TSPY_DYRE.YYSNZ

September 29, 2015

Analysis by: Janus Agcaoili

ALIASES:

Trojan:Win32/Dynamer!ac (Microsoft), Spyware.Dyre (MalwareBytes), UDS:DangerousObject.Multi.Generic (Kaspersky), Spyware/Win32.Dyre (AhnLab-V3)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Spyware
Destructiveness: No
Encrypted: Yes
In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

It connects to certain websites to send and receive information.

TECHNICAL DETAILS

File Size: 504,320 bytes

File Type: EXE

Memory Resident: Yes

Initial Samples Received Date: 19 Sep 2015

Payload: Steals information, Compromises system security

Arrival Details

This spyware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This spyware drops the following copies of itself into the affected system:

%AppDataLocal%\{random filename}.exe (for Windows Vista and above)
%Windows%\{random filename}.exe (for Windows XP and below)
%AppDataLocal%\{random filename}.ex_ (for Windows Vista and above)
%Windows%\{random filename}.ex_ (for Windows XP and below)

(Note: %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %Windows% is the Windows folder, where it usually is C:\Windows on all Windows operating system versions.)

It uses the Windows Task Scheduler to add a scheduled task that executes the copies it drops.

It adds the following mutexes to ensure that only one of its copies runs at any one time:

Global\{random}

It injects codes into the following process(es):

explorer.exe
svchost.exe

Autostart Technique

The scheduled task executes the malware every:

1 minute

Other System Modifications

This spyware modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Lsa
LimitBlankPasswordUse = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fDenyTSConnections = "0"

(Note: The default value data of the said registry entry is 1.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Control\Terminal Server
fSingleSessionPerUser = "0"

(Note: The default value data of the said registry entry is 1.)

Dropping Routine

This spyware drops the following files:

%System%\config\systemprofile\Application Data\{random filename} (for Windows XP and below)
%AppDataLocal%\{random filename} (for Windows Vista and above)

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.. %AppDataLocal% is the Application Data folder found in Local Settings, where it is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

Information Theft

This spyware gathers the following data:

Host Name
Public IP Address
Computer Name
OS Version
OS Platform
User Accounts
System Info(CPU, Memory, No. of Processors)
Installed programs
Services

Other Details

This spyware connects to the following URL(s) to check for an Internet connection:

google.com
microsoft.com

It connects to the following URL(s) to get the affected system's IP address:

http://icanhazip.com

It connects to the following website to send and receive information:

http://{BLOCKED}.{BLOCKED}.135.106:4443
http://{BLOCKED}.{BLOCKED}.147.103:4443
http://{BLOCKED}.{BLOCKED}.156.216:4443
http://{BLOCKED}.{BLOCKED}.241.26:443
http://{BLOCKED}.{BLOCKED}.63.98:443
http://{BLOCKED}.{BLOCKED}.73.130:443
http://{BLOCKED}.{BLOCKED}.116.76:443
http://{BLOCKED}.{BLOCKED}.244.187:443
http://{BLOCKED}.{BLOCKED}.220.8:443
http://{BLOCKED}.{BLOCKED}.156.105:4443
http://{BLOCKED}.{BLOCKED}.146.67:4443
http://{BLOCKED}.{BLOCKED}.228.117:4443
http://{BLOCKED}.{BLOCKED}.171.216:443
http://{BLOCKED}.{BLOCKED}.201.9:443
http://{BLOCKED}.{BLOCKED}.237.115:443
http://{BLOCKED}.{BLOCKED}.143.60:443
http://{BLOCKED}.{BLOCKED}.174.25:443
http://{BLOCKED}.{BLOCKED}.179.197:443
http://{BLOCKED}.{BLOCKED}.60.93:4443
http://{BLOCKED}.{BLOCKED}.49.162:443
http://{BLOCKED}.{BLOCKED}.48.79:443
http://{BLOCKED}.{BLOCKED}.34.245:443
http://{BLOCKED}.{BLOCKED}.91.90:443
http://{BLOCKED}.{BLOCKED}.250.245:443
http://{BLOCKED}.{BLOCKED}.191.170:443
http://{BLOCKED}.{BLOCKED}.51.115:4443
http://{BLOCKED}.{BLOCKED}.204.37:443
http://{BLOCKED}.{BLOCKED}.64.35:4443
http://{BLOCKED}.{BLOCKED}.226.85:443
http://{BLOCKED}.{BLOCKED}.194.101:4443
http://{BLOCKED}.{BLOCKED}.45.40:443
http://{BLOCKED}.{BLOCKED}.166.94:4443
http://{BLOCKED}.{BLOCKED}.9.55:443
http://{BLOCKED}.{BLOCKED}.58.42:4443
http://{BLOCKED}.{BLOCKED}.104.102:443
http://{BLOCKED}.{BLOCKED}.77.76:443
http://{BLOCKED}.{BLOCKED}.165.182:443
http://{BLOCKED}.{BLOCKED}.63.207:443
http://{BLOCKED}.{BLOCKED}.101.2:4443
http://{BLOCKED}.{BLOCKED}.154.180:4443
http://{BLOCKED}.{BLOCKED}.50.124:4443
http://{BLOCKED}.{BLOCKED}.4.60:443
http://{BLOCKED}.{BLOCKED}.45.149:443
http://{BLOCKED}.{BLOCKED}.57.164:4443
http://{BLOCKED}.{BLOCKED}.48.147:443
http://{BLOCKED}.{BLOCKED}.38.100:443
http://{BLOCKED}.{BLOCKED}.153.202:443
http://{BLOCKED}.{BLOCKED}.142.66:443
http://{BLOCKED}.{BLOCKED}.49.139:443
http://{BLOCKED}.{BLOCKED}.176.230:4443
http://{BLOCKED}.{BLOCKED}.84.55:443
http://{BLOCKED}.221.146.107:4443
http://{BLOCKED}.221.156.165:443

It does the following:

Receive configuration(web injects/MitB)
Receive New connections
Download file and execute
Download Module(VNC,TV)
Browser Snapshot
Terminate Process
Add Users
Modifies Master Boot Record (MBR)
Shutdown/restart system
Monitors the following browsers:
- chrome.exe
- firefox.exe
- iexplore.exe
Connects to the following STUN (Session Traversal Utilities for NAT) server in order to determine the public IP address of the compromised computer:
- stun1.voiceeclipse.net
- stun.callwithus.com
- stun.sipgate.net
- stun.ekiga.net
- stun.internetcalls.com
- stun.noc.ams-ix.net
- stun.voip.aebc.com
- stun.voipbuster.com
- stun.voxgratia.org
- stun.ipshka.com
- stun.faktortel.com.au
- stun.iptel.org
- stun.voipstunt.com
- 203.183.172.196:3478
- s1.taraba.net
- stun.l.google.com:19302
- stun1.l.google.com:19302
- stun2.l.google.com:19302
- stun3.l.google.com:19302
- stun4.l.google.com:19302
- stun.schlund.de
- stun.rixtelecom.se
- stun.voiparound.com
- numb.viagenie.ca
- stun.stunprotocol.org
- stun.services.mozilla.com
- stun.2talk.co.nz
Stop the following services:
- wscsvc
- MpsSvc
- WinDefend

NOTES:

This spyware steals important banking/Bitcoin information by intercepting webpage requests with the following URLS. The malware is able to redirect the request to its malicious server and then poses as the legitimate webpage:

