“All-in-One” Phish Gives Malaysians a Choice…of Phony Sites

Recently, PhishMe® recorded suspicious messages that spoofed bnm.gov.my, the domain of Bank Negara, the central bank of Malaysia. The emails concerned a funds transfer.

Figure 1  Initial phishing message

Red Flags Right Away

The spoofed sending address belongs to a U.S.-based employee account on a high-reputation .ORG domain. (Red Flag number 1: The friendly name shown for the sender does not match the email address.) Addresses on .ORG and university (.EDU) domains are frequently used to bypass spam filters that admit messages only when they appear to come from a sending domain with a good reputation; the reputation belongs to the mailbox's domain, not to the name the attacker types into the From header.

However, the email headers reveal that the messages originated from the Chinese IP addresses 113.0.71[.]105 (Unicom) and 183.166.66[.]188 (Chinanet).

The brief message suggested that the recipient view the attached Word document. (Red Flag number 2: The recipient is not expecting a file from this sender.) But the attached document[1] delivered a URL-shortener link[2] to "verify" an account credit of over $10,000. (Red Flag number 3: Phishers appeal to our emotions, including greed.)
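The first red flag and the header observation above can be checked mechanically. The following is an added example, not code from the PhishMe post: it parses a message constructed to resemble the described phish (a "Bank Negara Malaysia" display name over an unrelated .org mailbox, and a Received chain whose earliest hop is one of the IP addresses named in the post), flags the display-name/address mismatch against a small brand-to-domain table, and walks the Received headers to the originating public IP. The mailbox, the relay hostnames and the brand table are assumptions made for the example.

```python
"""Header checks for the red flags above: display name vs. address, and the
true origin from the Received chain.

Added example, not PhishMe's code. SAMPLE_MESSAGE is constructed; the mailbox,
hostnames and IMPERSONATED_BRANDS table are assumptions. The earliest-hop IP
is one of the two addresses named in the post.
"""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Received: from mx.example-org.org (mx.example-org.org [203.0.113.10])
    by mail.victim.example (Postfix) with ESMTPS id ABC123
    for <finance@victim.example>; Tue, 24 Oct 2017 18:40:02 +0800
Received: from [113.0.71.105] (unknown [113.0.71.105])
    by mx.example-org.org (Postfix) with ESMTPA id DEF456;
    Tue, 24 Oct 2017 18:39:55 +0800
From: Bank Negara Malaysia <jsmith@example-org.org>
To: finance@victim.example
Subject: Funds transfer
Content-Type: text/plain

Please review the attached Word document regarding the funds transfer.
"""

# Brand names to watch for in the display name, with the domains that may
# legitimately send on the brand's behalf (assumed for the example; in
# practice this list comes from the brand owner).
IMPERSONATED_BRANDS = {
    "bank negara": {"bnm.gov.my"},
    "bnm": {"bnm.gov.my"},
}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def impersonated_brand(from_header):
    """Red Flag 1: return the brand named in the display name when the
    address domain is not one of that brand's legitimate domains, else None."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    for brand, legit in IMPERSONATED_BRANDS.items():
        if brand in name.lower() and not any(
            domain == d or domain.endswith("." + d) for d in legit
        ):
            return brand
    return None


def originating_ip(raw_message):
    """Walk the Received chain from the earliest hop outward and return the
    first public IP address.  Each relay prepends its own Received header, so
    the bottom one is the earliest hop; private and reserved addresses (the
    sender's LAN) are skipped."""
    msg = message_from_string(raw_message)
    for received in reversed(msg.get_all("Received") or []):
        for candidate in IPV4_RE.findall(received):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if ip.is_global:
                return str(ip)
    return None


def analyze(raw_message):
    """Summarise the header-level findings for one message.  The originating
    IP is what you then compare, out of band, with the mail infrastructure
    the claimed sender actually uses (its SPF record, for example)."""
    msg = message_from_string(raw_message)
    from_header = msg.get("From", "")
    _, addr = parseaddr(from_header)
    return {
        "from_address": addr,
        "impersonated_brand": impersonated_brand(from_header),
        "originating_ip": originating_ip(raw_message),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

Matching on the brand in the display name rather than on the .ORG or .EDU suffix is deliberate: the suffix is a weak signal on its own, while a bank's name over a domain the bank does not use is almost never legitimate.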

Figure 2  PDF document attached to the phishing message

Which Bogus Site Would You Prefer?

Because the URL was shortened with the Bit.ly service, some basic statistics are publicly available: appending a plus sign to the short link (Figure 3) shows its statistics page instead of following the redirect. They reveal over 8,000 clicks on the link since it was created on October 23rd at approximately 3pm Malaysia Time, about 3.5 hours before the phishing messages were sent.

Figure 3  Statistics viewable at hxxps://bit[.]ly/2z0apph+

Oddly, fewer than 5% of the clicks recorded by Bit.ly came from Malaysia, and about one-fourth came from the Czech Republic. Shortener statistics count every request, including those from URL scanners, sandboxes and researchers, so they overstate the number of people who actually reached the landing page and say little about where the intended victims are.

The link led to a landing page (Figure 4) on the compromised domain polymaxtpe[.]com[3] that spoofs the central bank of Malaysia and lets the victim click on their preferred bank. This is what some researchers call an all-in-one phish.

Figure 4  Landing page of the phishing scam

Each of the bank links initially led to customized phishing pages on the domain techliveassist[.]com,[4] but later redirected to pages on the compromised domain missmmarketing[.]com[.]au,[5] like the one below for victims who select the Standard Chartered link.

Figure 5  Standard Chartered branch of larger scam impersonating several banks with users in Malaysia

Just the Latest in a Series of Malaysian Banking Scams

This is not the first time we have seen such an all-in-one phish that apparently targets Malaysians with links to several phishing pages for various banks with a presence in Malaysia. The bank selection this time included Affin Bank Berhad, Agro Bank, Alliance Bank, AmBank, Bank Islam, Bank Rakyat, CIMB Bank, Citi, Hong Leong Bank, Bank Muamalat, Kuwait Finance House, Maybank, OCBC Bank, Public Bank Berhad, RHB Bank, Standard Chartered, and United Overseas Bank.

PhishMe analysts recorded every step for one of the banks and noted that the criminals collect several pieces of personally identifiable information (PII): online banking username and password, date of birth, mobile phone number, the one-time PIN generated at the same time, and email address. Collecting the one-time PIN while it is still valid suggests the stolen credentials are used immediately, in a live session, rather than stored for later. The final step warns the victim not to try to log in for the next 24 hours while the database is being updated, which discourages the victim from logging in and noticing the fraud.

Banks whose customers are targeted by these phish can examine their logs for attempts to access many different online banking accounts from one IP address in a short time frame. Enterprises can check proxy and DNS logs to identify whether employees visited these phishing sites by looking for connections to the hosts mentioned above and to the URLs of the 17 bank logos.[6]
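Both hunts above are simple to script. The following is an added example, not PhishMe's tooling: it matches proxy log lines against the hosts and the shortened link named in this post, and scans bank login records for one source IP touching several distinct accounts inside a short window. The proxy and login records are constructed for the example, their whitespace-separated layout is an assumption, and the placeholder attacker IP 203.0.113.77 is invented. The 17 bank logo URLs of note [6] are not reproduced because the page does not list them.

```python
"""Two retrospective log checks for the hunting advice above.

Added example, not PhishMe's tooling. Indicators are the hosts and the short
link named in the post; PROXY_LOG and BANK_LOGIN_LOG are constructed, and
their field layout (timestamp, source IP, user or account, URL or result) is
an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse


def refang(indicator):
    """Turn the post's defanged notation back into something matchable."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Compromised or attacker-controlled domains from the post; subdomains match too.
IOC_DOMAINS = {refang(d) for d in (
    "polymaxtpe[.]com",           # landing page with the bank picker
    "techliveassist[.]com",       # first generation of bank-specific pages
    "missmmarketing[.]com[.]au",  # later generation of bank-specific pages
    "clubrougeva[.]com",          # redirector seen with the earlier Apple phish
)}
# The shortener itself is too widely used to match on; match only this link's path.
SHORT_LINK = urlparse(refang("hxxps://bit[.]ly/2z0apph"))


def match_ioc(url):
    """Return the indicator a URL matches, or None."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    for domain in IOC_DOMAINS:
        if host == domain or host.endswith("." + domain):
            return domain
    # A trailing '+' is Bit.ly's statistics page for the same link.
    if host == SHORT_LINK.hostname and parsed.path.rstrip("+") == SHORT_LINK.path:
        return SHORT_LINK.geturl()
    return None


def proxy_hits(lines):
    """Users who reached any indicator, from 'timestamp src_ip user url' lines."""
    hits = []
    for line in lines:
        timestamp, src_ip, user, url = line.split(maxsplit=3)
        ioc = match_ioc(url)
        if ioc:
            hits.append({"time": timestamp, "src_ip": src_ip, "user": user, "ioc": ioc})
    return hits


def multi_account_sources(lines, window=timedelta(minutes=10), min_accounts=3):
    """Source IPs that touched at least `min_accounts` distinct accounts within
    `window`, from 'timestamp src_ip account result' lines.  Failed attempts
    count too: replayed stolen credentials are not all going to be right."""
    by_ip = defaultdict(list)
    for line in lines:
        timestamp, src_ip, account, _result = line.split()
        by_ip[src_ip].append((datetime.fromisoformat(timestamp), account))
    flagged = {}
    for src_ip, events in by_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {acct for ts, acct in events[i:] if ts - start <= window}
            if len(accounts) >= min_accounts and len(accounts) > len(flagged.get(src_ip, ())):
                flagged[src_ip] = sorted(accounts)
    return flagged


PROXY_LOG = [  # constructed; the 'x7Qm' directory is a stand-in for a generated one
    "2017-10-24T18:45:10 10.20.30.41 alice https://bit.ly/2z0apph",
    "2017-10-24T18:45:12 10.20.30.41 alice http://polymaxtpe.com/LNcNFsKg/x7Qm/index.html",
    "2017-10-24T18:45:40 10.20.30.41 alice https://www.techliveassist.com/NXYu3qQR/maybank/",
    "2017-10-24T18:50:00 10.20.30.55 bob https://bit.ly/3notthis",
    "2017-10-24T19:00:00 10.20.30.57 dave https://example.com/",
]
BANK_LOGIN_LOG = [  # constructed; 203.0.113.77 is a placeholder attacker IP
    "2017-10-24T19:05:00 203.0.113.77 acct0417 success",
    "2017-10-24T19:06:30 203.0.113.77 acct2290 failure",
    "2017-10-24T19:08:10 203.0.113.77 acct0903 success",
    "2017-10-24T19:30:00 203.0.113.77 acct1150 success",
    "2017-10-24T19:31:00 198.51.100.9 acct0555 success",
    "2017-10-24T19:32:00 198.51.100.9 acct0555 success",
]

if __name__ == "__main__":
    for hit in proxy_hits(PROXY_LOG):
        print("proxy:", hit)
    for src_ip, accounts in multi_account_sources(BANK_LOGIN_LOG).items():
        print("bank:", src_ip, "->", accounts)
```

The sliding window is computed per source IP from each event forward, so a source that drips logins over hours is not flagged while a burst against three accounts in a few minutes is; tune `window` and `min_accounts` to the bank's normal shared-NAT traffic before alerting on it.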



[1] “BNM.docx” MD5 hash value: 43e6ec275168125ce334a253831316d6

[2] hxxps://bit[.]ly/2z0apph

[3] In dynamically-generated directories under hxxp://polymaxtpe[.]com/LNcNFsKg

[4] In bank-specific directories under hxxps://www.techliveassist[.]com/NXYu3qQR. This domain also hosted an Apple phish three days earlier, reached from a redirector on the host www.clubrougeva[.]com.

[5] In bank-specific directories under hxxps://missmmarketing[.]com[.]au/wip/mLwMY8uM. This domain also hosted a Wells Fargo phish four days earlier.

[6] Bank logo URLs:
