Spotted in the Wild

Spoofing campaign against major SA bank ongoing
Standard Bank, one of South Africa’s biggest financial institutions, has recently fallen victim to domain spoofing.

Many emails have been observed from the spoofed domain/sender, and inspection of the email transmission logs showed that they in fact originated from outside Standard Bank’s domain and infrastructure. Various servers were used to distribute the campaign, and the number of users targeted has grown.

This is an extremely dangerous campaign because the user is directed to a login page that appears to be Standard Bank’s and is asked to authorise a fake transaction by entering their banking login credentials. This is a form of mass-distributed email phishing, targeting Standard Bank account holders.

Technique used in spoofing campaign:

  1. The email copies the format Standard Bank uses for its customer notifications.
  2. A URL to a spoofed login page is embedded inside the email.
  3. The campaign is mass distributed using a database of previously exposed email addresses, i.e. email combolists.
  4. Once a target clicks the URL, they are redirected to the attacker’s login page.
  5. On that login page, scripts capture the target’s banking credentials and submit them to the attacker’s command and control server.
  6. Credentials have now been stolen.
  7. The attacker may access the victim’s online banking account, but will more than likely sell the credentials to the highest bidder on the dark web.

Example of spoof email

The first sign of mass distribution is the intended recipient address. In the above example, the sender and recipient are the same and there are no carbon copy (CC) recipients. The attacker used the Blind Carbon Copy (BCC) function to hide all the recipients this email was distributed to.

The linked URL is detected as unsafe by Google Safe Browsing

The landing page replicates Standard Bank’s login page with enough accuracy to fool unsuspecting users. Always check the URL if unsure (boxed in red in the screenshot).
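The indicators described above (envelope sender and originating relay outside the claimed sender’s infrastructure, sender mailed to itself with everyone else on BCC, and a login link pointing away from the bank’s domain) can be checked mechanically from the message headers and body. The script below is an added example and is not code from the original article; the two sample messages are constructed for illustration and every domain in them (`standardbank.example`, `mail-relay.example.net`, and so on) is a placeholder, not the bank’s real domain.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real captures; all domains are placeholders).
# In SAMPLE_SPOOF the From header claims the bank's domain, while the envelope
# sender, the originating relay and the link all belong to unrelated hosts.
SAMPLE_SPOOF = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
    by mx.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
From: Standard Bank Notifications <notify@standardbank.example>
To: notify@standardbank.example
Subject: Please authorise your transaction
Content-Type: text/plain; charset="utf-8"

Please authorise the pending transaction at
http://standardbank-secure-login.example.net/auth
"""

SAMPLE_LEGIT = """\
Return-Path: <notify@standardbank.example>
Received: from smtp1.standardbank.example (smtp1.standardbank.example [203.0.113.5])
    by mx.example.org with ESMTP id def456; Mon, 1 Jan 2024 11:00:00 +0000
From: Standard Bank Notifications <notify@standardbank.example>
To: customer@example.org
Subject: Your statement is available
Content-Type: text/plain; charset="utf-8"

Log in at https://www.standardbank.example/ to view your statement.
"""

URL_RE = re.compile(r'''https?://[^\s<>"']+''')
RECEIVED_FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(header_value):
    """Lower-cased domain part of an address header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def body_text(msg):
    """Concatenate the decoded text/* parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def analyse(raw_message):
    """Return the indicators discussed in the article plus a simple risk score."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From") or "")[1].lower()
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))

    # Each hop prepends a Received header, so the last one is closest to the origin.
    received = msg.get_all("Received") or []
    origin_host = ""
    if received:
        match = RECEIVED_FROM_RE.search(received[-1])
        origin_host = match.group(1).lower() if match else ""

    to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To") or [])]
    cc_addrs = [a.lower() for _, a in getaddresses(msg.get_all("Cc") or [])]
    links = URL_RE.findall(body_text(msg))
    foreign_links = [u for u in links if not under_domain(urlparse(u).hostname, from_domain)]

    findings = {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "origin_host": origin_host,
        # envelope sender domain differs from the visible From domain
        "envelope_mismatch": bool(return_path_domain) and return_path_domain != from_domain,
        # originating relay is outside the claimed sender's infrastructure
        "origin_outside_sender": bool(origin_host) and not under_domain(origin_host, from_domain),
        # sender mailed itself with no Cc: everyone else was on Bcc
        "bcc_mass_mail": to_addrs == [from_addr] and not cc_addrs,
        # links that lead away from the claimed sender's domain
        "foreign_links": foreign_links,
    }
    findings["risk_score"] = sum(
        bool(findings[k])
        for k in ("envelope_mismatch", "origin_outside_sender", "bcc_mass_mail", "foreign_links")
    )
    return findings


if __name__ == "__main__":
    for name, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, analyse(sample))
```

The Received-header check is a heuristic, not a substitute for SPF, DKIM and DMARC verification: a relay can forge earlier Received lines, and legitimate senders sometimes use third-party mailers. Treat the score as a triage signal for a mail gateway or SOC playbook, with the authentication results as the authoritative verdict.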

Hi Mwebber, beware

MWeb has been one of the commonly targeted organisations observed over past years, plaguing subscribers with constant phishing and spam campaigns.

Most recently, the technique below, delivered as a PDF attachment to an email, was added to the list. These campaigns have been refined many times over in attempts to evade detection by spam and malware filters and to fool victims into thinking ‘this time it’s legitimate’.

Technique used in spoofing campaign:

  1. A URL is embedded inside a PDF document and the PDF is attached to an email. NOTE: this is surprisingly effective, depending on the spam, phishing and malware filters configured for the mailbox.
    1. In many cases, a user may only have basic protection enabled on their email account (e.g., gmail.com, live.com, etc.), which covers suspicious URLs in the email body and malicious attachments, i.e. cases where the attachment itself is malware.
    2. Deeper scanning is not usually performed on free or basic subscription accounts, as it comes at a cost to the provider; it is generally offered on more expensive packages or is simply not configured.
  2. The email campaign is then mass distributed using a database of previously exposed email addresses, i.e. email combolists again.
    1. In this scenario the email body contains no suspicious links and the attachment itself is not malware, so both checks pass and the email is delivered successfully.
  3. Once a target opens the PDF and clicks on the embedded URL, they are redirected to a fake website configured to replicate MWeb’s login page (still no malware).
  4. It’s here, on the fake login page, where scripts capture the target’s username and password and submit them to the attacker’s command and control server.
  5. Credentials have now been stolen.
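Because the link lives inside the attachment rather than the message body, a filter that only scans the body text never sees it. The script below is an added example, not code from the original article or from MWeb: it builds a MIME message with a PDF attached, extracts the link annotations (`/URI` actions) from the PDF bytes, and flags every link whose host is not under the brand’s domain. The PDF fragment and the message are constructed for illustration, and `mweb.example` and `mweb-account-verify.example.net` are placeholder domains.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

# Constructed, uncompressed PDF fragment with two link annotations: one with a
# literal-string /URI and one with a hex-string /URI. Not a real sample; the
# xref table is omitted because only the object bodies are scanned here.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://mweb-account-verify.example.net/login) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI <68747470733a2f2f7777772e6d7765622e6578616d706c652f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# /URI followed by either a (literal) string or a <hex> string
PDF_URI_RE = re.compile(rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)")


def pdf_uris(pdf_bytes):
    """URI action targets found in uncompressed PDF objects, in document order."""
    uris = []
    for m in PDF_URI_RE.finditer(pdf_bytes):
        literal, hexstr = m.group(1), m.group(2)
        if literal is not None:
            raw = re.sub(rb"\\(.)", rb"\1", literal)  # undo \( \) \\ escapes
        else:
            raw = bytes.fromhex(re.sub(rb"\s+", b"", hexstr).decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def under_domain(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower()
    return host == domain or host.endswith("." + domain)


def build_sample_email(pdf_bytes):
    """Assemble a MIME message with the PDF attached, as the campaign does."""
    msg = EmailMessage()
    msg["From"] = "MWeb Support <support@mweb.example>"  # placeholder domain
    msg["To"] = "subscriber@example.org"
    msg["Subject"] = "Action required: confirm your account"
    msg.set_content("Please see the attached notice.")  # no link in the body
    msg.add_attachment(pdf_bytes, maintype="application", subtype="pdf",
                       filename="notice.pdf")
    return msg.as_bytes()


def scan_pdf_attachments(raw_message, brand_domain):
    """List every link inside PDF attachments, marking those off the brand's domain."""
    msg = message_from_bytes(raw_message, policy=default)
    report = []
    for part in msg.walk():
        if part.get_content_type() != "application/pdf":
            continue
        data = part.get_payload(decode=True) or b""
        for uri in pdf_uris(data):
            host = urlparse(uri).hostname or ""
            report.append({
                "attachment": part.get_filename(),
                "uri": uri,
                "foreign": not under_domain(host, brand_domain),
            })
    return report


if __name__ == "__main__":
    for hit in scan_pdf_attachments(build_sample_email(SAMPLE_PDF), "mweb.example"):
        print(hit)
```

Real-world PDFs usually keep annotations inside Flate-compressed object streams, so a production gateway should hand attachments to a proper PDF parser that inflates streams before looking for link actions; the byte-level scan above is only the illustrative core of that check. The same report can feed a URL-reputation lookup or a sandbox detonation of the landing page.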

DNS Domain Failure

In this case the targeted email address belongs to a corporate domain, meaning that it is managed by the employee’s organisation’s administrators and would therefore always be handled internally.

In this particular event the email was received from an external entity rather than the postmaster or internal administrator, and it links to an externally hosted website (the webmail page seen in the second screenshot).

‘Friendly’ Cash Loan scam

If it’s too good to be true, it’s usually a scam. Here is a loan scam example that offers ridiculously low interest rates and requests personal information that could be used for identity theft and fraud.

The fraudster needs the recipients to respond and share their details ‘willingly’. The best defence is to never respond to these emails, as you have no idea who may be on the receiving end. These emails are safe to ignore and delete.

As an extra measure, the registration number was checked against the National Credit Regulator (NCR) of South Africa’s database and it was found that the registration number does not actually exist. This confirms that the organisation offering the loans is not a registered credit provider.

When comparing these examples side by side, it can be seen how similar the form templates are.

Inheritance/Insurance pay-out fraud

Inheritance or insurance pay-out scams have existed since the beginning of time, or at least since the invention of life insurance.


The concept behind these campaigns is similar, and the internet makes it much easier to reach a wider audience of potential victims: people who are more susceptible than most to the idea of ‘striking it lucky’, coupled with the possibility that a long-lost relative may actually exist.

Below is a summary of how these campaigns work.

Technique:

  • The threat actor selects one of many templates and modifies it as preferred.
  • An email, Word, PDF or similar document is then generated from the template in preparation for deployment.
  • One or more free email accounts are set up (Gmail, Hotmail, Yahoo, etc.) using fake personal information in an attempt to avoid being tracked or found.
  • The threat actor uses an email combolist consisting of thousands, if not millions, of email addresses sourced from data breaches or scraped websites.
  • The configured campaign is then mass-distributed via email and/or social media (most commonly via email).
  • The threat actor then waits for someone to respond or enquire so they can begin engaging with the victim.
  • The responder is advised that they will need to pay a fee before the funds can be released (other information may also be requested).
  • Once the fee has been paid the threat actor may disappear, never to be heard of again, or may attempt to extract further payments from the victim.
  • The victim has their money stolen and will never receive the promised pay-out.
  • Because the victim consciously engages with the fraudster and knowingly actions the transfer or payment, even though they are unaware of the fraud, most financial institutions will not allow reversal or reimbursement of the stolen funds.