cashproonline.bankofamerica.com/
cashproonline.bankofamerica.com/*
businessaccess.citibank.citigroup.com/cbusol/signon.do*
businessaccess.citibank.citigroup.com/*
www.bankline.natwest.com/CWSLogon/logon.do*
www.bankline.natwest.com/*
www.bankline.rbs.com/CWSLogon/logon.do*
www.bankline.rbs.com/*
www.bankline.ulsterbank.*/CWSLogon/logon.do*
www.bankline.ulsterbank.*/*
www.business.hsbc.co.uk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR2LKuyHkgbotDB1dDZyDDTwMzM0sDTy93B1dnXz8DN0tTCC6nd0dPUzMfYCqwzxdDTxNnEwMTH3dDA08jQnoLsgNDQUAO-nOhw!!/*
www.business.hsbc.co.uk/*
www.nwolb.com/default.aspx*
www.nwolb.com/*
www6.rbc.com/webapp/ukv0/signin/logon.xhtml*
www6.rbc.com/*
online.bankofscotland.co.uk/personal/logon/login.jsp*
online.bankofscotland.co.uk/*
www.rbsdigital.com/login.aspx*
www.rbsdigital.com/*
wellsoffice.wellsfargo.com/*/signon/index.jsp*
wellsoffice.wellsfargo.com/*
lloydslink.online.lloydsbank.com/Logon/Logon.jsp*
lloydslink.online.lloydsbank.com/*
www.ulsterbankanytimebanking.ie/default.aspx*
www.ulsterbankanytimebanking.ie/*
banking.bankofscotland.co.uk/Logon/Logon.aspx*
banking.bankofscotland.co.uk/*
access.jpmorgan.com/jpmalogon*
access.jpmorgan.com/*
securentrycorp.calbanktrust.com/
securentrycorp.calbanktrust.com/*
gateway.citizenscommercialbanking.com/ccp/accessmoneymanager.jsp*
gateway.citizenscommercialbanking.com/*
www.signatureny.web-access.com/signat/cgi-bin/login.cgi*
www.signatureny.web-access.com/*
onepass.regions.com/oaam_server/oamLoginPage.jsp*
onepass.regions.com/*
commercial.bnc.ca/auth/Login*
commercial.bnc.ca/*
ktt.key.com/ktt/cmd/logon*
ktt.key.com/*
businessbanking.tdcommercialbanking.com/WBB/LoginDisplay*
businessbanking.tdcommercialbanking.com/*
online-business.bankofscotland.co.uk/business/logon/login.jsp*
online-business.bankofscotland.co.uk/*
cityntl.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin*
cityntl.webcashmgmt.com/*
www.treasury.pncbank.com/idp/esec/login.ht*
www.treasury.pncbank.com/*
ffcw.webcashmgmt.com/wcmfd/wcmpw/CustomerLogin*
ffcw.webcashmgmt.com/*
cib.bankofthewest.com/K1/servlet/com.fis.authentication.servlet.WelcomeServlet*
cib.bankofthewest.com/*
www.frostcashmanager.com/CASHplus*
www.frostcashmanager.com/*
www.bankunitedbusinessonlinebanking.com/bbw/cmserver/welcome/default/verify.cfm*
www.bankunitedbusinessonlinebanking.com/*
www8.comerica.com/pkmslogin.form*
www8.comerica.com/*
securentrycorp.amegybank.com/
securentrycorp.amegybank.com/*
www2.pbebank.com/myIBK/apppbb/servlet/BxxxServlet*
www2.pbebank.com/*
www.hsbc.com.my/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDCxNvAz9vzyAXA2cPRxMPywBDAwgAykdiyjv5w-WJ0e1v6m5g6RNiYWngbeRvHGRqbECc7uDUvPjQYH0_j_zcVP1I_ShzDMWeniYwxZE5qemJyZXY1XljqgvN0w_Lyy_KBYZBQW5oRLm3jyMAwombdA!!/dl3/d3/L0lJSklna21BL0lKakFBTXlBQkVSQ0pBISEvNEZHZ3NvMFZ2emE5SUFnIS83XzA4NEswTktJUkQwQ0hBNEhJSTQwMDAwMDAwL*
www.hsbc.com.my/*
securentrycorp.nsbank.com/
securentrycorp.nsbank.com/*
securentrycorp.zionsbank.com/
securentrycorp.zionsbank.com/*
ematchingnz1.online.anz.com/saam/SAAMLogin/Login.fcc*
ematchingnz1.online.anz.com/*
www.fcsolb.com/cb/pages/jsp-ns/login.jsp*
www.fcsolb.com/*
transtasman.online.anz.com/client*
transtasman.online.anz.com/*
www.commercial.hsbc.com.hk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDd-NQv1BDg2AXA1-PEE9zPwtDAwgAykeaxTu7O3qYmPsA-WGergaeJk4mBqa-boYGnsbYdPsidBfkhioCAMGAADI!/*
www.commercial.hsbc.com.hk/*
www.anzdirect.co.nz/online/EnterANZDirect.do*
www.anzdirect.co.nz/*
www.bostonprivatebank.com/index.cfm/pid/10540*
www.bostonprivatebank.com/*
ebanking2.danskebank.co.uk/pub/logon/logon.aspx*
ebanking2.danskebank.co.uk/*
secure1.businesswaybnl.it/newcorporate/webcontoc/login/login*
secure1.businesswaybnl.it/*
business2.danskebank.co.uk/pub/logon/logon.aspx*
business2.danskebank.co.uk/*
online.coutts.com/eBankingCouttsLogin/login*
online.coutts.com/*
business.co-operativebank.co.uk/corp/BANKAWAY*
business.co-operativebank.co.uk/*
www.gs.reyrey.com/common/login/login.aspx*
www.gs.reyrey.com/*
businessonline.mutualofomahabank.com/cb/pages/jsp-ns/login.jsp*
businessonline.mutualofomahabank.com/*
login.salesforce.com/
login.salesforce.com/*
www.natwestibanking.com/eai/IPB_EAI_Web/*
www.natwestibanking.com/*
online.adambank.com/eBankingAdamLogin/login*
online.adambank.com/*
fdonline.co-operativebank.co.uk/corp/BANKAWAY*
fdonline.co-operativebank.co.uk/*
home?.cybusinessonline.co.uk/lmgruV8/ceblm-web/login.ctl*
home?.cybusinessonline.co.uk/*
home?.ybonline.co.uk/raluV8/reglm-web/login.ctl*
home?.ybonline.co.uk/*
top.capitalonebank.com/pub/html/login.html*
top.capitalonebank.com/*
cmol.bbt.com/auth/prompt.tb*
cmol.bbt.com/*
business-eb.ibanking-services.com/K1/index.jsp*
business-eb.ibanking-services.com/*
btultra.btrl.ro/sign/_mcologon*
btultra.btrl.ro/*
tdetreasury.tdbank.com/s1gcb/logon/sbuser*
tdetreasury.tdbank.com/*
www.iombankibanking.com/eai/IPB_EAI_Web/eai*
www.iombankibanking.com/*
www.rbsiibanking.com/ipb/IPB_Client_Web/Start.do*
www.rbsiibanking.com/*
express.53.com/portal/auth/login/Login*
express.53.com/*
www22.bmo.com/ctpauth/CTPEAILogin/CustUserPasswordAuthServlet*
www22.bmo.com/*
e-access.compassbank.com/bbw/cmserver/welcome/default/verify.cfm*
e-access.compassbank.com/*
ht.businessonlinepayroll.com/SPF/login/ee_auth.aspx*
ht.businessonlinepayroll.com/*
www1.rbcbankusa.com/cgi-bin/rbaccess/rbunxcgi*
www1.rbcbankusa.com/*
webcmpr.bancopopular.com/K1*
webcmpr.bancopopular.com/*
login.isso.db.com/websso/sso_multi_auth_Logon.sso*
login.isso.db.com/*
www.onlinebanking.iombank.com/default.aspx*
www.onlinebanking.iombank.com/*
bank.barclays.co.uk/olb/auth/LoginLink.action*
bank.barclays.co.uk/*
www.rbsidigital.com/default.aspx*
www.rbsidigital.com/*
www.svbconnect.com/auth*
www.svbconnect.com/*
www.corporate-clients.commerzbank.com/S-Portal/SHTML/cdir2/companydirectportal/pgf.html*
www.corporate-clients.commerzbank.com/*
www.onlinebanking.natwestoffshore.com/default.aspx*
www.onlinebanking.natwestoffshore.com/*
charisma.btdirect.ro/CharismaWEB/_Public/Login.aspx*
charisma.btdirect.ro/*
aibinternetbanking.aib.ie/inet/roi/login.htm*
aibinternetbanking.aib.ie/*
business.santander.co.uk/LGSBBI_NS_ENS/BtoChannelDriver.ssobto*
business.santander.co.uk/*
retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto*
retail.santander.co.uk/*
www.internationalpayments.co.uk/
www.internationalpayments.co.uk/*
santander.hpdsc.com/main*
santander.hpdsc.com/*
leumionline.bankleumi.co.uk/my.policy*
leumionline.bankleumi.co.uk/*
www.caterallenonline.co.uk/
www.caterallenonline.co.uk/*
bolpp.bankofireland.com/Commercial*
bolpp.bankofireland.com/*
personal.co-operativebank.co.uk/CBIBSWeb/start.do*
personal.co-operativebank.co.uk/*
www.boi-bol.com/newHome.jsp*
www.boi-bol.com/*
cbfm.saas.cashfac.com/cbfm/Logon.aspx*
cbfm.saas.cashfac.com/*
www.ingonline.com/ro/!UPR.Dispatcher*
www.ingonline.com/*
onlinebusiness.lloydsbank.co.uk/business/logon/login.jsp*
onlinebusiness.lloydsbank.co.uk/*
alolb1.arbuthnotlatham.co.uk/IB/Online*
alolb1.arbuthnotlatham.co.uk/*
online.hoaresbank.co.uk/fi11512/bb/logon*
online.hoaresbank.co.uk/*
butterfieldonline.co.uk/
butterfieldonline.co.uk/*
www.asbolb.com/servlet/ASB.ASBServlet*
www.asbolb.com/*
online.ybs.co.uk/public/authentication/login1.do*
online.ybs.co.uk/*
www.kbinternetbanking.com:8443/ARCIB-NEWF/index.html*
www.kbinternetbanking.com:8443/*
fastbanking.bancpost.ro/iBankWeb/login.jsp*
fastbanking.bancpost.ro/*
ibank.reliancebankltd.com/logon.aspx*
ibank.reliancebankltd.com/*
online.duncanlawrie.com/InternetBanking/faces/mdi/login.jsp*
online.duncanlawrie.com/*
esavings.shawbrook.co.uk/BankFast/Shawbrook*
esavings.shawbrook.co.uk/*
bureau.bottomline.co.uk/unity/index.aspx*
bureau.bottomline.co.uk/*
ibb.firsttrustbank1.co.uk/ibb/controller*
ibb.firsttrustbank1.co.uk/*
www2.firstdirect.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR5rFO7s7epiY-wD5YZ6uBp4mTiYGpr5uhgaexmDdFibeBn7enkEuBs4ejiYeHkGGMN0FuaGKAPRSfDc!*
www2.firstdirect.com/*
netbanking.ubluk.com/Login/Index*
netbanking.ubluk.com/*
ibank.zenith-bank.co.uk/internetbanking/index.jsp*
ibank.zenith-bank.co.uk/*
ibank.gtbankuk.com/Gaps_UK/Default.aspx*
ibank.gtbankuk.com/*
online.bankofcyprus.co.uk/netteller/login.faces*
online.bankofcyprus.co.uk/*
banking.ireland-bank.com/IrelandBankOnline_303/Authentication/Login.aspx*
banking.ireland-bank.com/*
bankofirelandlifeonline.ie/
bankofirelandlifeonline.ie/*
www.365online.com/online365/spring/authentication*
www.365online.com/*
online.kbc.ie/kbc-online/onlinebanking/login*
online.kbc.ie/*
www.open24.ie/online/login.aspx*
www.open24.ie/*
business2.danskebank.ie/pub/logon/logon.aspx*
business2.danskebank.ie/*
online.ebs.ie/internet/login/index.jsp*
online.ebs.ie/*
corporate.metrobankonline.co.uk/
corporate.metrobankonline.co.uk/*
secure2.alphabank.ro/corporate/CorpOTPLoginLangRom.jsp*
secure2.alphabank.ro/*
ib.btrl.ro/BT24/bfo/channel/web/loginframe.jsp*
ib.btrl.ro/*
www.ceconline.ro/smartoffice/logon.htm*
www.ceconline.ro/*
ro.unicreditbanking.net/disp*
ro.unicreditbanking.net/*
secure.internetbanking.ro/IBK_SMS/Login/LoginFirstStep.aspx*
secure.internetbanking.ro/*
net.crediteurope.ro/ibank-cln/do/login/prompt*
net.crediteurope.ro/*
www.raiffeisenonline.ro/eBankingWeb/login*
www.raiffeisenonline.ro/*
login.24banking.ro/casserver/login*
login.24banking.ro/*
www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsRouting*
www.barclayswealth.com/*
s2b.standardchartered.com/ssoapp/login.jsp*
s2b.standardchartered.com/*
eadibcorp.adib.ae/cb/servlet/cb/jsp-ns/login.jsp*
eadibcorp.adib.ae/*
corporate.adcb.com/corporateWeb/login.do*
corporate.adcb.com/*
www.arabi-online.net/efs/servlet/efs/jsp-ns/login.jsp*
www.arabi-online.net/*
cbionline.cbi.ae/bus/security/Welcome.do*
cbionline.cbi.ae/*
my.sjpbank.co.uk/Security/Auth/Logon*
my.sjpbank.co.uk/*
www.cbdibusiness.ae/cb/servlet/cb/login.jsp*
www.cbdibusiness.ae/*
login.smartbusiness.ae/bo-login.jsp*
login.smartbusiness.ae/*
online.dib.ae/webapplication.ui/localoperations/login/loginpage.aspx*
online.dib.ae/*
www.investbank.ae/ibank/loginAction.do*
www.investbank.ae/*
netbanking.mashreqbank.com/B001/SMELogin.jsp*
netbanking.mashreqbank.com/*
online.nbad.com/iportalweb/iportal/jsps/orbilogin.jsp*
online.nbad.com/*
rakbankonline.ae/corp/BANKAWAY*
rakbankonline.ae/*
www.noorinternetbanking.com/CWCLIENT/loginClient.action*
www.noorinternetbanking.com/*
secure.membersaccounts.com/SELFSERVICE/login.aspx*
secure.membersaccounts.com/*
cardonebanking.com/authlogin.aspx*
cardonebanking.com/*
cardonebanking.com/authlogin.aspx?business*
cardonebanking.com/*
cib.uab.ae/
cib.uab.ae/*
www.halifax-online.co.uk/personal/logon/login.jsp*
www.halifax-online.co.uk/*
banking.triodos.co.uk/ib-seam/login.seam?loginType=dp550*
banking.triodos.co.uk/*
banking.triodos.co.uk/ib-seam/login.seam?loginType=username*
banking.triodos.co.uk/*
ebank.turkishbank.co.uk/Default2.aspx*
ebank.turkishbank.co.uk/*
nebasilicon.fdecs.com/eCustService/*
nebasilicon.fdecs.com/*
infinity.icicibank.co.uk/UKRET/BANKAWAY*
infinity.icicibank.co.uk/*
ibank.theaccessbankukltd.co.uk/entry/CorpLoginLang.html*
ibank.theaccessbankukltd.co.uk/*
www.standardlife.co.uk/c1/login.page*
www.standardlife.co.uk/*
apps.virginmoney.com/vmosws/loginWait.do*
apps.virginmoney.com/*
ebaer.juliusbaer.com/*
ebaer.juliusbaer.com/*
ebanking-ch2.ubs.com/workbench/Index.do*
ebanking-ch2.ubs.com/*
onlinebanking.bankcoop.ch/
onlinebanking.bankcoop.ch/*
tb.raiffeisendirect.ch/
tb.raiffeisendirect.ch/*
wwwsec.ebanking.zugerkb.ch/authen/login*
wwwsec.ebanking.zugerkb.ch/*
wwwsec.valiant.ch/authen/login*
wwwsec.valiant.ch/*
inba.lukb.ch/lukbLogin/*
inba.lukb.ch/*
www.bcv.ch/bcvd-login/authenticateAction.do*
www.bcv.ch/*
www.bcv.ch/en
www.bcv.ch/*
www.bcv.ch/fr
www.bcv.ch/*
www.bcv.ch/de
www.bcv.ch/*
online.citi.eu/GBIPB/JSO/signon/DisplayUsernameSignon.do*
online.citi.eu/*
clients.tilneybestinvest.co.uk/ORM/Login.aspx*
clients.tilneybestinvest.co.uk/*
my.hypovereinsbank.de/login*
my.hypovereinsbank.de/*
db-sg.db.com/gen/login/index_4.cfm*
db-sg.db.com/*
meine.deutsche-bank.de/trxm/db*
meine.deutsche-bank.de/*
www.banking.axa.de/OnlineBankingWebfrontend/banking/common/login.xhtml*
www.banking.axa.de/*
my.banklenz.de/web/guest/login*
my.banklenz.de/*
banking.martinbank.de/
banking.martinbank.de/*
apps.bhw.de/es600/index.jsp*
apps.bhw.de/*
auth.globalpay.westernunion.com/Sso/Login.aspx*
auth.globalpay.westernunion.com/*
extra.unicreditbank.hu/eibpublic_SP/login.en.html*
extra.unicreditbank.hu/*
extra.unicreditbank.hu/eibpublic_SP/login.hu.html*
extra.unicreditbank.hu/*
extra.unicreditbank.hu/eibpublic_SP/login.de.html*
extra.unicreditbank.hu/*
ib.banksyd.com.au/
ib.banksyd.com.au/*
banking.bmwbank.de/s/b2cpws.fcc*
banking.bmwbank.de/*
banking.donner-reuschel.de/index.jsp*
banking.donner-reuschel.de/*
www.firstmeritib.com/ec/DefaultCorp.aspx*
www.firstmeritib.com/*
cmo.cibc.com/wp/wps/portal/bbdsignon*
cmo.cibc.com/*
blcweb.banquelaurentienne.ca/lang/en/BLCDirect*
blcweb.banquelaurentienne.ca/*
blcweb.banquelaurentienne.ca/lang/fr/BLCDirect*
blcweb.banquelaurentienne.ca/*
secure.tddirectinvesting.co.uk/webbroker2/login.jsp*
secure.tddirectinvesting.co.uk/*
online.hl.co.uk/my-accounts*
online.hl.co.uk/*
www.youinvest.co.uk/LogIn/username*
www.youinvest.co.uk/*
www.dab-bank.de/Mein-Konto-Depot/Login*
www.dab-bank.de/*
