline.co.uk/lmgruV8/ceblm-web/login.ctl
- home?.cybusinessonline.co.uk/*
- home?.ybonline.co.uk/raluV8/reglm-web/login.ctl
- home?.ybonline.co.uk/*
- top.capitalonebank.com/pub/html/login.html
- top.capitalonebank.com/*
- cmol.bbt.com/auth/prompt.tb*
- cmol.bbt.com/*
- business-eb.ibanking-services.com/K1/index.jsp
- business-eb.ibanking-services.com/*
- businessonline.tdbank.com/corporatebankingweb/core/login.aspx
- businessonline.tdbank.com/*
- tdetreasury.tdbank.com/s1gcb/logon/sbuser
- tdetreasury.tdbank.com/*
- www.iombankibanking.com/eai/IPB_EAI_Web/eai*
- www.iombankibanking.com/*
- www.rbsiibanking.com/ipb/IPB_Client_Web/Start.do
- www.rbsiibanking.com/*
- achieveaccess.charterone.com/exchange/basic/authentication
- achieveaccess.charterone.com/*
- express.53.com/portal/auth/login/Login
- express.53.com/*
- www22.bmo.com/ctpauth/CTPEAILogin/CustUserPasswordAuthServlet*
- www22.bmo.com/*
- e-access.compassbank.com/bbw/cmserver/welcome/default/verify.cfm
- e-access.compassbank.com/*
- ht.businessonlinepayroll.com/SPF/login/ee_auth.aspx
- ht.businessonlinepayroll.com/*
- www1.rbcbankusa.com/cgi-bin/rbaccess/rbunxcgi*
- www1.rbcbankusa.com/*
- webcmpr.bancopopular.com/K1
- webcmpr.bancopopular.com/*
- www.onlinebanking.iombank.com/default.aspx*
- www.onlinebanking.iombank.com/*
- bank.barclays.co.uk/olb/auth/LoginLink.action
- bank.barclays.co.uk/*
- www.rbsidigital.com/default.aspx*
- www.rbsidigital.com/*
- www.svbconnect.com/auth
- www.svbconnect.com/*
- www.onlinebanking.natwestoffshore.com/default.aspx*
- www.onlinebanking.natwestoffshore.com/*
- charisma.btdirect.ro/CharismaWEB/_Public/Login.aspx
- charisma.btdirect.ro/*
- aibinternetbanking.aib.ie/inet/roi/login.htm
- aibinternetbanking.aib.ie/*
- business.santander.co.uk/LGSBBI_NS_ENS/BtoChannelDriver.ssobto*
- business.santander.co.uk/*
- retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto*
- retail.santander.co.uk/*
- www.internationalpayments.co.uk/
- www.internationalpayments.co.uk/*
- santander.hpdsc.com/main
- santander.hpdsc.com/*
- leumionline.bankleumi.co.uk/my.policy
- leumionline.bankleumi.co.uk/*
- www.caterallenonline.co.uk/
- www.caterallenonline.co.uk/*
- bolpp.bankofireland.com/Commercial*
- bolpp.bankofireland.com/*
- personal.co-operativebank.co.uk/CBIBSWeb/start.do
- personal.co-operativebank.co.uk/*
- www.boi-bol.com/newHome.jsp
- www.boi-bol.com/*
- cbfm.saas.cashfac.com/cbfm/Logon.aspx
- cbfm.saas.cashfac.com/*
- www.ingonline.com/ro/!UPR.Dispatcher*
- www.ingonline.com/*
- onlinebusiness.lloydsbank.co.uk/business/logon/login.jsp*
- onlinebusiness.lloydsbank.co.uk/*
- alolb1.arbuthnotlatham.co.uk/IB/Online
- alolb1.arbuthnotlatham.co.uk/*
- online.hoaresbank.co.uk/fi11512/bb/logon
- online.hoaresbank.co.uk/*
- butterfieldonline.co.uk/
- butterfieldonline.co.uk/*
- www.asbolb.com/servlet/ASB.ASBServlet
- www.asbolb.com/*
- online.ybs.co.uk/public/authentication/login1.do
- online.ybs.co.uk/*
- www.kbinternetbanking.com:8443/ARCIB-NEWF/index.html
- www.kbinternetbanking.com:8443/*
- ibank.reliancebankltd.com/logon.aspx
- ibank.reliancebankltd.com/*
- online.duncanlawrie.com/InternetBanking/faces/mdi/login.jsp
- online.duncanlawrie.com/*
- esavings.shawbrook.co.uk/BankFast/Shawbrook
- esavings.shawbrook.co.uk/*
- bureau.bottomline.co.uk/unity/index.aspx
- bureau.bottomline.co.uk/*
- ibb.firsttrustbank1.co.uk/ibb/controller*
- ibb.firsttrustbank1.co.uk/*
- www1.firstdirect.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR5rFO7s7epiY-wD5YZ6uBp4mTiYGpr5uhgaexmDdFibeBn7enkEuBs4ejiYeHkGGMN0FuaGKAPRSfDc!
- www1.firstdirect.com/*
- netbanking.ubluk.com/Login/Index
- netbanking.ubluk.com/*
- ibank.zenith-bank.co.uk/internetbanking/index.jsp
- ibank.zenith-bank.co.uk/*
- ibank.gtbankuk.com/Gaps_UK/Default.aspx
- ibank.gtbankuk.com/*
- online.bankofcyprus.co.uk/netteller/login.faces
- online.bankofcyprus.co.uk/*
- banking.ireland-bank.com/IrelandBankOnline_303/Authentication/Login.aspx
- banking.ireland-bank.com/*
- bankofirelandlifeonline.ie/
- bankofirelandlifeonline.ie/*
- secure.handelsbanken.com/bb/glss/servlet/prelogon*
- secure.handelsbanken.com/*
- www.365online.com/online365/spring/authentication*
- www.365online.com/*
- online.kbc.ie/kbc-online/onlinebanking/login*
- online.kbc.ie/*
- www.open24.ie/online/login.aspx*
- www.open24.ie/*
- business2.danskebank.ie/pub/logon/logon.aspx*
- business2.danskebank.ie/*
- online.ebs.ie/internet/login/index.jsp
- online.ebs.ie/*
- corporate.metrobankonline.co.uk/
- corporate.metrobankonline.co.uk/*
- secure2.alphabank.ro/corporate/CorpOTPLoginLangRom.jsp
- secure2.alphabank.ro/*
- ib.btrl.ro/BT24/bfo/channel/web/loginframe.jsp*
- ib.btrl.ro/*
- btultra.btrl.ro/sign/_mcologon
- btultra.btrl.ro/*
- fastbanking.bancpost.ro/iBankWeb/login.jsp
- fastbanking.bancpost.ro/*
- www.brdoffice.ro/smartoffice/_mcologon*
- www.brdoffice.ro/*
- www.ceconline.ro/smartoffice/logon.htm
- www.ceconline.ro/*
- ro.unicreditbanking.net/disp*
- ro.unicreditbanking.net/*
- secure.internetbanking.ro/IBK_SMS/Login/LoginFirstStep.aspx*
- secure.internetbanking.ro/*
- net.crediteurope.ro/ibank-cln/do/login/prompt
- net.crediteurope.ro/*
- www.raiffeisenonline.ro/eBankingWeb/login*
- www.raiffeisenonline.ro/*
- login.24banking.ro/casserver/login*
- login.24banking.ro/*
- www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsRouting
- www.barclayswealth.com/*
- s2b.standardchartered.com/ssoapp/login.jsp
- s2b.standardchartered.com/*
- eadibcorp.adib.ae/cb/servlet/cb/jsp-ns/login.jsp*
- eadibcorp.adib.ae/*
- corporate.adcb.com/corporateWeb/login.do
- corporate.adcb.com/*
- www.arabi-online.net/efs/servlet/efs/jsp-ns/login.jsp
- www.arabi-online.net/*
- cbionline.cbi.ae/bus/security/Welcome.do*
- cbionline.cbi.ae/*
- my.sjpbank.co.uk/Security/Auth/Logon
- my.sjpbank.co.uk/*
- login.smartbusiness.ae/bo-login.jsp
- login.smartbusiness.ae/*
- online.dib.ae/webapplication.ui/localoperations/login/loginpage.aspx
- online.dib.ae/*
- www.investbank.ae/ibank/loginAction.do
- www.investbank.ae/*
- netbanking.mashreqbank.com/B001/SMELogin.jsp
- netbanking.mashreqbank.com/*
- online.nbad.com/iportalweb/iportal/jsps/orbilogin.jsp
- online.nbad.com/*
- rakbankonline.ae/corp/BANKAWAY*
- rakbankonline.ae/*
- www.noorinternetbanking.com/CWCLIENT/loginClient.action
- www.noorinternetbanking.com/*
- secure.membersaccounts.com/SELFSERVICE/login.aspx*
- secure.membersaccounts.com/*
- cardonebanking.com/authlogin.aspx
- cardonebanking.com/*
- cardonebanking.com/authlogin.aspx?business*
- cib.uab.ae/
- cib.uab.ae/*
- www.halifax-online.co.uk/personal/logon/login.jsp
- www.halifax-online.co.uk/*
- banking.triodos.co.uk/ib-seam/login.seam?loginType=dp550*
- banking.triodos.co.uk/*
- banking.triodos.co.uk/ib-seam/login.seam?loginType=username*
- ebank.turkishbank.co.uk/Default2.aspx
- ebank.turkishbank.co.uk/*
- nebasilicon.fdecs.com/eCustService/*
- nebasilicon.fdecs.com/*
- infinity.icicibank.co.uk/UKRET/BANKAWAY*
- infinity.icicibank.co.uk/*
- ibank.theaccessbankukltd.co.uk/entry/CorpLoginLang.html
- ibank.theaccessbankukltd.co.uk/*
- www.standardlife.co.uk/c1/login.page
- www.standardlife.co.uk/*
- apps.virginmoney.com/vmosws/loginWait.do
- apps.virginmoney.com/*
- ebaer.juliusbaer.com/*
- ebanking-ch2.ubs.com/workbench/Index.do*
- ebanking-ch2.ubs.com/*
