Tesco is one of the biggest general merchandise retailers operating worldwide. For several years Tesco has also offered phone and bank services.
Tesco Bank is one of the targets of cyber criminals interested in capturing home banking and credit card data.
On the Net we mainly find one phishing kit. It is composed of 2 folders called tesav/ and tescr/, both containing about a hundred HTML files, all identical, and different PHP files, as shown in the pictures below.
files in tesav/ directory
files in tescr/ directory
The two directories show visitors phishing pages that use two different templates:
dir tesav template
dir tesav/ step 1
dir tesav/ step 2
dir tesav/ step 3
dir tescr template
dir tescr/ step 1
dir tescr/ step 2
dir tescr/ step 3
dir tescr/ structure
In both cases the cyber criminals ask for account access data and personal data, but only the pages in the tescr/ directory ask for credit card data. In all cases, after submitting the data on the third page, visitors are sent back to the trusted Tesco Bank web site.
D3Lab started monitoring phishing against Tesco Bank users at the beginning of last August, identifying 58 different kit installations. If each kit presents 200 HTML pages, the phisher may count on 11600 different fraud URLs.
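Because a single installation can surface as hundreds of distinct URLs, a reported-URL feed is easier to triage once it is collapsed to one entry per installation. The following is an added example, not D3Lab's tooling: it groups URLs by host and by the path in front of the tesav/ or tescr/ folder. The function names and the sample feed (example.test hosts, page names) are constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

KIT_DIRS = {"tesav", "tescr"}  # folder names reported for this kit


def split_kit_url(url):
    """Return (host, base_path, kit_dir, page), or None if no kit folder is in the path."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    segments = [s for s in parts.path.split("/") if s]
    for i, seg in enumerate(segments):
        if seg.lower() in KIT_DIRS:
            base = "/" + "/".join(segments[:i])   # where the kit was unpacked
            page = "/".join(segments[i + 1:])     # query string is ignored
            return host, base, seg.lower(), page
    return None


def group_installations(urls):
    """Map (host, base_path) -> {kit_dir: set of distinct pages seen}."""
    installs = defaultdict(lambda: defaultdict(set))
    for url in urls:
        hit = split_kit_url(url)
        if hit is None or not hit[0]:
            continue  # not a kit URL, or no usable host
        host, base, kit_dir, page = hit
        installs[(host, base)][kit_dir].add(page)
    return {key: dict(dirs) for key, dirs in installs.items()}


# Constructed sample feed (hosts and page names are made up).
SAMPLE_FEED = [
    "http://shop.example.test/wp-content/tesav/a1.html",
    "http://shop.example.test/wp-content/tesav/a2.html?x=1",
    "http://SHOP.example.test/wp-content/tescr/b1.html",
    "http://blog.example.test/tescr/c9.html",
    "http://blog.example.test/tescr/c9.html",
    "http://news.example.test/about/index.html",
]

if __name__ == "__main__":
    for (host, base), dirs in sorted(group_installations(SAMPLE_FEED).items()):
        pages = sum(len(p) for p in dirs.values())
        print(f"{host}{base}: folders={sorted(dirs)} distinct_pages={pages}")
```

One takedown or blocklist entry per (host, base path) pair then covers every page of that installation.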
Analysing the phishing kit, it is possible to determine that the stolen credentials are sent via email to the criminals.
D3Lab identified ten different email addresses (gmail.com, aol.co.uk, hotmail.co.uk, bluemail.com, mail.mn) used by the criminals, who could be operating in at least two or three different teams.
Luckily Tesco Bank seems to be very attentive to the online fraud problem: on its web site it presents several pages about phishing, fraud and what to do in case they occur.
Update 2016/11/08 (three years later):
phishing against Tesco Bank users, D3Lab monitoring