www.degussa-bank.de/login*
www.degussa-bank.de/*
finanzportal.fiducia.de/p01pebe/entry*
finanzportal.fiducia.de/*
www.deutschebank-dbdirect.com/cas/login*
www.deutschebank-dbdirect.com/*
login.isso.db.com/websso/sso_custom_multi_auth_flex_Logon.sso*
login.isso.db.com/*
db-direct.db.com/u/eb/Login_Main.serv*
db-direct.db.com/*
finanzportal.fiducia.de/p13pepe/entry*
finanzportal.fiducia.de/*
online.hbs.net.au/hbsv47/ntv471.asp*
online.hbs.net.au/*
www.asl.com/asl/login/entryFrame.jsp*
www.asl.com/*
banking.ing-diba.de/app/login*
banking.ing-diba.de/*
banking.valovisbank.de/portal/*
banking.valovisbank.de/*
kunden-mkb-bank.de/
kunden-mkb-bank.de/*
financepilot-pe.mlp.de/p12pepe/entry*
financepilot-pe.mlp.de/*
banking.greensill-bank.com/ptlweb/WebPortal*
banking.greensill-bank.com/*
hbciweb.olb.de/financebrowser5*
hbciweb.olb.de/*
banking.oyakankerbank.de/[?]*
banking.oyakankerbank.de/*
secure.ampbanking.com/au/Logon*
secure.ampbanking.com/*
online.multiport.com.au/
online.multiport.com.au/*
globalpay.westernunion.com/GlobalPay/Login.aspx*
globalpay.westernunion.com/*
www.anztransactive.anz.com/
www.anztransactive.anz.com/*
www.anz.com/INETBANK/bankmain.asp*
www.anz.com/*
bbonline.banksa.com.au/html/cbank.asp*
bbonline.banksa.com.au/*
ibs.bankwest.com.au/BWLogin/bib.aspx*
ibs.bankwest.com.au/*
netteller2.tsw.com.au/delphi/ntv451.asp*
netteller2.tsw.com.au/*
businessonline.westpac.com.au/esis/Login/SrvPage*
businessonline.westpac.com.au/*
online.corp.westpac.com.au/
online.corp.westpac.com.au/*
www?.my.commbiz.commbank.com.au/Logon/UserMaintenance/Login.aspx*
www?.my.commbiz.commbank.com.au/*
bbonline.bankofmelbourne.com.au/html/cbank.asp*
bbonline.bankofmelbourne.com.au/*
www.ib.boq.com.au/boqbl*
www.ib.boq.com.au/*
banking.lloydsbank.com/Logon/logon.aspx
banking.lloydsbank.com/*
www.my.commbank.com.au/netbank/Logon/Logon.aspx*
www.my.commbank.com.au/*
bank.ruralbank.com.au/banking/RBLIBanking*
bank.ruralbank.com.au/*
secure.macquarie.com.au/sepas/serve*
secure.macquarie.com.au/*
nabconnect*.nab.com.au/auth/nabclogin/login.do*
nabconnect*.nab.com.au/*
ib.tmbank.com.au/ib/signon/Login.aspx*
ib.tmbank.com.au/*
www.citibank.com.au/AUGCB/JSO/signon/DisplayUsernameSignon.do*
www.citibank.com.au/*
ap.ebs.bankofchina.com/login.html*
ap.ebs.bankofchina.com/*
netteller?.pnbank.com.au/InternetBanking/Login.aspx*
netteller?.pnbank.com.au/*
secure.defencebank.com.au/daib/logon/*/logon.asp*
secure.defencebank.com.au/*
online.bankmecu.com.au/daib/logon/*/logon.asp*
online.bankmecu.com.au/*
private.bankofsingapore.com/Login/Login*
private.bankofsingapore.com/*
fareastnationalbank.ebanking-services.com/EamWeb/account/login.aspx*
fareastnationalbank.ebanking-services.com/*
velocity.ocbc.com/portal.view*
velocity.ocbc.com/*
uniservices2.uobgroup.com/ELO/login.jsp*
uniservices2.uobgroup.com/*
sg.bibplus.uobgroup.com/BIB/public*
sg.bibplus.uobgroup.com/*
bbonline.stgeorge.com.au/html/cbank.asp*
bbonline.stgeorge.com.au/*
internetbanking.suncorpbank.com.au/
internetbanking.suncorpbank.com.au/*
inetbnkp.adelaidebank.com.au/OnlineBanking/AdBank*
inetbnkp.adelaidebank.com.au/*
www.superchoice.com.au/amp*
www.superchoice.com.au/*
secure.anz.co.nz/IBCS/service/login*
secure.anz.co.nz/*
www.bnz.co.nz/ib4b/app/login*
www.bnz.co.nz/*
bol.westpac.co.nz/s1gcb/logon/sbuser*
bol.westpac.co.nz/*
www.ib.kiwibank.co.nz/
www.ib.kiwibank.co.nz/*
www.flexipurchase.com/secure/welcome.asp*
www.flexipurchase.com/*
homebank.tsbbank.co.nz/online*
homebank.tsbbank.co.nz/*
secure1.rabodirect.co.nz/exp/policyenforcer/pages/loginB2CDGPEN.jsf*
secure1.rabodirect.co.nz/*
my.statestreet.com/
my.statestreet.com/*
www.mercantilcbonline.com/secure/banking/logon*
www.mercantilcbonline.com/*
fx.regions.com/esn01/servlet/RSASingleSignOn*
fx.regions.com/*
www.goldman.com/login/login_a.cgi*
www.goldman.com/*
wealth.goldman.com/login/login_a.cgi*
wealth.goldman.com/*
businesscenter.mysynchrony.com/BusinessCenterPortal*
businesscenter.mysynchrony.com/*
commerceconnections.commercebank.com/
commerceconnections.commercebank.com/*
www.bankdirect.co.nz/
www.bankdirect.co.nz/*
pfo.us.hsbc.com/
pfo.us.hsbc.com/*
bbonline.stgeorge.com.au/html/cbindex.asp*
bbonline.stgeorge.com.au/*
ideal.dbs.com/loginSubscriber/login/pin.jsp*
ideal.dbs.com/*
internet-banking.dbs.com.sg/IB/Welcome*
internet-banking.dbs.com.sg/*
www.dbsvonline.com/english/index.asp*
www.dbsvonline.com/*
cashmanager.mizuhoe-treasurer.com/mz/servlet/SLogin*
cashmanager.mizuhoe-treasurer.com/*
www.superorganised.com.au/dashboard/login*
www.superorganised.com.au/*
portal.northonline.com.au/WealthNET.PortalClient*
portal.northonline.com.au/*
www.gecapitalbank.com/gecb/app/login*
www.gecapitalbank.com/*
www.gemyaccounts.com/myaccounts/Index.html*
www.gemyaccounts.com/*
connect.bnymellon.com/ConnectLogin/login/LoginPage.jsp*
connect.bnymellon.com/*
www.postfinance.ch/ap/ba/fp/html/e-finance/home*
www.postfinance.ch/*
ebanking-ch2.ubs.com/workbench/Index.do*
ebanking-ch2.ubs.com/*
clientlogin.ibb.ubs.com/login*
clientlogin.ibb.ubs.com/*
www.ebanking.hsbc.co.nz/1/2/!ut/p/c5/jZBdC4IwGEZ_0vtuI6VLXTitmeGa6G5kiIigMyKK_n3rJrrpg-fynHPzgAE_Z6_jYC_j4uwENZigzYMQOd0yFLwIkJbZmsu4JCJhnjefecn-qkklokxTLEjquUxCKsUBxRF_1Kp3rVawT5e5hwZM-CYr8ZTzjVzFyDhn0Ez9YLv7d0-Rl6cdVG45z_6D06zr205GD_hDJm4!/dl3/d3/L0lJSklna21BL0lKakFBTXlBQkVSQ0pBISEvNEZHZ3NvMFZ2emE5SUFnIS83X002NzBDMkozMEdTRzYwMlJNREw1QjAzQ0MzL*
www.ebanking.hsbc.co.nz/*
secure.heartland.co.nz/IB/index.zul*
secure.heartland.co.nz/*
connect-ch2.ubs.com/workbench/Index.do*
connect-ch2.ubs.com/*
www.bendigobank.com.au/banking/BBLIBanking*
www.bendigobank.com.au/*
www.hsbc.com.au/1/2/HUB_IDV2/IDV_EPP*
www.hsbc.com.au/*
www.citibusiness.citibank.com.sg/SGCBZ/JSO/signon/DisplayUsernameSignon.do*
www.citibusiness.citibank.com.sg/*
internet.ocbc.com/internet-banking*
internet.ocbc.com/*
ibank.standardchartered.com.sg/nfs/login.htm*
ibank.standardchartered.com.sg/*
fastpay.asbbank.co.nz/Account/LogOn*
fastpay.asbbank.co.nz/*
drob.santanderbank.com/cscobgss/Satellite*
drob.santanderbank.com/*
ebanking-lux.ubs.com/fim*
ebanking-lux.ubs.com/*
www2.secure.hsbcnet.com/uims/portal/IDV_CAM10_AUTHENTICATION*
www2.secure.hsbcnet.com/*
ebanking-es.ubs.com/
ebanking-es.ubs.com/*
ebanking-uk.ubs.com/
ebanking-uk.ubs.com/*
www.citibank.com.sg/SGGCB/JSO/signon/DisplayUsernameSignon.do*
www.citibank.com.sg/*
www.onlinesbiglobal.com/64SG/BANKAWAY*
www.onlinesbiglobal.com/*
www.onlinesbiglobal.com/64SG/BANKAWAY*
www.onlinesbiglobal.com/*
ebanking-bel.ubs.com/epexb*
ebanking-bel.ubs.com/*
ebanking-bel.ubs.com/estmtb*
ebanking-bel.ubs.com/*
ebanking-bel.ubs.com/fim*
ebanking-bel.ubs.com/*
ebanking-bhs2.ubs.com/epex*
ebanking-bhs2.ubs.com/*
ebanking-aut.ubs.com/fim*
ebanking-aut.ubs.com/*
ebanking-aut.ubs.com/epexa*
ebanking-aut.ubs.com/*
ebanking-aut.ubs.com/estmta*
ebanking-aut.ubs.com/*
invest.etrade.com.au/Home.aspx*
invest.etrade.com.au/*
www.hsbc.com.sg/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDf6NAZ8tQU3c3A0dDV5MAf2MTAwjQL8h2VAQAdKy3eg!!/*
www.hsbc.com.sg/*
www.asb.co.nz/
www.asb.co.nz/*
cib.icicibank.com/corp/BANKAWAY*
cib.icicibank.com/*
group.unicreditbanking.net/
group.unicreditbanking.net/*
www.fidunet.lu/fidunet/loginFidu.jsp*
www.fidunet.lu/*
www.corpnet.lu/corpnet/loginCorp.jsp*
www.corpnet.lu/*
secure.unicreditbank.lu/
secure.unicreditbank.lu/*
www.unicreditbank.sk/i-banking-sk-https.html*
www.unicreditbank.sk/*
www.unicreditbank.ba/eba/BHgradjani*
www.unicreditbank.ba/*
ebanking-au.ubs.com/ebanking*
ebanking-au.ubs.com/*
onlineservices.ubs.com/olsauth/ex/pbl/ubso/dl*
onlineservices.ubs.com/*
clientportal.ibb.ubs.com/portal/index.htm*
clientportal.ibb.ubs.com/*
ebanking-fr.ubs.com/enquiries/*
ebanking-fr.ubs.com/*
ebanking-de1.ubs.com/workbench/Index.do*
ebanking-de1.ubs.com/*
ebanking-hksg.ubs.com/
ebanking-hksg.ubs.com/*
ebanking-can.ubs.com/epex*
ebanking-can.ubs.com/*
ebanking-ca.ubs.com/safeloginc/Login*
ebanking-ca.ubs.com/*
ebanking-ca.ubs.com/gepc/MainAction*
ebanking-ca.ubs.com/*
ebanking-can.ubs.com/estmtc*
ebanking-can.ubs.com/*
ebanking-ca.ubs.com/safeloginc/Login*
ebanking-ca.ubs.com/*
ebanking-ca.ubs.com/estmtc/action/login*
ebanking-ca.ubs.com/*
trz.tranzact.org/LogonOTP.aspx*
trz.tranzact.org/*
catalystcorp.org/*
catalystcorp.org/*
www.tranzact.org/
www.tranzact.org/*
mdcommercial.jpmorgan.com/
mdcommercial.jpmorgan.com/*
jpmcsso-uk.jpmorgan.com/sso/action/federateLogin*
jpmcsso-uk.jpmorgan.com/*
jpmcsso.jpmorgan.com/sso/action/login*
jpmcsso.jpmorgan.com/*
online.lloydsbank.co.uk/personal/logon/login.jsp*
online.lloydsbank.co.uk/*
www.hsbc.co.uk/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gDgzAfSycDUy8LAzNDbz8vbzMDKADKR5rFO7s7epiY-wD5YZ6uBp4mTiYGpr5uhgaexmDdFibeBn7enkEuBs4ejiYeRiHGMN1-Hvm5qfoFuRHlABOr0sE!*
www.hsbc.co.uk/*
ebanking-it.ubs.com/
ebanking-it.ubs.com/*
ebanking-lux.ubs.com/estmt*
ebanking-lux.ubs.com/*
ebanking-lux.ubs.com/epex*
ebanking-lux.ubs.com/*
ebanking-ch.ubs.com/workbench/Index.do*
ebanking-ch.ubs.com/*
quotes-global1.ubs.com/go/*
quotes-global1.ubs.com/*
ebanking-mc.ubs.com/
ebanking-mc.ubs.com/*
ebanking-nld.ubs.com/estmtn*
ebanking-nld.ubs.com/*
www.ubs.com/connect*
www.ubs.com/*
privatebank-us.ubs.com/
privatebank-us.ubs.com/*
jpmcsso.jpmorgan.com/sso/action/federateLogin*
jpmcsso.jpmorgan.com/*
online.unicreditcorporate.it/login.htm*
online.unicreditcorporate.it/*
online-smallbusiness.unicredit.it/login.htm*
online-smallbusiness.unicredit.it/*
online-private.unicredit.it/login.htm*
online-private.unicredit.it/*
online-retail.unicredit.it/login.htm*
online-retail.unicredit.it/*
www.gtb.unicredit.eu/login*
www.gtb.unicredit.eu/*
my.hypovereinsbank.de/login*
my.hypovereinsbank.de/*
online.bulbank.bg/page/default.aspx*
online.bulbank.bg/*
extra.unicreditbank.hu/eib_SP/loginpage.hu.html*
extra.unicreditbank.hu/*
www.hvbrsce.com/ebanking/Athens/Pages/ElectronicBanking.htm*
www.hvbrsce.com/*
si.unicreditbanking.net/disp*
si.unicreditbanking.net/*
www.unicreditbank.cz/web/redirect.php*
www.unicreditbank.cz/*
www.unicreditbank.cz/web/redirect.php*
www.unicreditbank.cz/*
online.privatebanking.societegenerale.be/sg/login_nl.html*
online.privatebanking.societegenerale.be/*
online.privatebanking.societegenerale.be/sg/login_fr.html*
online.privatebanking.societegenerale.be/*
www.zaba.hr/ebank/gradjani/Prijava*
www.zaba.hr/*
www.brdoffice.ro/smartoffice/_mcologon*
www.brdoffice.ro/*
an.rbcnetbank.com/
an.rbcnetbank.com/*
www.brdoffice.ro/smartoffice/_mcologon*
www.brdoffice.ro/*
cashmanagement.barclays.net/portalservices/forms/login.pser*
cashmanagement.barclays.net/*
www.barclayswealth.com/login/action/logon/unauthenticated/corporate/loginSigningGemplus*
www.barclayswealth.com/*
www.unity-online.co.uk/
www.unity-online.co.uk/*
secure.aldermorebusinesssavings.co.uk/corporate*
secure.aldermorebusinesssavings.co.uk/*
e-bank.unicreditbank.si/webbankBACX*
e-bank.unicreditbank.si/*
www.vancity.com/BusinessBanking/OnlineBanking/MyAccounts*
www.vancity.com/*
onlinebusinessplus.vancity.com/business/default.jsp*
onlinebusinessplus.vancity.com/*
bankonweb.sgeb.bg/page/default.aspx*
bankonweb.sgeb.bg/*
bankonweb.sgeb.bg/page/default.aspx*
bankonweb.sgeb.bg/*
banques.exalog.net/authent.php*
banques.exalog.net/*
www.sogehomebank.com/Retail/login.aspx*
www.sogehomebank.com/*
ibank1.bib.barclays.com/logon
ibank1.bib.barclays.com/*
entreprises.societegenerale.fr/index.html*
entreprises.societegenerale.fr/*
entreprises.societegenerale.fr/
entreprises.societegenerale.fr/*
entreprises.societegenerale.fr/associations-connexion.html*
entreprises.societegenerale.fr/*
professionnels.societegenerale.fr/association_connexion.html*
professionnels.societegenerale.fr/*
professionnels.societegenerale.fr/index.html*
professionnels.societegenerale.fr/*
particuliers.societegenerale.fr/
particuliers.societegenerale.fr/*
www.sgcb.nc/part/fr/dciweb.htm*
www.sgcb.nc/*
www.sgcb.nc/part/en/dciweb.htm*
www.sgcb.nc/*
sogecashnet.societegenerale.cg/smartoffice/GB*
sogecashnet.societegenerale.cg/*
sogecashnet.societegenerale.cg/smartoffice/index.htm*
sogecashnet.societegenerale.cg/*
ebanking.societegenerale.al/webbankALB/loginCer.jsp*
ebanking.societegenerale.al/*
www.uibanking-net.com/smartoffice/fr/connexion.html*
www.uibanking-net.com/*
www.uibanking-net.com/smartoffice/GB/connexion.html*
www.uibanking-net.com/*
www.privatebanking.societegenerale.com/en/banking/luxembourg*
www.privatebanking.societegenerale.com/*
www.privatebanking.societegenerale.com/en/banking/monaco*
www.privatebanking.societegenerale.com/*
banque.bfcoi.com/identificationClient.html*
banque.bfcoi.com/*
sogeonline.societegenerale.cn/eweb/prelogin.do*
sogeonline.societegenerale.cn/*
pro.skb.net/
pro.skb.net/*
sikanet.sg-ssb.com.gh/priv/en/dciweb.htm*
sikanet.sg-ssb.com.gh/*
sikanet.sg-ssb.com.gh/priv/fr/dciweb.htm*
sikanet.sg-ssb.com.gh/*
www.obsgnet.com.mk/Retail/LoginModule/LoginToken.aspx*
www.obsgnet.com.mk/*
www.fineco.it/it/public*
www.fineco.it/*
www.investimenti.unicredit.it/
www.investimenti.unicredit.it/*
ticari.yapikredi.com.tr/ifcapp/xrl/*
ticari.yapikredi.com.tr/*
ticari.yapikredi.com.tr/ifcapp/xrl/*
ticari.yapikredi.com.tr/*
sgcib.pl/ib/Default.aspx*
sgcib.pl/*
www.interacciones.com/portalAgentes/login.jsp*
www.interacciones.com/*
www.interacciones.com/loginUsuario.do*
www.interacciones.com/*
sogecashnet.sga.dz/smartoffice*