- onlinebanking.bankcoop.ch/
- onlinebanking.bankcoop.ch/*
- tb.raiffeisendirect.ch/
- tb.raiffeisendirect.ch/*
- wwwsec.ebanking.zugerkb.ch/authen/login
- wwwsec.ebanking.zugerkb.ch/*
- wwwsec.valiant.ch/authen/login*
- wwwsec.valiant.ch/*
- inba.lukb.ch/lukbLogin/*
- inba.lukb.ch/*
- www.bcv.ch/bcvd-login/authenticateAction.do
- www.bcv.ch/*
- www.bcv.ch/en
- www.bcv.ch/fr
- www.bcv.ch/de
- online.citi.eu/GBIPB/JSO/signon/DisplayUsernameSignon.do*
- online.citi.eu/*
- clients.tilneybestinvest.co.uk/ORM/Login.aspx
- clients.tilneybestinvest.co.uk/*
- pro.skb.net/
- pro.skb.net/*
- db-sg.db.com/gen/login/index_4.cfm
- db-sg.db.com/*
- meine.deutsche-bank.de/trxm/db
- meine.deutsche-bank.de/*
- www.banking.axa.de/OnlineBankingWebfrontend/banking/common/login.xhtml;jsessionid=F05F46A7333D65031BD6C9B43C062C31*
- www.banking.axa.de/*
- my.banklenz.de/web/guest/login
- my.banklenz.de/*
- banking.martinbank.de/
- banking.martinbank.de/*
- auth.globalpay.westernunion.com/Sso/Login.aspx*
- auth.globalpay.westernunion.com/*
- www.firstmeritib.com/ec/DefaultCorp.aspx
- www.firstmeritib.com/*
- cmo.cibc.com/wp/wps/portal/bbdsignon*
- cmo.cibc.com/*
- blcweb.banquelaurentienne.ca/lang/en/BLCDirect
- blcweb.banquelaurentienne.ca/*
- blcweb.banquelaurentienne.ca/lang/fr/BLCDirect
- secure.tddirectinvesting.co.uk/webbroker2/login.jsp
- secure.tddirectinvesting.co.uk/*
- online.hl.co.uk/my-accounts
- online.hl.co.uk/*
- www.youinvest.co.uk/LogIn/username
- www.youinvest.co.uk/*
- www.deutschebank-dbdirect.com/cas/login*
- www.deutschebank-dbdirect.com/*
- extra.unicreditbank.hu/eibpublic_SP/login.hu.html
- extra.unicreditbank.hu/*
- extra.unicreditbank.hu/eibpublic_SP/login.de.html
- banking.bmwbank.de/s/b2cpws.fcc*
- banking.bmwbank.de/*
- banking.donner-reuschel.de/index.jsp
- banking.donner-reuschel.de/*
- www.degussa-bank.de/login
- www.degussa-bank.de/*
- finanzportal.fiducia.de/p01pebe/entry*
- finanzportal.fiducia.de/*
- login.isso.db.com/websso/sso_custom_multi_auth_flex_Logon.sso*
- login.isso.db.com/*
- db-direct.db.com/u/eb/Login_Main.serv*
- db-direct.db.com/*
- secure.ampbanking.com/au/Logon
- secure.ampbanking.com/*
- online.multiport.com.au/
- online.multiport.com.au/*
- globalpay.westernunion.com/GlobalPay/Login.aspx
- globalpay.westernunion.com/*
- www.anztransactive.anz.com/
- www.anztransactive.anz.com/*
- www.anz.com/INETBANK/bankmain.asp
- www.anz.com/*
- bbonline.banksa.com.au/html/cbank.asp*
- bbonline.banksa.com.au/*
- ibs.bankwest.com.au/BWLogin/bib.aspx
- ibs.bankwest.com.au/*
- netteller2.tsw.com.au/delphi/ntv451.asp*
- netteller2.tsw.com.au/*
- businessonline.westpac.com.au/esis/Login/SrvPage
- businessonline.westpac.com.au/*
- online.corp.westpac.com.au/*
- www*.my.commbiz.commbank.com.au/Logon/UserMaintenance/Login.aspx
- www*.my.commbiz.commbank.com.au/*
- finanzportal.fiducia.de/p13pepe/entry*
- banking.ing-diba.de/app/login*
- banking.ing-diba.de/*
- banking.valovisbank.de/portal/*
- banking.valovisbank.de/*
- kunden-mkb-bank.de/
- kunden-mkb-bank.de/*
- financepilot-pe.mlp.de/p12pepe/entry*
- financepilot-pe.mlp.de/*
- banking.greensill-bank.com/ptlweb/WebPortal*
- banking.greensill-bank.com/*
- hbciweb.olb.de/financebrowser5
- hbciweb.olb.de/*
- banking.oyakankerbank.de/*
- bbonline.bankofmelbourne.com.au/html/cbank.asp*
- bbonline.bankofmelbourne.com.au/*
- ib.banksyd.com.au/
- ib.banksyd.com.au/*
- online.hbs.net.au/hbsv47/ntv471.asp*
- online.hbs.net.au/*
- www.ib.boq.com.au/boqbl
- www.ib.boq.com.au/*
- banking.lloydsbank.com/Logon/logon.aspx
- banking.lloydsbank.com/*
- www.my.commbank.com.au/netbank/Logon/Logon.aspx
- www.my.commbank.com.au/*
- bank.ruralbank.com.au/banking/RBLIBanking
- bank.ruralbank.com.au/*
- secure.macquarie.com.au/sepas/serve*
- secure.macquarie.com.au/*
- nabconnect*.nab.com.au/auth/nabclogin/login.do*
- nabconnect*.nab.com.au/*
- ib.tmbank.com.au/ib/signon/Login.aspx
- ib.tmbank.com.au/*
- www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do
- www.citibank.com.au/*
- ap.ebs.bankofchina.com/login.html*
- ap.ebs.bankofchina.com/*
- netteller*.pnbank.com.au/InternetBanking/Login.aspx
- netteller*.pnbank.com.au/*
- secure.defencebank.com.au/daib/logon/cu3205/logon.asp
- secure.defencebank.com.au/*
- online.bankmecu.com.au/daib/logon/cu3140/logon.asp
- online.bankmecu.com.au/*
- private.bankofsingapore.com/Login/Login
- private.bankofsingapore.com/*
- fareastnationalbank.ebanking-services.com/EamWeb/account/login.aspx*
- fareastnationalbank.ebanking-services.com/*
- velocity.ocbc.com/portal.view
- velocity.ocbc.com/*
- uniservices2.uobgroup.com/ELO/login.jsp
- uniservices2.uobgroup.com/*
- sg.bibplus.uobgroup.com/BIB/public
- sg.bibplus.uobgroup.com/*
- bbonline.stgeorge.com.au/html/cbank.asp*
- bbonline.stgeorge.com.au/*
- internetbanking.suncorpbank.com.au/
- internetbanking.suncorpbank.com.au/*
- inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank
- inetbnkp.adelaidebank.com.au/*
- secure.anz.co.nz/IBCS/service/login
- secure.anz.co.nz/*
- www.bnz.co.nz/ib4b/app/login
- www.bnz.co.nz/*
- bol.westpac.co.nz/s1gcb/logon/sbuser
- bol.westpac.co.nz/*
- www.ib.kiwibank.co.nz/
- www.ib.kiwibank.co.nz/*
- www.flexipurchase.com/secure/welcome.asp
- www.flexipurchase.com/*
- homebank.tsbbank.co.nz/online
- homebank.tsbbank.co.nz/*
- secure1.rabodirect.co.nz/exp/policyenforcer/pages/loginB2CDGPEN.jsf
- secure1.rabodirect.co.nz/*
- ibank.sbs.net.nz/ui/inetbankindex.aspx
- ibank.sbs.net.nz/*
- my.statestreet.com/
- my.statestreet.com/*
- www.mercantilcbonline.com/secure/banking/logon
- www.mercantilcbonline.com/*
- fx.regions.com/esn01/servlet/RSASingleSignOn
- fx.regions.com/*
- www.goldman.com/login/login_a.cgi*
- www.goldman.com/*
- wealth.goldman.com/login/login_a.cgi*
- wealth.goldman.com/*
- businesscenter.mysynchrony.com/BusinessCenterPortal
- businesscenter.mysynchrony.com/*
- commerceconnections.commercebank.com
- commerceconnections.commercebank.com/*
- www.bankdirect.co.nz
- www.bankdirect.co.nz/*
- pfo.us.hsbc.com
- pfo.us.hsbc.com/*
- bbonline.stgeorge.com.au/html/cbindex.asp*
- ideal.dbs.com/loginSubscriber/login/pin.jsp
- ideal.dbs.com/*
- internet-banking.dbs.com.sg/IB/Welcome
- internet-banking.dbs.com.sg/*
- www.dbsvonline.com/english/index.asp*
- www.dbsvonline.com/*
- cashmanager.mizuhoe-treasurer.com/mz/servlet/SLogin*
- cashmanager.mizuhoe-treasurer.com/*
- www.superchoice.com.au/amp
- www.superchoice.com.au/*
- www.superorganised.com.au/dashboard/login*
- www.superorganised.com.au/*
- portal.northonline.com.au/WealthNET.PortalClient
- portal.northonline.com.au/*
- www.gecapitalbank.com/gecb/app/login
- www.gecapitalbank.com/*
- www.gemyaccounts.com/myaccounts/Index.html*
- www.gemyaccounts.com/*
- connect.bnymellon.com/ConnectLogin/login/LoginPage.jsp
- connect.bnymellon.com/*
- www.postfinance.ch/ap/ba/fp/html/e-finance/home*
- www.postfinance.ch/*
- clientlogin.ibb.ubs.com/login
- clientlogin.ibb.ubs.com/*
- www.ebanking.hsbc.co.nz/1/2/!ut/p/c5/jZBdC4IwGEZ_0vtuI6VLXTitmeGa6G5kiIigMyKK_n3rJrrpg-fynHPzgAE_Z6_jYC_j4uwENZigzYMQOd0yFLwIkJbZmsu4JCJhnjefecn-qkklokxTLEjquUxCKsUBxRF_1Kp3rVawT5e5hwZM-CYr8ZTzjVzFyDhn0Ez9YLv7d0-Rl6cdVG45z_6D06zr205GD_hDJm4!/dl3/d3/L0lJSklna21BL0lKakFBTXlBQkVSQ0pBISEvNEZHZ3NvMFZ2emE5SUFnIS83X002NzBDMkozMEdTRzYwMlJNREw1QjAzQ0MzL0FHVnNUNDc3MjAwMDQ!
