Standard Bank Business users are the targets in latest phishing attack

March 20, 2019



Author: Snode Technologies

Security researchers at Snode Technologies, a cybersecurity and data analytics company based in Gauteng, have recently uncovered an ongoing malicious phishing attack specifically targeted at Standard Bank Business users.

The victims of this attack received a mail, seemingly from Standard Bank, that informed them that they had outstanding payments due to SARS and, in order to view the details of this outstanding payment, they had to click on the attachment.

At a quick glance, the mail could fool even vigilant users into believing it is legitimate. All the “normal” Standard Bank branding and imagery is present, and the sender’s email address appears to be a legitimate Standard Bank domain. The question, then, is how the attackers managed to use a seemingly legitimate address, bypass spam filters, and still trick users into filling in their details. To understand this, Snode’s security researchers performed a deep-dive analysis to uncover the true method and motivation behind this phishing attack.

Header Analysis

First, a detailed header analysis was conducted on one of the emails received to understand exactly how the attackers came to be sending from a standardbank.co.za address. The attackers were using an unprotected open email relay (ecoenergo.com.ua, mail.ecoenergo.com.ua, 109.251.204.43) to spoof the sender address as “Standard Bank <ibsupport@standardbank.co.za>”. The spoofed sender domain (standardbank.co.za) was chosen specifically to get past technical controls such as spam filters.

Spam Filter Pass Through

Secondly, to understand how this attack bypassed the spam filters, it is important to know that spam filters will, in most cases, allow spoofed emails through if the SPF (Sender Policy Framework) check results in a “Pass” or “Soft Fail”.

In this case, the attacker manipulated the headers so that the SPF check resolved the original sender domain to the original sender IP, rather than checking standardbank.co.za; SPF is evaluated against the envelope sender, not the From address shown to the user. This exposes the original email relay (mail.ecoenergo.com.ua) in the headers but lets the email pass through the filters. Below is an example of the ongoing phishing campaign:

Figure 1: An example of what the user will see when receiving the phishing mail.

Social Engineering

In the above screenshot of the sample mail, the copy asks the user to open the attached .pdf file to view the “…Pending payment from SARS.” On examining the attachment, the file extension turns out to be “.pdf.html”. Once clicked, the user saves and opens a local HTML file rather than the intended PDF.

This HTML file first loads a GoDaddy-shortened URL in the user’s browser and then redirects to a URL that looks something like ‘https://zREDACTEDq/gti/onlinebanking.standardbank.co.za’. The final redirect target changes as the phishing domains are reported and flagged as malicious by Google.
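As an added example (not Snode’s own tooling), the two checks a mail gateway or analyst could apply to the pattern described above: whether the domain SPF actually vouched for matches the visible From domain, and whether an attachment name hides an HTML file behind a document extension. The sample headers are constructed; only the domains and relay IP come from this write-up, and the bounce@ local part and Received-SPF wording are assumptions.

```python
"""Mail triage for the spoofing pattern in this write-up: added example, not
Snode's tooling. Header values are constructed; domains/IP are from the article."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the visible From shows the bank, while the envelope
# sender (the identity SPF is checked against) belongs to the open relay.
SAMPLE_MAIL = """\
Return-Path: <bounce@mail.ecoenergo.com.ua>
Received-SPF: pass (mail.ecoenergo.com.ua: 109.251.204.43 is authorized) client-ip=109.251.204.43; envelope-from=bounce@mail.ecoenergo.com.ua;
From: Standard Bank <ibsupport@standardbank.co.za>
Subject: Pending payment from SARS

Please open the attached statement.
"""
CC_SLD = {"co", "com", "org", "net", "gov", "ac"}  # common second-level labels under ccTLDs
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx"}
ACTIVE_EXT = {"html", "htm", "hta", "js", "exe", "scr"}

def org_domain(addr: str) -> str:
    """Organisational domain of an address; .co.za-style suffixes are kept
    whole (an approximation, not a full public-suffix-list lookup)."""
    domain = parseaddr(addr)[1].rpartition("@")[2].lower()
    labels = domain.split(".")
    if len(labels) >= 3 and labels[-2] in CC_SLD and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def spf_identity(received_spf: str) -> tuple:
    """(result, domain SPF was evaluated against) from a Received-SPF header."""
    result = received_spf.strip().split()[0].lower()
    m = re.search(r"envelope-from=<?([^;>\s]+)", received_spf)
    return result, (org_domain(m.group(1)) if m else "")

def check_alignment(raw: str) -> dict:
    """Flag mail whose From domain is not the one SPF vouched for: an SPF
    'pass' for the relay's own domain says nothing about standardbank.co.za."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = org_domain(str(msg["From"] or ""))
    spf_result, spf_dom = spf_identity(str(msg["Received-SPF"] or "none"))
    aligned = bool(spf_dom) and spf_dom == from_dom
    return {"from_domain": from_dom, "spf_result": spf_result,
            "spf_domain": spf_dom, "aligned": aligned, "suspicious": not aligned}

def deceptive_attachment(name: str) -> bool:
    """True for 'statement.pdf.html'-style names: a document-looking name whose
    real (last) extension is rendered by the browser or executed."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] in DOC_EXT and parts[2] in ACTIVE_EXT
```

Running `check_alignment(SAMPLE_MAIL)` reports an SPF “pass” for ecoenergo.com.ua with the From domain standardbank.co.za unaligned, which is exactly the condition a DMARC alignment check would reject even though plain SPF let the mail through.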

Below are examples of live and burned domains hosting the phishing attack:

Figure 2: Example of a live phishing domain.

Figure 3: Example of a domain which has been burned.

Taking a Closer Look

After a domain is burned, a new deployment is spun up.

Because the attacker must deploy rapidly to keep new phishing domains live and unflagged, deployment is done hastily; as a result, directory indexing is left enabled on the web server’s root, which exposes the .zip archive used for these quick deployments.

The source code in that archive reveals the inner workings of the web server, which gave Snode’s security researchers access to the results of the phishing attack, saved in the web-hosted directory of each spun-up domain.

The results that were uncovered included confidential information such as email addresses, passwords, client IPs, user agents, telephone numbers, and OTP attempts (the phishing server indefinitely loops, asking the user for the most recent OTP).

At the time of this write-up, the phishing attack has been observed over a period of 3 days and in excess of 500 submissions have been made to the phishing website(s).