sogecashnet.sga.dz/*
www.sogecashnet.ma/smartoffice/index.htm*
www.sogecashnet.ma/*
unified-access.societegenerale.com/portal/site/SogecashWeb*
unified-access.societegenerale.com/*
wibdirect.wib-bank.net/business/online*
wibdirect.wib-bank.net/*
www.mercantilcbonline.com/secure/banking/individualLogon*
www.mercantilcbonline.com/*
admin.epymtservice.com/admin/index.jhtml*
admin.epymtservice.com/*
access.usbank.com/cpsApp1/AxolPreAuthServlet*
access.usbank.com/*
top.capitalonebank.com/cashplus/*
top.capitalonebank.com/*
www.chase.com/commercial-bank/chase-commercial-online*
www.chase.com/*
direct.capitecbank.co.za/ibank*
direct.capitecbank.co.za/*
see.sbi.com.mx/invernet2000/home*
see.sbi.com.mx/*
enlace.santander-serfin.com/eai/EaiEmpresasWAR/inicio.do*
enlace.santander-serfin.com/*
cpn.hsbc.com.mx/cpn/default.htm*
cpn.hsbc.com.mx/*
www.scotiaweb.com.mx/hipotecario/hip_login.asp*
www.scotiaweb.com.mx/*
www.bancaempresarialazteca.com.mx/BancaEmpresarial/login.htm*
www.bancaempresarialazteca.com.mx/*
sites.scotiabank.com.mx/colproveedores/menu/entrada.asp*
sites.scotiabank.com.mx/*
inbursamf.inbursa.com/
inbursamf.inbursa.com/*
direct.mcbgroup-ebanking.com/wiblogin/corporate_AuthenticateUserLocalEPF.html*
direct.mcbgroup-ebanking.com/*
direct.mcbgroup-ebanking.com/mcbbonairelogin/corporate_AuthenticateUserLocalEPF.html*
direct.mcbgroup-ebanking.com/*
mcbdirect.mcb-bank.com/business/online*
mcbdirect.mcb-bank.com/*
www.mcb-home.com/online/site001index.itm*
www.mcb-home.com/*
www.cmb-home.com/online/site002index.itm*
www.cmb-home.com/*
cmbdirect.cmbnv.com/business/online*
cmbdirect.cmbnv.com/*
www.wib-home.com/online/site004index.itm*
www.wib-home.com/*
www.mcbb-home.com/online/site003index.itm*
www.mcbb-home.com/*
mcbdirect.mcbbonaire.com/business/online*
mcbdirect.mcbbonaire.com/*
www.scotiaconnect.scotiabank.com/sco-tp/pki/AuthenticateUserRoamingEPF.bns*
www.scotiaconnect.scotiabank.com/*
direct.mcbgroup-ebanking.com/mcblogin/corporate_AuthenticateUserLocalEPF.html*
direct.mcbgroup-ebanking.com/*
direct.mcbgroup-ebanking.com/cmblogin/corporate_AuthenticateUserLocalEPF.html*
direct.mcbgroup-ebanking.com/*
ib.absa.co.za/absa-online/login.jsp*
ib.absa.co.za/*
www.fnb.co.za/
www.fnb.co.za/*
internetbanking.firstcaribbeanbank.com/index.jsp*
internetbanking.firstcaribbeanbank.com/*
jpmpb001.jpmorgan.com/prelogin/index.jsp*
jpmpb001.jpmorgan.com/*
jpmorgan.chase.com/Public/Logon*
jpmorgan.chase.com/*
www.paymentnet.jpmorgan.com/
www.paymentnet.jpmorgan.com/*
www.sg-bdp.pf/
www.sg-bdp.pf/*
www.sogecashnet.ma/smartoffice/index_gb.htm*
www.sogecashnet.ma/*
gg-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
gg-services.credit-suisse.com/*
it-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
it-services.credit-suisse.com/*
www.banorte.com/portal/personas/acceso.web*
www.banorte.com/*
www.bancoinbursa.com/login/useraccessPortatil.asp*
www.bancoinbursa.com/*
ebanking.societegenerale.in/corp/AuthenticationController*
ebanking.societegenerale.in/*
www.interacciones.com/analisis/login.do*
www.interacciones.com/*
subastas.scotiainlatrade.com/SubastasAppWeb/login.jsp*
subastas.scotiainlatrade.com/*
pbusa.directnet.com/dn/c/cls/auth*
pbusa.directnet.com/*
br.credit-suisse.com/sec/login/default.aspx*
br.credit-suisse.com/*
onlinebanking-sg.credit-suisse.com/
onlinebanking-sg.credit-suisse.com/*
www.credit-suisse.com.sg/
www.credit-suisse.com.sg/*
securitiesexpert.credit-suisse.com/cs/eamnet/c/cls/auth*
securitiesexpert.credit-suisse.com/*
mc-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
mc-services.credit-suisse.com/*
es-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
es-services.credit-suisse.com/*
au-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
au-services.credit-suisse.com/*
hk-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
hk-services.credit-suisse.com/*
clientview-mx.credit-suisse.com/pb/mexico/c/cls/auth*
clientview-mx.credit-suisse.com/*
at-directnet.credit-suisse.com/dn/c/cls/auth*
at-directnet.credit-suisse.com/*
fr-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
fr-services.credit-suisse.com/*
gi-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
gi-services.credit-suisse.com/*
lu-directnet.credit-suisse.com/dn/c/cls/auth*
lu-directnet.credit-suisse.com/*
cs.directnet.com/dn/c/cls/auth*
cs.directnet.com/*
www.sft-ebanking.com/siteminderagent/forms/dbloginsft.fcc*
www.sft-ebanking.com/*
secure.internetbanking.firstcaribbeanbank.com/
secure.internetbanking.firstcaribbeanbank.com/*
bancodicaribeonline.com/aua/SIGNON.CFM*
bancodicaribeonline.com/*
bancodicaribeonline.com/sxm/SIGNON.CFM*
bancodicaribeonline.com/*
bancodicaribeonline.com/SIGNON.CFM*
bancodicaribeonline.com/*
spib.wooribank.com/pib/Dream*
spib.wooribank.com/*
spib.wooribank.com/pib/Dream*
spib.wooribank.com/*
obank.kbstar.com/quics*
obank.kbstar.com/*
internetbanking.scu.net.au/mvpscu/SignOn/Login.aspx*
internetbanking.scu.net.au/*
aw.rbcnetbank.com/
aw.rbcnetbank.com/*
bs-services.credit-suisse.com/cs/ibip/frontend/c/cls/auth*
bs-services.credit-suisse.com/*
ebanking-de1.ubs.com/enquiries/controller/*
ebanking-de1.ubs.com/*
www.volkswagenbank.de/PortalLogin/get/Error.aspx/*
www.volkswagenbank.de/*
konto.baaderbank.de/*
konto.baaderbank.de/*
banking.varengold.de/OnlineBankingWebfrontend/banking/common/login.xhtml*
banking.varengold.de/*
sponsor.voya.com/static/sponsor/SponsorLogin.fcc*
sponsor.voya.com/*
nge01.bnymellon.com/NextGenV4/dflt/Login.ing*
nge01.bnymellon.com/*
www.ingdirect.com.au/client/index.aspx*
www.ingdirect.com.au/*
my.statestreet.com/secid-smpwservices.fcc*
my.statestreet.com/*
uksecure.barclayswealth.com/
uksecure.barclayswealth.com/*
live.barcap.com/UAB/S/ecom/logon/1/barxcorporate*
live.barcap.com/*
www.gerrard.com/clientcentre/login.aspx*
www.gerrard.com/*
tdwealth.netxinvestor.com/web/tdwealth/login*
tdwealth.netxinvestor.com/*
clientpoint.fisglobal.com/tdcb/main/UserLogon*
clientpoint.fisglobal.com/*
nettbanken.nordea.no/login*
nettbanken.nordea.no/*
www.e-ambiz.com.my/bon/jsp/common/loginfiles/Login.bon*
www.e-ambiz.com.my/*
girovision.plusgirot.se/
girovision.plusgirot.se/*
www.credit-cooperatif.coop/portail/particuliers/login.do*
www.credit-cooperatif.coop/*
onlinebanking.coutts.com/auth/login*
onlinebanking.coutts.com/*
www.tmbbizdirect.com/
www.tmbbizdirect.com/*
www.ing.be/en/business/Pages/Login.aspx*
www.ing.be/*
www.ing.be/fr/business/pages/login.aspx*
www.ing.be/*
www.ing.be/nl/business/pages/login.aspx*
www.ing.be/*
www.ing.be/de/business/Pages/Login.aspx*
www.ing.be/*
www.ing.be/fr/Retail/Pages/Login.aspx*
www.ing.be/*
www.ing.be/nl/retail/pages/login.aspx*
www.ing.be/*
www.bancorpsouthonline.com/BXS/Login.aspx*
www.bancorpsouthonline.com/*
www.kbc.be/site*
www.kbc.be/*
online.hapoalimusa.com/BHCorporate/core/login.aspx*
online.hapoalimusa.com/*
workbench.bnymellon.com/login.jsp*
workbench.bnymellon.com/*
solo3.nordea.fi/cgi-bin/SOLO0001*
solo3.nordea.fi/*
client.gemoneybank.fr/identification.do*
client.gemoneybank.fr/*
ebanking.fransabank.com/LoginAE.aspx*
ebanking.fransabank.com/*
www.epargne-entreprise.federal-finance.fr/ent/start.swe*
www.epargne-entreprise.federal-finance.fr/*
www.exane.com/
www.exane.com/*
onlinebanking.orcobank.com/orcobankonline/
onlinebanking.orcobank.com/*
www.alliancebizsmart.com.my/business
www.alliancebizsmart.com.my/*
www.publicmutualonline.com.my/
www.publicmutualonline.com.my/*
ebank.publicbank.com.hk/index0028.html*
ebank.publicbank.com.hk/*
www2.pbebank.com/PBL
www2.pbebank.com/*
ambank.amonline.com.my/
ambank.amonline.com.my/*
epayday.e-ambiz.com.my/epayroll/login.do*
epayday.e-ambiz.com.my/*
www.maybank2u.com.my/mbb/m2u/common/M2ULogin.do*
www.maybank2u.com.my/*
www.maybank2e.net/M2E/mbbcustomer/
www.maybank2e.net/*
www.maybank2e.com/SEA/m2e/portal/portal.view*
www.maybank2e.com/*
rib.affinonline.com/rib/pb/logon*
rib.affinonline.com/*
afactorcontact.com/ClientManagerCMA/formulaire.html*
afactorcontact.com/*
cgaoi.c-g-a.fr/ClientManagerOI/formulaire.html*
cgaoi.c-g-a.fr/*
cgaetoile.c-g-a.fr/ClientManagerCDN/formulaire.html*
cgaetoile.c-g-a.fr/*
cgacontact.c-g-a.fr/ClientManagerSG/formulaire.html*
cgacontact.c-g-a.fr/*
cgi-hp.espace-clients.fr/
cgi-hp.espace-clients.fr/*
bourse.cholet-dupont.fr/login.asp*
bourse.cholet-dupont.fr/*
cib.affinonline.com/business/login.html*
cib.affinonline.com/*
www.factocicpartnet.com/factocicWeb*
www.factocicpartnet.com/*
sec.westpac.co.nz/IOLB/Login.jsp*
sec.westpac.co.nz/*
e-cash.alrajhibank.com.my/CashWebAlrajhi/index.jsp*
e-cash.alrajhibank.com.my/*
www.cimb.bizchannel.com.my/corp/common2/login.do*
www.cimb.bizchannel.com.my/*
online-business.tsb.co.uk/business/logon/login.jsp
online-business.tsb.co.uk/*
banking.secure.bnl.it/
banking.secure.bnl.it/*
webbanking.bgl.lu/en/Main.html*
webbanking.bgl.lu/*
entreprises.bnpparibas.net/NSAccess*
entreprises.bnpparibas.net/*
ebanking.procreditbank-kos.com/User/LogOn*
ebanking.procreditbank-kos.com/*
connexis.bnpparibas.com/
connexis.bnpparibas.com/*
webbanking.bgl.lu/fr/Main.html*
webbanking.bgl.lu/*
webbanking.bgl.lu/de/Main.html*
webbanking.bgl.lu/*
webbanking.bgl.lu/nl/Main.html*
webbanking.bgl.lu/*
webbanking.bgl.lu/pt/Main.html*
webbanking.bgl.lu/*
www.co-operativebank.co.nz/InternetBankingSecure/t/iblogin.aspx*
www.co-operativebank.co.nz/*
businessbank.tsbbank.co.nz/BusinessBank/login.jsp*
businessbank.tsbbank.co.nz/*
probank.tsbbank.co.nz/ProBank/login.action*
probank.tsbbank.co.nz/*
ibank.sbs.net.nz/ui/inetbankindex.aspx*
ibank.sbs.net.nz/*
global.kbstar.com/quics*
global.kbstar.com/*
portal.northonline.com.au/WealthNET.PortalClient/DUBLE
portal.northonline.com.au/*
ib.mebank.com.au/auth/ib/login.html*
ib.mebank.com.au/*
ib.tmbank.com.au/ib/SignOn/Login.aspx*
ib.tmbank.com.au/*
online.mystate.com.au/Banking/Personal/
online.mystate.com.au/*
online.mystate.com.au/Banking/Business/
online.mystate.com.au/*
ibanking.bankofmelbourne.com.au/ibank/loginPage.action*
ibanking.bankofmelbourne.com.au/*
www.sbisyd.com.au/eremit/index.php*
www.sbisyd.com.au/*
ribs.rabobank.com.au/RIBSAU/AU*
ribs.rabobank.com.au/*
secure.boqspecialist.com.au/BOQ/BOQSpecialist*
secure.boqspecialist.com.au/*
online.westpac.com.au/esis/Login/SrvPage*
online.westpac.com.au/*
netaccess3.qtmb.com.au/QTMB/NetTeller/login.aspx*
netaccess3.qtmb.com.au/*
www.citibank.com.my/MYGCB/JSO/signon/DisplayUsernameSignon.do*
www.citibank.com.my/*
logon.reflex.rhbbank.com.my/rhbcams/corporate/login.jsp*
logon.reflex.rhbbank.com.my/*
logon.rhb.com.my/
logon.rhb.com.my/*
www.citigold.com.my/MYGCB/JSO/signon/DisplayUsernameSignon.do*
www.citigold.com.my/*
www.benefitaccess.com/cba.html*
www.benefitaccess.com/*
transactgateway.svb.com/siliconvalley/customerlogin.aspx*
transactgateway.svb.com/*
leumionline.leumiusa.com/uniquesiga2fb1806b2b3831412436dd67c0ba0085419e78b8eb462c3cbbdd1d547afe055/uniquesig0
leumionline.leumiusa.com/*
internationalfx.bannerbank.com/servlet/VTDController*
internationalfx.bannerbank.com/*
fxpayments.americanexpress.com/
fxpayments.americanexpress.com/*
www.cashanalyzer.com/
www.cashanalyzer.com/*
accesd.affaires.desjardins.com/en/ada
accesd.affaires.desjardins.com/*
accesd.affaires.desjardins.com/fr/ada
accesd.affaires.desjardins.com/*
www.ml.com/
www.ml.com/*
www.mymerrill.com/ml/home.aspx*
www.mymerrill.com/*
bankinguk.secure.investec.com/login.html*
bankinguk.secure.investec.com/*
secureprivateebanking.nordea.lu/eServices/Login.aspx*
secureprivateebanking.nordea.lu/*
secureprivateebanking.nordea.ch/ESERVICES/Login.aspx*
secureprivateebanking.nordea.ch/*
secureprivateebanking.nordea.sg/eServices/Login.aspx*
secureprivateebanking.nordea.sg/*
ssologin.bnpparibas.com/cib/LoginForm.aspx*
ssologin.bnpparibas.com/*
clientlogin.ibb.ubs.com/login*
clientlogin.ibb.ubs.com/*
uk.hkbea-cyberbanking.com/UCBWeb/Index.action*
uk.hkbea-cyberbanking.com/*
uk.hkbea-cyberbanking.com/UCBCorp/Index.action*
uk.hkbea-cyberbanking.com/*
banking.ing-diba.de/app/login*
banking.ing-diba.de/*
sharinbox.societegenerale.com/login.do*
sharinbox.societegenerale.com/*
secure1.entreprises.bnpparibas.net/sommaire/jsp/identification.jsp*
secure1.entreprises.bnpparibas.net/*
probanking.procreditbank.ba/User/LogOn*
probanking.procreditbank.ba/*
classic.nordea.fi/cgi-bin/SOLO0001*
classic.nordea.fi/*
www.danskebank.fi/fi-fi/Henkiloasiakkaat/Pages/henkiloasiakkaat.aspx*
www.danskebank.fi/*
www.danskebank.fi/fi-fi/yritysasiakkaat/Pages/yritysasiakkaat.aspx*
www.danskebank.fi/*
www.danskebank.fi/sv-fi/Privat/Pages/Privat.aspx*
www.danskebank.fi/*
www.danskebank.fi/sv-fi/Foretag/Medelstora-foretag/Webbtjanster/Pages/Webbtjanster.aspx*
www.danskebank.fi/*
www.danskebank.fi/sv-fi/OmBanken/Ombanken/Pages/Ombanken.aspx*
www.danskebank.fi/*
www.danskebank.fi/en-fi/Personal/Pages/Personal.aspx*
www.danskebank.fi/*
www.danskebank.fi/en-fi/business/Medium-business/Online-services/Pages/Online-services.aspx*
www.danskebank.fi/*
kunde.comdirect.de/lp/wt/login*
kunde.comdirect.de/*
www.corealdirect.de/corealcredit/abaxx-*
www.corealdirect.de/*
casextern.creditplus.de/casextern_prod1/login*
casextern.creditplus.de/*
www.asl.com/c/portal/login*
www.asl.com/*
meine.norisbank.de/
meine.norisbank.de/*
kunden-mkb-bank.de/
kunden-mkb-bank.de/*
ufo.union-investment.de/process*
ufo.union-investment.de/*
www.mercedes-benz-bank.de/intrade/login/login.jsf*