- www.ebanking.hsbc.co.nz/*
- secure.heartland.co.nz/IB/index.zul
- secure.heartland.co.nz/*
- connect-ch2.ubs.com/workbench/Index.do*
- connect-ch2.ubs.com/*
- www.bendigobank.com.au/banking/BBLIBanking
- www.bendigobank.com.au/*
- www.hsbc.com.au/1/2/HUB_IDV2/IDV_EPP*
- www.hsbc.com.au/*
- www.citibusiness.citibank.com.sg/SGCBZ/JSO/signon/DisplayUsernameSignon.do
- www.citibusiness.citibank.com.sg/*
- internet.ocbc.com/internet-banking
- internet.ocbc.com/*
- ibank.standardchartered.com.sg/nfs/login.htm
- ibank.standardchartered.com.sg/*
- fastpay.asbbank.co.nz/Account/LogOn
- fastpay.asbbank.co.nz/*
- drob.santanderbank.com/cscobgss/Satellite*
- drob.santanderbank.com/*
- www2.secure.hsbcnet.com/uims/portal/IDV_CAM10_AUTHENTICATION*
- www2.secure.hsbcnet.com/*
- ebanking-es.ubs.com/
- ebanking-es.ubs.com/*
- ebanking-uk.ubs.com/
- ebanking-uk.ubs.com/*
- www.citibank.com.sg/SGGCB/JSO/signon/DisplayUsernameSignon.do
- www.citibank.com.sg/*
- www.onlinesbiglobal.com/64SG/BANKAWAY*
- www.onlinesbiglobal.com/*
- ebanking-bel.ubs.com/epexb
- ebanking-bel.ubs.com/*
- ebanking-bel.ubs.com/estmtb
- ebanking-bel.ubs.com/fim
- ebanking-bhs2.ubs.com/epex
- ebanking-bhs2.ubs.com/*
- ebanking-aut.ubs.com/fim
- ebanking-aut.ubs.com/*
- ebanking-aut.ubs.com/epexa
- ebanking-aut.ubs.com/estmta
- invest.etrade.com.au/Home.aspx
- invest.etrade.com.au/*
- www.hsbc.com.sg/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDf6NAZ8tQU3c3A0dDV5MAf2MTAwjQL8h2VAQAdKy3eg!!/*
- www.hsbc.com.sg/*
- www.asb.co.nz
- www.asb.co.nz/*
- cib.icicibank.com/corp/BANKAWAY*
- cib.icicibank.com/*
- group.unicreditbanking.net/
- group.unicreditbanking.net/*
- www.fidunet.lu/fidunet/loginFidu.jsp
- www.fidunet.lu/*
- www.corpnet.lu/corpnet/loginCorp.jsp
- www.corpnet.lu/*
- secure.unicreditbank.lu/
- secure.unicreditbank.lu/*
- www.unicreditbank.sk/i-banking-sk-https.html
- www.unicreditbank.sk/*
- www.unicreditbank.ba/eba/BHgradjani
- www.unicreditbank.ba/*
- ebanking-au.ubs.com/ebanking
- ebanking-au.ubs.com/*
- onlineservices.ubs.com/olsauth/ex/pbl/ubso/dl
- onlineservices.ubs.com/*
- clientportal.ibb.ubs.com/portal/index.htm*
- clientportal.ibb.ubs.com/*
- ebanking-fr.ubs.com/enquiries/*
- ebanking-fr.ubs.com/*
- ebanking-de1.ubs.com/workbench/Index.do*
- ebanking-de1.ubs.com/*
- ebanking-hksg.ubs.com/
- ebanking-hksg.ubs.com/*
- ebanking-can.ubs.com/epex
- ebanking-can.ubs.com/*
- ebanking-ca.ubs.com/safeloginc/Login*
- ebanking-ca.ubs.com/*
- ebanking-ca.ubs.com/gepc/MainAction
- ebanking-can.ubs.com/estmtc
- ebanking-ca.ubs.com/estmtc/action/login
- trz.tranzact.org/LogonOTP.aspx
- trz.tranzact.org/*
- catalystcorp.org/*
- www.tranzact.org/
- www.tranzact.org/*
- mdcommercial.jpmorgan.com/
- mdcommercial.jpmorgan.com/*
- jpmcsso-uk.jpmorgan.com/sso/action/federateLogin*
- jpmcsso-uk.jpmorgan.com/*
- jpmcsso.jpmorgan.com/sso/action/login*
- jpmcsso.jpmorgan.com/*
- online.lloydsbank.co.uk/personal/logon/login.jsp*
- online.lloydsbank.co.uk/*
- www.hsbc.co.uk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR5rFO7s7epiY-wD5YZ6uBp4mTiYGpr5uhgaexmDdFibeBn7enkEuBs4ejiYeRiHGMN1-Hvm5qfoFuRHlABOr0sE!*
- www.hsbc.co.uk/*
- ebanking-it.ubs.com/
- ebanking-it.ubs.com/*
- ebanking-lux.ubs.com/estmt
- ebanking-lux.ubs.com/*
- ebanking-lux.ubs.com/epex
- ebanking-lux.ubs.com/fim
- ebanking-ch.ubs.com/workbench/Index.do*
- ebanking-ch.ubs.com/*
- quotes-global1.ubs.com/go/*
- quotes-global1.ubs.com/*
- ebanking-mc.ubs.com/
- ebanking-mc.ubs.com/*
- ebanking-nld.ubs.com/estmtn
- ebanking-nld.ubs.com/*
- www.ubs.com/connect
- www.ubs.com/*
- www.banorte.com/portal/personas/acceso.web*
- www.banorte.com/*
- privatebank-us.ubs.com/
- privatebank-us.ubs.com/*
- jpmcsso.jpmorgan.com/sso/action/federateLogin*
- online.unicreditcorporate.it/login.htm
- online.unicreditcorporate.it/*
- online-smallbusiness.unicredit.it/login.htm
- online-smallbusiness.unicredit.it/*
- online-private.unicredit.it/login.htm
- online-private.unicredit.it/*
- online-retail.unicredit.it/login.htm
- online-retail.unicredit.it/*
- www.gtb.unicredit.eu/login
- www.gtb.unicredit.eu/*
- my.hypovereinsbank.de/login*
- my.hypovereinsbank.de/*
- online.bulbank.bg/page/default.aspx*
- online.bulbank.bg/*
- extra.unicreditbank.hu/eib_SP/loginpage.hu.html
- www.hvbrsce.com/ebanking/Athens/Pages/ElectronicBanking.htm
- www.hvbrsce.com/*
- si.unicreditbanking.net/disp*
- si.unicreditbanking.net/*
- www.unicreditbank.cz/web/redirect.php*
- www.unicreditbank.cz/*
- online.privatebanking.societegenerale.be/sg/login_nl.html
- online.privatebanking.societegenerale.be/*
- online.privatebanking.societegenerale.be/sg/login_fr.html
- www.zaba.hr/ebank/gradjani/Prijava
- www.zaba.hr/*
- an.rbcnetbank.com/
- an.rbcnetbank.com/*
- cashmanagement.barclays.net/portalservices/forms/login.pser*
- cashmanagement.barclays.net/*
- www.barclayswealth.com/login/action/logon/unauthenticated/corporate/loginSigningGemplus
- www.unity-online.co.uk/
- www.unity-online.co.uk/*
- bancodicaribeonline.com/SIGNON.CFM
- bancodicaribeonline.com/*
- secure.aldermorebusinesssavings.co.uk/corporate
- secure.aldermorebusinesssavings.co.uk/*
- e-bank.unicreditbank.si/webbankBACX
- e-bank.unicreditbank.si/*
- www.vancity.com/BusinessBanking/OnlineBanking/MyAccounts
- www.vancity.com/*
- onlinebusinessplus.vancity.com/business/default.jsp*
- onlinebusinessplus.vancity.com/*
- bankonweb.sgeb.bg/page/default.aspx*
- bankonweb.sgeb.bg/*
- banques.exalog.net/authent.php*
- banques.exalog.net/*
- www.sogehomebank.com/Retail/login.aspx*
- www.sogehomebank.com/*
- ibank1.bib.barclays.com/logon
- ibank1.bib.barclays.com/*
- entreprises.societegenerale.fr/index.html
- entreprises.societegenerale.fr/*
- entreprises.societegenerale.fr/
- entreprises.societegenerale.fr/associations-connexion.html
- professionnels.societegenerale.fr/association_connexion.html
- professionnels.societegenerale.fr/*
- professionnels.societegenerale.fr/index.html
- particuliers.societegenerale.fr/
- particuliers.societegenerale.fr/*
- www.sgcb.nc/part/fr/dciweb.htm*
- www.sgcb.nc/*
- www.sgcb.nc/part/en/dciweb.htm*
- sogecashnet.societegenerale.cg/smartoffice/GB
- sogecashnet.societegenerale.cg/*
- sogecashnet.societegenerale.cg/smartoffice/index.htm
- ebanking.societegenerale.al/webbankALB/loginCer.jsp*
- ebanking.societegenerale.al/*
