Recently, PhishMe® recorded suspicious messages that spoofed bnm.gov.my, the domain for the central bank of Malaysia, Bank Negara. The emails concerned a funds transfer.
Figure 1 Initial phishing message
Red Flags Right Away
The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain. (Red Flag number 1: The friendly portion of the sender name does not match the email address.) Addresses on .ORG and addresses on university (.EDU) domains are frequently used to bypass spam filters that are set to allow messages through only when they appear to be coming from a sending domain with a good reputation.
However, the email headers reveal that the messages originated from the Chinese IP addresses 113.0.71[.]105 (Unicom) and 183.166.66[.]188 (Chinanet).
The brief message suggested that the recipient view the attached Word document. (Red Flag number 2: The recipient is not expecting a file from this sender.) But the attached document delivered a URL shortener link to verify an account credit over $10,000. (Red Flag number 3: We know that phishers try to appeal to our emotions, including greed.)
Figure 2 PDF document attached to the phishing message
Which Bogus Site Would You Prefer?
Because the URL was shortened using the Bit.ly service, some brief statistics are publicly available. They reveal over 8,000 clicks on the link since it was established on October 23rd at approximately 3pm Malaysia Time, about 3.5 hours before the phishing messages were sent.
Figure 3 Statistics viewable at hxxps://bit[.]ly/2z0apph+
Oddly, less than 5% of the clicks recorded by Bit.ly were made by Malaysians, and about one-fourth of the clicks were made in the Czech Republic.
The link led to a landing page (see Figure 4 below) on the compromised domain polymaxtpe[.]com that spoofs the central bank of Malaysia and allows the victim to click on their preferred bank. This is what some researchers call an all-in-one phish.
Figure 4 Landing page of the phishing scam
Each of the bank links initially led to customized phishing pages on the domain techliveassist[.]com, but later redirected to pages on the compromised domain missmmarketing[.]com[.]au, like the one below for victims who select the Standard Chartered link.
Figure 5 Standard Chartered branch of larger scam impersonating several banks with users in Malaysia
Just the Latest in a Series of Malaysian Banking Scams
This is not the first time we have seen such an all-in-one phish that apparently targets Malaysians with links to several phishing pages for various banks with a presence in Malaysia. The bank selection this time included Affin Bank Berhad, Agro Bank, Alliance Bank, AmBank, Bank Islam, Bank Rakyat, CIMB Bank, Citi, Hong Leong Bank, Bank Muamalat, Kuwait Finance House, Maybank, OCBC Bank, Public Bank Berhad, RHB Bank, Standard Chartered, and United Overseas Bank.
PhishMe analysts recorded every step for one of the banks and noted that the criminals are collecting several pieces of personally identifiable information (PII), including online banking username and password, date of birth, mobile phone number, the concurrently-generated one-time PIN, and email address. The final step warns the victim not to try to log in for the next 24 hours while the database is being updated.
Banks whose customers are being targeted by these phish can examine their logs for attempts to access multiple bank accounts online from one IP address in a short time frame. Enterprises can check logs to identify whether employees may have visited these phishing sites by looking for connections to the hosts previously mentioned and to the URLs of the 17 bank logos.
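The bank-side check described above, as an added example that is not part of the original post: a sliding-window count of distinct accounts attempted per source IP. The log tuple layout, the 10-minute window, the threshold of 3 and every sample value are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of online-banking login attempts: (timestamp, source IP, username).
# Timestamps are arbitrary, IPs are documentation ranges, usernames are made up.
SAMPLE_LOGINS = [
    ("2024-01-15T19:01:05", "203.0.113.7", "aisyah88"),
    ("2024-01-15T19:02:10", "198.51.100.20", "tan.wl"),
    ("2024-01-15T19:03:40", "203.0.113.7", "kumar_r"),
    ("2024-01-15T19:04:15", "203.0.113.7", "aisyah88"),  # retry on the same account
    ("2024-01-15T19:06:30", "203.0.113.7", "lim.sy"),
    ("2024-01-15T19:09:55", "203.0.113.7", "farah.z"),
    ("2024-01-15T21:30:00", "198.51.100.20", "tan.wl"),
    ("2024-01-15T23:45:00", "198.51.100.20", "ong.kh"),
]

def flag_multi_account_ips(events, window=timedelta(minutes=10), threshold=3):
    """Return {ip: sorted usernames} for IPs that attempted at least `threshold`
    distinct accounts inside any sliding `window`. Both limits are assumptions
    to tune against normal traffic (shared NAT, branch kiosks)."""
    recent = defaultdict(deque)           # ip -> (time, username) pairs still in window
    flagged = defaultdict(set)
    for ts, ip, user in sorted(events):   # ISO 8601 strings sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while now - q[0][0] > window:     # drop attempts older than the window
            q.popleft()
        distinct = {u for _, u in q}      # retries on one account count once
        if len(distinct) >= threshold:
            flagged[ip] |= distinct
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in flag_multi_account_ips(SAMPLE_LOGINS).items():
        print(f"{ip}: {len(users)} accounts in window -> {', '.join(users)}")
```

Counting distinct usernames rather than raw attempts keeps a customer who mistypes a password several times from tripping the rule.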
 “BNM.docx” MD5 hash value: 43e6ec275168125ce334a253831316d6
 In dynamically-generated directories under hxxp://polymaxtpe[.]com/LNcNFsKg
 In bank-specific directories under hxxps://www.techliveassist[.]com/NXYu3qQR This domain also hosted an Apple phish three days prior. The Apple phish was reached from a redirector on the host www.clubrougeva[.]com.
 In bank-specific directories under hxxps://missmmarketing[.]com[.]au/wip/mLwMY8uM This domain also hosted a Wells Fargo phish four days prior.
 Bank logo URLs: