Proofpoint
Microsoft 365
By Elmer Hernandez, Cofense Phishing Defense Center (PDC)
The Cofense Phishing Defence Center (PDC) has uncovered a wide-ranging attempt to compromise credentials from five different African financial institutions. Posing as tax collection authorities, adversaries seek to collect account numbers, user IDs, PINs and cell phone numbers from unsuspecting customers.
One such email, which was found in environments protected by Proofpoint and Microsoft, alleges to come from the South African Revenue Service’s (SARS) eFiling service. It claims a tax return deposit of R12,560.5 (South African Rands), approximately $700 USD, has been made to the user’s account and urges them to click on their financial institution in order to claim it. The real sender of the email, however, appears to be a personal Gmail address that may have been created or compromised by the adversaries.
Figure 1 – (Partial) Email Body
As seen in Figure 2, it is erroneously assigned a score of zero in Proofpoint’s “phishscore” metric.
Figure 2 – Proofpoint Header
Dragging and Dropping a Net
Each of the images embedded in the email corresponds to a different bank. Clicking on any of these will take the user to a spoofed login portal corresponding to the selected bank. The spoofed banks include ABSA, Capitec, First National Bank (FNB), Nedbank and Standard Bank, all of which are based in South Africa. The lookalike sites are located at 81[.]0[.]226[.]156 and hosted by Czech hosting provider Nethost. It should be noted that, at the time of analysis, only the site for Standard Bank was unavailable. Figures below -6 show the phishing portals imitating each bank.
Figure 3 – ABSA
Figure 4 – Capitec
Figure 5 – FNB
Figure 6 – Nedbank
All spoofed portals were created using Webnode, a website building service known for its friendly drag and drop features. Despite this ease of use, adversaries have kept things rather simple, as all portals are basic forms with a few or no images. The portals ask for a variety of personal information, including account numbers, passwords, PINs and even cell phone numbers.
Adversaries can access all entries directly from the form itself. They can also receive notifications to an email address of their choosing every time a submission is made; the Gmail account used to send the phishing email may also be where adversaries are notified of each and every new victim. Webnode also allows the export of form submission data in xml and csv formats.
Webnode therefore is an optimal way to store and retrieve stolen user data. There is no need for additional infrastructure, nor to compromise any third parties. As in the case of the Standard Bank portal, the risk of discovery and subsequent closure of spoofed sites means adversaries can lose access to any unretrieved information. However, this risk seems to be offset by the ease with which replacement spoofed sites can be created.
IOCs:
Malicious URLs:
- hxxps://absa9[.]webnode[.]com
- hxxps://capitec-za[.]webnode[.]com
- hxxps://first-national-bnk[.]webnode[.]com
- hxxps://nedbank-za0[.]webnode[.]com
- hxxps://standardbnk[.]webnode[.]com
Associated IPs:
- 81[.]0[.]226[.]156
How Cofense Can Help:
Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence™. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 38237 and a YARA rule.