- www.uibanking-net.com/smartoffice/fr/connexion.html
- www.uibanking-net.com/*
- www.uibanking-net.com/smartoffice/GB/connexion.html
- www.privatebanking.societegenerale.com/en/banking/luxembourg
- www.privatebanking.societegenerale.com/*
- www.privatebanking.societegenerale.com/en/banking/monaco
- banque.bfcoi.com/identificationClient.html*
- banque.bfcoi.com/*
- sogeonline.societegenerale.cn/eweb/prelogin.do*
- sogeonline.societegenerale.cn/*
- sikanet.sg-ssb.com.gh/priv/en/dciweb.htm*
- sikanet.sg-ssb.com.gh/*
- www.obsgnet.com.mk/Retail/LoginModule/LoginToken.aspx
- www.obsgnet.com.mk/*
- www.fineco.it/it/public
- www.fineco.it/*
- www.investimenti.unicredit.it/
- www.investimenti.unicredit.it/*
- ticari.yapikredi.com.tr/ifcapp/xrl/8a162dffc621811178834120027d2afa;jsessionid=c0a8913f30fcd76aff61c9b944afb647f480bfa640bc.e34KcheMc3iMaO0Rah4Oe0
- ticari.yapikredi.com.tr/*
- ticari.yapikredi.com.tr/ifcapp/xrl/0ae47e2458dc60906796609e8cf7763b
- sgcib.pl/ib/Default.aspx*
- sgcib.pl/*
- www.interacciones.com/portalAgentes/login.jsp
- www.interacciones.com/*
- www.interacciones.com/loginUsuario.do
- sogecashnet.sga.dz/smartoffice
- sogecashnet.sga.dz/*
- www.sogecashnet.ma/smartoffice/index.htm
- www.sogecashnet.ma/*
- unified-access.societegenerale.com/portal/site/SogecashWeb
- unified-access.societegenerale.com/*
- wibdirect.wib-bank.net/business/online
- wibdirect.wib-bank.net/*
- www.mercantilcbonline.com/secure/banking/individualLogon
- admin.epymtservice.com/admin/index.jhtml*
- admin.epymtservice.com/*
- access.usbank.com/cpsApp1/AxolPreAuthServlet*
- access.usbank.com/*
- singlepoint.usbank.com/cs70_banking/logon/sbuser
- singlepoint.usbank.com/*
- top.capitalonebank.com/cashplus/
- www.chase.com/commercial-bank/chase-commercial-online
- www.chase.com/*
- direct.capitecbank.co.za/ibank
- direct.capitecbank.co.za/*
- see.sbi.com.mx/invernet2000/home
- see.sbi.com.mx/*
- enlace.santander-serfin.com/eai/EaiEmpresasWAR/inicio.do
- enlace.santander-serfin.com/*
- cpn.hsbc.com.mx/cpn/default.htm*
- cpn.hsbc.com.mx/*
- nettbanken.nordea.no/login
- nettbanken.nordea.no/*
- www.scotiaweb.com.mx/hipotecario/hip_login.asp
- www.scotiaweb.com.mx/*
- www.bancaempresarialazteca.com.mx/BancaEmpresarial/login.htm
- www.bancaempresarialazteca.com.mx/*
- sites.scotiabank.com.mx/colproveedores/menu/entrada.asp
- sites.scotiabank.com.mx/*
- inbursamf.inbursa.com/
- inbursamf.inbursa.com/*
- direct.mcbgroup-ebanking.com/wiblogin/corporate_AuthenticateUserLocalEPF.html
- direct.mcbgroup-ebanking.com/*
- direct.mcbgroup-ebanking.com/mcbbonairelogin/corporate_AuthenticateUserLocalEPF.html
- mcbdirect.mcb-bank.com/business/online
- mcbdirect.mcb-bank.com/*
- www.mcb-home.com/online/site001index.itm
- www.mcb-home.com/*
- www.cmb-home.com/online/site002index.itm
- www.cmb-home.com/*
- cmbdirect.cmbnv.com/business/online
- cmbdirect.cmbnv.com/*
- www.wib-home.com/online/site004index.itm
- www.wib-home.com/*
- www.mcbb-home.com/online/site003index.itm
- www.mcbb-home.com/*
- mcbdirect.mcbbonaire.com/business/online
- mcbdirect.mcbbonaire.com/*
- www.scotiaconnect.scotiabank.com/sco-tp/pki/AuthenticateUserRoamingEPF.bns
- www.scotiaconnect.scotiabank.com/*
- direct.mcbgroup-ebanking.com/mcblogin/corporate_AuthenticateUserLocalEPF.html
- direct.mcbgroup-ebanking.com/cmblogin/corporate_AuthenticateUserLocalEPF.html
- ib.absa.co.za/absa-online/login.jsp
- ib.absa.co.za/*
- www.fnb.co.za/
- www.fnb.co.za/*
- internetbanking.firstcaribbeanbank.com/index.jsp
- internetbanking.firstcaribbeanbank.com/*
- jpmpb001.jpmorgan.com/prelogin/index.jsp
- jpmpb001.jpmorgan.com/*
- jpmorgan.chase.com/Public/Logon
- jpmorgan.chase.com/*
- www.paymentnet.jpmorgan.com/
- www.paymentnet.jpmorgan.com/*
- www.sg-bdp.pf/
- www.sg-bdp.pf/*
- www.sogecashnet.ma/smartoffice/index_gb.htm
- gg-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
- gg-services.credit-suisse.com/*
- it-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
- it-services.credit-suisse.com/*
- www.bancoinbursa.com/login/useraccessPortatil.asp
- www.bancoinbursa.com/*
- ebanking.societegenerale.in/corp/AuthenticationController*
- ebanking.societegenerale.in/*
- www.interacciones.com/analisis/login.do
- subastas.scotiainlatrade.com/SubastasAppWeb/login.jsp
- subastas.scotiainlatrade.com/*
- pbusa.directnet.com/dn/c/cls/auth
- pbusa.directnet.com/*
- br.credit-suisse.com/sec/login/default.aspx
- br.credit-suisse.com/*
- onlinebanking-sg.credit-suisse.com/
- onlinebanking-sg.credit-suisse.com/*
- www.credit-suisse.com.sg/
- www.credit-suisse.com.sg/*
- securitiesexpert.credit-suisse.com/cs/eamnet/c/cls/auth
- securitiesexpert.credit-suisse.com/*
- mc-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
- mc-services.credit-suisse.com/*
- es-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
- es-services.credit-suisse.com/*
- au-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
- au-services.credit-suisse.com/*
- hk-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
- hk-services.credit-suisse.com/*
- clientview-mx.credit-suisse.com/pb/mexico/c/cls/auth
- clientview-mx.credit-suisse.com/*
- at-directnet.credit-suisse.com/dn/c/cls/auth
- at-directnet.credit-suisse.com/*
- fr-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth
- fr-services.credit-suisse.com/*
- gi-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
- gi-services.credit-suisse.com/*
- lu-directnet.credit-suisse.com/dn/c/cls/auth
- lu-directnet.credit-suisse.com/*
- cs.directnet.com/dn/c/cls/auth*
- cs.directnet.com/*
- www.sft-ebanking.com/siteminderagent/forms/dbloginsft.fcc*
- www.sft-ebanking.com/*
- secure.internetbanking.firstcaribbeanbank.com/
- secure.internetbanking.firstcaribbeanbank.com/*
- bancodicaribeonline.com/aua/SIGNON.CFM
- bancodicaribeonline.com/sxm/SIGNON.CFM
- spib.wooribank.com/pib/Dream*
- spib.wooribank.com/*
- obank.kbstar.com/quics*
- obank.kbstar.com/*
- internetbanking.scu.net.au/mvpscu/SignOn/Login.aspx
- internetbanking.scu.net.au/*
- aw.rbcnetbank.com/
- aw.rbcnetbank.com/*
- bs-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
- bs-services.credit-suisse.com/*
- sponsor.voya.com/static/sponsor/SponsorLogin.fcc
- sponsor.voya.com/*
- nge01.bnymellon.com/NextGenV4/dflt/Login.ing
- nge01.bnymellon.com/*
- www.ingdirect.com.au/client/index.aspx
- www.ingdirect.com.au/*
