ZA BANK PHISHING HELPED WITH INSECURE INTERNAL PRACTICES

Created 4/2/2024

Version 1.0

Summary

1. None of the fraud sites have been removed or reported by 4/2/2024. (some removed by 12/2/2024).

2. The initial site is located on a VPS (Virtual Private Server) hosted by a German hosting company https://contabo.com/ who can be contacted https://contabo.com/en/abuse/.

3. The site is hosted on https://eu2.contabostorage.com/34e12b9b6d58497ebca5a392f0c69e13:jak/index.html

4. SSL is valid on the site because the certificate being used is CONTABO’s legitimate certificate issued to *.CONTABOSTORAGE.COM

5. The site was copied using a tool called https://www.httrack.com/ via a port forwarding service called https://portmap.io/ (the port forwarding was probably done to hide the abuse)

6. The form mimics THE BANK'S site to some extent (imagery branding and process flow looks like the THE BANK online banking app) and forwards the username and password to https://account.dnalifenl.com/jakme/verification_1.php. There are a number of scripts on this URL that sequentially processes the user submission. It is not possible to download or study the code that processes the HTTP POST (it is marked as executable and not readable), however, the process flow seems to be:

   1. The site collects THE BANK internet banking username and password.

   2. It then collects a mobile number

   3. Lastly it collects a credit card number, expiration date and CVV number. This card collection seems not used in the phishing attack but the card might be recorded for later purposes.

   4. There is very minimal input validation:

      1. Tests for empty values on loginID and emailPASS

      2. Tests that the password doesn’t contain only numbers and alerts on that.

      3. Tests that the password does not contain only letters and DOESN’T ALERT ON THAT. This seems to be leftover code not used.

   5. It then sends an OTP after trying to log into the internet banking site (not tested due to the sensitive nature of providing this site with a working phone number). This OTP pretends to be a card authorization, but most likely is a man-in-the-middle attack (MITM) when they log into the THE BANK Internet Banking web frontend with the obtained username and password.

   6. The attackers called the target on a phone line then to obtain the OTP in order to log into the site. It is unclear where this call originated.

7. This domain (DNALIFENL.COM) is hosted in the US in Virginia with the following reverse DNS (vps92392.inmotionhosting.com) with a hosting company INMOTIONHOSTING.COM. (https://www.inmotionhosting.com/contact) they can also be contacted on support@inmotionhosting.com.

8. The domain name  DnaLifenl.com was registered on 13/1/2024 with TUCOWS. domainabuse@tucows.com can be used to revoke this domain.

9. DNS is hosted in NS.INMOTIONHOSTING.COM and NS2.INMOTIONHOSTING.COM and removing the DNS entry form these servers will render the domain inaccessible.

Analysis

1. How do the criminals know to target specific individual customers? 

   1. Did they receive information from within the bank or was this information obtained vir public disclosure?

2. Why does the bank not action the removal of these domains immediately to prevent customers being hacked? There is already proof that specific customers have lost large amounts of money via this scheme.

3. The cyber attack is sophisticated as it requires the attackers to also successfully contact the target to obtain the OTP sent to them via phone in order to complete the attack. This is done via social engineering and because the bank has no secure way to contact clients (in app secure messaging doesn’t work), there is no way for banking customers to know if they receive a legitimate call from the bank or from a phishing attack.

4. THE BANK has done very little to protect against phishing attacks.

   1. Their application doesn’t support 2FA to log into the site every time that a user wants to access internet banking.

   2. They often use their OTP channel to push marketing messages to their clients, thereby creating confusion about what is banking security information and what is commercial activity.

   3. The in-application messaging for transactional OTPs has been problematic for years and THE BANK has failed to remedy this (support cases no 3135757 (6 Nov 2023) and 3190698(17 Jan 2024)). This unreliable service opens the opportunity for attackers to exploit the broken and outdated THE BANK application to attack its customers.

   4. THE BANK does not educate their customers about the dangers of phishing and does not provide them with a clear reliable way to communicate with the bank. The current way the bank responds to a support query or complaint is to call customers directly (with no way for customers to verify it is the bank calling them). This is exactly the channel and method that attackers use to attack bank customers.

Recommendations

Actions that should have immediately be taken by the THE BANK security team:

1. Contabo to be contacted to freeze the VPC hosting URL https://eu2.contabostorage.com/34e12b9b6d58497ebca5a392f0c69e13:jak/phone-verification.html.

2. TUCOWS should be contacted (domainabuse@tucows.com) and the DNS for this domain removed.

3. INMOTIONHOSTING.COM (support@inmotionhosting.com) who is hosting the DNALIFENL.COM domain should be contacted and this VPC stopped and frozen for investigation purposes.

4. INMOTIONHOSTING.COM should immediately remove the DNS entries for DNALIFENL.COM.