Share:

By Elmer Hernandez, Cofense Phishing Defense Center (PDC)

The Cofense Phishing Defence Center (PDC) has uncovered a wide-ranging attempt to compromise credentials from five different African financial institutions. Posing as tax collection authorities, adversaries seek to collect account numbers, user IDs, PINs and cell phone numbers from unsuspecting customers.

One such email, which was found in environments protected by Proofpoint and Microsoft, alleges to come from the South African Revenue Service’s (SARS) eFiling service. It claims a tax return deposit of R12,560.5 (South African Rands), approximately $700 USD, has been made to the user’s account and urges them to click on their financial institution in order to claim it. The real sender of the email, however, appears to be a personal Gmail address that may have been created or compromised by the adversaries.

Figure 1 – (Partial) Email Body

As seen in Figure 2, it is erroneously assigned a score of zero in Proofpoint’s “phishscore” metric.

Figure 2 – Proofpoint Header

Dragging and Dropping a Net

Each of the images embedded in the email corresponds to a different bank. Clicking on any of these will take the user to a spoofed login portal corresponding to the selected bank. The spoofed banks include ABSA, Capitec, First National Bank (FNB), Nedbank and Standard Bank, all of which are based in South Africa. The lookalike sites are located at 81[.]0[.]226[.]156 and hosted by Czech hosting provider Nethost. It should be noted that, at the time of analysis, only the site for Standard Bank was unavailable. Figures below -6 show the phishing portals imitating each bank.

Figure 3 – ABSA

Figure 4 – Capitec

Figure 5 – FNB

Figure 6 – Nedbank

All spoofed portals were created using Webnode, a website building service known for its friendly drag and drop features. Despite this ease of use, adversaries have kept things rather simple, as all portals are basic forms with a few or no images. The portals ask for a variety of personal information, including account numbers, passwords, PINs and even cell phone numbers.

Adversaries can access all entries directly from the form itself. They can also receive notifications to an email address of their choosing every time a submission is made; the Gmail account used to send the phishing email may also be where adversaries are notified of each and every new victim. Webnode also allows the export of form submission data in xml and csv formats.

Webnode therefore is an optimal way to store and retrieve stolen user data. There is no need for additional infrastructure, nor to compromise any third parties. As in the case of the Standard Bank portal, the risk of discovery and subsequent closure of spoofed sites means adversaries can lose access to any unretrieved information. However, this risk seems to be offset by the ease with which replacement spoofed sites can be created.

IOCs:

Malicious URLs:

  • hxxps://absa9[.]webnode[.]com
  • hxxps://capitec-za[.]webnode[.]com
  • hxxps://first-national-bnk[.]webnode[.]com
  • hxxps://nedbank-za0[.]webnode[.]com
  • hxxps://standardbnk[.]webnode[.]com

Associated IPs:

  • 81[.]0[.]226[.]156

 

How Cofense Can Help:

Easily consume phishing-specific threat intelligence in real time to proactively defend your organization against evolving threats with Cofense Intelligence™. Cofense Intelligence customers were already defended against these threats well before the time of this blog posting and received further information in the Active Threat Report 38237 and a YARA rule.

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats.
The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.