Recently, PhishMe® recorded suspicious messages that spoofed bnm.gov.my, the domain of Bank Negara, the central bank of Malaysia. The emails concerned a funds transfer.
Figure 1 Initial phishing message
Red Flags Right Away
The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain. (Red Flag number 1: The friendly portion of the sender name does not match the email address.) Addresses on .ORG and university (.EDU) domains are frequently used to bypass spam filters that are configured to allow messages through only when they appear to come from a sending domain with a good reputation.
However, the email headers reveal that the messages originated from the Chinese IP addresses 113.0.71[.]105 (Unicom) and 183.166.66[.]188 (Chinanet).
The brief message suggested that the recipient view the attached Word document. (Red Flag number 2: The recipient is not expecting a file from this sender.) But the attached document delivered a URL shortener link to verify an account credit over $10,000. (Red Flag number 3: We know that phishers try to appeal to our emotions, including greed.)
Figure 2 PDF document attached to the phishing message
Which Bogus Site Would You Prefer?
Because the URL was shortened using the Bit.ly service, some brief statistics are publicly available. They reveal over 8,000 clicks on the link since it was created on October 23rd at approximately 3pm Malaysia Time, about 3.5 hours before the phishing messages were sent.
Figure 3 Statistics viewable at hxxps://bit[.]ly/2z0apph+
Oddly, less than 5% of the clicks recorded by Bit.ly were made by Malaysians, and about one-fourth of the clicks were made in the Czech Republic.
The link led to a landing page (see Figure 4 below) on the compromised domain polymaxtpe[.]com that spoofs the central bank of Malaysia and invites the victim to click on their preferred bank. This is what some researchers call an all-in-one phish.
Figure 4 Landing page of the phishing scam
Each of the bank links initially led to customized phishing pages on the domain techliveassist[.]com, but later redirected to pages on the compromised domain missmmarketing[.]com[.]au, like the one below for victims who select the Standard Chartered link.
Figure 5 Standard Chartered branch of larger scam impersonating several banks with users in Malaysia
Just the Latest in a Series of Malaysian Banking Scams
This is not the first time we have seen such an all-in-one phish that apparently targets Malaysians with links to several phishing pages for various banks with a presence in Malaysia. The bank selection this time included Affin Bank Berhad, Agro Bank, Alliance Bank, AmBank, Bank Islam, Bank Rakyat, CIMB Bank, Citi, Hong Leong Bank, Bank Muamalat, Kuwait Finance House, Maybank, OCBC Bank, Public Bank Berhad, RHB Bank, Standard Chartered, and United Overseas Bank.
PhishMe analysts recorded every step for one of the banks and noted that the criminals are collecting several pieces of personally identifiable information (PII), including online banking username and password, date of birth, mobile phone number, the concurrently-generated one-time PIN, and email address. The final step warns the victim not to try to log in for the next 24 hours while the database is being updated.
Banks whose customers are being targeted by these phish can examine their logs for attempts to access multiple bank accounts online from one IP address in a short time frame. Enterprises can check logs to identify whether employees may have visited these phishing sites by looking for connections to the hosts previously mentioned and to the URLs of the 17 bank logos.
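As an added example (not code from the PhishMe write-up), the following Python runs both log checks described above over constructed sample records: a sliding-window check for one source IP reaching several distinct online-banking accounts, and a proxy-log search for the hosts and short link named in this article. The log formats, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample bank login-audit lines (not real data): "timestamp,src_ip,account_id,result"
BANK_LOG = """\
2017-10-23T21:02:11,203.0.113.7,acct-1001,success
2017-10-23T21:03:40,203.0.113.7,acct-2042,success
2017-10-23T21:05:05,203.0.113.7,acct-3310,success
2017-10-23T21:40:00,203.0.113.7,acct-4400,success
2017-10-23T21:06:12,198.51.100.9,acct-1001,success
2017-10-23T22:15:30,198.51.100.9,acct-5000,failure
"""

# Phishing hosts named in the write-up (defanging brackets removed for matching).
PHISH_HOSTS = {"polymaxtpe.com", "www.techliveassist.com", "missmmarketing.com.au"}

# Constructed sample web-proxy lines (not real data): "timestamp,user,host,path"
PROXY_LOG = """\
2017-10-23T21:01:50,alice,bit.ly,/2z0apph
2017-10-23T21:01:55,alice,polymaxtpe.com,/LNcNFsKg/index.php
2017-10-23T21:02:30,bob,www.example.com,/
2017-10-23T21:07:10,carol,missmmarketing.com.au,/wip/mLwMY8uM/scb/login.php
"""

def multi_account_sources(log, window=timedelta(minutes=10), min_accounts=3):
    """Return {src_ip: accounts} for source IPs that reached at least
    min_accounts distinct accounts inside any sliding window of `window`."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, acct, _result = line.split(",")
        events[ip].append((datetime.fromisoformat(ts), acct))
    hits = {}
    for ip, evs in events.items():
        evs.sort()  # chronological order so each window starts at one event
        for i, (t0, _acct) in enumerate(evs):
            accts = {a for t, a in evs[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                hits[ip] = hits.get(ip, set()) | accts
    return hits

def phish_visits(log, hosts=PHISH_HOSTS, short_link="bit.ly/2z0apph"):
    """Return (user, url) pairs whose destination is a listed phishing host
    or the campaign's shortened link (assumed bit.ly path from the article)."""
    out = []
    for line in log.strip().splitlines():
        _ts, user, host, path = line.split(",")
        if host in hosts or (host + path).startswith(short_link):
            out.append((user, host + path))
    return out
```

The bank-side check flags only the IP that touched three accounts within ten minutes; the later fourth login by the same IP falls outside every window and is not counted.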
- "BNM.docx" MD5 hash value: 43e6ec275168125ce334a253831316d6
- In dynamically-generated directories under hxxp://polymaxtpe[.]com/LNcNFsKg
- In bank-specific directories under hxxps://www.techliveassist[.]com/NXYu3qQR. This domain also hosted an Apple phish three days prior. The Apple phish was reached from a redirector on the host www.clubrougeva[.]com.
- In bank-specific directories under hxxps://missmmarketing[.]com[.]au/wip/mLwMY8uM. This domain also hosted a Wells Fargo phish four days prior.
- Bank logo URLs: