Kiwibank users targeted by email phishing scam

Kiwibank users may be at risk as an email phishing scam is being used by criminals to harvest Kiwibank users’ online banking credentials.

Once victims click the link in the phishing email they receive, they are redirected to a malicious phishing website controlled by the criminals. Below is a copy of what the site looks like:

[Screenshot: the Kiwibank phishing page as presented to victims]

Here is a list of the latest campaigns we have observed:

[Screenshot: list of the observed campaign emails]

The emails were sent from various university domains; either the sender addresses are spoofed or a mailbox or server at each institution is compromised:

wartburgseminary.edu – Wartburg Theological Seminary
ncwc.edu – North Carolina Wesleyan College
desu.edu – Delaware State University

To reach the Kiwibank phishing website, victims are first sent to a stage 1 URL, which then redirects them to the Kiwibank phishing site. The links embedded in the emails point to the stage 1 redirectors; the second and last stage is the phishing page itself.

Stage 1 URLs from emails:
tolooetehran[.]com/media/
cashewcorporation[.]com/wp-admin/user/
mailocphotos[.]com/logs/
artisangarricmickael[.]fr//templates/

Stage 2 URLs – Kiwibank phishing websites:
hxxp://www.buddhalandnepaltreks[.]com/cache/new/suspended/message/
hxxp://intervention.tbs-services[.]fr/templates/beez5/fonts/new/suspended/message/

For instance, the last two campaigns can be dissected as follows:

Email from 12/28/16:
Display in mail -> hxxps://www.ib.kiwibank.co[.]nz/
-> 1st stage link is: hxxp://mailocphotos[.]com/logs/
-> redirects to phishing website: hxxp://intervention.tbs-services[.]fr/templates/beez5/fonts/new/suspended/message/

Email from 1/2/17:
Link in email is the 1st stage -> hxxp://artisangarricmickael[.]fr//templates/
-> redirects to phishing website: hxxp://www.buddhalandnepaltreks[.]com/cache/new/suspended/message/
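The two dissected emails share the same tell: the visible link text names Kiwibank while the real href points at a stage 1 redirector. The following added example (not code from the original post) parses an HTML email body, flags anchors whose displayed host differs from the href host, and matches hrefs against the stage 1 hosts listed above after refanging them. The sample body is constructed to mirror the 12/28/16 email and is not a real capture.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Stage 1 redirector hosts from this campaign, defanged as in the write-up.
STAGE1_DEFANGED = ["tolooetehran[.]com", "cashewcorporation[.]com",
                   "mailocphotos[.]com", "artisangarricmickael[.]fr"]

def refang(value):
    """Turn a defanged indicator (hxxp, [.]) back into a comparable form."""
    return value.replace("[.]", ".").replace("hxxp", "http")

class _LinkParser(HTMLParser):
    # Collect (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html):
    """Flag links whose visible text names a different host than the href (the
    Kiwibank display text vs. the real target) or whose href is a stage 1 host."""
    stage1 = {refang(h) for h in STAGE1_DEFANGED}
    parser = _LinkParser()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).netloc.lower()
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text, re.I)
        shown_host = shown.group(1).lower() if shown else None
        reasons = []
        if shown_host and shown_host != href_host:
            reasons.append("display/href host mismatch")
        if href_host in stage1:
            reasons.append("known stage 1 redirector")
        if reasons:
            findings.append((href, reasons))
    return findings

# Constructed sample body modelled on the 12/28/16 email (not a real capture).
SAMPLE_EMAIL = ('<p>Please confirm your details: <a href="http://mailocphotos.com/logs/">'
                'https://www.ib.kiwibank.co.nz/</a></p>')
```

Running `suspicious_links(SAMPLE_EMAIL)` reports the single anchor with both reasons; a mail gateway rule that raises on the mismatch alone catches this chain even before the stage 1 host is known.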

The stage 1 and stage 2 hosts appear to be compromised websites that the criminals leveraged for their own use. The website intervention.tbs-services[.]fr is heavily compromised: we found several webshells in addition to two PHP mailers, a cPanel finder/cracker, a database email extractor, and a file uploader. It appears that this server has been compromised multiple times, possibly by different criminals. Below are screenshots of the different tools we found on the server.

[Slideshow: screenshots of the webshells and tools found on the server]

The criminals, having almost full control of this server, also uploaded an Amazon phishing scam accessible at the following URL:
hxxp://intervention.tbs-services[.]fr/amazon…com-subscriptions.manager/ap/signin_encoding=UTF8&openid.assoc_handle=usflex&openid.claimed_id=/Mjk4NjgzNzE3OA=/login.php?member_[a-z0-9]{20}&token=0.1

The Kiwibank phishing page is set to send the stolen credentials and the answers to secret questions to the following email address:
Kiwibank – ce0c3oceo@gmail[.]com

The Amazon phishing page, on the other hand, is set to send the stolen credentials, full name, home address, date of birth, and credit card details to the following email address:
Amazon – polpo666@yahoo[.]com

Unfortunately, there is not much to find on these two email addresses; they are probably just used as drops to receive the stolen data.

Lastly, there was an interesting folder named traderpcp. The folder contained a text file and a zip file; the zip file just contained the same text file. The text file is named horux.txt and its content is:

TrackID:YTS-PSD-4E2H
Freshly shell 100% and unzip ok
Proof : hxxp://a.top4top[.]net/p_3487yzqi1.png

=================================
hxxp://up.top4top[.]net/index.php
traderpcp

[Screenshot: the proof image referenced in horux.txt]

The text file contained proof of a web shell installed on a server and of the threat actor having successfully unzipped an archive containing a phishing kit. Looking at the other open tabs in the screenshot, we can see one opened on Horux Store. Horux is a marketplace where criminals can buy a plethora of stolen data, RDP access, shells, and so on. We gained access to the store and found a member using the handle “traderpcp” selling web shells and phishing kits, which confirms our findings; see below:

[Screenshot: the Horux Store listing of the member traderpcp]

The other interesting piece of information visible in that screenshot is the threat actor's IP address, 46.32.126[.]130. At the time of writing it is hard to know whether this is his own IP address or just a proxy/VPN exit node, but the service the threat actor used to share the screenshot (up.top4top[.]net) is in Arabic and the IP address 46.32.126[.]130 geolocates to Jordan.

Lastly, the web shell access shown by the criminal in the screenshot is still active.