www.mercedes-benz-bank.de/*
banking.oyakankerbank.de/
banking.oyakankerbank.de/*
cfi.mb.seb.se/pqq_portal/sebflow/login*
cfi.mb.seb.se/*
securebank.santander.de/LICCMG_SCB_ENS/BtoChannelDriver.ssobto*
securebank.santander.de/*
wertpapier.hafnerbank.de/
wertpapier.hafnerbank.de/*
www.bankhaus-lampe.de/en/client-portal*
www.bankhaus-lampe.de/*
securebanking.hanseaticbank.de/onlinebanking-hb/loginFormAction.do*
securebanking.hanseaticbank.de/*
meine.sutorbank.de/
meine.sutorbank.de/*
portal.sutorbank.de/
portal.sutorbank.de/*
e-bank.wuestenrot.de/ebanking/eb/index.html*
e-bank.wuestenrot.de/*
abconline.arabbanking.com/abconlinen/login.asp*
abconline.arabbanking.com/*
banking.bankofscotland.de/netbanking/RetailLoginHome.html*
banking.bankofscotland.de/*
ebank.garantibank.nl/scripts/gbide.dll*
ebank.garantibank.nl/*
www.hypotirol.com/at/privatkunden/hypo-online/hypo-online-banking/login.html*
www.hypotirol.com/*
banking.oberbank.de/smartoffice/de/_mcologon*
banking.oberbank.de/*
www.oberbank-banking.at/obk/tiles/start.action*
www.oberbank-banking.at/*
kunde.onvista-bank.de/login.html*
kunde.onvista-bank.de/*
www.accessonline.abnamro.com/fss/open/welcome.do*
www.accessonline.abnamro.com/*
banking.bw-bank.de/
banking.bw-bank.de/*
secure.moneyou.de/thc/policyenforcer/pages/loginB2C.jsf*
secure.moneyou.de/*
ssl2.haspa.de/OnlineFiliale/banking/authenticate/login
ssl2.haspa.de/*
www.bancomernetcash.com/local_pibee/KDPOSolicitarCredenciales_es.html*
www.bancomernetcash.com/*
www.dslbank.de/dienste/partner/login.html*
www.dslbank.de/*
ebanking.denizbank.at/login.aspx*
ebanking.denizbank.at/*
www.provincialnetcash.com/KDPOSolicitarCredenciales_es.html*
www.provincialnetcash.com/*
netredex.grupobbva.com/local_tebe/TEBELogin_bbva_belgica_CAS.html*
netredex.grupobbva.com/*
netredex.grupobbva.com/local_tefr/TEFRLogin_bbva_francia_CAS.html*
netredex.grupobbva.com/*
www.bbvanetcash.com.co/local_pibee/KDPOSolicitarCredenciales_es.html*
www.bbvanetcash.com.co/*
www.francesnetcash.com.ar/local_pibee/KDPOSolicitarCredenciales_es.html*
www.francesnetcash.com.ar/*
www.francesnetcash.com.ar/local_pibee/KDPOSolicitarCredenciales_en.html*
www.francesnetcash.com.ar/*
www.continentalnetcash.com.pe/KDPOSolicitarCredenciales_es.html*
www.continentalnetcash.com.pe/*
www.bbvanetcash.cl/local_pibee/indexPibee.html*
www.bbvanetcash.cl/*
www.bbvanetcash.com/local_kyop/KYOPSolicitarCredenciales.html*
www.bbvanetcash.com/*
ve1.provinet.net/nhvp_ve_web/atpn_es_web_jsp/login.jsp*
ve1.provinet.net/*
www.provincialnetcash.com/KDPOSolicitarCredenciales_en.html*
www.provincialnetcash.com/*
netredex.grupobbva.com/local_tebe/TEBELogin_bbva_belgica_FRA.html*
netredex.grupobbva.com/*
netredex.grupobbva.com/local_tefr/TEFRLogin_bbva_francia_FRA.html*
netredex.grupobbva.com/*
netredex.grupobbva.com/local_telnsp/TELNLogin_bbva_londres_CAS.html*
netredex.grupobbva.com/*
netredex.grupobbva.com/local_teln/TELNLogin_bbva_londres_ING.html*
netredex.grupobbva.com/*
www.bbvanet.com.co/index.html*
www.bbvanet.com.co/*
www.provincial.com/personas/BBVAProvincial.jsp*
www.provincial.com/*
secure.provinet.net/cgi-bin.cgi/bbvanettxtencr.cgi*
secure.provinet.net/*
www.bbvanet.cl/bbvanet/Process*
www.bbvanet.cl/*
www.bbvanet.cl/bbvanet/personas.html*
www.bbvanet.cl/*
privat.bhf-bank.ch/Authentification/GetAuthentificationVersion*
privat.bhf-bank.ch/*
onba.zkb.ch/
onba.zkb.ch/*
www.neuehelvetischebank.ch/e-banking.html*
www.neuehelvetischebank.ch/*
onlinebanking.bankcoop.ch/coopLogin*
onlinebanking.bankcoop.ch/*
www.fibi-online.co.il/web/swisswwwc*
www.fibi-online.co.il/*
online.bankvonroll.ch
online.bankvonroll.ch/*
sobanet.baloise.ch/ibfLogin/*
sobanet.baloise.ch/*
eservice.cembra.ch/
eservice.cembra.ch/*
banking.bekb.ch/ident.html*
banking.bekb.ch/*
www.barclayswealth.ch/Login/fedsso.do*
www.barclayswealth.ch/*
netbanking.sparkasse.at/
netbanking.sparkasse.at/*
online.bankaustria.at/
online.bankaustria.at/*
ebanking.es.rbcis.com/ebancoval/control/login*
ebanking.es.rbcis.com/*
www2.targobank.es/empresasI*
www2.targobank.es/*
www2.targobank.es/particularesI*
www2.targobank.es/*
www.volkswagenbank.es/html/central_empresas.jsp*
www.volkswagenbank.es/*
www.volkswagenbank.es/clientes/central_particular.jsp*
www.volkswagenbank.es/*
clientes.selfbank.es/conexion/
clientes.selfbank.es/*
clientes.selfbank.es/login.phtml*
clientes.selfbank.es/*
bancoonline.openbank.es/servlet/PProxy*
bancoonline.openbank.es/*
bancoonline.openbank.es/servlet/PProxy*
bancoonline.openbank.es/*
www.oney.es/OneyES_PrivateArea/EspacioCliente.aspx*
www.oney.es/*
clientes.uci.es/
clientes.uci.es/*
oi.bankia.es/es/login*
oi.bankia.es/*
ib.swedbank.lv/business*
ib.swedbank.lv/*
factoring.mb.seb.se/nauth3/Authentication/login.jsp*
factoring.mb.seb.se/*
factoring.seb.de/nauth3/Authentication/login.jsp*
factoring.seb.de/*
ib.baltikums.eu/x/login;jsessionid=BB003BE9FD76AAB7C6C99F3D944F7152*
ib.baltikums.eu/*
ib.bib.lv/web/guest*
ib.bib.lv/*
www.norvik.eu/en/intl*
www.norvik.eu/*
www.comercios.cetelem.es/FcControlador.srvl*
www.comercios.cetelem.es/*
oficinaempresas.bankia.es/es/login.html*
oficinaempresas.bankia.es/*
arg3875.andbank.com/olywebAND/IndexSIA.jsp*
arg3875.andbank.com/*
www.bmedonline.es/*
www.bmedonline.es/*
www2.bancopastor.es/particularesBP*
www2.bancopastor.es/*
www2.bancopastor.es/empresasBP*
www2.bancopastor.es/*
telemarch.bancamarch.es/htmlVersion/index.jsp*
telemarch.bancamarch.es/*
internetbanken.forex.se/wps/portal/0087
internetbanken.forex.se/*
www.penser.se/sv/Logga-in/EPnet
www.penser.se/*
www.penser.se/sv/Logga-in/EPoint
www.penser.se/*
online.carnegie.se/Login/Logon
online.carnegie.se/*
nordic.carnegie.se/
nordic.carnegie.se/*
www.expressfaktura.se/*
www.expressfaktura.se/*
banken.amfabank.se/wa/auth*
banken.amfabank.se/*
ibank.humebank.com.au/mvp/signon/login.aspx*
ibank.humebank.com.au/*
mittval.maxm.se/companyservices/
mittval.maxm.se/*
inloggad.volvofinans.se/foretag/inloggning/forenklad.html*
inloggad.volvofinans.se/*
inloggad.volvofinans.se/privat/inloggning/valjInloggning.html*
inloggad.volvofinans.se/*
secure.ekobanken.se/security/login.aspx*
secure.ekobanken.se/*
amsweb.catella.se/catella/login.htm*
amsweb.catella.se/*
portfolioservice.seb.fi/pbfi/Default.aspx*
portfolioservice.seb.fi/*
webapp.sebgroup.com/sec/extranet/inloggning/inloggning.asp*
webapp.sebgroup.com/*
otf.seb.se/
otf.seb.se/*
internetbanken.sparbankenoresund.se/BankIDLogin/sidor/login.aspx*
internetbanken.sparbankenoresund.se/*
www.dnb.se/cim
www.dnb.se/*
e-gbs24.gbsbarlinek.pl/
e-gbs24.gbsbarlinek.pl/*
ebank.bankbps.pl/bpswarszawa_k*
ebank.bankbps.pl/*
ebank.bankbps.pl/bpswroclaw_k*
ebank.bankbps.pl/*
ebank.bankbps.pl/bpsolsztyn_k*
ebank.bankbps.pl/*
ebank.bankbps.pl/bpskatowice_k*
ebank.bankbps.pl/*
ebank.bankbps.pl/bpslublin_k*
ebank.bankbps.pl/*
ebank.bankbps.pl/bpskrakow_k*
ebank.bankbps.pl/*
ebank.bankbps.pl/bpsrzeszow_k*
ebank.bankbps.pl/*
sso.cloud.ideabank.pl/login*
sso.cloud.ideabank.pl/*
www.citibankonline.pl/PLGCB/JPS/portal/SignonLocaleSwitch.do*
www.citibankonline.pl/*
secure.ideabank.pl/
secure.ideabank.pl/*
www.meritumbank.pl/
www.meritumbank.pl/*
secure.resurs.se/butiksredovisning/setlang.do*
secure.resurs.se/*
factoring.resurs.se:81/login.aspx*
factoring.resurs.se:81/*
factoring.resurs.se/login.aspx*
factoring.resurs.se/*
secure.resurs.se/butiksredovisning/login.do*
secure.resurs.se/*
mnet.marginalen.se/
mnet.marginalen.se/*
fakturaservice.marginalen.se/
fakturaservice.marginalen.se/*
secure.resurs.se/internetbank/inlaninglogin_foretag.jsp*
secure.resurs.se/*
www.asnbank.nl/onlinebankieren/secure/loginparticulier.html*
www.asnbank.nl/*
www.megabank.nl/portal/authentication/logonPassword.do*
www.megabank.nl/*
www.megabank.nl/portal/authentication/logonToken.do*
www.megabank.nl/*
www.bngbank.nl/_layouts/15/Authenticate.aspx*
www.bngbank.nl/*
www.btv.bdsonline.nl/
www.btv.bdsonline.nl/*
www.ims.bdsonline.nl/
www.ims.bdsonline.nl/*
www.da.bdsonline.nl/
www.da.bdsonline.nl/*
www.btp.bdsonline.nl/treasury/
www.btp.bdsonline.nl/*
online.atbank.nl/atb-retail/engine
online.atbank.nl/*
online.atbank.nl/atb-corporate/engine
online.atbank.nl/*
login.binck.nl/
login.binck.nl/*
bankieren.rabobank.nl/klanten
bankieren.rabobank.nl/*
sparen.nibcdirect.nl/
sparen.nibcdirect.nl/*
telemacoweb.credem.it/
telemacoweb.credem.it/*
banking.lloydsbank.nl/netbankingnl/RetailLoginHome.html*
banking.lloydsbank.nl/*
bankieren.triodos.nl/ib-seam/login.seam*
bankieren.triodos.nl/*
www.snsbank.nl/mijnsns/secure/login.html*
www.snsbank.nl/*
www.snsbank.nl/mijnsns/secure/loginzakelijk.html*
www.snsbank.nl/*
www.regiobank.nl/internetbankieren/secure/login.html*
www.regiobank.nl/*
www.regiobank.nl/internetbankieren/secure/loginzakelijk.html*
www.regiobank.nl/*
www.vanlanschot.com/ebanking/myportal/FvLnl2*
www.vanlanschot.com/*
auth.aktia.fi/netbank
auth.aktia.fi/*
auth.aktia.fi/tunnistus/UI/Login
auth.aktia.fi/*
auth.aktia.fi/corporatenetbank
auth.aktia.fi/*
www.saastopankki.fi/yritysverkkopankkiin
www.saastopankki.fi/*
pankki.tapiola.fi/service/identify
pankki.tapiola.fi/*
www2.handelsbanken.fi/Tapas/tapas/hb/login
www2.handelsbanken.fi/*
creditors.kaupthing.com/default.aspx*
creditors.kaupthing.com/*
creditors.kaupthing.com/default.aspx*
creditors.kaupthing.com/*
online.s-pankki.fi/service/identify
online.s-pankki.fi/*
swedbank.telehansa.net/thnetfi/thnetfi
swedbank.telehansa.net/*
annit.osuuspankki.fi/oprextranet/default.asp*
annit.osuuspankki.fi/*
www.pohjola.fi/linkki*
www.pohjola.fi/*
www.pohjola.fi/linkki*
www.pohjola.fi/*
www.pohjola.fi/linkki*
www.pohjola.fi/*
www.pohjola.fi/linkki*
www.pohjola.fi/*
www.op-pohjola.fi/yrityspalvelut*
www.op-pohjola.fi/*
kultaraha.op.fi/cgi-bin/krcgi
kultaraha.op.fi/*
auth.aktia.fi/tupas
auth.aktia.fi/*
nettbank.edb.com/edbnettbank
nettbank.edb.com/*
nettbank.edb.com/edbnettbank/*
nettbank.edb.com/*
www.netfonds.no/account/auth.php*
www.netfonds.no/*
secure.skandiabanken.no/Authentication/OtpSms*
secure.skandiabanken.no/*
secure.skandiabanken.no/Authentication/BankIdMobile*
secure.skandiabanken.no/*
secure.skandiabanken.no/Authentication/OtpCodeCard*
secure.skandiabanken.no/*
secure.skandiabanken.no/Authentication/BankIdWebClient*
secure.skandiabanken.no/*
nettbank.seb.no/authenticate/login/selectauth*
nettbank.seb.no/*
bank.storebrand.no/
bank.storebrand.no/*
www.nettkonto.no/
www.nettkonto.no/*
nettbank.remember.no/
nettbank.remember.no/*
www.sbm.no/nettbank-logginn/
www.sbm.no/*
www.banknorwegian.no/Login/BankId
www.banknorwegian.no/*
www.banknorwegian.no/Login/BankIdMobil
www.banknorwegian.no/*
bebank.bpel.net/bpel-web/virty/login.cfm*
bebank.bpel.net/*
www.bancacrasti.it/sito2001/botw/botw_4-5/areavetrina3.asp*
www.bancacrasti.it/*
www.bancacrasti.it/sito2001/botw/botw_4-5/areavetrina4.asp*
www.bancacrasti.it/*
www.bancacrasti.it/sito2001/botw/botw_4-5/areavetrina2.asp*
www.bancacrasti.it/*
www.biverbanca.it/sito2001/botw/botw_4-5/areavetrina4.asp*
www.biverbanca.it/*
www.biverbanca.it/sito2001/botw/botw_4-5/areavetrina2.asp*
www.biverbanca.it/*
www.biverbanca.it/sito2001/botw/botw_4-5/areavetrina3.asp*
www.biverbanca.it/*
app.secservizi.it/CommonApps/shared/vb/tesoweb/loginTesowebGVB.html*
app.secservizi.it/*
www.carife.it/it/accesso-imprese.php*
www.carife.it/*
www.carife.it/it/accesso-privati.php*
www.carife.it/*
www.carife.it/it/accesso-imprese-online.php*
www.carife.it/*
portale.tercas.it/AreaRiservata.aspx*
portale.tercas.it/*
portale.bancacaripe.it/AreaRiservata.aspx*
portale.bancacaripe.it/*
ibbweb.tecmarket.it/tmibbwebsecurity/05034/login.aspx*
ibbweb.tecmarket.it/*
tesoreriaonline.bper.it/tesoreria/index.jsp*
tesoreriaonline.bper.it/*
youwebcard.bancopopolare.it/preLogin.asp*
youwebcard.bancopopolare.it/*
bywebcard.bancopopolare.it/preLogin.asp*
bywebcard.bancopopolare.it/*
www.bpmbanking.it/pub/xbank/home.do*
www.bpmbanking.it/*
webteso.ubibanca.it/tesopen/ente.seam
webteso.ubibanca.it/*
areariservata.bancamarche.it/TesoWeb/TeSeInit*
areariservata.bancamarche.it/*
compasspay.compass.it/puc/enter.html*
compasspay.compass.it/*
secure.bancaifis.it/
secure.bancaifis.it/*
www.suedtirolbank.eu/it/internet-banking-3
www.suedtirolbank.eu/*
www.suedtirolbank.eu/de/internet-banking-3
www.suedtirolbank.eu/*
www.albertinisyzbank.it/ar/wa/albe/rs~albert/inet_cli_arac/home
www.albertinisyzbank.it/*
www.collegiosindacale.bcc.it/
www.collegiosindacale.bcc.it/*
cpe.erste-group.com/
cpe.erste-group.com/*
www.online-kundenservice.at/index.php*
www.online-kundenservice.at/*
www.denzelbank.at/Sparen/Login.aspx*
www.denzelbank.at/*
www.factorbank.com/clients.php*
www.factorbank.com/*
ef3web.factorbank.com/efweb/servlet/efweb.RCServlet*
ef3web.factorbank.com/*
online.gutmann.at/pobapp/LoginForm.aspx*
online.gutmann.at/*
vip.valartis.at/Pages/Login/Login.aspx*
vip.valartis.at/*
newentreprises.interepargne.natixis.com/nie_psd_ee/EC_EE_TRANSV_AUTH_01.action*
newentreprises.interepargne.natixis.com/*
cib.natixis.com/net/*
cib.natixis.com/*
www.novobanco.es/site/cms.aspx*
www.novobanco.es/*
online.popularbancaprivada.es/index.html*
online.popularbancaprivada.es/*
conecta.es.rbcis.com/tafval
conecta.es.rbcis.com/*
nbnet.novobanco.es/
nbnet.novobanco.es/*
conecta.es.rbcis.com/person-online/dologin
conecta.es.rbcis.com/*
www.ing.be/en/retail/pages/login.aspx
www.ing.be/*
www.ing.be/de/retail/Pages/Login.aspx*
