Thank you for your interest in our newsletters. You will receive an email shortly to confirm your subscription.
Stiaan van der Watt, Security Consultant
10 mins read
F-Secure Consulting was recently made aware of an SMS sent supposedly from a financial institution to a client. The SMS indicated that the client should follow the provided link and enter their credentials within the next 24 hours to prevent their account being suspended or disabled. The SMS used social engineering techniques to convey a sense of urgency around this action being taken, including consequences should they not be. A quick inspection of the link in the SMS raised suspicions and prompted our investigation.
Using open source intelligence gathering, we were quickly able to validate whether the link had been detected by any engines or listed in any database labeling phishing sites. Our consultants came across detections for this specific link, marked as phishing. Detections included Google Safe Browsing, for which a warning page is displayed to a user visiting the website using Google Chrome, indicating that the site might be attempting to steal personal data or install software.
Leveraging the tools at our disposal, we discovered that the web server was being hosted inside South Africa, and the link was indeed a phishing website attempting to harvest user credentials. This mimicked a financial institution's login page to convince the user to submit their credentials. Further investigation revealed a compressed (ZIP) file on the web server hosting the fake website. The archive contained the files and code for the fake website, providing us with a wealth of additional information and technical insight into how the attacker was gathering credentials.
Should a victim click on the link in the SMS, and submit their credentials, their credentials are captured and written to a file. With no reason to suspect malicious intent, the victim is likely to perform no further investigation after entering their credentials, leaving the attacker to access the captured credentials stored in a file on the server. Code on the malicious website revealed an additional link pointing to an account on a messaging platform. In the description of the account, an array of tools was listed for sale on another website. Some of these were:
Such tools can be used for malicious purposes, such as capturing a user's keystrokes, or gaining remote access to a system. The evidence that was gathered and reviewed supported the theory that the website was a phishing site being utilized to harvest user credentials.
Following our initial discovery, further research and investigation revealed that the server hosting the phishing website was also hosting many others. These appeared to mimic other financial institutions' login pages, including one instance attempting to mislead a user into submitting their Gmail credentials. All financial institutions mimicked were based in South Africa, leading us to suspect this was part of a larger credential harvesting campaign targeting mostly South Africans.
Phishing users through SMS messages is otherwise known as smishing . This may appear to be a difficult task, requiring significant hard-to-obtain user information, but South Africans have had their data leaked on multiple occasions. One example is the famous Master Deeds Breach in 2017 , which included cellphone numbers and other personal information being compromised.
Attackers utilizing phishing for credential harvesting usually make use of language that portrays a sense of urgency; the message will often imply that not following a number of instructions quickly could result in potentially dire consequences. This language is designed to manipulate their victim into taking an action within a short time period.
With the world in a 'lockdown' state, and call centers busier than normal, a user is likely to be alarmed and react in haste if they receive correspondence saying their financial institution might suspend or disable their account. Such tactics are commonly used in times of crises .
The evidence our team collected indicated that the attacker was most likely financially motivated. Naturally, this is because they were attempting to gain access to accounts containing money and/or that could be used to make transfers. At the time of writing this article, no malware has been identified as being delivered by the server and fake websites.
The South African organizations, whose clients could be targeted by this phishing campaign, have been alerted to the malicious websites through the appropriate communication channels. We are providing them with the necessary information from the investigation to assist with a domain takedown.
Being vigilant and informed of such attacks greatly improves people’s ability to identify phishing messages. Internal and external education campaigns can be used to promote best practise for prevention. Educating employees and customers to analyze any messages they receive, be it an email, SMS, MMS, or even WhatsApp message, is possible using the questions  below. These will help them determine if the message could be a potential phishing attempt:
An advanced attacker might attempt to spoof or conceal the sender name in their message, or provide snippets of the recipient’s own personal information to make the message appear more legitimate. These targeted attacks are more difficult to detect, and demand deeper investigation by the recipient.
If there are any doubts regarding a message, users should not click on any links or open any attachments. Advice should be given to report the message to your organization immediately. Users should rather use their known, trusted links or applications to log into their online banking to check their account. If a client is unsure about a link, they should contact their bank immediately.
Where possible, encourage the use of two factor authentication for accounts and unique passwords for each account. This will limit the damage attackers can do if a password is compromised.
The following steps should be recommended if a user has clicked on a malicious link and submitted their credentials:
With attacks increasing over the past few months, the probability of receiving a potentially malicious message has also increased. Continuous vigilance, demonstrated by employees, customers, and even third-party partners, will serve to deter potential attackers.
Certificate number: 10000178485-MSC-UKAS-FIN