PhishMe Intelligence™ has uncovered a phishing campaign that delivers a new loader/browser plugin combination that we have dubbed Vulture Stealer. Vulture Stealer is a two-stage data stealer that includes a version of Banload banking trojan malware. However, paired with an extensive secondary stealer it can target and gather information beyond Banload’s reach within Google Chrome—effectively gathering any information entered within the compromised Chrome browser. This campaign, which uses Portuguese-language phishing messages, may be targeting Brazilian banks and their customers. This is the first time PhishMe® has observed Banload coupled with a malicious browser extension.
Over the past weeks, the Phishing Defence Centre has observed several reports that pretend to come from an internal sender. While this impersonation tactic is not new, we have only recently observed an influx in emails used to deliver the Geodo botnet malware. Figure 1 demonstrates an example of an email we have received.
Recently, PhishMe® recorded suspicious messages that spoofed bnm.gov.my, the domain for the central bank of Malaysia, Bank Negara. The emails concerned a Funds transfer.
Figure 1 Initial phishing message
Red Flags Right Away
The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain. (Red Flag number 1: The friendly portion of the sender name does not match the email address.) Addresses on .ORG domains and on university (.EDU) domains are frequently used to bypass spam filters that are set to allow messages through only when they appear to come from a sending domain with a good reputation.
However, the email headers reveal that the messages originated from the Chinese IP addresses 113.0.71[.]105 (Unicom) and 183.166.66[.]188 (Chinanet).
The brief message suggested that the recipient view the attached Word document. (Red Flag number 2: The recipient is not expecting a file from this sender.) But the attached document delivered a URL shortener link to verify an account credit over $10,000. (Red Flag number 3: We know that phishers try to appeal to our emotions, including greed.)
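The first red flag and the header finding above can both be checked mechanically. The following is an added example, not code from the PhishMe post: it parses a constructed message (only the first-hop IP is taken from the post; the domains, names, address and the brand allow-list are placeholders) and reports a display name that claims a brand the sending domain is not entitled to, and the globally routable address at the earliest Received hop, which is where the message actually entered the mail system.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Only the first-hop IP is taken from the post;
# the domains, names and address are placeholders.
RAW_MESSAGE = """\
Received: from mail.example-org.org (mail.example-org.org [203.0.113.10])
 by mx.recipient.example (Postfix) with ESMTPS for <victim@recipient.example>
Received: from [113.0.71.105] (unknown [113.0.71.105])
 by mail.example-org.org (Postfix) with ESMTPA
From: "Bank Negara Malaysia" <jane.doe@example-org.org>
To: victim@recipient.example
Subject: Funds transfer

Please review the attached document.
"""

# Hypothetical allow-list: brand keyword -> domains that legitimately send as it.
BRAND_DOMAINS = {
    "bank negara": {"bnm.gov.my"},
}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def display_name_spoof(raw_message):
    """Red flag 1: the friendly name claims a brand but the address domain is
    not one that brand sends from. Returns the claimed brand, or None."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower() and domain not in domains:
            return brand
    return None


def originating_ip(raw_message):
    """Walk the Received headers from the earliest hop (last header) upward
    and return the first globally routable address: where the message really
    entered the mail system, regardless of what the From header says."""
    msg = message_from_string(raw_message)
    for received in reversed(msg.get_all("Received", [])):
        for candidate in IPV4.findall(received):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an IP
            if ip.is_global:
                return str(ip)
    return None


if __name__ == "__main__":
    print("display-name spoof:", display_name_spoof(RAW_MESSAGE))
    print("originating IP:", originating_ip(RAW_MESSAGE))
```

The Received chain is read bottom-up because each relay prepends its own header; the lowest one is the hop closest to the real sender, and reserved or private addresses are skipped so that internal relays do not mask it. On the constructed message this yields `bank negara` for the spoofed display name and `113.0.71.105` as the origin, matching the kind of mismatch the post describes.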
Figure 2 PDF document attached to the phishing message
Which Bogus Site Would You Prefer?
Because the URL was shortened using the Bit.ly service, some brief statistics are publicly available that reveal over 8,000 clicks on the link since it was established on October 23rd at approximately 3pm Malaysia Time, about 3.5 hours before the phishing messages were sent.
Figure 3 Statistics viewable at hxxps://bit[.]ly/2z0apph+
Oddly, fewer than 5% of the clicks recorded by Bit.ly were made by Malaysians, and about one-fourth of the clicks were made in the Czech Republic.
The link led to a landing page (see Figure 4 below) on the compromised domain polymaxtpe[.]com that spoofs the central bank of Malaysia and allows the victim to click on their preferred bank. This is what some researchers call an all-in-one phish.
Figure 4 Landing page of the phishing scam
Each of the bank links initially led to customized phishing pages on the domain techliveassist[.]com, but later redirected to pages on the compromised domain missmmarketing[.]com[.]au, like the one below for victims who select the Standard Chartered link.
Figure 5 Standard Chartered branch of larger scam impersonating several banks with users in Malaysia
Just the Latest in a Series of Malaysian Banking Scams
This is not the first time we have seen such an all-in-one phish that apparently targets Malaysians with links to several phishing pages for various banks with a presence in Malaysia. The bank selection this time included Affin Bank Berhad, Agro Bank, Alliance Bank, AmBank, Bank Islam, Bank Rakyat, CIMB Bank, Citi, Hong Leong Bank, Bank Muamalat, Kuwait Finance House, Maybank, OCBC Bank, Public Bank Berhad, RHB Bank, Standard Chartered, and United Overseas Bank.
PhishMe analysts recorded every step for one of the banks and noted that the criminals are collecting several pieces of personally identifiable information (PII), including online banking username and password, date of birth, mobile phone number, the concurrently-generated one-time PIN, and email address. The final step warns the victim not to try to log in for the next 24 hours while the database is being updated.
Banks whose customers are being targeted by these phish can examine their logs for attempts to access multiple bank accounts online from one IP address in a short time frame. Enterprises can check logs to identify whether employees may have visited these phishing sites by looking for connections to the hosts previously mentioned and to the URLs of the 17 bank logos.
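Both of the log checks suggested above can be expressed as simple detection logic. The following is an added example, not code from the PhishMe post: it runs over two constructed log samples (an online-banking authentication log and a corporate web-proxy log, with made-up IPs, account names and timestamps) and flags, first, any source IP that reaches several distinct accounts within a short window and, second, any client that connected to one of the phishing hosts listed in the post's indicators (defanging brackets removed). The ten-minute window and the threshold of three accounts are assumptions to tune against real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed online-banking auth log: timestamp, source IP, account, result.
BANK_AUTH_LOG = """\
2017-10-23T19:01:10Z 198.51.100.7 acct-1001 success
2017-10-23T19:02:35Z 198.51.100.7 acct-1042 success
2017-10-23T19:03:02Z 203.0.113.55 acct-2210 success
2017-10-23T19:04:48Z 198.51.100.7 acct-1077 success
2017-10-23T19:06:15Z 198.51.100.7 acct-1099 failure
2017-10-23T21:30:00Z 203.0.113.55 acct-2211 success
"""

# Constructed web-proxy log: timestamp, client IP, destination host, path.
PROXY_LOG = """\
2017-10-23T18:40:01Z 10.0.0.21 www.example.com /
2017-10-23T18:41:17Z 10.0.0.21 polymaxtpe.com /LNcNFsKg/abc123/index.php
2017-10-23T18:41:52Z 10.0.0.21 www.techliveassist.com /NXYu3qQR/maybank/login.php
2017-10-23T18:45:09Z 10.0.0.33 intranet.corp.example /home
"""

# Hosts from the post's indicator list, with defanging brackets removed.
PHISHING_HOSTS = {"polymaxtpe.com", "techliveassist.com", "missmmarketing.com.au"}


def parse_log(text):
    """Split whitespace-delimited log lines into (datetime, *fields) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), *fields))
    return rows


def multi_account_sources(log_text, window=timedelta(minutes=10), threshold=3):
    """Bank-side check: source IPs that attempt `threshold` or more distinct
    accounts within `window`. Sliding window over each IP's sorted events;
    failures count too, since the post speaks of attempts, not successes."""
    by_ip = defaultdict(list)
    for ts, ip, account, _result in parse_log(log_text):
        by_ip[ip].append((ts, account))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {acct for t, acct in events[i:] if t - start <= window}
            if len(accounts) >= threshold:
                flagged[ip] = len(accounts)
                break
    return flagged


def _matches_listed_host(host, hosts):
    """True if the host or any parent domain is in the indicator set."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in hosts for i in range(len(parts)))


def phishing_site_visits(log_text, hosts=PHISHING_HOSTS):
    """Enterprise-side check: clients that connected to any listed host."""
    hits = defaultdict(set)
    for _ts, client, host, _path in parse_log(log_text):
        if _matches_listed_host(host, hosts):
            hits[client].add(host.lower())
    return {client: sorted(seen) for client, seen in hits.items()}


if __name__ == "__main__":
    print("IPs hitting many accounts:", multi_account_sources(BANK_AUTH_LOG))
    print("clients reaching phishing hosts:", phishing_site_visits(PROXY_LOG))
```

The parent-domain match lets a single indicator such as techliveassist.com catch the www host seen in the campaign without listing every subdomain separately; a matched client should then be checked against the bank-specific paths quoted in the indicators to confirm which brand the user was shown.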
- “BNM.docx” MD5 hash value: 43e6ec275168125ce334a253831316d6
- In dynamically generated directories under hxxp://polymaxtpe[.]com/LNcNFsKg
- In bank-specific directories under hxxps://www.techliveassist[.]com/NXYu3qQR. This domain also hosted an Apple phish three days prior, reached from a redirector on the host www.clubrougeva[.]com.
- In bank-specific directories under hxxps://missmmarketing[.]com[.]au/wip/mLwMY8uM. This domain also hosted a Wells Fargo phish four days prior.
- Bank logo URLs:
Back in June, PhishMe® launched our free computer-based training module on GDPR compliance. The feedback has been great, including urgent requests to make the training available in other languages.
Recently, CNBC reported on phishing scams in real estate, following up with an interview of PhishMe® CEO and Co-founder Rohyt Belani. Real estate is a bullseye for enterprising phishers. Often, the scammer is attempting wire fraud, trying to induce someone to make an electronic transfer of funds.
Less than a week after a Sensepost blog highlighted how to abuse Microsoft Office functionality to deliver malware to systems via phishing messages, PhishMe® observed attackers abusing this feature of Microsoft Windows. This highlights how quickly malicious actors capitalize on such revelations, outpacing many organizations’ abilities to understand and respond to emerging threats.
Petya. NotPetya. Now BadRabbit. Ransomware keeps evolving and wreaking havoc worldwide.
There’s no evidence that phishing emails have delivered Bad Rabbit, the new ransomware strain which hit Russian, Eastern European and some U.S. networks this week. But nonetheless at PhishMe, BadRabbit has caught our eye.