www.ing.be/*
www.ingonline.com/cz
www.ingonline.com/*
www.ingonline.com/bg
www.ingonline.com/*
www.ingonline.com/hu
www.ingonline.com/*
www.ingonline.com/pl
www.ingonline.com/*
www.ingonline.com/ro
www.ingonline.com/*
www.ingonline.com/sk
www.ingonline.com/*
secure.ingdirect.fr/public/displayLogin.jsf*
secure.ingdirect.fr/*
esipub.esi-sa.com/INGArchive/Account/Login.aspx*
esipub.esi-sa.com/*
esipub.esi-sa.com/INGArchive/Account/Login.aspx*
esipub.esi-sa.com/*
esipub.esi-sa.com/INGArchive/Account/Login.aspx*
esipub.esi-sa.com/*
banking.ing-diba.de/app/obligo
banking.ing-diba.de/*
secure.ingdirect.it/login.aspx*
secure.ingdirect.it/*
www.ing.lu/web/ING/EN/Personal/Login/index.htm*
www.ing.lu/*
www.ing.lu/ING/FR/Particuliers/Login/index.htm*
www.ing.lu/*
www.ing.lu/web/ING/FR/Personal/Login/index.htm*
www.ing.lu/*
www.ing.lu/web/ING/NL/Particuliers/Login/index.htm*
www.ing.lu/*
mijnzakelijk.ing.nl/
mijnzakelijk.ing.nl/*
mijn.ing.nl/
mijn.ing.nl/*
banking.ing-diba.at/online-banking
banking.ing-diba.at/*
start.ingbusinessonline.pl/ing/do/sms
start.ingbusinessonline.pl/*
solo.nordea.com/nsc/engine*
solo.nordea.com/*
solo.nordea.com/nsc/engine*
solo.nordea.com/*
solo.nordea.com/nsc/engine*
solo.nordea.com/*
solo.nordea.com/nsc/engine*
solo.nordea.com/*
www.netbank.nordea.dk/netbank/index.jsp*
www.netbank.nordea.dk/*
solo1.nordea.fi/nsp/engine
solo1.nordea.fi/*
solo1.nordea.fi/nsp/login
solo1.nordea.fi/*
internetbanken.privat.nordea.se/nsp/login
internetbanken.privat.nordea.se/*
internetbanken.privat.nordea.se/nsp/engine*
internetbanken.privat.nordea.se/*
nb.nordea.no/jlogin/nettbank/login/login
nb.nordea.no/*
www.nordeaim.nordea.com/ImExt/WebportExt.nsf*
www.nordeaim.nordea.com/*
eplusgiro.plusgirot.se/eplusgiro.html*
eplusgiro.plusgirot.se/*
eplusgiro.plusgirot.se/eplusgiro_comp.html*
eplusgiro.plusgirot.se/*
gfs.nb.se/privat/bank/index_foretag.html*
gfs.nb.se/*
girolink.plusgirot.se/
girolink.plusgirot.se/*
www.bcif.fr/Compte/Login.aspx*
www.bcif.fr/*
www.ubibanca.com/Login_utilio
www.ubibanca.com/*
extranet.bpifrance.fr/etresosesame/connexion.do*
extranet.bpifrance.fr/*
basfnet.france.banqueaudi.com/cnet/Arc_NbOrion_html/Banque/Static_BASF/netbank_fr.html*
basfnet.france.banqueaudi.com/*
basfnet.france.banqueaudi.com/cnet/Arc_NbOrion_html/Banque/Static_BASF/netbank_en.html*
basfnet.france.banqueaudi.com/*
www.banque-tahiti.pf/pauth.aspx*
www.banque-tahiti.pf/*
www.mydegroof.fr/
www.mydegroof.fr/*
www4.banquewormser.com/
www4.banquewormser.com/*
esecure.banque-edel.fr/es@b/fr/index.jsp*
esecure.banque-edel.fr/*
www.ct6.e-i.com/wlib_sharedresources/sson/ssonsign/sign_extranet.asp*
www.ct6.e-i.com/*
boursebesv.besv.fr/fr/index.html*
boursebesv.besv.fr/*
clients.banque-fiducial.fr/comptes/fr/index.htm*
clients.banque-fiducial.fr/*
web.procapital.fr/bami/public/form_login.html*
web.procapital.fr/*
web.procapital.fr/bami/public/form_procap_login.html*
web.procapital.fr/*
www.bamibanque.fr/WD110AWP/WD110awp.exe/CONNECT/GESCOMPTE2010
www.bamibanque.fr/*
www.bami.lmpatrimonline.com/bol-sb-web/EP01Action.do*
www.bami.lmpatrimonline.com/*
www.bami.lmpatrimonline.com/bol-sb-web/EC01Action.do*
www.bami.lmpatrimonline.com/*
www.palatine.fr/espace-client-entreprises.html*
www.palatine.fr/*
www.pouyanne.net/
www.pouyanne.net/*
www.palatine.fr/espace-client-entreprises.html*
www.palatine.fr/*
www.portail.banque-solfea.fr/user/login
www.portail.banque-solfea.fr/*
www.bybloseuropeonline.com/finsebanking_enu_europe
www.bybloseuropeonline.com/*
www.byblosonline.com/finsebanking_enu
www.byblosonline.com/*
www.casden.fr/simu/view/accueil.seam
www.casden.fr/*
www.ing.lu/web/ING/DE/Privatpersonen/Einloggen/index.htm*
www.ing.lu/*
www.ingbank.cz/ib/login
www.ingbank.cz/*
www.internationalmoneytransfers.com.au/login/login
www.internationalmoneytransfers.com.au/*
www.bnpparibasfortis.be/private/Start.asp*
www.bnpparibasfortis.be/*
nab.directnet.com/dn/c/cls/auth
nab.directnet.com/*
www.secure.bnpparibas.net/banque/portail/particulier/HomeConnexion*
www.secure.bnpparibas.net/*
www.secure.bnpparibas.net/banque/portail/entrepros/HomeConnexion*
www.secure.bnpparibas.net/*
www.secure.bnpparibas.net/banque/portail/particulier/Fiche*
www.secure.bnpparibas.net/*
ssologin-bp2s.bnpparibas.com/jsp/index.jsp*
ssologin-bp2s.bnpparibas.com/*
factor.bnpparibas.com/factoring/fr/Portail_Connexion.or*
factor.bnpparibas.com/*
personeo.epargne-retraite-entreprises.bnpparibas.com/portal/salarie-bnp/*
personeo.epargne-retraite-entreprises.bnpparibas.com/*
personal.gironet.com/DIBS_GIRO_BANK/pages/loginP.jsp*
personal.gironet.com/*
business.firstcitizensonline.com/cb/pages/jsp-ns/loginfcbsc.jsp*
business.firstcitizensonline.com/*
ibs.medbank.lt/login.aspx*
ibs.medbank.lt/*
business2.danskebank.dk/pub/logon/logon.aspx*
business2.danskebank.dk/*
ebankas.danskebank.lt/ib/site/login*
ebankas.danskebank.lt/*
verkkopankki2.danskebank.fi/pub/logon/logon.aspx*
verkkopankki2.danskebank.fi/*
business2.danskebank.com/pub/logon/logon.aspx*
business2.danskebank.com/*
www.danskebank.no/nb-no/Bedrift/Mellomstore-bedrifter/Nettbank/Pages/Nettbank.aspx*
www.danskebank.no/*
business2.danskebank.no/pub/logon/logon.aspx*
business2.danskebank.no/*
businessonline.huntington.com/BOLHome/BusinessOnlineLogin.aspx*
businessonline.huntington.com/*
banking.postbank.de/rai/login
banking.postbank.de/*
online.akbank.de/onlinebanking/de/Login.html*
online.akbank.de/*
www.colonialfirststate.com.au/firstnet/login.aspx*
www.colonialfirststate.com.au/*
www.colonialfirststate.com.au/FNMaster/masterLoginFrames.asp*
www.colonialfirststate.com.au/*
bizpermonline.newcastlepermanent.com.au/NPBSBusiness
bizpermonline.newcastlepermanent.com.au/*
internetbanking.imb.com.au/IB/personal
internetbanking.imb.com.au/*
www.cardservicesdirect.com.au/AUCRD/JSO/signon/DisplayUsernameSignon.do*
www.cardservicesdirect.com.au/*
banking.beyondbank.com.au/daib/logon/cu5022/logon.asp*
banking.beyondbank.com.au/*
logon.online.anz.com/auth/Logon/CentralLogin.fcc*
logon.online.anz.com/*
sslsecure.maybank.com.sg/cgi-bin/mbs/scripts/mbb_login.jsp*
sslsecure.maybank.com.sg/*
www.bizchannel.cimb.com.sg/corp/common2/login.do*
www.bizchannel.cimb.com.sg/*
www.hongleongonline.com.my/business/index.jsp*
www.hongleongonline.com.my/*
www.mybsn.com.my/mybsn/login/login.do*
www.mybsn.com.my/*
bbmy.ocbc.com/baliweb/59341/site/defaultskin/en_US/html/static/logon_box.htm*
bbmy.ocbc.com/*
webzr.aktivbank.de/webzr/login/ShowLogin.do
webzr.aktivbank.de/*
akp.aab.de/akp/vermoegensstatus/uebersicht.do
akp.aab.de/*
www.baaderbank.de/en/login.html
www.baaderbank.de/*
www.hsbctrinkaus.de/global/display/user*
www.hsbctrinkaus.de/*
portal4.sydbank.dk/wps/bankdata/jsp/html/da/PortalFrame.jsp*
portal4.sydbank.dk/*
www.sydbank.de/Sign/DE/_mcologon*
www.sydbank.de/*
ssl.icoio.de/account
ssl.icoio.de/*
ssl.icoio.de/cash
ssl.icoio.de/*
ssl.icoio.de/realestate
ssl.icoio.de/*
konto.biw-bank.de/onlinebanking-biwvp/login
konto.biw-bank.de/*
banking.bmwbank.de/
banking.bmwbank.de/*
business.memberdirect.net/business/default.jsp*
business.memberdirect.net/*
www.bankdirect.co.nz/
www.bankdirect.co.nz/*
www.hsbc.fr/1/2/hsbc-france/entreprises-institutionnels/connexion
www.hsbc.fr/*
online.asb.co.nz/auth/
online.asb.co.nz/*
fnb.asb.co.nz/SignOn.aspx
fnb.asb.co.nz/*
newentreprises.interepargne.natixis.com/
newentreprises.interepargne.natixis.com/*
entreprises.retraite.assurances.natixis.com
entreprises.retraite.assurances.natixis.com/*
epargnants.interepargne.natixis.fr/def_int_ep/ep/home.do*
epargnants.interepargne.natixis.fr/*
bancaelectronica.evobanco.com/
bancaelectronica.evobanco.com/*
be.abanca.com/
be.abanca.com/*
private.lombardodier.com/login/login.jsp
private.lombardodier.com/*
cs1.credistar.com/p/
cs1.credistar.com/*
www.eurocredito.es/zonaClienteEurocredito/FcControlador.srvl*
www.eurocredito.es/*
caixadirecta.colonya.es/BEWeb/2056/6056/login_identificacion.action
caixadirecta.colonya.es/*
caixadirecta.colonya.es/BEWeb/2056/6056/inicia_identificacion.action*
caixadirecta.colonya.es/*
caixadirecta.colonya.es/BEWeb/2056/6056/inicia_identificacion.action*
caixadirecta.colonya.es/*
ob.cua.com.au/ib/f7bba4b88b84645e0ff8787e159be60d/LoginAuth.action
ob.cua.com.au/*
bcaixanet-empresas.bancocaixageral.es/
bcaixanet-empresas.bancocaixageral.es/*
bcaixanet-particulares.bancocaixageral.es/
bcaixanet-particulares.bancocaixageral.es/*
barclaysnet.barclays.es/accesoBarclaysNet.html
barclaysnet.barclays.es/*
www.bsfincomonline.com/
www.bsfincomonline.com/*
direct.smbc.co.jp/aib/aibgsjsw5001.jsp
direct.smbc.co.jp/*
moj.multibank.pl/
moj.multibank.pl/*
companynet.mbank.pl/mt/
companynet.mbank.pl/*
online.mbank.pl/pl/Login
online.mbank.pl/*
aliorbank.pl/hades/do/Login
aliorbank.pl/*
www.ipko.pl/
www.ipko.pl/*
www.centrum24.pl/centrum24-web/login
www.centrum24.pl/*
www.ubank.com.au/
www.ubank.com.au/*
ib.greater.com.au/OnlineBanking/Login.aspx
ib.greater.com.au/*
ib3.bsp.com.pg/IB/businesslogin.aspx
ib3.bsp.com.pg/*
online.arabbank.com.au/login/abaonline
online.arabbank.com.au/*
ribs.rabobank.co.nz/RIBSNZ/NZ
ribs.rabobank.co.nz/*
online.corp.westpac.co.nz/
online.corp.westpac.co.nz/*
e-biz.smbc.co.jp/core/index.html
e-biz.smbc.co.jp/*
ibiznes24.pl/bzwbk24biznes-client/login.html
ibiznes24.pl/*
www.inwestoronline.pl/cbm/
www.inwestoronline.pl/*
velocity.ocbc.com/login.html
velocity.ocbc.com/*
www.bizsol.anser.ne.jp/0010c/rblgi01/I1RBLGI01-S01.do
www.bizsol.anser.ne.jp/*
fes.rakuten-bank.co.jp/MS/main/RbS*
fes.rakuten-bank.co.jp/*
token.kasbank.com/
token.kasbank.com/*
monitor.kasbank.com/
monitor.kasbank.com/*
attijarinet.attijariwafa.com/entreprise/
attijarinet.attijariwafa.com/*
attijarinet.attijariwafa.com/particulier/
attijarinet.attijariwafa.com/*
attijariconnect.attijariwafa.com/
attijariconnect.attijariwafa.com/*
www.attijarioffshore.com/
www.attijarioffshore.com/*
mijn.gilissen.nl/
mijn.gilissen.nl/*
profnet2.tgservices.nl/
profnet2.tgservices.nl/*
mijn.asrbank.nl/loginpagina.aspx*
mijn.asrbank.nl/*
www.contractmanager.asr.nl/
www.contractmanager.asr.nl/*
banking.dvbbank.com/
banking.dvbbank.com/*
smartcard.kasbank.com/kasweb/
smartcard.kasbank.com/*
nettbank.danskebank.no/html/index.html*
nettbank.danskebank.no/*
www.danskebank.no/nb-no/Privat/Nettbank-og-Mobil/nettbank/support/Pages/support.aspx*
www.danskebank.no/*
multiversa.geartesiabank.nl/MULTIVERSA-IFP/actions/login*
multiversa.geartesiabank.nl/*
mybbsaccounts.bucksbs.co.uk/mlogn01.asp*
mybbsaccounts.bucksbs.co.uk/*
www2.poppankki.fi/VerkkopalvelutWeb/sisaankirjaus/lomake_valinta.jsp*
www2.poppankki.fi/*
www.danskebank.dk/da-dk/Erhverv/Mellem-erhverv/Online-services/Support/Pages/Support.aspx*
www.danskebank.dk/*
www.danskebank.dk/da-dk/Privat/Selvbetjening/Produkter/Letbank/Pages/Log-ind-ji.aspx*
www.danskebank.dk/*
www.danskebank.dk/da-dk/Privat/Selvbetjening/raadgivning/Teknisk-support/Pages/Teknisk-support.aspx*
www.danskebank.dk/*
www.danskebank.dk/da-dk/Erhverv/Mindre-erhverv/Netbank/Support/Pages/Support.aspx*
www.danskebank.dk/*
foton-it.ubs.com/
foton-it.ubs.com/*
www.tesoreria.cassacentrale.it/
www.tesoreria.cassacentrale.it/*
www.tesoreria.dedagroup.it/bcc/
www.tesoreria.dedagroup.it/*
tesoreria.cabel.it/
tesoreria.cabel.it/*
online.crfossano.it/nb/it/index.html*
online.crfossano.it/*
www.chebanca.it/wps/portal/Istituzionale/login*
www.chebanca.it/*
carigeonline.gruppocarige.it/wps8ib/portal*
carigeonline.gruppocarige.it/*
portal.berenberg.de/MULTIVERSA-IFP/faces/login/login.jsf*
portal.berenberg.de/*
my.hsbcprivatebank.com/1/2/*
my.hsbcprivatebank.com/*
www.bancorpsouthinview.web-cashplus.com/Cashplus/
www.bancorpsouthinview.web-cashplus.com/*
singlepoint.usbank.com/cs70_banking/logon/sbuser*
singlepoint.usbank.com/*
banking.smile.co.uk/SmileWeb/start.do*
banking.smile.co.uk/*
bankonline.sboff.com/OFS2/InternetBanking*
bankonline.sboff.com/*
online.alrayanbank.co.uk/online/aspscripts/Logon.asp*
online.alrayanbank.co.uk/*
online.ccbank.co.uk/main.asp*
online.ccbank.co.uk/*
u-2-view.chorleybs.co.uk/mlogn01.asp*
u-2-view.chorleybs.co.uk/*
wealthclient.closebrothers.com/Login*
wealthclient.closebrothers.com/*
www.coventrybuildingsociety.co.uk/onlineservices/login/ols_login.aspx*
www.coventrybuildingsociety.co.uk/*
secure.funds.lloydsbank.com/user/logon.aspx*
secure.funds.lloydsbank.com/*
myaccounts.newbury.co.uk/main.asp*
myaccounts.newbury.co.uk/*
cbforex.citizenscommercialbanking.com/CitizensWebApplication/cbforex/loginScreen*
cbforex.citizenscommercialbanking.com/*
www.bostonprivate.com/index.cfm/page/Online-Banking/pid/10540*
www.bostonprivate.com/*
www.anz.com/personal/
www.anz.com/*
cashproonline.bankofamerica.com/AuthenticationFrameworkWeb/cpo/login/public/loginMain.faces*
cashproonline.bankofamerica.com/*
online.citi/snapshoot/3
online.citi/snapshoot/3
chaseonline.chase.com/snapshoot/1
chaseonline.chase.com/snapshoot/1
client.schwab.com/snapshoot/70
client.schwab.com/snapshoot/70
secure.bankofamerica.com/snapshoot/2
secure.bankofamerica.com/snapshoot/2
www.careerbuilder.co.in/snapshoot/23
www.careerbuilder.co.in/snapshoot/23
oltx.fidelity.com/snapshoot/62
oltx.fidelity.com/snapshoot/62
online.americanexpress.com/snapshoot/25
online.americanexpress.com/snapshoot/25
www.discovercard.com/snapshoot/29
www.discovercard.com/snapshoot/29
www.paypal.com/snapshoot/7
www.paypal.com/snapshoot/7