- my.statestreet.com/secid-smpwservices.fcc*
- uksecure.barclayswealth.com/
- uksecure.barclayswealth.com/*
- live.barcap.com/UAB/S/ecom/logon/1/barxcorporate*
- live.barcap.com/*
- www.gerrard.com/clientcentre/login.aspx
- www.gerrard.com/*
- tdwealth.netxinvestor.com/web/tdwealth/login
- tdwealth.netxinvestor.com/*
- clientpoint.fisglobal.com/tdcb/main/UserLogon*
- clientpoint.fisglobal.com/*
- www.volkswagenbank.de/PortalLogin/get/Error.aspx/*
- www.volkswagenbank.de/*
- konto.baaderbank.de/*
- www.e-ambiz.com.my/bon/jsp/common/loginfiles/Login.bon*
- www.e-ambiz.com.my/*
- girovision.plusgirot.se/
- girovision.plusgirot.se/*
- www.credit-cooperatif.coop/portail/particuliers/login.do
- www.credit-cooperatif.coop/*
- onlinebanking.coutts.com/auth/login
- onlinebanking.coutts.com/*
- www.tmbbizdirect.com/
- www.tmbbizdirect.com/*
- www.ing.be/en/business/Pages/Login.aspx
- www.ing.be/*
- www.ing.be/fr/business/pages/login.aspx
- www.ing.be/nl/business/pages/login.aspx
- www.ing.be/de/business/Pages/Login.aspx
- www.ing.be/fr/Retail/Pages/Login.aspx
- www.ing.be/nl/retail/pages/login.aspx
- www.bancorpsouthonline.com/BXS/Login.aspx
- www.bancorpsouthonline.com/*
- www.kbc.be/site*
- www.kbc.be/*
- online.hapoalimusa.com/BHCorporate/core/login.aspx
- online.hapoalimusa.com/*
- workbench.bnymellon.com/login.jsp*
- workbench.bnymellon.com/*
- solo3.nordea.fi/cgi-bin/SOLO0001*
- solo3.nordea.fi/*
- client.gemoneybank.fr/identification.do
- client.gemoneybank.fr/*
- ebanking.fransabank.com/LoginAE.aspx
- ebanking.fransabank.com/*
- www.epargne-entreprise.federal-finance.fr/ent/start.swe*
- www.epargne-entreprise.federal-finance.fr/*
- www.exane.com/*
- onlinebanking.orcobank.com/orcobankonline/
- onlinebanking.orcobank.com/*
- www.alliancebizsmart.com.my/business
- www.alliancebizsmart.com.my/*
- www.publicmutualonline.com.my/
- www.publicmutualonline.com.my/*
- ebank.publicbank.com.hk/index0028.html
- ebank.publicbank.com.hk/*
- www2.pbebank.com/PBL
- ambank.amonline.com.my/
- ambank.amonline.com.my/*
- epayday.e-ambiz.com.my/epayroll/login.do
- epayday.e-ambiz.com.my/*
- www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do*
- www.maybank2u.com.my/*
- www.maybank2e.net/M2E/mbbcustomer
- www.maybank2e.net/*
- www.maybank2e.com/SEA/m2e/portal/portal.view
- www.maybank2e.com/*
- rib.affinonline.com/rib/pb/logon
- rib.affinonline.com/*
- afactorcontact.com/ClientManagerCMA/formulaire.html
- afactorcontact.com/*
- cgaoi.c-g-a.fr/ClientManagerOI/formulaire.html
- cgaoi.c-g-a.fr/*
- cgaetoile.c-g-a.fr/ClientManagerCDN/formulaire.html
- cgaetoile.c-g-a.fr/*
- cgacontact.c-g-a.fr/ClientManagerSG/formulaire.html
- cgacontact.c-g-a.fr/*
- cgi-hp.espace-clients.fr/
- cgi-hp.espace-clients.fr/*
- bourse.cholet-dupont.fr/login.asp
- bourse.cholet-dupont.fr/*
- cib.affinonline.com/business/login.html
- cib.affinonline.com/*
- www.factocicpartnet.com/factocicWeb
- www.factocicpartnet.com/*
- secure.boqspecialist.com.au/BOQ/BOQSpecialist
- secure.boqspecialist.com.au/*
- sec.westpac.co.nz/IOLB/Login.jsp
- sec.westpac.co.nz/*
- e-cash.alrajhibank.com.my/CashWebAlrajhi/index.jsp
- e-cash.alrajhibank.com.my/*
- www.cimb.bizchannel.com.my/corp/common2/login.do*
- www.cimb.bizchannel.com.my/*
- online-business.tsb.co.uk/business/logon/login.jsp
- online-business.tsb.co.uk/*
- banking.secure.bnl.it/
- banking.secure.bnl.it/*
- webbanking.bgl.lu/en/Main.html
- webbanking.bgl.lu/*
- entreprises.bnpparibas.net/NSAccess
- entreprises.bnpparibas.net/*
- connexis.bnpparibas.com/*
- webbanking.bgl.lu/fr/Main.html
- webbanking.bgl.lu/de/Main.html
- webbanking.bgl.lu/nl/Main.html
- webbanking.bgl.lu/pt/Main.html
- www.co-operativebank.co.nz/InternetBankingSecure/t/iblogin.aspx
- www.co-operativebank.co.nz/*
- businessbank.tsbbank.co.nz/BusinessBank/login.jsp
- businessbank.tsbbank.co.nz/*
- probank.tsbbank.co.nz/ProBank/login.action
- probank.tsbbank.co.nz/*
- global.kbstar.com/quics*
- global.kbstar.com/*
- portal.northonline.com.au/WealthNET.PortalClient/DUBLE
- ib.mebank.com.au/auth/ib/login.html
- ib.mebank.com.au/*
- online.mystate.com.au/Banking/Personal
- online.mystate.com.au/*
- online.mystate.com.au/Banking/Business
- ibanking.bankofmelbourne.com.au/ibank/loginPage.action
- ibanking.bankofmelbourne.com.au/*
- www.sbisyd.com.au/eremit/index.php
- www.sbisyd.com.au/*
- ribs.rabobank.com.au/RIBSAU/AU
- ribs.rabobank.com.au/*
- online.westpac.com.au/esis/Login/SrvPage*
- online.westpac.com.au/*
- netaccess3.qtmb.com.au/QTMB/NetTeller/login.aspx
- netaccess3.qtmb.com.au/*
- www.citibank.com.my/MYGCB/JSO/signon/DisplayUsernameSignon.do
- www.citibank.com.my/*
- logon.reflex.rhbbank.com.my/rhbcams/corporate/login.jsp
- logon.reflex.rhbbank.com.my/*
- logon.rhb.com.my/
- logon.rhb.com.my/*
- www.citigold.com.my/MYGCB/JSO/signon/DisplayUsernameSignon.do
- www.citigold.com.my/*
- www.benefitaccess.com/cba.html
- www.benefitaccess.com/*
- transactgateway.svb.com/siliconvalley/customerlogin.aspx
- transactgateway.svb.com/*
- leumionline.leumiusa.com/uniquesiga2fb1806b2b3831412436dd67c0ba0085419e78b8eb462c3cbbdd1d547afe055/uniquesig0
- leumionline.leumiusa.com/*
- internationalfx.bannerbank.com/servlet/VTDController
- internationalfx.bannerbank.com/*
- fxpayments.americanexpress.com/*
- www.cashanalyzer.com/
- www.cashanalyzer.com/*
- accesd.affaires.desjardins.com/en/ada
- accesd.affaires.desjardins.com/*
- accesd.affaires.desjardins.com/fr/ada
- www.ml.com/
- www.ml.com/*
- www.mymerrill.com/ml/home.aspx*
- www.mymerrill.com/*
- bankinguk.secure.investec.com/login.html*
- bankinguk.secure.investec.com/*
- secureprivateebanking.nordea.lu/eServices/Login.aspx*
- secureprivateebanking.nordea.lu/*
- secureprivateebanking.nordea.ch/ESERVICES/Login.aspx*
- secureprivateebanking.nordea.ch/*
- secureprivateebanking.nordea.sg/eServices/Login.aspx*
- secureprivateebanking.nordea.sg/*
- ssologin.bnpparibas.com/cib/LoginForm.aspx*
- ssologin.bnpparibas.com/*
- clientlogin.ibb.ubs.com/login*
- uk.hkbea-cyberbanking.com/UCBWeb/Index.action
- uk.hkbea-cyberbanking.com/*
- uk.hkbea-cyberbanking.com/UCBCorp/Index.action
- sharinbox.societegenerale.com/login.do
- sharinbox.societegenerale.com/*
- secure1.entreprises.bnpparibas.net/sommaire/jsp/identification.jsp
- secure1.entreprises.bnpparibas.net/*
- ebanking.procreditbank-kos.com/User/LogOn
