Share:

By Elmer Hernandez, Cofense Phishing Defense Center

The Cofense Phishing Defense Center (PDC) has uncovered a phishing campaign aimed at customers of African financial services group ABSA. Mimicking ABSA’s online banking portal, the adversaries attempt to steal users’ online banking credentials to gain access to their bank accounts.

The phishing email presents the end user with a couple of lines of text informing him/her of pending transfers from another bank that need authorization. The user must download and open the htm attachment “IBPAYDOC.htm” in order to connect to the online portal. The email does not present any indication of an attempt to imitate a legitimate ABSA communication, completely relying instead on the user’s misplaced curiosity.

Figure 1 (Email Body)

Phishing Portal

Upon opening the htm file, the user is directed to a fake ABSA online banking portal at hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php, which is almost identical to the legitimate ABSA portal, as seen in Figures 2 and 3. The user is prompted to provide an “access account” number, PIN and user number that are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php.

Figure 2 – Legitimate ABSA Portal

Figure 3 – Copycat ABSA Portal

Adversaries have hijacked the ahmadnawaz[.]org domain on which the fraudulent ABSA portal is hosted, belonging to Pakistani education activist Ahmed Nawaz, and created the “/ched” directory to store their php files and subdirectories as seen in Figure 4.

Figure 4 – Index of /ched

Next, the recipient is asked to provide a password in hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php. This request should tip off users for three reasons. First, ABSA never asks for entire passwords. Second, and in contradictory fashion, instructions for ABSA’s usual password requirements can be found on the right-hand side of the page. Although the password guidelines only require specific characters, the adversaries seem to have kept these in an attempt to make their fake portal look as genuine as possible. Finally, the user’s SurePhrase, part of ABSA’s SureCheck service, is missing. Upon entering their password, it is posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php.

Figure 5 – Fake password login page

The user is then directed to hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php, where a 60- second timer is displayed. Once it reaches zero, the user is instructed to provide a phone number and a code from the ABSA app. Verification messages are normally sent to the ABSA banking app. In this case, however, no such code is sent because the user is not accessing ABSA’s legitimate portal. The threat actors likely rely on curious or frustrated users who decide, nonetheless, to proceed with the login process despite not receiving a verification request, allowing them to steal additional personal information from the end user. The phone number and app code are then posted to hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php.

Figure 6 – Timer in profile .php

Figure 7 – Verification Request

Finally, when and if the user provides the last two pieces of information – the phone number and app passcode – the next stop is hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php, where the aforementioned timer will run out and restart indefinitely. Figure 8 shows the complete HTTPS traffic.

Figure 8 – HTTPS Traffic Overview

IOCs:

Malicious URLs

hxxps://www[.]ahmadnawaz[.]org/ched/tnop[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail1[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/pass[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail2[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/profile[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/mail3[.]php
hxxps://www[.]ahmadnawaz[.]org/ched/finish[.]php

 

Associated IPs:

74[.]63[.]242[.]34

 

HOW COFENSE CAN HELP

75% of threats reported to the Cofense Phishing Defense Center are credential phish. Condition users to be resilient to credential harvesting attacks with Cofense PhishMe, plus get visibility of attacks that have bypassed controls with Cofense Reporter.

Quickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by rapidly quarantining threats with Cofense Vision.

Easily consume phishing-specific threat intelligence to proactively defend your organization against evolving threats with Cofense Intelligence.

Attackers do their research. Every SaaS platform you use is an opportunity for attackers to exploit it. Understand what SaaS applications are configured for your domains—do YOUR research with Cofense CloudSeeker.

Thanks to our unique perspective, no one knows more about the REAL phishing threats than Cofense. To understand them better, read the 2019 Phishing Threat & Malware Review.

 

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.