The following are the server IP addresses where the malware redirects the matched URL requests listed above:

{BLOCKED}.{BLOCKED}.105.117:443
{BLOCKED}.{BLOCKED}.202.99:443

The spyware steals important banking/Bitcoin by injecting malicious codes to webpages accessed by a compromised system with the following URLs:

*/bbw/cmserver/*
*/bbw/dashboard/*
*/bbw/clientPub/*
*/bbw/cmserver/welcome/default/favicon.ico[?]*
*netteller.com/login2008/*
*netteller.com/login2008/Authentication/Views/favicon.ico[?]*
*myvirtualbranch.com*
*myvirtualbranch.com/*/favicon.ico[?]*
*dab-bank.de*
*dab-bank.de/favicon.ico[?]*
*.*/OnlineBankingWebfrontend/banking/common/login.xhtml*
*.*/OnlineBankingWebfrontend/banking/common/favicon.ico[?]*
*bbva.*
*bbva.*/favicon.ico[?]*
*creatis.fr*
*creatis.fr/favicon.ico[?]*
*arvest*.com*
*arvest.com/favicon.ico[?]*
*bancofarnet.bancofar.es*
*bancofarnet.bancofar.es/favicon.ico[?]*
*tapiola*/ebank/auth/*.do*
*alandsbanken*/ebank/auth/*.do*
*alandsbanken*/ebank/auth/favicon.ico[?]*
*tapiola*/ebank/auth/favicon.ico[?]*
*.ch*/auth/login*
*/auth/login?favicon.ico[?]*
*online.bank-abc.com*
*online.bank-abc.com/favicon.ico[?]*
*wwwsec.*.ch*/login*
*.ch_login/favicon.ico[?]*
*umb.com*
*umb.com/favicon.ico[?]*
*efirstbank.com*
*efirstbank.com/favicon.ico[?]*
*/Authentication/Login*
*/Accounts/AccountOverview.asp*
*/Authentication/favicon.ico[?]*
*allianzbanque.fr*
*allianzbanque.fr/favicon.ico[?]*
*.com/SPF/Login/Auth.aspx*
*.com/SPF/Login/favicon.ico[?]*
*lacaixa.es*
*lacaixa.es/favicon.ico[?]*
*authenticate/login/selectauth*
*authenticate/login/selectauth/favicon.ico[?]*
*bv-activebanking.de/*/loginFormAction.*
*/onlinebanking-*/loginFormAction.*
*/onlinebanking-*/favicon.ico[?]*
*banking.*/onlinebanking*/loginFormAction.*
*banking.*/onlinebanking*/favicon.ico[?]*
*konto.*/loginFormAction.*
*konto.*/favicon.ico[?]*
*bv-activebanking.de/*/favicon.ico[?]*
*zionsbank.com*
*zionsbank.com/favicon.ico[?]*
*www.op.fi*
*www.op.fi/favicon.ico[?]*
*/outil/UAUT*
*/outil/UAUT*favicon.ico[?]*
*-banking.at/*/tiles/start.action*
*-banking.at/*/tiles/favicon.ico[?]*
*/isum/Main?ISUM_SCR=login&loginType=accesoSeguro&ISUM_Portal*
*/isum/favicon.ico[?]*
*bbvacontinental.pe*
*bbvacontinental.pe/favicon.ico[?]*
*/EBC_EBC1961/*
*/EBC_EBC1961/favicon.ico[?]*
*espaciojovenuni.com*
*espaciojovenuni.com/favicon.ico[?]*
*/dciweb.htm*?p0=idesai.tht&t=p*
*/dciweb.htm*/favicon.ico[?]*
*activobank.com*
*activobank.com/favicon.ico[?]*
*ediweb.credit-agricole.fr/*/login*.jsp*
*.ediweb.ca-*.fr/*/login*.jsp*
*.ediweb.ca-*.fr/favicon.ico[?]*
*ediweb.credit-agricole.fr/favicon.ico[?]*
*cajasur.es*
*kutxabank.es*
*kutxabank.es/favicon.ico[?]*
*cajasur.es/favicon.ico[?]*
*.ebanking-services.com/*
*.ebanking-services.com/*/favicon.ico[?]*
*bancsabadell.com*
*bancosabadellfr.com*
*bancosabadellfr.com/favicon.ico[?]*
*bancsabadell.com/favicon.ico[?]*
*.de/portal/portal/*
*.de/portal/porta/favicon.ico[?]
*.com/fi*/*/*
*.com/fi*/*/favicon.ico[?]*
*finconsum.es*
*finconsum.es/favicon.ico[?]*
*commerzbank*
*commerzbank.*/favicon.ico[?]*
*ubibanca.com*
*ubibanca.com/favicon.ico[?]*
*pib*.secure-banking.com/*
*pib*.secure-banking.com/*/favicon.ico[?]*
*cic.fr*
*cic.fr/favicon.ico[?]*
*cm-cic-bail.com*
*cm-cic-bail.com/favicon.ico[?]*
*laboralkutxa.com*
*laboralkutxa.com/favicon.ico[?]*
*portalbank.no/wsl/slogin*
*portalbank.no/bsl/do/slogin*
*portalbank.no/bsl/do/slogin/favicon.ico[?]*
*portalbank.no/wsl/slogin/favicon.ico[?]*
*bancaadistancia*es*
*liberbankbancaprivada.es*
*liberbankbancaprivada.es/favicon.ico[?]*
*activa24.ccm.es*
*activa24.ccm.es/favicon.ico[?]*
*bancaadistancia*es/favicon.ico[?]*
*/cgi-bin/hbproxy.exe/*
*/cgi-bin/hbproxy.exe/favicon.ico[?]*
*inbiz.intesasanpaolo.com*
*inbiz.intesasanpaolo.com/favicon.ico[?]*
*engine/login/businesslogin*
*/engine/login/favicon.ico[?]*
*synovus*
*synovus.com/favicon.ico[?]*
*nettbedriften.evry.com/cpsnbg2/cpsnbg2/main?bankid*
*nettbedriften.evry.com/cpsnbg2/cpsnbg2/favicon.ico[?]*
*-g*-enligne.*.fr/stb/entreeBam*
*-g*-enligne.*.fr/stb/favicon.ico[?]*
*verbund*
*verbund/favicon.ico[?]*
*caixaontinyent.es*
*caixaontinyent.es/favicon.ico[?]*
*onlinebank.com/*
*onlinebank.com/favicon.ico[?]*
*bankoaonline.com*
*bankoaonline.com/favicon.ico[?]*
*secure-banking.de/ItrexsWeb/ValidateLogin*
*secure-banking.de/ItrexsWeb/favivon.ico[?]*
*secure.fundsxpress.com/piles/fxweb.pile/*
*secure.fundsxpress.com/piles/favicon.ico[?]*
*/InternetBanking/InternetBanking*
*/InternetBanking/InternetBanking/favicon.ico[?]*
*volkswagenbank.de*
*volkswagenbank.de/favicon.ico[?]*
*/logincenter/login.wf*
*/logincenter/login.wf/favicon.ico[?]*
*/business/j_security_check*
*/business/login/Login.jsp*
*/business/cts_security_precheck*
*/business/*favicon.ico[?]*
*s-pankki*
*s-pankki/favicon.ico[?]*
*cetelem.es*
*cetelem.es/favicon.ico[?]*
https://*.websteronline.com/*
*websteronline.com/favicon.ico[?]*
*be.ceca.es*
*be.ceca.es/favicon.ico[?]*
*banquedelareunion.fr*
*banquedelareunion.fr/favicon.ico[?]*
*consorsbank.de*
*consorsbank.de/favicon.ico[?]*
*bhf-bank.com/w3/*index.*.jsp*
*bhf-bank.com/favicon.ico[?]*
*caja-ingenieros.es*
*caixa-enginyers.com*
*caixa-enginyers.com/favicon.ico[?]*
*caja-ingenieros.es/favicon.ico[?]*
*weinhandl*
*weinhandl/favicon.ico[?]*
*bbvanet.com.co*
*bbvanet.com.co/favicon.ico[?]*
*creditmutuel.fr*
*creditmutuel.fr/favicon.ico[?]*
*bbv.com.ar*
*bbv.com.ar/favicon.ico[?]*
*entreprises*lcl.fr*
*entreprises*lcl.fr/favicon.ico[?]*
*.de/loginStart.do*
*.de/favicon.ico[?]*
*cey-ebanking.com/CLKCCM/*
*cey-ebanking.com/CLKCCM/favicon.ico[?]*
*banque-*.fr*
*tarneaud.fr*
*tarneaud.fr/favicon.ico[?]*
*credit-du-nord.fr*
*credit-du-nord.fr/favicon.ico[?]*
*smc.fr*
*smc.fr/favicon.ico[?]*
*banque-*.fr/favicon.ico[?]*
*bancopopular.es*
*bancopopular.es/favicon.ico[?]*
*uno-e.com*
*uno-e.com/favicon.ico[?]*
*pankki/kirjautuminen*
*pankki/kirjautuminen/favicon.ico[?]*
*barclays.fr*
*barclays.fr/favicon.ico[?]*
*bfsonline.es*
*bfsonline.es/favicon.ico[?]*
*portal.citidirect.com/*/forms/*
*portal.citidirect.com/*/forms/*favicon.ico[?]
*entreprises.natixis.com*
*entreprises.natixis.com/favicon.ico[?]*
*.com/pub/html/login.html*
*.com/pub/html/favicon.ico[?]*
*sparda*.de*
*sparda*.de/favicon.ico[?]*
*wuestenrot*
*wuestenrot/favicon.ico[?]*
*ffb.de*
*ffb.de/favicon.ico[?]*
*unicaja*es*
*unicaja*es/favicon.ico[?]*
*ebanking*/login_auth/login/?*
*/ebankingLogin/login?*
*ebanking*.ch/ebankingLogin/*
*.bsibank.com/bsi_login_auth/login*
*/ebankingLogin/favicon.ico[?]*
*/bsi_login_auth/favicon.ico[?]*
*/login_auth/favicon.ico[?]*
*/appl/ebp/*.html*
*/appl/ebp/favicon.ico[?]*
*bmn.es*
*bmn.es/favicon.ico[?]*
*bankinter.com*
*bankinter.com/favicon.ico[?]*
*/onlineserv/CM*
*/onlineserv/CM/favicon.ico[?]*
*bancomer.com*
*bancomer.com/favicon.ico[?]*
*corporatebankingweb/core/*
*corporatebankingweb/core/favicon.ico[?]*
*palatine.fr*
*palatine.fr/favicon.ico[?]*
*.ibps.*.banquepopulaire.fr*
*.ibps.*.banquepopulaire.fr/favicon.ico[?]*
*banqueprivee1818.com*
*banqueprivee1818.com/favicon.ico[?]*
*cajamar.es*
*cajamar.es/favicon.ico[?]*
*www.evli.com*
*www.evli.com/favicon.ico[?]*
*associatedbank.com*
*associatedbank.com/favicon.ico[?]*
*catalunyacaixa.com*
*catalunyacaixa.com/favicon.ico[?]*
*.blilk.com/Core/Authentication/MFA*
*.blilk.com/Core/Authentication/favicon.ico[?]*
*es@b/fr/codeident.jsp*
*es@b/fr/favicon.ico[?]*
*.icgauth.banquepopulaire.fr*
*.icgauth.banquepopulaire.fr/favicon.ico[?]*
*/wcmfd/*
*/wcmfd/*/favicon.ico[?]*
*www.eq.fi*
*www.eq.fi/favicon.ico[?]*
*commbank.com.au*
*.anz.com*
*ib.nab.com.au/nabib*
*.westpac.com.au/secure/banking/*
*.westpac.com.au/esis/Login/SrvPage*
*stgeorge.com.au/ibank/*
*bankofmelbourne.com.au/ibank/*
*internetbanking.suncorpbank.com.au*
www.careerbuilder.com/share/login.aspx*
www.careerbuilder.co.in/share/login.aspx*
www.careerbuilder.co.in/jobposter/mycb.aspx
www.careerbuilder.com/jobposter/mycb.aspx
www.careerbuilder.com/jobposter/accounts/accountinfo.aspx*
www.careerbuilder.co.in/jobposter/accounts/accountinfo.aspx*
www.bankofamerica.com/
www.bankofamerica.com/[?]*
www.bankofamerica.com/#login/sign-in/entry/signOn.go
www.bankofamerica.com/smallbusiness/
www.bankofamerica.com/login/sign-in/entry/signOn.go*
secure.bankofamerica.com/login/sign-in/signOnScreen.go*
secure.bankofamerica.com/login/sign-in/validateChallengeAnswer.go*
secure.bankofamerica.com/login/languageToggle.go*
secure.bankofamerica.com/login/sign-in/signOn.go*
secure.bankofamerica.com/login/sign-in/displayAuthCodeScreen.go*
www.bankofamerica.com/sitemap/hub/signin.go*
secure.bankofamerica.com/login/sign-in/internal/entry/signOn.go*
secure.bankofamerica.com/login/sign-in/entry/signOn.go*
secure.bankofamerica.com/login/sign-in/entry/signOnV2.go*
secure.bankofamerica.com/login/sign-in/internal/entry/signOnV2.go*
www.bankofamerica.com/onlinebanking/online-banking.go*
secure.bankofamerica.com/login/sign-in/signOnV2Screen.go*
www.bankofamerica.com/homepage/overview.go*
secure.bankofamerica.com/myaccounts/signin/signIn.go*
secure.bankofamerica.com/customer/manageContacts/view-profile.go*
online.citi*.com/??/JSO/signon/LocaleUsernameSignon.do*
online.citi*.com/??/JSO/signon/uname/Next.do*
online.citi*.com/??/JPS/portal/Index.do*
www.citi*.com/credit-cards/creditcards/CitiHome.do*
www.accountonline.citi*.com/cards/svc/LoginIntNext.do*
online.citi*.com/??/JSO/signon/uname/HomePageCinless.do*
online.citi*.com/??/JSO/signon/VIPLocaleUsernameSignon.do*
online.citi*.com/??/JPS/portal/LocaleSwitch.do*
online.citi*.com/??/JSO/signon/CBOLSessionRecovery.do
online.citi*.com/??/JPS/portal/Home.do*
online.citi*.com/??/CBOL/ain/dashboard/flow.action*
online.citi*.com/??/CBOL/ain/cardasboa/flow.action*
online.citi*.com/US/JRS/contactinfo/initialiseContactInfo.do*
www.wellsfargo.com/
www.wellsfargo.com/biz*
online.wellsfargo.com/signon*
online.wellsfargo.com/das/signon*
online.wellsfargo.com/login*
connect.secure.wellsfargo.com/auth/login/present*
online.wellsfargo.com/das/channel/accountSummary*
online.wellsfargo.com/das/cgi-bin/session.cgi?screenid=SIGNON_PORTAL_PAUSE
server*.cey-ebanking.com/CLKPCB/*/login.asp*
*/ISuite5/Features/Auth/MFA/Default.aspx*
*/ISuite5/Features/Auth/MFA/Login/MFALoginEnrolledPassword.aspx*
*/ISuite5/Features/Auth/MFA/IFrameLoginMFA.aspx*
*/ISuite5/Features/Auth/MFA/iFrameLoginMFABrandableSingleLine.aspx*
*/ISuite5/Features/Auth/MFA/Login/MFALoginChallengeUser.aspx*
*/ISuite5/Features/LandingPage.aspx*
/ISuite5/Features/Preferences/MFA/MFASecuritySettings.aspx
www.paypal.com/
www.paypal.com
www.paypal.com/home
www.paypal.com/??/home
www.paypal.com/webapps/mpp/home*
www.paypal.com/??/webapps/mpp/home*
www.paypal.com/webapps/mpp/merchant
www.paypal.com/??/webapps/mpp/merchant
www.paypal.com/signin*
www.paypal.com/login*
www.paypal.com/*cgi-bin/webscr?cmd=*flow*
www.paypal.com/*cgi-bin/webscr?token*
www.paypal.com/*cgi-bin/webscr?cmd=*express-checkout*
www.paypal.com/*cgi-bin/webscr?cmd=*login-run*
www.paypal.com/*cgi-bin/webscr?cmd=*login-submit*
www.paypal.com/*cgi-bin/webscr?cmd=*contact-general*
www.paypal.com/*cgi-bin/webscr?cmd=*run-check-cookie*
www.paypal.com/*cgi-bin/webscr?cmd=*login-processing*
www.paypal.com/*cgi-bin/webscr?cmd=*account-refund*
www.paypal.com/auth/validatecaptcha
www.paypal.com/myaccount/
www.paypal.com/myaccount/[?]*
www.paypal.com/myaccount/home
www.paypal.com/businessexp/money*
www.paypal.com/businessexp/summary*
www.paypal.com/webapps/business/
www.paypal.com/webapps/business/moneyBasic
www.paypal.com/webapps/customerprofile/summary.view
www.paypal.com/myaccount/settings
www.paypal.com/myaccount/activity
*/LoginAdv.aspx?qs=*
*/SignOn.aspx?qs=*
*/PassMarkRecognizedAdv.aspx?qs=*
business.santander.co.uk/LGSBBI_NS_ENS/BtoChannelDriver.ssobto*
business.santander.co.uk/LGSBBI_NS_ENS*/ChannelDriver.ssobto*
business.santander.co.uk/SBBI_Accounts_ENS/BtoChannelDriver.ssobto?*dse_operationName=MyAccounts*
business.santander.co.uk/SBBI_ServiceRequest_ENS/BtoChannelDriver.ssobto?dse_encryptData=*dse_operationName=ChangeContactDetails
onlinebanking.nationwide.co.uk/AccessManagement/Login
onlinebanking.nationwide.co.uk/AccountList
onlinebanking.nationwide.co.uk/CustomerIB/ViewAndMaintainCustomerDetails/Index
www.nwolb.com/login.aspx*
www.nwolb.com/AccountSummary2.aspx
www.nwolb.com/ChangeSettingsLandingPageA.aspx
www.ulsterbankanytimebanking.ie/login.aspx*
www.ulsterbankanytimebanking.ie/AccountSummary2.aspx*
www.ulsterbankanytimebanking.ie/ChangeSettingsLandingPageA.aspx
www.rbsdigital.com/login.aspx*
www.rbsdigital.com/AccountSummary2.aspx*
www.rbsdigital.com/ChangeSettingsLandingPageA.aspx
www.tescobank.com/sss/auth
online.bankofscotland.co.uk/personal/logon/login.jsp*
secure.bankofscotland.co.uk/personal/a/account_overview_personal/
secure.bankofscotland.co.uk/personal/a/your_personal_details/
www.halifax-online.co.uk/personal/logon/login.jsp*
secure.halifax-online.co.uk/personal/a/account_overview_personal/
secure.halifax-online.co.uk/personal/a/your_personal_details/
online.lloydsbank.co.uk/personal/logon/login.jsp*
secure.lloydsbank.co.uk/personal/a/account_overview_personal/
secure.lloydsbank.co.uk/personal/a/your_personal_details/
corporate.santander.co.uk/LOGSCU_NS_ENS/BtoChannelDriver.bto*
corporate.santander.co.uk/LOGSUK_NS_ENS/ChannelDriver.ssobto*
business.santander.co.uk/SBBI_Accounts_ENS/BtoChannelDriver.ssobto?*dse_operationName=MyAccounts*
retail.santander.co.uk/LOGSUK_NS_ENS/BtoChannelDriver.ssobto*
retail.santander.co.uk/LOGSUK_NS_ENS/ChannelDriver.ssobto*
retail.santander.co.uk/EBAN_Accounts_ENS/channel.ssobto*
retail.santander.co.uk/EBAN_ServiceRequest_ENS/BtoChannelDriver.ssobto?dse_encryptData=*&dse_operationName=ChangeContactDetails
online.tsb.co.uk/personal/logon/login.jsp*
secure.tsb.co.uk/personal/a/account_overview_personal/
secure.tsb.co.uk/personal/a/your_personal_details/
*/hbnet/app*
*/ebranch/login/login.aspx*
*/hbnet/login/login.aspx*
*/hbnet/accountinfo/balances.aspx?*
www.scotiaconnect.scotiabank.com/sco-tp/pki/AuthenticateUserInputRoamingEPF.jsp
www.americanexpress.com/
www.americanexpress.com/[?]*
online.americanexpress.com/myca/logon/us/action/LogonHandler*
online.americanexpress.com/myca/logon/us/action/LogLogonHandler*
online.americanexpress.com/myca/accountsummary/??/accounthome*
online.americanexpress.com/myca/acctmgmt/??/myaccountsummary.do*
global.americanexpress.com/myca/intl/isummary/??/summary.do*
online.americanexpress.com/myca/tasdsgn/??/action*
online.americanexpress.com/myca/accountprofile/us/view.do?request_type=authreg_home&source=inav&sorted_index=0&inav=MYCA_PC_Profile_Preference2
mycardholderservicing.com/
mycardholderservicing.com/[?]*
mycardholderservicing.com/Login.do*
mycardholderservicing.com/ProcessLogin.do*
*card-data.com/RegionsCardManagementSystem/Security/Login.aspx
*card-data.com/ComericaCardManagementSystem/Security/Login.aspx
*card-data.com/CardManagementSystem/Security/Login.aspx*
login.careerone.com.au/Login/SignIn*
advertisers.careerone.com.au/login.aspx*
*/_mcologon*
*/session.lyo*
btultra.btrl.ro/signm/036PRS.lyo*
e-bcr.bcr.ro/smartofficemobile/999XIT.lyo*
banking.oberbank.de/smartoffice/de/logon.htm
www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsRouting
www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginRouting
www.barclayswealth.com/login/action/logon/unauthenticated/corporate/loginSigningGemplus
www.barclayswealth.com/login/action/logon/unauthenticated/personal/loginDetailsRouting
uksecure.barclayswealth.com/
uksecure.barclayswealth.com/UAB/S/bwl_logon*
www.barclayswealth.ch/Login/fedsso.do*
www.barclayswealth.mc/Login/fedsso.do*
www.boi-bol.com/newHome.jsp
globalpay.westernunion.com/GlobalPay/Login.aspx*
auth.globalpay.westernunion.com/Sso/Login.aspx*
online.bulbank.bg/page/default.aspx
online.bulbank.bg/page/[?]*
companynet.mbank.pl/mt/fragments/cua/login.jsp*
certificat.banques.exalog.net/authent.php*
www.mojebanka.cz/InternetBanking/
pro.skb.net/
pro.skb.net/prijava/
pro.skb.net/MOI/moigw.dll/CMOI
www.skb.net/
www.skb.net/Default.aspx
www.discover.com/
www.discover.com/[?]*
www.discovercard.com/cardmembersvcs/loginlogout/app/signin*
www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main*
www.discoverbank.com/bankac/loginreg/login*
www.discover.com/online-banking/
www.discover.com/online-banking/[?]*
www.discoverbank.com/bankac/loginreg/submitlogin
www.discovercard.com/cardmembersvcs/loginlogout/app/ac_main*
www.discovercard.com/cardmembersvcs/achome/homepage*
www.discovercard.com/cardmembersvcs/personalprofile/pp/MyProfilePage*
secure.fiacardservices.com/login/trans/cc/sign-in/entry/signOnScreen.go*
secure.fiabusinesscard.com/login/transsignin/entry/signOnScreen.go*
www.hawaiianbohcard.com/servicing/
www.hawaiianbohcard.com/servicing/[?]*
www.hawaiianbohcard.com/servicing/login*
www.bohcreditcard.com/servicing/
www.bohcreditcard.com/servicing/[?]*
www.bohcreditcard.com/servicing/login*
www.bbtcreditcardconnection.com/
www.bbtcreditcardconnection.com/[?]*
www.bbtcreditcardconnection.com/Login.aspx*
www.bbtcreditcardconnection.com/MFAUnrecognized.aspx*
securebanking.ally.com/
www.us.hsbc.com/1/2/home/personal-banking
www.us.hsbc.com/1/2/3/personal/online-services/personal-internet-banking/view-accounts/view-accounts-post-registration-email
www.security.us.hsbc.com/gsa/SaaS30Resource/
www.us.hsbcprivatebank.com/1/2/!ut/p/c5/04_SB8K8xLLM9MSSzPy8xBz9CP0os3gTR1d3dwN3A293C09TA0dvz7BQR5dgI4NgI6B8JG55CzNidDu7O3qYmPsYGBiEeboaeJo4mRiY*
www.santanderbank.com/us/
www.santanderbank.com/us/personal*
www.santanderbank.com/us/business*
rolb.santanderbank.com/LOGSVG_NS_ENS/BtoChannelDriver.ssobto*
rolb.santanderbank.com/LOGSVG_NS_ENS/ChannelDriver.ssobto*
rolb.santanderbank.com/FORPAS_ENS/ChannelDriver.bto*
drob.santanderbank.com/cscobgss/Satellite*
bob.santanderbank.com/LGSVBS_NS_ENS/ChannelDriver.ssobto
www.frostbank.com/pages/default.aspx
www.frostbank.com/cgi-bin/ecomm/portal/signin/enterusername.do*
www.frostbank.com/cgi-bin/ecomm/portal/myfrostnew/signin/challenge.jsp*
www.hancockbank.com/
secure.hancockbank.com/online/Hancock/Consumer/login.asp*
secure.hancockbank.com/online/Hancock/business/login.asp*
www.svbconnect.com/auth
www.capitalone.com/
login1.capitalone.com/loginweb/login/login.do
login1.capitalone.com/loginweb/login/invalidCredential.do
www.capitaloneonline.co.uk/CapitalOne_Consumer/Login.do
banking.capitalone.com/
banking.capitalone.com/[?]*
secure.capitalone360.com/myaccount/banking/login.vm
secure.capitalone360.com/myaccount/banking/security_questions.vm
nohasslerewards.capitalone.com/login.aspx
www.capitalonecardservice.ca/ecare/loginform*
www.capitalonecardservice.ca/ecare/accountoverview*
coi.netxinvestor.com/web/coi/login*
login1.capitalone.com/loginweb/login/loginMFA.do*
sgcib.pl/ib/Default.aspx*
www.sgcb.nc/part/??/dciweb.htm*
sogecashnet.sgeb.bg/smartoffice/
entreprises.societegenerale.fr/
entreprises.bnpparibas.net/NSAccess
www.scotiaconnect.scotiabank.com/sco-tp/pki/AuthenticateUserRoamingEPF.bns
www.fidelity.com/
login.fidelity.com/ftgw/Fas/Fidelity/RtlCust/Login/Init*
login.fidelity.com/ftgw/Fas/Fidelity/RtlCust/Login/Response*
login.fidelity.com/ftgw/Fas/Fidelity/RtlCust/Refresh/Init*
www.fidelity.com/lpp/homepage-a*
www.fidelity.com/login/accountposition
login.fidelity.com/ftgw/Fidelity/NBPart/Login/Init
login.fidelity.com/ftgw/Fas/Fidelity/FIISCust/Login/Response
www.fidelity.com/login/portfolio*
oltx.fidelity.com/ftgw/fbc/ofaccounts/BrokerageBalances*
scs.fidelity.com/accounts/services/content/norelationship.shtml*
advisor.fidelity.com/app/account/list*
oltx.fidelity.com/ftgw/fbc/oftop/portfolio*
workplaceservices200.fidelity.com/mybenefits/navstation/navigation
accountmaint.fidelity.com/ftgw/Profile/action/profile?hint=coainq
fps.fidelity.com/ftgw/Fps/Fidelity/RSAAnalyzeChallengeRetail/Maintain/Init
oltx.fidelity.com/ftgw/fbc/ofpositions/snippet/portfolioPositions
oltx.fidelity.com/ftgw/fbc/oftop2/cashmgmtAllAcct?ACCOUNT=&CREDIT_CARD=
accountsetup.fidelity.com/ftgw/bene/maint/summary
sso.verizonenterprise.com/amserver/sso/login.go*
mblogin.verizonwireless.com/amserver/UI/Login
enterprisecenter.verizon.com/
mblogin.verizonwireless.com/amserver/loginflow/main
wireless.att.com/business
wireless.att.com/business/index.jsp*
www.wireless.att.com/business/
www.wireless.att.com/business/index.jsp*
smb.att.com/olam/loginAction.olamexecute*
www.businessdirect.att.com/portal/smallbusiness/index.jsp*
www.businessdirect.att.com/portal/*
www.sprint.com/mysprint/pages/sl/global/login.jsp*
sendgrid.com/login
www.dotmailer.com/login/*
accounts.logme.in/login.aspx*
login.salesforce.com/
www.schwab.com/
client.schwab.com/Login/SignOn/CustomerCenterLogin.aspx*
client.schwab.com/secure/cc/accounts/summary
client.schwab.com/Accounts/Summary/Summary.aspx*
client.schwab.com/Service/MyProfile/MailingAddress.aspx
client.schwab.com/Accounts/BrokerageBalances/BrokerageBalances.aspx
client.schwab.com/secure/cc/service/my_profile/emailaddress
client.schwab.com/secure/cc/accounts/history
client.schwab.com/secure/cc/accounts/positions
wdlsslc.idsfulfillment.com/wdlsweb*
idsnet.teamidslogistics.com/wdlsweb*
secure-wms.com/PresentationTier/LoginForm.aspx*
app.shipwire.com/sign-in*
fcp.efulfillmentservice.com/index.php*
login.webgistix.com/
www.shopify.com/login
my.fulfillrite.com/portal/Account/Login.aspx*
www.speedcommerce.com/*
speedorder.speedfc.com/admin/
www.capacityllc.com/*html
www.capacityllc.com/
www.sprocketexpress.com/portal/login.php
ec.synnex.com/ecexpress/newWelcome.do
ec.synnex.com/ecexpress/login.html*
www.synnex.ca/eng/ecexpress/index.shtml
onlinebanking.usbank.com/Auth/Login
onlinebanking.usbank.com/Auth/Login/Login
onlinebanking.usbank.com/Auth/Login/StepUpCheck
www.usbank.com/index.html*
www.usbank.com/small-business/index.html*
access.usbank.com/cpsApp1/AxolPreAuthServlet*
singlepoint.usbank.com/cs70_banking/logon/sbuser*
m.singlepoint.usbank.com/spt_mobile_web/sbb/logon*
app.atcostfulfillment.com/
app.atcostfulfillment.com/home
www.nfsrv.com/
www.nfsrv.com/*html
web.nfsrv.com/nfsportal/login*
access.alivefulfillment.com/*
secure.aerofulfillment.com/efulfillment/login.aspx*
www.badgergraphics.com/
www.badgergraphics.com/about-us
www.badgergraphics.com/contact-us
www.badgergraphics.com/blog
www.badgergraphics.com/creative-design
www.badgergraphics.com/commercial-digital-print
www.badgergraphics.com/direct-mail
www.badgergraphics.com/promotional-products
www.badgergraphics.com/signage
www.badgergraphics.com/corporate-apparel
www.badgergraphics.com/on-demand-orders
www.badgergraphics.com/warehousing-fulfillment
www.badgergraphics.com/e-commerce
www.four51.com/ui/logon.aspx
accentbranding.com/about-us/customer-login*
qnet.e-quantum2k.com/~accent/cgi-bin/entry.cgi
fmw.ferbermidwest.com/cw/*
fmw.ferbermidwest.com/fmw/*
inventory.landiscowhse.com/
li.ironmountain.com/KeystoneSTS/Saml2/Login.aspx*
www.fsifulfillment.com/fsienterprise/Account/Login*
www.otterbox.com/
www.otterbox.com/en-us/source
www.otterbox.com/en-us/account-login
www.bluepoint.net/users/login.php
secure*.store.apple.com/us/sign_in*
www.anyware.com.au/customer/account/login/*
leadersystems.com.au/
leadersystems.com.au/Account/Logon
www.bluechipit.com.au/
www.bluechipit.com.au/customer/account/login/*
www.swfulfillment.com/sfc/Login.asp
elink.echodata.com/default.asp
elink.echodata.com/*asp
www.chase.com/
www.chase.com/business-banking*
www.chase.com/mortgage*
www.chase.com/checking*
www.chase.com/online-banking*
www.chase.com/mobile-banking*
www.chase.com/savings*
www.chase.com/personal-banking*
www.chase.com/private-client*
www.chase.com/home-equity*
www.chase.com/commercial-bank*
chaseonline.chase.com/Logon.aspx*
chaseonline.chase.com/
www.chase.com/student-loans*
www.chase.com/investments*
www.chase.com/credit-cards*
www.chase.com/resources*
www.chase.com/online/private_client*
www.chase.com/content/chasecom/en/credit-cards/rtbl/verify-credit-card
www.chase.com/espanol*
www.chase.com/online/Credit-Cards/disney.htm
chaseonline.chase.com/MyAccounts.aspx
chaseonline.chase.com/secure/Profile/UpdateContactInfo/UpdateContact.aspx
www.tdcardservices.com/TD_Consumer/Login.do*
www.tdcardservices.com/TD_Consumer/ProcessLogin.do*
us-new.ingrammicro.com/_layouts/CommerceServer/IM/Login.aspx*
www.icloud.com/
*/tob/live/usp-core/app/initialLogin
*/tob/live/usp-core/app/login/consumer
*/onlineserv/HB/Signon.cgi*
*/onlineserv/HB/signon.cgi*

