Stolen Information Used in Personalized Immigration-Themed Attack

February 12, 2025

By Marie Mamaril 

A new phishing campaign that initially targeted travelers to Singapore by exploiting immigration arrival card submission requirements has begun to target the immigration process for other countries as well. This campaign was first seen in September 2023. However, because it is a highly targeted attack, overall volumes are low. This campaign mimics the website of Singapore’s official Immigration & Checkpoints Authority (ICA) to deceive victims into providing credit card information for fraudulent payments.

It is particularly effective because it preys on travelers’ urgency and unfamiliarity with immigration procedures, especially during the holiday season, which is a peak time for international travel. As part of its social engineering tactics, it uses fear-inducing language to create a sense of urgency, pressuring victims to act immediately by threatening denied entry to the country they are visiting due to non-compliance.

Additionally, the current political climate in the United States makes immigration a hot topic of interest for many. With many people planning trips abroad for various purposes, attackers are leveraging this opportunity to maximize their reach and impact.

Other than the initial attacks in 2023 that targeted Singapore’s immigration process, this campaign has now been seen targeting Malaysia and the United Kingdom.

The Arrival Card-Themed Phishing Emails

As seen in Figures 1 and 2, both emails notify the user about the status of their arrival card and the urgent action they need to take. The emails and the spoofed website employ official-sounding branding and tone to increase credibility. Clicking the embedded link redirects victims to a fake immigration portal designed to resemble legitimate government domains (e.g., ica[.]gov[.]sg and imigresen-online[.]imi[.]gov[.]my). One notable observation is that the individuals targeted by this campaign include high-level executives.

Several parts of the fake immigration portal are already auto-filled with Personally Identifiable Information (PII), making the page seem even more legitimate. The fraudulent site requests sensitive information, including credit card details, to pay for a purported processing fee.

Figure 1: An example of the email notifying the user about the status of their arrival card and the urgent action they need to take.

Figure 2: An example of a similarly themed campaign email notifying the user about the status of their arrival card and the urgent action they need to take.

Both emails used an authoritative-sounding line designed to invoke urgency, such as “arrival card or document is required”.


Phishing Pages

The fraudulent websites closely mimic legitimate immigration portals, featuring logos, forms, and navigation menus that are very similar to the real ones in order to deceive users. The threat actors demonstrate a high level of sophistication by continuously updating their fake sites to reflect changes on the actual immigration websites, further enhancing the authenticity of the malicious pages.

Once on the site, victims are prompted to provide sensitive information, including credentials and credit card details, which are immediately harvested and exfiltrated to attacker-controlled servers in real time. This data can be sold on dark web markets, used for fraudulent transactions, or leveraged in follow-up attacks, such as identity theft.

Figure 3: Landing page of credential phishing campaign.

Figure 4: Payment portion of credential phishing page.

The dual exploitation of personal information and financial data makes this campaign particularly dangerous for victims.

The associated fake website is meticulously designed to mirror the official immigration portal, with the domain closely resembling the actual one, eservices[.]ica[.]gov[.]sg. The websites replicate authentic-looking forms and navigation structures, and even employ legitimate-looking payment gateways to instil trust and persuade victims to share their credit card details.
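Because the phishing domains are built to resemble the official ones, a link check has to compare the real host against the official domains rather than look for their names anywhere in the URL. The following is an added example, not code from the original article; the brand words and every `.example` host are constructed for illustration, and only the official domains come from the text above.

```python
import re
from urllib.parse import urlsplit

# Official portals named in the article, refanged.
OFFICIAL = ("ica.gov.sg", "imigresen-online.imi.gov.my")
# Assumption: brand words picked for this illustration.
BRAND_LABELS = {"ica", "imigresen"}


def refang(url: str) -> str:
    """Undo report-style defanging: hxxp -> http, [.] -> ."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.I).replace("[.]", ".")


def classify(url: str) -> str:
    """Return 'official', 'lookalike' or 'unrelated' for a link target."""
    url = refang(url)
    if "://" not in url:
        url = "https://" + url  # bare hostname, as written in a report
    parts = urlsplit(url)
    # .hostname is lower-cased and excludes any userinfo and port.
    host = (parts.hostname or "").rstrip(".")
    # Exact match or a true subdomain; a bare suffix test would also
    # accept hosts that merely end in the same characters.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return "official"
    netloc = parts.netloc.lower()
    flat = re.sub(r"[.-]", "", host)
    labels = set(re.split(r"[.-]", host))
    if (
        any(d in netloc for d in OFFICIAL)  # official name as prefix or userinfo
        or any(re.sub(r"[.-]", "", d) in flat for d in OFFICIAL)  # dots swapped or dropped
        or labels & BRAND_LABELS  # brand word as its own label
    ):
        return "lookalike"
    return "unrelated"


# Constructed sample links; the .example hosts are not real indicators.
SAMPLES = [
    "eservices[.]ica[.]gov[.]sg",
    "hxxps://eservices[.]ica[.]gov[.]sg[.]arrival-check[.]example/pay",
    "https://ica.gov.sg@pay.example/",
    "https://ica-arrival.example/",
    "https://medical-news.example/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{classify(s):10} {s}")
```

A "lookalike" result is a prompt for analyst review, not a verdict; the brand-word list needs tuning per organization to keep false positives down.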

A particularly sophisticated aspect of this attack is the option to edit information on the Checkout page, which reveals prepopulated personal information about the victim. It has been confirmed that some of the prepopulated data is legitimate. This level of detail suggests a highly targeted approach and that the personally identifiable data may have been purchased from the dark web, thus making the attack both unique and alarming. Reports of data breaches at organizations containing relevant information such as Philippine passport data make it even more likely that the stolen information was purchased online.

Figure 5: The payment section of the phishing page includes an “Edit” option, revealing the victim's prefilled personal details.

Figure 6: The prepopulated form exposing the victim’s sensitive personal information such as first/last name, date of birth, country of birth, and passport number.

Figure 7: Prepopulated form also reveals victim’s email address, mobile number and arrival date in Singapore.