- ebanking.procreditbank-kos.com/*
- probanking.procreditbank.ba/User/LogOn*
- probanking.procreditbank.ba/*
- classic.nordea.fi/cgi-bin/SOLO0001*
- classic.nordea.fi/*
- www.danskebank.fi/fi-fi/Henkiloasiakkaat/Pages/henkiloasiakkaat.aspx*
- www.danskebank.fi/*
- www.danskebank.fi/fi-fi/yritysasiakkaat/Pages/yritysasiakkaat.aspx*
- www.danskebank.fi/sv-fi/Privat/Pages/Privat.aspx*
- www.danskebank.fi/sv-fi/Foretag/Medelstora-foretag/Webbtjanster/Pages/Webbtjanster.aspx*
- www.danskebank.fi/sv-fi/OmBanken/Ombanken/Pages/Ombanken.aspx*
- www.danskebank.fi/en-fi/Personal/Pages/Personal.aspx*
- www.danskebank.fi/en-fi/business/Medium-business/Online-services/Pages/Online-services.aspx*
- www.corealdirect.de/corealcredit/abaxx-*
- www.corealdirect.de/*
- casextern.creditplus.de/casextern_prod1/login
- casextern.creditplus.de/*
- www.asl.com/c/portal/login
- www.asl.com/*
- meine.norisbank.de/*
- ufo.union-investment.de/process*
- ufo.union-investment.de/*
- www.mercedes-benz-bank.de/intrade/login/login.jsf
- www.mercedes-benz-bank.de/*
- cfi.mb.seb.se/pqq_portal/sebflow/login
- cfi.mb.seb.se/*
- securebank.santander.de/LICCMG_SCB_ENS/BtoChannelDriver.ssobto*
- securebank.santander.de/*
- wertpapier.hafnerbank.de/*
- www.bankhaus-lampe.de/en/client-portal
- www.bankhaus-lampe.de/*
- securebanking.hanseaticbank.de/onlinebanking-hb/loginFormAction.do
- securebanking.hanseaticbank.de/*
- www.bancomernetcash.com/local_pibee/KDPOSolicitarCredenciales_es.html
- www.bancomernetcash.com/*
- www.provincialnetcash.com/KDPOSolicitarCredenciales_es.html
- www.provincialnetcash.com/*
- netredex.grupobbva.com/local_tebe/TEBELogin_bbva_belgica_CAS.html
- netredex.grupobbva.com/*
- netredex.grupobbva.com/local_tefr/TEFRLogin_bbva_francia_CAS.html
- portal.sutorbank.de/*
- e-bank.wuestenrot.de/ebanking/eb/index.html
- e-bank.wuestenrot.de/*
- banking.bankofscotland.de/netbanking/RetailLoginHome.html
- banking.bankofscotland.de/*
- ebank.garantibank.nl/scripts/gbide.dll*
- ebank.garantibank.nl/*
- www.hypotirol.com/at/privatkunden/hypo-online/hypo-online-banking/login.html
- www.hypotirol.com/*
- banking.oberbank.de/smartoffice/de/_mcologon*
- banking.oberbank.de/*
- www.oberbank-banking.at/obk/tiles/start.action
- www.oberbank-banking.at/*
- kunde.onvista-bank.de/login.html*
- kunde.onvista-bank.de/*
- banking.bw-bank.de/*
- secure.moneyou.de/thc/policyenforcer/pages/loginB2C.jsf
- secure.moneyou.de/*
- portal.berenberg.de/MULTIVERSA-IFP/faces/login/login.jsf
- portal.berenberg.de/*
- ssl2.haspa.de/OnlineFiliale/banking/authenticate/login
- ssl2.haspa.de/*
- www.dslbank.de/dienste/partner/login.html*
- www.dslbank.de/*
- www.francesnetcash.com.ar/local_pibee/KDPOSolicitarCredenciales_es.html
- www.francesnetcash.com.ar/*
- www.francesnetcash.com.ar/local_pibee/KDPOSolicitarCredenciales_en.html
- www.continentalnetcash.com.pe/KDPOSolicitarCredenciales_es.html
- www.continentalnetcash.com.pe/*
- www.bbvanetcash.cl/local_pibee/indexPibee.html
- www.bbvanetcash.cl/*
- www.bbvanetcash.com/local_kyop/KYOPSolicitarCredenciales.html
- www.bbvanetcash.com/*
- ve1.provinet.net/nhvp_ve_web/atpn_es_web_jsp/login.jsp*
- ve1.provinet.net/*
- www.provincialnetcash.com/KDPOSolicitarCredenciales_en.html
- netredex.grupobbva.com/local_tebe/TEBELogin_bbva_belgica_FRA.html
- netredex.grupobbva.com/local_tefr/TEFRLogin_bbva_francia_FRA.html
- netredex.grupobbva.com/local_telnsp/TELNLogin_bbva_londres_CAS.html
- netredex.grupobbva.com/local_teln/TELNLogin_bbva_londres_ING.html
- www.bbvanet.com.co/index.html*
- www.bbvanet.com.co/*
- www.provincial.com/personas/BBVAProvincial.jsp
- www.provincial.com/*
- secure.provinet.net/cgi-bin.cgi/bbvanettxtencr.cgi*
- secure.provinet.net/*
- www.bbvanet.cl/bbvanet/Process*
- www.bbvanet.cl/*
- www.bbvanet.cl/bbvanet/personas.html
- privat.bhf-bank.ch/Authentification/GetAuthentificationVersion*
- privat.bhf-bank.ch/*
- onba.zkb.ch/*
- www.neuehelvetischebank.ch/e-banking.html
- www.neuehelvetischebank.ch/*
- onlinebanking.bankcoop.ch/coopLogin
- www.fibi-online.co.il/web/swisswwwc
- www.fibi-online.co.il/*
- online.bankvonroll.ch/*
- sobanet.baloise.ch/ibfLogin/*
- sobanet.baloise.ch/*
- eservice.cembra.ch/*
- banking.bekb.ch/ident.html
- banking.bekb.ch/*
- www.barclayswealth.ch/Login/fedsso.do*
- www.barclayswealth.ch/*
- netbanking.sparkasse.at/*
- online.bankaustria.at/*
- ebanking.es.rbcis.com/ebancoval/control/login
- ebanking.es.rbcis.com/*
- www2.targobank.es/empresasI
- www2.targobank.es/*
- www.volkswagenbank.es/html/central_empresas.jsp
- www.volkswagenbank.es/*
- www.volkswagenbank.es/clientes/central_particular.jsp
- clientes.selfbank.es/conexion
- clientes.selfbank.es/*
- clientes.selfbank.es/login.phtml
- bancoonline.openbank.es/servlet/PProxy*
- bancoonline.openbank.es/*
- www.oney.es/OneyES_PrivateArea
- www.oney.es/*
- clientes.uci.es/*
- ib.swedbank.lv/business*
- ib.swedbank.lv/*
- webapp.sebgroup.com/nauth4/Authentication/login.jsp*
- webapp.sebgroup.com/*
- factoring.mb.seb.se/nauth3/Authentication/login.jsp*
- factoring.mb.seb.se/*
- factoring.seb.de/nauth3/Authentication/login.jsp*
- factoring.seb.de/*
- ib.baltikums.eu/x/login;jsessionid=BB003BE9FD76AAB7C6C99F3D944F7152*
- ib.baltikums.eu/*
- ib.bib.lv/web/guest;jsessionid=0125DB8D917675A75518DC10BDE4100F
- ib.bib.lv/*
- www.norvik.eu/en/intl
- www.norvik.eu/*
- ibank.humebank.com.au/mvp/signon/login.aspx
- ibank.humebank.com.au/*
- mittval.maxm.se/companyservices
- mittval.maxm.se/*
- inloggad.volvofinans.se/foretag/inloggning/forenklad.html
- inloggad.volvofinans.se/*
- cpe.erste-group.com/*
- www.online-kundenservice.at/index.php*
- www.online-kundenservice.at/*
- www.denzelbank.at/Sparen/Login.aspx
- www.denzelbank.at/*
- www.factorbank.com/clients.php
- www.factorbank.com/*
- ef3web.factorbank.com/efweb/servlet/efweb.RCServlet
- ef3web.factorbank.com/*
- online.gutmann.at/pobapp/LoginForm.aspx*
- online.gutmann.at/*
- vip.valartis.at/Pages/Login/Login.aspx
- vip.valartis.at/*
- newentreprises.interepargne.natixis.com/nie_psd_ee/EC_EE_TRANSV_AUTH_01.action*
- newentreprises.interepargne.natixis.com/*
- cib.natixis.com/net/default.aspx
- cib.natixis.com/*
- www.novobanco.es/site/cms.aspx*
- www.novobanco.es/*
- online.popularbancaprivada.es/index.html
- online.popularbancaprivada.es/*
- conecta.es.rbcis.com/tafval
