Tesco Bank phishing


Tesco is one of the biggest general merchandise retailers operating worldwide. For several years Tesco has also offered phone and bank services.

Tesco Bank is one of the targets of cyber criminals interested in capturing home banking and credit card data.

On the Net we mainly find one phishing kit. It is composed of 2 folders called tesav/ and tescr/, each containing about a hundred HTML files, all identical, and different PHP files, as shown in the pictures below.

the two directories in the kit

files in tesav/ directory

files in tescr/ directory

The two directories show visitors phishing pages that use two different templates:

dir tesav template

dir tesav/ step 1

dir tesav/ step 2

dir tesav/ step 3

dir tescr template

dir tescr/ step 1

dir tescr/ step 2

dir tescr/ step 3

dir tescr/ structure

In both cases the cyber criminals ask for account access data and personal data, but only the pages in the tescr/ directory ask for credit card data. In all cases, after submitting data on the third page, visitors are sent back to the trusted Tesco Bank web site.

D3Lab started monitoring phishing against Tesco Bank users at the beginning of last August, identifying 58 different kit installations. If each kit presents 200 HTML pages, the phisher can count on 11600 different fraud URLs.
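A site administrator can look for the layout described above (a directory holding many byte-identical HTML files next to PHP scripts) on their own web root. The following is an added example, not code from the kit or from D3Lab; the threshold, the sample tree and its file names (`page0.html`, `send.php`, `images/`, `blog/`) are constructed assumptions.

```python
import hashlib
import os
import tempfile
from collections import Counter

MIN_CLONES = 20  # assumed threshold, not a value from the page

def sha256_file(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def find_clone_dirs(web_root, min_clones=MIN_CLONES):
    """Return sorted (dir, clone_count, php_files) for every directory that
    holds many byte-identical HTML files alongside PHP scripts."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        html = [f for f in files if f.lower().endswith((".html", ".htm"))]
        php = sorted(f for f in files if f.lower().endswith(".php"))
        if len(html) < min_clones or not php:
            continue  # too few pages, or no server-side script present
        digests = Counter(sha256_file(os.path.join(dirpath, f)) for f in html)
        count = digests.most_common(1)[0][1]  # size of the largest clone group
        if count >= min_clones:
            findings.append((os.path.relpath(dirpath, web_root), count, php))
    return sorted(findings)

def _write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def build_sample_tree(root):
    """Constructed, harmless stand-in for the kit layout plus a normal site."""
    for name in ("tesav", "tescr"):
        for i in range(100):  # about a hundred identical pages per folder
            _write(os.path.join(root, "images", name, f"page{i}.html"),
                   "<html>placeholder</html>")
        _write(os.path.join(root, "images", name, "send.php"), "<?php ?>")
    for i in range(30):       # legitimate directory: every page differs
        _write(os.path.join(root, "blog", f"post{i}.html"), f"<html>{i}</html>")
    _write(os.path.join(root, "blog", "index.php"), "<?php ?>")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_clone_dirs(root)

if __name__ == "__main__":
    for d, n, php in demo():
        print(f"{d}: {n} identical HTML files, PHP: {', '.join(php)}")
```

Because the check keys on identical content rather than on the folder names, it still flags an installation whose directories have been renamed.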

Analysing the phishing kit, it is possible to determine that stolen credentials are sent to the criminals via e-mail.

php file written to send stolen credentials via mail


D3Lab identified ten different email addresses (gmail.com, aol.co.uk, hotmail.co.uk, bluemail.com, mail.mn) used by the criminals, who could be operating in at least two or three different teams.

Luckily Tesco Bank seems to be very attentive to the on-line fraud problem: on its web site it presents several pages about phishing, fraud and what to do in case they occur:

Guard against phishing;

How to identify a genuine Tesco Bank email;

How Fraud occurs;

How we protect you;

Security and fraud.

Update 2016/11/08 (three years later):

phishing against Tesco Bank users, D3Lab monitoring