Rewterz Threat Alert – Qakbot Spreads through VBS Files
June 2, 2020
Rewterz Threat Advisory – CVE-2020-10136 – Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability
June 2, 2020
Severity
Medium
Analysis Summary
Researchers identified a phishing campaign targeting customers of South African banking institutions in order to steal credentials, account numbers, PINs, and more. The phishing email appears to come from the South African Revenue Service’s (SARS) eFiling service and claims to reference a tax return that has been deposited into the user’s account. Recipients are asked to select their institution from one of five listed banks and log in to complete the refund process. Each of the links leads to a lookalike login page for the associated bank. The landing pages ask for a variety of information, such as account numbers, passwords, PINs and cell phone numbers. All of the sites are hosted on the same server and leverage the Webnode website building service. Because the pages are built with Webnode, any data entered into the forms is gathered and stored by the service.
Impact
- Credential theft
- Financial loss
- Exposure of sensitive data
Indicators of Compromise
URL
- hxxps[:]//absa9[.]webnode[.]com
- hxxps[:]//capitec-za[.]webnode[.]com
- hxxps[:]//first-national-bnk[.]webnode[.]com
- hxxps[:]//nedbank-za0[.]webnode[.]com
- hxxps[:]//standardbnk[.]webnode[.]com
Remediation
- Block all threat indicators at your respective controls.
- Always be suspicious about emails sent by unknown senders.
- Never click on links or attachments sent by unknown senders.
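
To support the first remediation step, the following added example (not part of the original advisory) refangs the URL indicators listed above and checks web proxy log lines for requests to those hosts. The log format (timestamp, client, method, destination, status) and the sample lines are constructed assumptions; adapt the field positions to your proxy.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators copied from this advisory's IoC list.
DEFANGED_IOCS = [
    "hxxps[:]//absa9[.]webnode[.]com",
    "hxxps[:]//capitec-za[.]webnode[.]com",
    "hxxps[:]//first-national-bnk[.]webnode[.]com",
    "hxxps[:]//nedbank-za0[.]webnode[.]com",
    "hxxps[:]//standardbnk[.]webnode[.]com",
]

def refang(indicator):
    """Turn a defanged indicator back into a parseable URL."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("[:]", ":")

def host_of(value):
    """Normalise a URL or bare host[:port] to a lowercase hostname."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse CONNECT-style host:port
    return (urlsplit(value).hostname or "").rstrip(".")

IOC_HOSTS = {host_of(refang(i)) for i in DEFANGED_IOCS}

def find_hits(log_lines):
    """Return (client, host) for each line whose destination is an IoC host."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        host = host_of(fields[3])
        if host in IOC_HOSTS:  # exact match: the Webnode parent domain is not flagged
            hits.append((fields[1], host))
    return hits

# Constructed sample proxy log lines (assumed format, not real traffic).
SAMPLE_LOG = [
    "2020-06-02T08:14:03Z 10.0.4.17 CONNECT capitec-za.webnode.com:443 200",
    "2020-06-02T08:14:09Z 10.0.4.22 GET https://www.webnode.com/ 200",
    "2020-06-02T08:15:41Z 10.0.7.5 GET https://ABSA9.webnode.com/login 200",
    "2020-06-02T08:16:02Z 10.0.7.5 GET https://absa9.webnode.com.example.net/ 200",
]

if __name__ == "__main__":
    for client, host in find_hits(SAMPLE_LOG):
        print(f"{client} contacted {host}")
```

Matching on the exact hostname flags only the listed phishing subdomains and leaves other Webnode-hosted sites alone.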