- conecta.es.rbcis.com/*
- nbnet.novobanco.es/*
- conecta.es.rbcis.com/person-online/dologin
- www.ing.be/en/retail/pages/login.aspx
- www.ing.be/de/retail/Pages/Login.aspx
- www.ingonline.com/cz
- www.ingonline.com/bg
- www.ingonline.com/hu
- www.ingonline.com/pl
- www.ingonline.com/ro
- www.ingonline.com/sk
- secure.ingdirect.fr/public/displayLogin.jsf
- secure.ingdirect.fr/*
- esipub.esi-sa.com/INGArchive/Account/Login.aspx*
- esipub.esi-sa.com/*
- banking.ing-diba.de/app/obligo
- secure.ingdirect.it/login.aspx
- secure.ingdirect.it/*
- www.ing.lu/web/ING/EN/Personal/Login/index.htm
- www.ing.lu/*
- www.ing.lu/ING/FR/Particuliers/Login/index.htm
- www.ing.lu/web/ING/FR/Personal/Login/index.htm
- www.ing.lu/web/ING/NL/Particuliers/Login/index.htm
- mijnzakelijk.ing.nl/
- mijnzakelijk.ing.nl/*
- mijn.ing.nl/
- mijn.ing.nl/*
- banking.ing-diba.at/online-banking
- banking.ing-diba.at/*
- start.ingbusinessonline.pl/ing/do/sms
- start.ingbusinessonline.pl/*
- solo.nordea.com/nsc/engine*
- solo.nordea.com/*
- www.netbank.nordea.dk/netbank/index.jsp
- www.netbank.nordea.dk/*
- solo1.nordea.fi/nsp/engine
- solo1.nordea.fi/*
- solo1.nordea.fi/nsp/login
- internetbanken.privat.nordea.se/nsp/login
- internetbanken.privat.nordea.se/*
- internetbanken.privat.nordea.se/nsp/engine*
- nb.nordea.no/jlogin/nettbank/login/login
- nb.nordea.no/*
- www.nordeaim.nordea.com/ImExt/WebportExt.nsf
- www.nordeaim.nordea.com/*
- eplusgiro.plusgirot.se/eplusgiro.html
- eplusgiro.plusgirot.se/*
- eplusgiro.plusgirot.se/eplusgiro_comp.html
- gfs.nb.se/privat/bank/index_foretag.html
- gfs.nb.se/*
- girolink.plusgirot.se/
- girolink.plusgirot.se/*
- www.bcif.fr/Compte/Login.aspx
- www.bcif.fr/*
- www.ubibanca.com/Login_utilio
- www.ubibanca.com/*
- www.intesasanpaolo.com/script/Login2Servlet*
- www.intesasanpaolo.com/*
- extranet.bpifrance.fr/etresosesame/connexion.do
- extranet.bpifrance.fr/*
- basfnet.france.banqueaudi.com/cnet/Arc_NbOrion_html/Banque/Static_BASF/netbank_fr.html
- basfnet.france.banqueaudi.com/*
- basfnet.france.banqueaudi.com/cnet/Arc_NbOrion_html/Banque/Static_BASF/netbank_en.html
- www.banque-tahiti.pf/pauth.aspx*
- www.banque-tahiti.pf/*
- www.mydegroof.fr/*
- www4.banquewormser.com/
- www4.banquewormser.com/*
- esecure.banque-edel.fr/es@b/fr/index.jsp
- esecure.banque-edel.fr/*
- www.ct6.e-i.com/wlib_sharedresources/sson/ssonsign/sign_extranet.asp*
- www.ct6.e-i.com/*
- boursebesv.besv.fr/fr/index.html
- boursebesv.besv.fr/*
- clients.banque-fiducial.fr/comptes/fr/index.htm
- clients.banque-fiducial.fr/*
- web.procapital.fr/bami/public/form_login.html
- web.procapital.fr/*
- web.procapital.fr/bami/public/form_procap_login.html
- www.bamibanque.fr/WD110AWP/WD110awp.exe/CONNECT/GESCOMPTE2010
- www.bamibanque.fr/*
- www.bami.lmpatrimonline.com/bol-sb-web/EP01Action.do
- www.bami.lmpatrimonline.com/*
- www.bami.lmpatrimonline.com/bol-sb-web/EC01Action.do
- www.palatine.fr/espace-client-entreprises.html
- www.palatine.fr/*
- www.pouyanne.net/
- www.pouyanne.net/*
- espace-client.cora.fr/FrHomeBK/cora/logon.do
- espace-client.cora.fr/*
- verkkopankki2.danskebank.fi/pub/logon/logon.aspx*
- verkkopankki2.danskebank.fi/*
- www.portail.banque-solfea.fr/user/login
- www.portail.banque-solfea.fr/*
- www.bybloseuropeonline.com/finsebanking_enu_europe
- www.bybloseuropeonline.com/*
- www.byblosonline.com/finsebanking_enu
- www.byblosonline.com/*
- www.casden.fr/simu/view/accueil.seam
- www.casden.fr/*
- www.ing.lu/web/ING/DE/Privatpersonen/Einloggen/index.htm
- www.ingbank.cz/ib/login
- www.ingbank.cz/*
- www.internationalmoneytransfers.com.au/login/login
- www.internationalmoneytransfers.com.au/*
- www.bnpparibasfortis.be/private/Start.asp
- www.bnpparibasfortis.be/*
- nab.directnet.com/dn/c/cls/auth
- nab.directnet.com/*
- www.secure.bnpparibas.net/banque/portail/particulier/HomeConnexion*
- www.secure.bnpparibas.net/*
- www.secure.bnpparibas.net/banque/portail/entrepros/HomeConnexion*
- www.secure.bnpparibas.net/banque/portail/particulier/Fiche*
- ssologin-bp2s.bnpparibas.com/*
- factor.bnpparibas.com/factoring/fr/Portail_Connexion.or*
- factor.bnpparibas.com/*
- personeo.epargne-retraite-entreprises.bnpparibas.com/portal/salarie-bnp/*
- personeo.epargne-retraite-entreprises.bnpparibas.com/*
- personal.gironet.com/DIBS_GIRO_BANK/pages/loginP.jsp
- personal.gironet.com/*
- business.firstcitizensonline.com/cb/pages/jsp-ns/loginfcbsc.jsp
- business.firstcitizensonline.com/*
- ibs.medbank.lt/login.aspx
- ibs.medbank.lt/*
- business2.danskebank.dk/pub/logon/logon.aspx*
- business2.danskebank.dk/*
- ebankas.danskebank.lt/ib/site/login*
- ebankas.danskebank.lt/*
- business2.danskebank.com/pub/logon/logon.aspx*
- business2.danskebank.com/*
- www.danskebank.no/nb-no/Bedrift/Mellomstore-bedrifter/Nettbank/Pages/Nettbank.aspx*
- www.danskebank.no/*
- business2.danskebank.no/pub/logon/logon.aspx*
- business2.danskebank.no/*
- businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx
- businessonline.huntington.com/*
- www.colonialfirststate.com.au/firstnet/login.aspx*
- www.colonialfirststate.com.au/*
- www.colonialfirststate.com.au/FNMaster/masterLoginFrames.asp
- bizpermonline.newcastlepermanent.com.au/NPBSBusiness
- bizpermonline.newcastlepermanent.com.au/*
- internetbanking.imb.com.au/IB/personal
- internetbanking.imb.com.au/*
- www.cardservicesdirect.com.au/AUCRD/JSO/signon/DisplayUsernameSignon.do
- www.cardservicesdirect.com.au/*
- banking.beyondbank.com.au/daib/logon/cu5022/logon.asp
- banking.beyondbank.com.au/*
- logon.online.anz.com/auth/Logon/CentralLogin.fcc*
- logon.online.anz.com/*
- sslsecure.maybank.com.sg/cgi-bin/mbs/scripts/mbb_login.jsp
- sslsecure.maybank.com.sg/*
- www.bizchannel.cimb.com.sg/corp/common2/login.do*
- www.bizchannel.cimb.com.sg/*
- www.hongleongonline.com.my/business/index.jsp
- www.hongleongonline.com.my/*
- www.mybsn.com.my/mybsn/login/login.do
- www.mybsn.com.my/*
- bbmy.ocbc.com/baliweb/59341/site/defaultskin/en_US/html/static/logon_box.htm
- bbmy.ocbc.com/*
- online.akbank.de/onlinebanking/de/Login.html
- online.akbank.de/*
- webzr.aktivbank.de/webzr/login/ShowLogin.do
- webzr.aktivbank.de/*
- akp.aab.de/akp/vermoegensstatus/uebersicht.do
- akp.aab.de/*
- www.baaderbank.de/en/login.html
- www.baaderbank.de/*
- www.hsbctrinkaus.de/global/display/user*
- www.hsbctrinkaus.de/*
- business.memberdirect.net/business/default.jsp*
- business.memberdirect.net/*
- www.bankdirect.co.nz/
- www.hsbc.fr/1/2/hsbc-france/entreprises-institutionnels/connexion
- www.hsbc.fr/*
- online.asb.co.nz/auth/
- online.asb.co.nz/*
- fnb.asb.co.nz/SignOn.aspx
- fnb.asb.co.nz/*
- newentreprises.interepargne.natixis.com/
- entreprises.retraite.assurances.natixis.com/*
- epargnants.interepargne.natixis.fr/def_int_ep/ep/home.do*
- epargnants.interepargne.natixis.fr/*
- be.abanca.com/
- be.abanca.com/*
- private.lombardodier.com/login/login.jsp
- private.lombardodier.com/*
- cs1.credistar.com/p/
- cs1.credistar.com/*
- www.eurocredito.es/zonaClienteEurocredito/FcControlador.srvl*
- www.eurocredito.es/*
- caixadirecta.colonya.es/BEWeb/2056/6056/login_identificacion.action
- caixadirecta.colonya.es/*
- caixadirecta.colonya.es/BEWeb/2056/6056/inicia_identificacion.action*
- www.sydbank.de/Sign/DE/_mcologon*
- www.sydbank.de/*
- ssl.icoio.de/account
- ssl.icoio.de/*
- ssl.icoio.de/cash
- ssl.icoio.de/realestate
- banking.bmwbank.de/
- ob.cua.com.au/ib/f7bba4b88b84645e0ff8787e159be60d/LoginAuth.action
- ob.cua.com.au/*
- bcaixanet-empresas.bancocaixageral.es/
- bcaixanet-empresas.bancocaixageral.es/*
- bcaixanet-particulares.bancocaixageral.es/
- bcaixanet-particulares.bancocaixageral.es/*
- barclaysnet.barclays.es/accesoBarclaysNet.html
- barclaysnet.barclays.es/*
- www.bsfincomonline.com/
- www.bsfincomonline.com/*
- moj.multibank.pl/
- moj.multibank.pl/*
- companynet.mbank.pl/mt/
- companynet.mbank.pl/*
- online.mbank.pl/pl/Login
- online.mbank.pl/*
- aliorbank.pl/hades/do/Login
- aliorbank.pl/*
- www.ipko.pl/
- www.ipko.pl/*
- www.centrum24.pl/centrum24-web/login
- www.centrum24.pl/*
- www.citibankonline.pl/PLGCB/JPS/portal/SignonLocaleSwitch.do*
- www.citibankonline.pl/*
- www.ubank.com.au/
- www.ubank.com.au/*
- my.hsbcprivatebank.com/1/2/*
- my.hsbcprivatebank.com/*
- www.bancorpsouthinview.web-cashplus.com/Cashplus/
- www.bancorpsouthinview.web-cashplus.com/*
- banking.smile.co.uk/SmileWeb/start.do
- banking.smile.co.uk/*
- bankonline.sboff.com/OFS2/InternetBanking
- bankonline.sboff.com/*
- online.alrayanbank.co.uk/online/aspscripts/Logon.asp
- online.alrayanbank.co.uk/*
- mybbsaccounts.bucksbs.co.uk/mlogn01.asp
- mybbsaccounts.bucksbs.co.uk/*
- online.ccbank.co.uk/main.asp*
- online.ccbank.co.uk/*
- u-2-view.chorleybs.co.uk/mlogn01.asp
- u-2-view.chorleybs.co.uk/*
- wealthclient.closebrothers.com/Login
- wealthclient.closebrothers.com/*
- www.coventrybuildingsociety.co.uk/onlineservices/login/ols_login.aspx
- www.coventrybuildingsociety.co.uk/*
- myaccounts.newbury.co.uk/main.asp*
- myaccounts.newbury.co.uk/*
- cbforex.citizensbank.com/CitizensWebApplication/cbforex/loginScreen*
- cbforex.citizensbank.com/*
- login.isso.db.com/websso/sso_multi_auth_Logon.sso*
- www.corporate-clients.commerzbank.com/S-Portal/SHTML/cdir2/companydirectportal/pgf.html*
- www.corporate-clients.commerzbank.com/*
- apps.bhw.de/es600/index.jsp
- apps.bhw.de/*
- extra.unicreditbank.hu/eibpublic_SP/login.en.html
- www.dab-bank.de/Mein-Konto-Depot/Login
- www.dab-bank.de/*
- www.asl.com/asl/login/entryFrame.jsp
- ebanking-de1.ubs.com/enquiries/controller/*
- banking.varengold.de/OnlineBankingWebfrontend/banking/common/login.xhtml;jsessionid=6B6D8E978F9BF46846D30C85AF534497*
- banking.varengold.de/*
- kunde.comdirect.de/lp/wt/login
- kunde.comdirect.de/*
- meine.sutorbank.de/*
- www.accessonline.abnamro.com/fss/open/welcome.do*
- www.accessonline.abnamro.com/*
- banking.postbank.de/rai/login
- banking.postbank.de/*
- portal4.sydbank.dk/wps/bankdata/jsp/html/da/PortalFrame.jsp*
- portal4.sydbank.dk/*
- konto.biw-bank.de/onlinebanking-biwvp/login
- konto.biw-bank.de/*
- online.citibank.com/snapshoot/3
- www.discovercard.com/snapshoot/29
- www.paypal.com/snapshoot/7
- banking.bw-bank.de
- banking.oyakankerbank.de
- clientes.uci.es
- cpe.erste-group.com
- entreprises.retraite.assurances.natixis.com
- eservice.cembra.ch
- kunden-mkb-bank.de
- meine.norisbank.de
- meine.sutorbank.de
- netbanking.sparkasse.at
- onba.zkb.ch
- online.bankaustria.at
- online.bankvonroll.ch
- online.corp.westpac.com.au
- portal.sutorbank.de
- wertpapier.hafnerbank.de
- www.exane.com
- www.mydegroof.fr
The following are proxy addresses for man-in-the-middle attacks:
- {BLOCKED}.{BLOCKED}.246.10:443
- {BLOCKED}.{BLOCKED}.237.94:443
It sends the following GET request:
- /0607uk12/{Computer name}_{OS patform}.{value}/{value}/{data/variable}/{BLOCKED}.{BLOCKED}.43.38/
It sends a POST request to send stolen information from the injection.
SOLUTION
Minimum Scan Engine: 9.750
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Remove the malware/grayware file that dropped/downloaded TSPY_DYRE.SLU. (Note: Please skip this step if the threat(s) listed below have already been removed.)
- TROJ_UPATRE.YYSLU
Step 4
Restart in Safe Mode
[ Learn More ]
Step 5
Delete this registry value
[ Learn More ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- GoogleUpdate = "%AppDataLocal%\{random filename}.exe" (for Windows Vista and above)
- GoogleUpdate = "%AppDataLocal%\{random filename}.exe" (for Windows Vista and above)
Step 6
Delete this registry key
[ Learn More ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
- googleupdate (for Windows XP and below)
- googleupdate (for Windows XP and below)
Step 7
Search and delete these files
[ Learn More ]
There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result. - %System%\config\systemprofile\Application Data\ea1bw72e0f4.dll (for Windows XP
Step 8
Restore this modified registry value
[ Learn More ]
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From: LimitBlankPasswordUse = "0"
To: LimitBlankPasswordUse = 1
- From: LimitBlankPasswordUse = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
- From: fDenyTSConnections = "0"
To: fDenyTSConnections = 1
- From: fDenyTSConnections = "0"
- In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
- From: fSingleSessionPerUser = "0"
To: fSingleSessionPerUser = 1
- From: fSingleSessionPerUser = "0"
Step 9
Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_DYRE.SLU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Step 10
Scan your computer with your Trend Micro product to delete files detected as TSPY_DYRE.SLU. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.