The following are the server IP addresses responsible for injecting malicious codes for matched URLs listed above:

http://{BLOCKED}.{BLOCKED}.190.253/redirect.php
http://{BLOCKED}.{BLOCKED}.190.253/second.php
{BLOCKED}.{BLOCKED}.202.99:443/login/{Value}
{BLOCKED}.{BLOCKED}.202.99:443/getq/{Value}
{BLOCKED}.{BLOCKED}.202.99:443/rcrd/{Value}
{BLOCKED}.{BLOCKED}.202.99:443/account/{Value}
{BLOCKED}.{BLOCKED}.202.99:443/info/{Value}

It sends the following GET request:

/1809uk77/{Computer Name}_{OS Platform}.{BOT ID}/{Value}/{Data/Variable}/103.5.6.243/

It sends a POST request to send stolen information from the injection.

SOLUTION

Minimum Scan Engine: 9.750

FIRST VSAPI PATTERN FILE: 11.928.05

FIRST VSAPI PATTERN DATE: 19 Sep 2015

VSAPI OPR PATTERN File: 11.929.00

VSAPI OPR PATTERN Date: 20 Sep 2015

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Restart in Safe Mode

[ Learn More ]

Step 4

Search and delete these files

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%System%\config\systemprofile\Application Data\{random filename} (for Windows XP and below)
%AppDataLocal%\{random filename} (for Windows Vista and above)

Step 5

Restore this modified registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From: LimitBlankPasswordUse = "0"
  To: LimitBlankPasswordUse = 1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
- From: fDenyTSConnections = "0"
  To: fDenyTSConnections = 1
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
- From: fSingleSessionPerUser = "0"
  To: fSingleSessionPerUser = 1

Step 6

Delete the Scheduled Tasks added by this malware/grayware

[ Learn More ]

To delete the added Scheduled Task file:

For Windows 2000, Windows XP, and Windows Server 2003:

Open the Windows Scheduled Tasks. To do this, click Start>Programs>Accessories>System Tools>Scheduled Tasks.
Double-click on a .JOB file.
Check if the malware path and file name exists in the .JOB file. To do this, check the value in the Run field.
If found, select the .JOB file then press SHIFT+DELETE to permanently delete the file.
Repeat the steps above for the remaining .JOB files.

For Windows Vista, Windows 7, Windows Server 2008, Windows 8, Windows 8.1, and Windows Server 2012:

Open the Windows Task Scheduler. To do this:
• On Windows Vista, Windows 7, and Windows Server 2008, click Start, type taskschd.msc in the Search input field, then press Enter.
• On Windows 8, Windows 8.1, and Windows Server 2012, right-click on the lower left corner of the screen, click Run, type taskschd.msc, then press Enter.
In the left panel of the Task Scheduler Window, click Task Scheduler Library.
In the upper-middle panel, click a Task.
In the lower middle panel, click the Actions tab
Check if the malware path and file name exists in the task. To do this, check the value in the Details column under the Actions tab.
If found, select the task and press DELETE and click Yes to delete the task.
Repeat the steps above for the remaining tasks.

Step 7

Scan your computer with your Trend Micro product to delete files detected as TSPY_DYRE.YYSNZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restart in normal mode and scan your computer with your Trend Micro product for files detected as TSPY_DYRE.YYSNZ. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Did this description help? Tell us how we did.